As we learn more about the SolarWinds cyber attack, which affected both U.S. government agencies and private companies, it is clear just how serious it is. The attack and its implications are reviewed in several posts in the latest Cyber Security Intelligence newsletter.
Although Russia has denied it, and government agencies have not officially named them, they are the probable source of the attack. According to the Cybersecurity and Infrastructure Security Agency (CISA), the hacks began at least as far back as March 2020 (later information put the start at October 2019, and SolarWinds had been warned two years earlier) and "demonstrated patience, operational security and complex tradecraft". Government targets include the Treasury, Energy and Commerce Departments and the National Nuclear Security Administration. Microsoft has identified over 40 targeted customers, both government agencies and private companies.
While SolarWinds software has been identified as the vulnerability in the attack, CISA has identified at least one other vector. The Department of Homeland Security also reported that the attackers used multiple methods of entry.
The hackers also compromised building control system devices and industrial control systems. These systems are now over 20 years old and easy to compromise. The BlackEnergy malware used in this and previous attacks is difficult to detect.
Agencies have taken steps to limit the damage, but the hackers may have removed the logs that showed which files were accessed. At this point, it appears we don't know what we don't know.
How serious is this? Ronald Marks, a visiting professor at George Mason University, calls it "The End of the American Cyber Empire". In a signed article, Marks claims the Russians have undermined the low-intensity conflict "battlefield" of the American cyber system. Despite billions of dollars spent on public and private cyber security, thousands of security personnel, new agencies like CISA and new safety measures, we were still hacked big time.
President-elect Biden has promised to focus on cyber security. It will be a daunting task. As Marks puts it, "my condolences to the first National Cyber Director".
Since this was first written, additional information has come out and will be posted here subsequently.