A ‘highly sophisticated cyber espionage operation’ has successfully been operating under the radar of the US Cyber Command, Homeland Security and the National Security Agency since March 2020, only being discovered by private cybersecurity firm FireEye in December 2020.1 The hack, described as a supply-chain attack, originally targeted an update for a piece of software called Orion, which is made by the IT company SolarWinds, whilst it was under assembly. This attack enabled the hackers to ‘impersonate any… existing users and accounts, including highly privileged accounts’ of those effected once the update had been installed.2
Due to the ubiquitous nature of the Orion software it is believed that 18,000 clients have been affected by the security breach, including prestigious technology names such as Microsoft, Cisco, Intel, Nvidia and VMware. In addition to this, multiple agencies within the US government have also been affected including the Treasury, State, Commerce and Energy Departments.3 The Justice Department, to which agencies such as the FBI, DEA and US Marshals Services belong, have also reported being affected, with an estimated 3% of its Microsoft Office 365 mailboxes potentially accessed.4
Since the discovery of the hack, the Cyber Unified Coordination Group, comprising US intelligence agencies such as the FBI, the Office of the Director of National Intelligence, the National Security Agency and the Cybersecurity and Infrastructure Security Agency, have confirmed the attack to be of Russian origin, proving to be a major intelligence coup for the most likely suspects; the Russian Foreign Intelligence Service.5
It is not confirmed as to what the object of the attack could be.6 One explanation has been that the hackers intentionally attacked a wide variety of organisations to make it more difficult for investigators to uncover any the adversary specific target. It has been said that Microsoft is nervous after having discovered that the hackers were able to access source code. Cyber security experts have posited the attack could be a ‘prelude to a much more ambitious offensive’.7 A second explanation has been that the attack’s objective was to compromise multiple US government targets, to allow the adversary to gain access to unclassified but sensitive data. One example of this sensitive data, is Operation Black Start which could be attained from the Federal Energy Regulatory Commission and details ‘technical blueprints for how the United States plans to restore power in the event of a cataclysmic blackout’.8 One final explanation has been that the attack started out with a specific target, with those perpetrating the attack believing they would get caught. When this did not happen the hackers decided to broaden the operation further, leading them to being eventually found out.
As a result of this audacious and wide spanning attack it is expected that cybersecurity spending could increase by 20% in 2021.9 In addition to this, it is possible that some software companies could move their engineering departments from Eastern European bases due to the strong influence Russian intelligence agencies are believed to have in these areas. To cut costs SolarWinds themselves moved engineering to satellite offices in the Czech Republic, Poland and Belarus.10 It has been reported that the US judiciary has enacted new procedures in which highly sensitive court documents filed with the federal courts ‘can no longer just [be sent] through the internet’ instead having to be delivered on actual paper or USB sticks.11 Further to this, whole government systems may have to be re-built from the ground up through fear that the hackers have left behind backdoors through which they could once again be able to compromise the system. It may be a requirement for governmental agencies to revisit the need to develop their own in-house software suites in order to defend against supply-chain attacks.
SolarWinds have since hired Chris Krebs, the former director of the US Cybersecurity and Infrastructure Security Agency, to consult with them on the security breach.