Comment: Mystery — and fear — mounts over SolarWinds hack

Months after the first incursions by Russian hackers, we still don’t know how bad the damage is.

By Timothy L. O’Brien / Bloomberg Opinion

Brad Smith, Microsoft’s president, made it clear in a Senate Intelligence Committee hearing last week that the federal government and leading members of the business community still don’t fully understand how digital burglars pulled off one of the most dangerous computer hacks in history.

“Who knows the entirety of what happened here?” asked Smith. “Right now, the attacker is the only one who knows the entirety of what they did.”

Intelligence analysts and technologists believe that the “attacker” is the Russian government and that about 1,000 of its operatives orchestrated a massive breach of at least 100 companies around the globe, as well as nine U.S. agencies. The Russians crept onto those servers by targeting SolarWinds, an Austin, Texas-based company that is a leading provider of network and information-technology software. Other undisclosed vendors may also have been involved.

The attack, which came to light late last year, set off alarms in the highest reaches of the government and corporate America, prompting the Biden administration to disclose plans to retaliate against Russia in coming weeks. The White House hasn’t offered details about what that response will entail, but has said it would involve more than diplomatic or economic sanctions. The response is also meant to signal the government’s distaste for a range of Russian activities, including digital disruption (such as interfering in U.S. elections), theft (such as sponsoring ransomware botnets and attempting to steal covid-19 vaccine research) and political vendettas (such as the poisoning and imprisonment of the Russian dissident Alexei Navalny).

But as two committees in the House of Representatives held a joint hearing Friday on the SolarWinds hack, featuring the same witnesses who testified before the Senate last Tuesday, it’s clear that glaring problems remain. Computer networks are vulnerable, information about how to defend and respond to attacks is scattered among private and public stakeholders who don’t freely share it with one another, and the Russian hack may be ongoing.

Although the Russians initially penetrated networks in the fall of 2019, and began lifting information last spring, the breach didn’t become publicly known until December, when FireEye — a Milpitas, Calif., company specializing in digital warfare — disclosed that it had been hacked. Cybersleuths in the federal government — including the National Security Agency — had not been aware of the hack. Corporate heavyweights at Microsoft weren’t aware until FireEye alerted them shortly after Thanksgiving and asked for help conducting a forensic analysis.

“Without this transparency, we would likely still be unaware of this campaign,” Smith said of FireEye’s alert. “In some respect, this is one of the most powerful lessons for all of us. Without this type of transparency, we will fall short in strengthening cybersecurity.”

It turned out that hackers had accessed and exploited Microsoft source code that authenticates customers using some of the software giant’s programs. Microsoft has since acknowledged that it hadn’t made sure its programs could detect the theft of identity tools providing cloud-computing access to its clients; a reminder that the cloud, overall, remains vulnerable to hackers and may be impossible to fully protect. FireEye also discovered attackers had breached its own private, in-house data center by piggybacking malware on a software update from SolarWinds. And SolarWinds, which hadn’t adequately protected its own systems, proved to be a leading nexus for a large portion of the attacks.

After sneaking into SolarWinds, the hackers deposited malware that gave them powers so broad they enjoyed “God-mode,” the ability to skirt encrypted protections and control everything on a network. The hackers masked their presence by replacing legitimate tools and utilities with their own and then depositing time bombs on a network. Then they covered their tracks by restoring the legitimate files. The malware was placed on SolarWinds’ supply chain, allowing it to travel onto victims’ networks whenever SolarWinds sent its customers a software update.

Sudhakar Ramakrishna, the chief executive of SolarWinds, said at the Senate hearing that his company still isn’t entirely sure how the hackers penetrated its systems, though his team has narrowed its investigation to three possibilities; unreassuring testimony given how long ago his company was breached. As many as 17,000 companies were imperiled in the Russian hack, according to Senate testimony.

Legislators attending Tuesday’s session, overseen by Sen. Mark Warner, D-Va., said they’re considering a national data breach reporting law, which would mandate hacking disclosures the private sector has long resisted due to concerns about reputational damage and legal liabilities. But Smith and Kevin Mandia, FireEye’s chief executive, both said that companies will have to embrace greater disclosure if they want to protect themselves.

Amazon.com, which operates a ubiquitous cloud computing business, was repeatedly criticized by legislators for not sending a representative to testify, even though hackers breached its servers and used them as staging grounds to strip data from government networks. Amazon has said it wasn’t victimized in the hack, and has already shared what it knows with law enforcement and the government.

Smith and Mandia also said that companies and governments seeking to protect themselves need to increase public-private collaboration and information-sharing, and take practical steps to strengthen supply-chain security, insulate networks and redefine how nation-states conduct themselves in cyberspace (good luck with that last one).

“There are still too many missing pieces of the puzzle,” Smith said. “We need a full examination of what other cloud services and networks the Russians have accessed. Before we as a nation can secure our digital ecosystem, we need to know that the Russian attackers are no longer present in the dozens or hundreds of networks in which they have accessed data or information through this attack.”

Scared yet?

Timothy L. O’Brien is a senior columnist for Bloomberg Opinion.

Talk to us

More in Opinion

toon
Editorial cartoons for Sunday, April 11

A sketchy look at the news of the day.… Continue reading

Eric Brossard displays his commemorative Drug Court graduation coin that reads, "I came with hope, worked and learned. I have a new life. A life that I've earned." (Olivia Vanni / The Herald)
Editorial: Court ruling requires focus on addiction treatment

A court decision allows for a more effective and affordable solution to substance use disorder.

** FILE ** In this March 9, 1936 black-and-white file photo Works Progress Administration (WPA) workers build a new farm-to-market road along Knob Creek in Tennessee. In sheer size, the economic measures announced by President Barack Obama to address "a crisis unlike we've ever known" are remarkable. They amount to the most-expensive plans ever to come through the government in peacetime, rivaling and in many cases dwarfing New Deal spending programs that President Franklin D. Roosevelt famously created to battle the Great Depression. They amount to a political tour-de-force. Yet despite the scope of these remedies, gloom and uncertainty about government's ability to deliver a fix persist.  (AP Photo/File)
Viewpoints: History backs Biden’s broad infrastructure plans

To have the success of FDR’s New Deal, Biden’s plans must do more than build roads and bridges.

Commentary: Help agencies who help children most in need

NW Children’s Foundation supports organizations providing crucial services to help children thrive.

Comment: Climate bill should credit manufacturers’ efforts

State manufactures have worked to reduce carbon emissions; that should be reflected in legislation.

Legislation would support sales of electric vehicles

Washington citizens have an opportunity to help address an important issue in… Continue reading

U.S. voices needed to oppose Myanmar coup and junta

The United States must take a clear and decisive stance against the… Continue reading

toon
Editorial cartoons for Saturday, April 10

A sketchy look at the news of the day.… Continue reading

An architectual illustration shows the proposed Learning Resource Center at Everett Community College. The centerAn architectual illustration shows the proposed Learning Resource Center at Everett Community College. The center would replace the college's Libary Media Center, built in 1988. The Senate capital budget proposal allocates $48 million for its construction, while the House budget includes no funding for it. (Courtesy of Everett Community College) would replace the college's
Editorial: Capital budget a bipartisan boost for communities

House and Senate proposals are substantial and needed, but final talks should secure an EvCC project.

Most Read