That hack of the U.S. government may have hit 18,000 institutions


BY:

Eric De Grasse
Chief Technology Officer

16 December 2020 (Paris, France) – The U.S. government is still getting its arms around the scope of the Russia-linked hack that penetrated the Pentagon, Treasury, Commerce, Homeland Security and State departments (at least), and other institutions are bracing for damage.

The big picture: The news, which Reuters broke Sunday, has shaken the government and larger cybersecurity world. The National Security Council reportedly held an emergency meeting over the weekend to discuss the breaches.

Who was (probably) behind it. Cyber operators likely working for the SVR, a Russian intelligence service, compromised the software of IT contractor SolarWinds to gain access to these government networks — and have been potentially roaming in them since March.

The group’s history. The same hacking unit, known as APT29 or Cozy Bear, hacked prominent cybersecurity vendor FireEye. Cozy Bear was also behind a major compromise in 2014 and 2015 of Pentagon, White House and State Department email systems.

• In the FireEye breach, Russian spies stole the tools the U.S. firm’s own hackers used to see if clients’ networks were secure — tools that, in theory, Russia could repurpose for malign hacking. The operators also seemed interested in FireEye’s government clients.

The upper limit of the hack’s potential reach: Some 18,000 SolarWinds customers — not individuals, institutions — may have been breached in the campaign, said SolarWinds.

What we don’t know:

  • What they were after. The hackers appeared to gain access to email systems at affected agencies, though we don’t know whose emails, nor just how sensitive they are. It’s possible they got deeper into government systems than merely scraping unclassified emails.
  • Whether the hackers are still active in victim networks. Once a determined and capable foreign intelligence service has forced its way into a system, it will seek new avenues to keep spying even if its initial access points get cut off. We don’t know if, or how many, victim networks are still compromised.
  • The full list of victims. It likely includes currently unnamed “national security agencies and defense contractors” according to the Wall Street Journal’s Dustin Volz, on top of the growing list of other confirmed and reported victims.

What’s at stake: The Pentagon and State Department are — and will always be — premier targets for foreign intelligence services. But there’s plenty of potential interest to Russian intelligence within other agencies.

  • Treasury has multiple agencies and bureaus that focus on terror financing, sanctions and helping track the financial flows of suspected intelligence operatives and agencies worldwide.
  • Commerce’s Bureau of Industry and Security identifies and sanctions firms and individuals secretly working for foreign governments or terror groups that are attempting to procure sensitive military technologies prohibited from export.
  • DHS’ Homeland Security Investigations arm does key work in countering nuclear proliferation, while the department’s Cybersecurity and Infrastructure Security Agency is responsible for securing federal networks.

Between the lines: There’s no evidence that these particular parts of Treasury, Commerce or DHS were breached. But the point is that sensitive national security work is often done in lesser-known corners of the U.S. government.

What’s next: It’s a strong bet there are other shoes waiting to drop.

  • SolarWinds’ customers include most of the Fortune 500 and a wide swath of U.S. military and civilian government bodies, per a recently deleted page on SolarWinds’ website.

Be smart: As stunning as the hack’s apparent success may be, the effort behind it is par for the course in the world of cyber espionage. The general public just rarely gets a glimpse into the machinery of modern spying.

  • And while the SolarWinds hack is immensely serious, the targeting of government agencies is precisely the type of cyber spying that all capable intelligence services do — including those in the U.S.