How to Understand the Russia Hack Fallout

Not all SolarWinds victims are created equal.

As reports continue to come out about the SolarWinds hack, it's important to understand the distinctions between victims. Photograph: KIRILL KUDRYAVTSEV/Getty Images

This week news broke that United States government agencies and corporations alike—as well as international targets—were victims of a massive nation-state espionage campaign. But as the revelations continue to pile up, and new targets are discovered by the day, it can be hard to get a handle on what exactly happened and what it all means.

The hackers, who have been widely reported as Russian, compromised high-profile targets like the US Commerce, Treasury, Homeland Security, and Energy Departments, as well as companies like the security firm FireEye. All of the attacks appear to stem from one initial compromise of the IT infrastructure and network-management firm SolarWinds. Hackers had breached the company as far back as October 2019, then planted malicious code in software updates to its network-monitoring tool, Orion. Any customer that installed an Orion patch released between March and June inadvertently planted a Russian backdoor on their own network.

In a statement on Thursday, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency said it "has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations." CISA, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence are all part of a "Cyber Unified Coordination Group" that is quarterbacking the US government's response to the widespread intrusions and working to get a handle on the scale and scope of the situation as quickly as possible.

Not all of the victims of this campaign were affected in the same way. In some cases Russia planted a backdoor but didn't go any further; in others, it moved deep within their networks for reconnaissance and data exfiltration. Figuring out the difference—and the implications of each—is going to be increasingly important as investigators dig deeper into the SolarWinds morass.

In the Ether

SolarWinds claims to have more than 300,000 customers in total, but not all of them would have been impacted by the company's compromise. For one thing, the situation only affects those who use Orion, and within that group only those who installed the tainted patches would have been exposed. SolarWinds said in a US Securities and Exchange Commission breach filing on Monday that it has notified roughly 33,000 Orion customers about the risk posed by the malicious software updates. But the company also said in its submission that it believes "the actual number" of customers with potential exposure is less than 18,000.

While it's generally a best practice to install updates on your personal devices as soon as possible, things often work a little differently in massive enterprise IT settings. Organizations are often way behind on patching their network infrastructure and fleet of devices; running these updates without causing downtime or other unforeseen problems involves complicated logistics. This is almost always a bad thing in terms of security. For example, widespread failure to patch let the Windows bug EternalBlue wreak havoc in 2017 and beyond. But in this case, being behind seemingly allowed many Orion users to dodge a bullet, because they never actually installed the tainted updates. It can take large organizations time, though, to confirm whether the patches made it through at all.

"The fear on this one is real," says David Kennedy, CEO of the threat-tracking firm Binary Defense Systems, who formerly worked at the NSA and with the Marine Corps' Signals Intelligence unit. "This type of attack could allow the adversary access to essentially anyone they wanted that had SolarWinds Orion and the bad patch. There is a large scramble right now to see which systems were compromised, and if there is a probability this could have happened, organizations need to investigate."

In the Neighborhood

Of the 18,000 Orion customers at serious risk, incident responders say it's important to understand that not all were actually victims of deep targeting. When users downloaded the malicious Orion updates, they were essentially wheeling a Trojan horse into their networks. But this is a digital and remotely accessible Trojan horse that attackers can leave dormant forever or can activate at will. To move forward with the attack at a given target, the attackers would send commands to the implant for it to download more malware that would allow the attackers to enter the victim's network. At that point, the hackers might use this access to go all the way in digitally ransacking the target's data, or they might look around a bit and lose interest.

This means there are really three subgroups within the potential victims of these attacks: Orion users who installed the backdoor but were never otherwise exploited; victims who had some malicious activity on their networks, but who ultimately weren't appealing targets for attackers; and victims who were actually deeply compromised because they held valuable data.

"If they didn't exfiltrate data, it’s because they didn’t want it," says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. "If they didn’t take access, it’s because they weren’t interested in it."

Even so, those first and second groups still need to neuter the backdoor to prevent future access. Since it was able to analyze indicators from its own breach, FireEye led an effort that other firms have since joined to publish information about the anatomy of the attacks. Some of the "indicators of compromise" include IP addresses and Domain Name System record responses associated with the attackers' malicious infrastructure. Responders and victims can use this information to check whether servers or other devices on their networks have been communicating with the hackers' systems. Microsoft also worked with FireEye and GoDaddy to develop a sort of "kill switch" for the backdoor by seizing control of IP addresses the malware communicates with, so it can't receive commands anymore.

Eliminating the backdoor is crucial, especially since the attackers have still been actively exploiting it. And now that the technical details about their infrastructure are public, there's also a risk that other hackers could piggyback on the malicious access as well if it's not locked down.

In the House

For victims who suffered deeper compromise, though, simply closing the door is not enough, because attackers have already established themselves inside.

For clear targets like US government agencies, the question is what exactly attackers got access to and what bigger picture that information can paint in terms of geopolitics, US defensive and offensive capabilities across the Department of Defense, critical infrastructure, and more.

Identifying exactly what was taken is challenging and time consuming. For example, some reports have indicated that hackers breached critical systems of the Department of Energy's National Nuclear Security Administration, which is responsible for the US nuclear weapons arsenal. But DOE spokesperson Shaylyn Hynes said in a statement late Thursday that while attackers did access DOE "business networks," they did not breach "the mission-essential national security functions of the Department."

"The investigation is ongoing, and the response to this incident is happening in real time," Hynes said.

This is the situation for all victims at this point. Some targets will go on to discover that they were impacted more deeply than they initially believed; others may find that hackers kicked the tires but didn't go any further. This is the core danger of a supply chain attack such as the SolarWinds breach: attackers get a huge amount of access all at once and can have their pick of the victims while responders are left playing catch-up.

Though it's difficult to establish the full scope of the situation, researchers have been making a concerted effort to sort out who was hit and how badly. By tracking and linking IP addresses, DNS records, and other attacker flags, security analysts are even developing methods to proactively identify targets. Kaspersky Labs, for example, released a tool on Friday that decodes DNS requests from the attackers' command-and-control infrastructure that could help indicate which targets the hackers prioritized.

The news about the hacking spree will likely continue for weeks as more organizations identify where they fit in the rubric of potential targets. Microsoft president Brad Smith wrote on Thursday that the company has notified more than 40 customers about signs of deep intrusion on their networks. And Microsoft says that while the vast majority of these victims are in the US, some are in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates. "It’s certain that the number and location of victims will keep growing," Smith added.

Later that night, Microsoft confirmed that it had been compromised in the campaign as well.
