Most consequential cyberattack on U.S.

February 13, 2021, by Horst Buchwald

Washington, 2/13/2021

The FBI memo from early January was barely noticed. That was by design. After it became known that several U.S. agencies had been attacked by hackers in late December, the FBI and NSA investigated the case. Their conclusion: the goal of the intrusion was to gather information.

That this attack was downplayed was in the interest of Donald Trump, who was still in office. He dismissed out of hand the assessment of some security experts that Russia's elite hackers were behind it. Until his last day in office, the outgoing U.S. president did not order any countermeasures. Cybersecurity was obviously never an issue for him. That became clear when he abolished the post of White House cybersecurity adviser three years ago.

However, two other politicians, Senator Mark Warner, the Democratic chairman of the Senate Intelligence Committee, and Marco Rubio, the ranking Republican on that panel, had recognized that this attack was of a new quality. In a letter to the heads of the intelligence agencies, they complained about how uncoordinated the investigation into the cyberattack had been so far and how little Congress had been informed.

It has now also emerged that the hackers spent months penetrating the computer systems of companies and at least a dozen U.S. agencies. Unnoticed, they were able to read e-mail communications at the Treasury Department and to access the Justice Department's system that lawyers use to submit documents for court hearings. They also infiltrated the networks of the State Department, the Defense Department and the National Nuclear Security Administration (NNSA).

New President Joe Biden created the post of deputy national security adviser for cyber and emerging technologies immediately after the inauguration. It has now been filled by Anne Neuberger, a senior official on the National Security Council staff.

She formerly worked at the NSA intelligence agency, where she led, among other things, a unit that launched a preemptive strike against Russian hacking groups during the 2018 congressional elections. Neuberger's job is to help affected departments deal with the aftermath of last year's attack. She also serves as a liaison between affected private sector firms and the government. Most importantly, she coordinates the government's response and tries to draw fundamental lessons from the attack for future defensive work.

Gradually, the real significance is becoming clear. In a House hearing a few days ago, IT security expert Dmitri Alperovitch summed up the case: this was the most serious cyberattack ever against the United States.

Contrary to what was originally thought, the hackers penetrated their victims' systems not only via SolarWinds' software, but also via third-party companies such as Microsoft and Intel. About 30 percent of the victims had no connection to SolarWinds at all, said Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA).

It is also unclear whether the hackers planted "backdoors" in government computer systems for future attacks. Microsoft has admitted that the hackers penetrated its internal systems and gained access to confidential source code files. Source code is the foundation of a software product and is typically one of a software company's best-kept secrets. Microsoft said the hackers were not able to modify the source code, but acknowledged that they had gotten inside its systems through a compromised employee account. The software giant did not disclose what kind of source code was involved. Experts expressed fears that the hackers could now use the knowledge gained about Microsoft's software internals to plan further, even more sophisticated attacks.

The signs point to a storm

It is certain that the attackers exploited software from the U.S. company SolarWinds for their attack. According to the company, 425 of the Fortune 500 companies in the USA are among its users. The customer list also includes the DAX companies Siemens and Deutsche Telekom. Deutsche Telekom, which is based in Bonn, said: "According to analyses in Germany, there are currently no indications that we are affected. Investigations are still ongoing at isolated subsidiaries abroad." Siemens said it immediately took the protective measures recommended by SolarWinds after the hack became known.

After the international security firm FireEye investigated the case, more facts trickled out to the public. According to FireEye, the hackers were able to hijack the U.S. company's central management software, which is sold under the name Orion. The attackers managed to tamper with an update to the program and thereby gained access to customers' systems. "The campaign may have started as early as spring 2020 and is currently ongoing," FireEye's experts speculate.

The key role in penetrating the networks was played by the U.S. software company SolarWinds. Its Orion software is in use at all the relevant U.S. authorities. Because updates are always necessary, the attackers took advantage of this by inserting their own code into a legitimate Orion update; when customers installed it through the normal update process, the malicious code was let in undetected, since it arrived as a trusted vendor update rather than through any access control the customers themselves enforced. A short time later, the data theft began.

Some experts have been alarmed, because for the past few days the Cybersecurity and Infrastructure Security Agency (CISA) has been making people sit up and take notice with new bad news almost every hour. In addition to the National Nuclear Security Administration (NNSA), the Federal Energy Regulatory Commission (FERC) was also a victim of the attack. FERC is responsible for securing the nationwide supply of electricity, oil and gas in the USA. This includes substations, oil and gas storage facilities, terminals, power grids and energy providers, in other words, everything that keeps the economy and daily life going. The extent of the compromise discovered, i.e. the hackers' "haul," in FERC's area of responsibility alone is so large that CISA has had to admit it does not have enough resources to deal with it. Its director, Christopher Krebs, had also recently been fired by President Trump.

If a state actor is behind this, it should consider itself warned. Because it seems that the U.S. is in panic mode at the moment. It is virtually wandering through its basement looking for the telltale signs of the burglars, and with every clue it discovers, the pressure for retaliation increases. International law does not yet have any binding legal regime for cyberspace. Packages of measures under customary international law (set out in the Tallinn Manual 2.0, among others) remain controversial. Hopefully, U.S. anger will not turn to violence. In any case, the attack will not go unanswered. Whether the extensive network outages at the Russian telecom provider Rostelecom a few days ago are already a sign of worse attacks remains speculation for the time being. At the moment, however, the signs clearly point to a storm.