Russians are the prime suspects in a major hack this month against U.S. computer networks, compromising the data of the departments of Commerce, Treasury, and Homeland Security, as well as a number of Fortune 500 companies, in one of the largest reported cyberattacks ever.
The full scope of the hack will not be known for weeks or longer, but already the loss is significant.
One example is the loss of the hacking tools that the leading commercial cybersecurity firm FireEye used to test software for weaknesses. These powerful tools are now in the hands of the hackers and could be used in later attacks or sold to other hackers.
In addition to this, other organizations are still assessing the extent of the data that was compromised, but it could be significant, given how large and important those organizations are.
Although identifying perpetrators is difficult in cybersecurity, all fingers currently point at the hacking group APT29, also known as Cozy Bear. It is thought to be affiliated with the Russian intelligence service, the SVR, and conducts a broad range of cyberespionage on behalf of the Russian government as part of its global strategy to steal data and undermine Western governments.
Cozy Bear is a very advanced and disciplined threat actor, capable of using the most powerful methods for compromising high-value targets.
How it compromised these networks is evidence of its sophistication. As explained in a Heritage Foundation report, hacks are basically the unauthorized access of a network to either steal stuff or disrupt stuff, and they begin with a vulnerability that is exploited, providing access to the network and further opportunity to create and exploit other vulnerabilities.
The Cozy Bear hackers were able to first compromise SolarWinds, a prominent Texas information technology software company that supplies tech to government agencies and Fortune 500 companies.
They would have conducted extensive research on SolarWinds to find a vulnerability that would have given them access. Often, people are the weak link in the cybersecurity chain, and that opens an organization up for exploitation.
After this initial compromise, the hackers gained access to client networks by embedding malware in an update to the Oracle software managed by SolarWinds. That gave them a very subtle means of gaining access to a broad range of targets, which thought they were downloading trusted software.
Of the 33,000 or so users of the software, about 18,000 downloaded the corrupted version and became vulnerable to further exploitation.
However, that doesn’t mean that all of those entities had data stolen or compromised. Due to the sophistication of the targets, the Cozy Bear hackers probably went after the dozen or so that would have the highest value to them.
The actual theft would have occurred over time as the hackers worked within the compromised systems, and found and created further vulnerabilities to get at the most valuable information.
Hacks of this type usually target specific data, though they can also be opportunistic, as other compromises are created in the system. But they are closer to an elaborate heist for a specific piece of priceless art than to robbing a convenience store.
The networks have layers of security that would have had to be systematically compromised and defeated to get at the most valuable data, and that process takes time. It’s not as though once the initial software was downloaded by the targets, the hackers could right-click the download button to take all the data.
For example, seemingly legitimate internal emails could be generated to compromise other portions of the network or to gain access to secure areas of the network. Passwords could be stolen and used to gain access to other areas. The compromised SolarWinds software provided a platform within the system from which to conduct further attacks on the network.
This all highlights the importance of cybersecurity and reducing vulnerabilities to prevent hacks or to mitigate the damage done by them if they do occur.
Better training for staff, better supply chain security, and more sharing of threat intelligence are all a part of making U.S. networks safer from cyberthreats and criminals.
There are also a number of things individuals can do to reduce their vulnerability to hacks and cybercrime, like strengthening passwords and being careful with personal information on social media.
In addition, hacks of this magnitude by foreign adversaries like the Russians have national security implications, given the sensitive nature of the stolen data. The U.S. should use all of its tools, and not just cyber ones, to deter and retaliate for hacks of this nature.
Cyber is a critical part of the global world, with vast implications for both economic and national security.
A hack like this reminds us that we live in a dangerous world and that our adversaries will stop at nothing to gain an advantage. Organizations and individuals must not be complacent.