SolarWinds hack impacts U.S. government and military, exposes most of Fortune 500

In mid-December, security analysts announced a serious data breach at two U.S. government departments. The SolarWinds hack has turned out to be one of the most far-reaching and sophisticated cyberattacks ever carried out against the U.S. government — the full impact of which now appears to go well beyond what was initially suspected.

In the past few days, we’ve learned more about the incident, including the scope, the attack vector, and the likely culprits. In what follows, we’ll try to answer some of the most common questions that people have been asking.

Who was compromised in the SolarWinds hack?

When the attack was first disclosed, the only parts of the U.S. government known for certain to be affected were the Treasury and Commerce Departments. But in the past week, it’s become clear that this was just the tip of the iceberg: So far, officials have acknowledged that the Pentagon, the Department of Homeland Security, and the State Department were all breached.

The damage is likely far more widespread, since up to 18,000 users — many of whom work in government agencies and large organizations — were exposed to the source of the breach. The list of potentially compromised organizations includes much of the federal government as well as defense contractors, national laboratories involved in the manufacture of nuclear weapons, and most Fortune 500 companies.

What was stolen in the hack?

It’s difficult to know exactly what or how much data was stolen at this point, but given the extent of the breach, it’s safe to say that the potential loss is enormous. Experts are already comparing the SolarWinds hack to some of the most effective cyberattacks ever conducted against the United States.

In addition, the impact of the attack isn’t just limited to stolen data, since it’s very likely that the attackers used their initial access to establish a persistent presence on sensitive networks. The hack began in March 2020 and went undetected for months, giving the bad actors ample time to install other backdoors on compromised systems and networks, and to cover their tracks in order to remain undetected for the long term. In the words of former homeland security adviser Thomas Bossert, “It will take years to know for certain which networks [the attackers] control and which ones they just occupy”.

How did the SolarWinds hack happen?

SolarWinds is an American software company. They produce a network monitoring tool called Orion that is used by numerous U.S. government agencies and Fortune 500 corporations.

The SolarWinds hack was a supply chain attack: a type of cyberattack that occurs when bad actors compromise software at the source — software that is then used by other parties, leading to their compromise. In this case, the hackers inserted a remote access tool into the code of an Orion software update. When Orion users installed the update, they also installed the malicious backdoor, giving the attackers a way into their networks. 

It’s not yet known how the SolarWinds internal network was breached in the first place, but the explanation could turn out to be something as simple as stolen Microsoft 365 credentials or a weak employee password. 

Who is responsible for the SolarWinds hack?

Experts believe that the SolarWinds attack was perpetrated by nation-state actors or by an APT group with nation-state affiliations.

The consensus in the security community is that the Russian government is in some way behind the attack, which was either launched directly by the SVR (the Russian Foreign Intelligence Service) or using an APT proxy known as Cozy Bear (APT29). According to Bossert, the evidence “points to…the SVR., whose tradecraft is among the most advanced in the world”. 

The involvement of Russian intelligence is perhaps unsurprising, given the fact that they’ve been implicated in numerous online disinformation campaigns as well as direct attacks on U.S. federal agencies and critical infrastructure facilities over the past year. 

Am I in danger from the SolarWinds hack?

Nation-state hackers and APT groups generally only go after the big targets: government agencies, militaries, corporations, large organizations, and particularly high-value individuals like politicians, executives, or employees with access to sensitive data. They’re not likely to be interested in your personal information, so in that respect at least, most people don’t have anything to worry about from the SolarWinds attack. 

However, in the broader sense, this incident puts all Americans in danger, since a foreign adversary now has unprecedented access to an unknown number of sensitive networks and systems. As Bossert cautions: “In the networks that the Russians control, they have the power to destroy or alter data, and impersonate legitimate people. Domestic and geopolitical tensions could escalate quite easily if they use their access for malign influence and misinformation — both hallmarks of Russian behavior”. In addition, the remediation process — figuring out which networks have been affected and making them secure again — is likely to be costly, time-consuming, and fraught with uncertainty.

The road ahead

In the immediate weeks and months, security professionals will have to work overtime to ferret out intruders on their networks, and they will need to watch for suspicious activity that might indicate an ongoing compromise. 

Bossert and others are also calling for bi-partisan cooperation in order to make sure an incident like this doesn’t happen again, which would mean presenting a united front to foreign adversaries and working together to strengthen the nation’s cyberdefenses.

If you’d like to learn more about the tools and tactics used by nation-state adversaries and APT groups, with a particular focus on the outlook for Mac users, read our interview with Patrick Wardle, an Apple security expert and former NSA hacker himself!