The suspected Russian hack of US government agencies may have been in the works for longer than suggested, as it’s revealed hackers may have conducted a ‘dry run’ of their massive cyber attack over a year ago.
US officials on Friday said hackers appeared to have targeted SolarWinds Corp back in October 2019, five months before executing a more destructive and malicious breach in March that was only detected recently.
The hackers are believed to have tested their ability to insert malicious code into the company’s network management software on October 10 which was later delivered to some 18,000 of the company’s customers.
The hack began as early as March this year when hackers snuck malicious code into recent versions of SolarWinds’ premier software product, Orion. The Austin-based software company provides vital computer network monitoring services to major corporations and government agencies worldwide
The list of victims from the devastating and long-undetected hack on US government agencies and companies continues to grow ever since the sprawling cyber-espionage campaign was disclosed earlier this week. This heat map of infections created by Microsoft shows that those infiltrated by the hackers are spread out across the US
Officials said a version of the SolarWinds Orion product had been tampered with around that time, however it did not contain the secret network backdoor – which authorities are calling SUNBURST – as the subsequent breach, according to the U.S. Cybersecurity and Infrastructure Security Agency.
GOVT AGENCIES KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR
- Department of State
- Department of Homeland Security
- Commerce Department
- National Institutes of Health
- Department of Energy
- National Nuclear Security Administration
- Los Alamos National Laboratory
- Federal Energy Regulatory Commission
- Office of Secure Transportation
The tampered files went undetected, and in March of 2020, the hackers began using Orion updates to deliver their backdoor.
‘We’re thinking they wanted to test whether or not it was going to work and whether it would be detected. So it was more or less a dry run,’ a source familiar with the investigation told Yahoo News.
‘They took their time. They decided to not go out with an actual backdoor right away. That signifies that they’re a little bit more disciplined and deliberate,’ the person added.
The evidence also points to a more concerning suggestion that the hackers may have had access to the company’s software prior to October 2019.
‘This tells us the actor had access to SolarWinds’ environment much earlier than this year. We know at minimum they had access October 10, 2019. But they would certainly have had to have access longer than that,’ the source told Yahoo.
‘So that intrusion [into SolarWinds] has to originate probably at least a couple of months before that – probably at least mid-2019 [if not earlier].’
SolarWinds, which disclosed its unwitting role at the center of the global hack on Monday, has said that up to 18,000 users of its Orion software downloaded a compromised update containing malicious code planted by the attackers.
The attack was believed to be the work of an ‘outside nation state,’ SolarWinds said in a regulatory disclosure.
Secretary of State Mike Pompeo has become the first U.S. official to publicly attribute a massive hacking campaign to Russia. He is seen above with Putin in 2019
In addition to major federal agencies and critical infrastructure, the hackers targeted entities as various as a county government in Arizona and a cable television company.
SolarWinds timeline: Company stocks and when they discovered attack
March: Updated versions of SolarWinds premier product, Orion, are infiltrated by an ‘outside nation state’
SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have
- November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares
- December 7: Leading investors Silver Lake and Thoma Bravo sell $280m shares from SolarWinds
- December 7: CEO Kevin Thompson resigns. His transition had already been announced but no set date given
- December 8: FireEye announces hackers broke into its servers
- December 9: New CEO Sudhakar Ramakrishna announced to take over from Thompson in 2021
- December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company
- December 13: The infiltration of Orion becomes public
The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’
The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted
The Pima County, Arizona government and Cox Communications Inc were identified as victims of the intrusion by Reuters after running a publicly available coding script.
Sources familiar with the US investigation have said the hack was likely carried out by Russia’s foreign intelligence service. Moscow has denied involvement.
Secretary of State Mike Pompeo on Friday became the first US official to publicly attribute the massive hacking campaign to Russia.
‘There was a significant effort to use a piece of third-party software to essentially embed code inside of US government systems,’ Pompeo told The Mark Levin Show on Friday.
‘This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.’
Russian President Vladimir Putin’s spokesman later denied Kremlin involvement, and the Russian embassy said in a statement that the country ‘does not conduct offensive operations in the cyber domain.’
The sprawling attack, which went undetected for nearly nine months, compromised the Departments of Homeland Security, Justice, Treasury, State and Energy, as well as a growing list of companies and local governments across the country.
Officials with the nation’s cybersecurity agency warn that the breach could be difficult to undo, saying the hackers ‘demonstrated sophistication and complex tradecraft’ and that it was likely that they had built additional secret backdoors while active inside the compromised networks.
Experts say there simply are not enough skilled threat-hunting teams to properly identify all the government and private-sector systems that may have been hacked, and warn infected networks may have to be ‘burned to the ground’ and rebuilt from scratch.