Alleged Russian Authentication Hack Has US Companies on Alert
The U.S. Department of Homeland Security and thousands of businesses were put on alert on Monday following a sophisticated hacking campaign that is suspected to be orchestrated by the Russian government.
The breach started at technology company SolarWinds, which was used as a stepping stone — Reuters reports — after 18,000 of the company's customers downloaded a compromised software update.
This allowed hackers to spy on businesses and government agencies for close to nine months.
SolarWinds hack starts chain of events
In a regulatory disclosure, SolarWinds said it believed the attack was carried out by an "outside nation state" that inserted malicious code into updates — issued between March and June of this year — of its Orion network management software.
"SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” it said.
As Ars Technica writes, the hackers reportedly used a novel technique to bypass MFA protections provided by Duo. This involved them gaining administrative privileges on the infected network before using them to steal a Duo secret known as an akey from a server running Outlook Web App, which is used to provide account authentication for various services.
Government agencies compromised
Three insiders reported to Reuters that emails sent by officials at DHS, which oversees border security and defense against hacking, were monitored by the hackers as part of the advanced hacking campaign.
Since the attacks were first revealed on Sunday, reports have emerged from Reuters, the New York Times, and the Washington Post that agencies affected include the U.S. departments of Treasury and Commerce, the Defense Department, State Department and National Institutes of Health were hacked.
All of these are customers of SolarWinds, alongside the majority of the United States’ Fortune 500 companies and several British government agencies.
"For operational security reasons the DoD will not comment on specific mitigation measures or specify systems that may have been impacted," a Pentagon spokesman said.
'Malicious actors' responsible for 'cyber espionage'
The United States issued an emergency warning on Sunday, ordering government users to disconnect SolarWinds software compromised by "malicious actors." Moscow denied having any involvement in the cyber attacks.
One of Reuters' insiders emphasized that the critical network that DHS’ cybersecurity division uses to protect infrastructure, including the recent elections, was not breached by the cyber attack.
As the attackers could use SolarWinds to get inside a network and then create a new backdoor, disconnecting from the company's network management program might not be enough to get rid of the problem, cybersecurity experts claim.
FireEye, a cybersecurity company affected by the breach, said in a blog post that other targets included "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East."
"If it is cyber espionage, then it one of the most effective cyber espionage campaigns we’ve seen in quite some time," explained John Hultquist, FireEye’s director of intelligence analysis.