The fallout from massive Russian cyberattacks on the U.S. government and private companies continues to spread, touching everything from Cox Communications to an Arizona County to the U.S. agency that oversees the nation’s nuclear arsenal.
Experts say even more victims will likely emerge. But perhaps the most stunning part of the attack is that it was perpetrated using the very services designed to keep computer networks safe in the first place: system updates. The hackers did this by secretly implanting malicious code into software updates, then activating the code to launch the attacks weeks later to further cover their tracks.
“To put it bluntly, based on all the initial data and speaking with our Beltway contacts we believe this cyber attack will likely rank as one of the worst in the last decade given the targeted and cyber espionage nature of this attack,” Dan Ives of Wedbush Securities wrote in a recent note.
An ingenious, dangerous attack
The early investigations into the attack point to it first striking a company called Solarwinds (SWI), which offers network monitoring and management software used by more than 300,000 companies and government entities wordwide.
Solarwinds says attackers placed malicious code, now called Sunburst, into software updates for the company’s Orion platform. When customers downloaded the updates, they unknowingly brought the Sunburst code onto their own servers. From there, the hackers targeted dozens of Solwarwinds customers.
Solarwinds estimates that 18,000 customers across the globe downloaded the update containing Sunburst. Microsoft (MSFT), which is assisting in the response to the attack, says that of those customers, the hackers then targeted some 40 organizations.
According to NYU Tandon School of Engineering professor Justin Cappos, this kind of attack is especially insidious, because it exploits something you’re supposed to do to prevent hacks in the first place: updating your software.
“When nation states want to attack, they tend to attack through software updaters, because the advantage to this is you’re supposed to be doing things like applying a software update, and if you don’t apply software updates, you’re absolutely, definitely vulnerable. Because old software is vulnerable software,” Cappos, a cybersecurity expert, told Yahoo Finance.
That’s the ingenious nature of this attack. Using old, outdated software is dangerous, because the longer a piece of software has been available, the better chance there is that someone has found a way to hack it, which can lead to any number of unforeseen attacks.
One of the best ways for companies, governments, and consumers to protect themselves from such attacks is keep their software up to date. But this attack went after the very updates Solarwinds’ customers downloaded to keep them safe in the first place.
Once on a victim’s systems, the software sat for weeks before being activated and beginning to read, steal, or disrupt any available data.
It’s worth pointing out that companies don’t always trust the software updates they install on their systems, and some do update checks to prevent situations like this.
From Solarwinds to the Treasury Department and beyond
The attack on Solarwinds first came to light when cybersecurity firm FireEye (FEYE) revealed that it had been hacked via a nation-state, likely Russia, on Dec. 8. That a major cybersecurity company like FireEye was attacked was news itself. Following that announcement, an avalanche of government entities and private companies began revealing the same attack had hit them.
The Treasury and Commerce Departments were the next victims to emerge, followed by the Department of Homeland Security and State Department, as well as the National Nuclear Security Administration. Microsoft revealed it was also hit with the hack, but that the attackers didn’t gain access to customer data.
Cybersecurity FireEye was one of the first companies to report it was the victim of the cyberattack. (Image: Reuters/Beck Diefenbach)
And on Friday, Reuters reported that Cox Communications was impacted by the hack as was the Pima, Arizona county government.
What can hacks like this mean?
The Solarwinds attack is likely just one of a number of attacks that we have yet to hear about, according to Jonathan Katz, a professor of computer science at the University of Maryland.
“I think that countries are continually trying to probe the defenses of other countries and sometimes they’re successful and then sometimes we hear about it and sometimes where they’re successful we don’t hear about it,” he told Yahoo Finance. “And many times they are unsuccessful and, of course, we never hear about those.”
But what kind of damage could hacks into major government agencies incur? Katz, using a fictional attack on the Social Security Administration as an example, said that hackers could disrupt payments to Americans, or delete the database containing information on who receives payments, causing chaos for millions of citizens who rely on their Social Security benefits.
In a more dangerous scenario, he said, hackers could attack Defense Department systems and potentially disrupt communications between troops in the field.
While the ultimate goals of the Solarwind attacks are still unknown, this is far from the last we’ll hear about them.