But what little we know has cybersecurity experts extremely worried — with some describing the attack as a literal wakeup call.
“I woke up in the middle of the night last night just sick to my stomach,” said Theresa Payton, who served as White House Chief Information Officer under President George W. Bush. “On a scale of 1 to 10, I’m at a 9 — and it’s not because of what I know; it’s because of what we still don’t know.”
Since then, more details have emerged suggesting a much wider pattern of compromise. As many as 18,000 SolarWinds customers — out of a total of 300,000 — may have been running software containing the vulnerability that allowed the hackers to penetrate the Commerce Department, the company disclosed in an investor filing this week.
Here’s why the cyberattacks disclosed this week are keeping experts up at night — based on who was targeted, the suspected identities of the attackers and their playbook, according to analysts contacted by CNN Business and published security reports.
All federal agencies on alert
One reason the attack is so concerning is because of who may have been victimized by the spying campaign.
At least three US agencies have publicly confirmed they were compromised: The Department of Commerce, the Department of Homeland Security and the Agriculture Department.
But the range of potential victims is much, much larger, raising the troubling prospect that the US military, the White House or public health agencies responding to the pandemic may have been targeted by the foreign spying, too. The Justice Department, the National Security Agency and even the US Postal Service have all been cited by security experts as potentially vulnerable.
Security experts say this is merely the beginning. In the coming days, we may learn that many more companies and agencies have been compromised than we initially suspected. And we still don’t know what information may have been lost or stolen.
Extraordinarily skilled attackers
Another reason to worry is that the attackers appear to have been extraordinarily skilled and determined.
“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” FireEye said, adding that the breaches appear to date as far back as the spring. “Each of the attacks require meticulous planning and manual interaction.”
Attributing any cyberattack is hard under the best of circumstances and even more challenging when a sophisticated actor works to cover their tracks, as these did. But US officials have tentatively said that the culprit may have links to Russia.
That agents of a foreign government may have been responsible for the breaches is a worrisome sign of not only the attackers’ capabilities, but also their motives. These weren’t opportunistic cybercriminals indiscriminately probing whatever targets they could find in hopes of extorting their victims for a quick payday. These were highly motivated attackers who selected each of their victims for a specific purpose that remains unknown.
“If you compromise somebody’s network for 6 months, there’s a lot of opportunity,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a security think tank. “It’s an amazing coup for the Russians — really impressive.”
An unusual and creative hack
A third reason for concern is the unusual and creative way the attackers carried out their operation: By disguising the initial attack within legitimate software updates issued by SolarWinds.
“SolarWinds is one of the most widely used and effective tools for network monitoring, including across federal networks and major corporations,” said Jamie Barnett, a retired Navy rear admiral and senior vice president at the cybersecurity firm RigNet. “It takes a state-level cyberattack to get into the SolarWinds updates and patches.”
By piggybacking on otherwise trusted software updates, the attackers cleverly took advantage of the normal and recommended best practice of keeping software up to date. Thousands of companies and government agencies could thus have been exposed simply for doing the right thing.
That’s what’s so scary: It’s not clear what could have been done differently in this case, because the very process meant to reassure users that “this software can be trusted” was itself compromised.
The rising frequency and intensity of state-sponsored hacking has some security cybersecurity leaders reiterating calls for a global treaty on cyberwarfare.
“We need a set of binding rules,” Microsoft president Brad Smith said at an event Tuesday held by the Ronald Reagan Foundation and Institute. “And we need a commitment by the democracies of the world to hold authoritarian regimes accountable, so they keep their hands off of civilians in this time of peace when it comes to cyberspace.”
Other experts are increasingly questioning the reliance of many businesses on just a handful of third-party vendors, and saying that perhaps society makes it a little too easy for data to be accessed or shared, particularly during a pandemic when working remotely is normal for countless individuals.
“It begs the question: ‘In cybersecurity, do we have a ‘too big to fail’ situation? And did it happen right under our noses, while we were telling everybody to spend more, to tool up, to get products?” said Payton.