Suspected Russian government hackers breached the computer networks of the US Defense Department. The Commerce Department. The Treasury Department. The State Department. Homeland Security. Even the part of the Energy Department that oversees America’s nuclear arsenal.
And it appears they’ve had access since as far back as March.
It’s one of the largest and most brazen hacks in American history — and it may just be the beginning of a much larger global espionage effort.
What makes it even more troubling is that it’s still unclear precisely what they got access to. Some experts believe it may take years before the hackers are completely out of the US government’s networks and the full extent of their spying efforts are understood.
And it gets worse: Reuters on Thursday reported that the hackers also gained access to Microsoft, which means anyone who uses their software could potentially be compromised.
This all sounds scary, and there really is reason for concern. To better understand what we know, what the stakes are, and what all this could mean, I called up Columbia University’s Jason Healey. Healey is a cybersecurity expert, a former Air Force officer and White House official, and the author of the first history of conflict in cyberspace.
In our conversation, he explained the underlying danger of it all: “To put it in war-fighting terms: [Vladimir] Putin had us entirely at risk of attack, and we had zero idea.”
That’s bad enough, but it could get much, much worse, especially if the hackers also got into European systems and the networks of multinational firms. “If the Russians were in these companies, especially Microsoft, I strongly suspect they’re also going to be in German, French, British, Japanese, and South Korean companies,” he told me. It’s possible, then, that “this has only started.”
Our conversation, edited for length and clarity, is below.
Let’s start with the basics: What happened here?
The Russians, knowing they would struggle mightily to get into hard targets — the US government and also members of the Fortune 500 — instead found that they all used the same software for network management, made by a company called SolarWinds.
Rather than trying to come in the front door, they hacked SolarWinds and inserted their own code into the software. Then SolarWinds signed it and said, “Yes, this is authentic SolarWinds software.” Then all of those targets, and surely European and other democratic governments, also downloaded and accepted that Trojan horse unknowingly — and it’s been sitting there for months.
Why does it seem like US officials and many others suspect it was Russian, even though no one has officially attributed the hack to Russia yet?
We can figure out attribution in many ways. For example, it might be something technical, like the hackers left something behind in their code, or investigators could see that it had been compiled in Cyrillic.
Sometimes, we can just see they’re using the same infrastructure, they’re using the same means as others that we’ve seen, and we can match that up. I’m a fan of the Ocean’s Eleven movies. If you’re in the Ocean’s Eleven world and you know anything about art crime, you would know immediately if a robbery was done by Ocean’s gang or the Night Fox. The same is true here.
In other cases, you can figure it out by context. When the Russians went after Estonia, it was pretty clear who was attacking the Estonians, right? At least you could form a pretty good hypothesis.
And last, there might be actual hard intelligence. We might be in the Russians’ networks and seeing what they did.
I suspect that in this case, attribution came because US officials saw the same tactics and techniques, the “fingerprints” of the Russian group Cozy Bear, that we’ve seen before. They were probably able to quickly attribute the hack to them it because of that.
The methods used to carry out the cyberhack are consistent with Russian cyber operations.— Marco Rubio (@marcorubio) December 18, 2020
But it’s crucial we have complete certainty about who is behind this.
We can’t afford to be wrong on attribution, because America must retaliate, and not just with sanctions.
What can we suspect the hackers are doing inside the networks of all these federal agencies?
There’s what they’ve likely been doing, and then there’s what they could have been doing.
First, they would have had to expand out the presence from just the SolarWinds software. With SolarWinds, they would’ve had a great visibility into the networks they were in, like the Department of Homeland Security. That’s useful, but not nearly as useful as it might be. So then they would’ve had to set up ways to collect information and send it back out.
Unfortunately, SolarWinds is the kind of software that already is sending a lot of information around. Therefore, the Russians were able to camouflage the information that they were stealing as part of that, it looks like. They didn’t have to hire a human spy to try and get into the Department of Homeland Security and Commerce and Defense and the other places. They were able to use the SolarWinds software to gain the access so they could just steal that information.
The first step, then, was getting into the right places. The second step was taking stuff away.
A lot of the comments I’ve seen have focused on how this is not an attack, this is espionage. That’s absolutely right. But imagine if this went undetected for another six months, and a new crisis arose. Say, hypothetically, [President-elect Joe] Biden wanted to support pro-democracy demonstrators in Belarus after Russian President Vladimir Putin significantly backed the autocrat in power against those protesters.
With the access that Putin had with the SolarWind software — and then, oh, my god, it’s even worse if they got into Microsoft — imagine the damage that Russia could do if it switched from espionage to disruption. To put it in war-fighting terms: Putin had us entirely at risk of attack, and we had zero idea.
Why does the reported Microsoft hack appear to distress you so much?
SolarWinds is deep in networks, and many companies use it for their “plumbing,” let’s say. Microsoft isn’t just in a couple or even tens of thousands of places, it’s in millions of places. It’s everywhere. The absolute worst case is if they were able to do to Microsoft what they did to SolarWinds, and when we use Microsoft email, we have accepted Russian code. Potentially, then, everybody who’s using Microsoft 365 was compromised.
The amount of what you can do from a popular network management software to probably the most powerful technology company to ever exist, and one of the most powerful companies ever, that’s really substantial.
How could this hack go undetected for so long?
In part because the Russians were pretty good. I don’t want to say brilliant, but they were good enough to know what they needed to do to stay. Also because this kind of software was already in so many of the places that they needed to go, like routers. They were substantially helped just because they were going after network management software.
What kind of things might the hackers have access to?
The upside is that — we suspect, fingers crossed — they were only in the unclassified networks, which would have given them a solid understanding about America’s unclassified work. They were in the National Nuclear Security Administration (NNSA) of the Department of Energy, but only on the unclassified side, and we don’t have unclassified plans for nuclear warheads. Those are all deeply classified.
They might now understand the inner workings of the NNSA: its organizational structure, who was traveling, and maybe things like unclassified strategic plans. But they wouldn’t have gotten the crown jewels like our warhead design.
We can say the same thing, hopefully, about the Department of Defense, of Commerce, of Treasury, and the rest.
By the way, it looks like we caught the Russians doing this, but who’s to say the Chinese don’t have some kind of similar access?
I assume the US will retaliate for this espionage effort, and I’d also assume US officials are deep into Russian and whoever else’s networks right now.
We can assume so, and after mid-January I think we can expect something. [President] Trump so far hasn’t said anything about this.
I think there’s no doubt that there will be some retaliation as long as it doesn’t particularly violate any stated US norms. The US is going to say we’re going to go back to Russian intelligence, maybe we’re going to try and knock down their home networks, we do additional sanctions and indictments, if we can figure out whom to do that against.
I would suspect a lot more aggression from US Cyber Command against the Russians instead of just stalking them for intelligence purposes, like actively moving to stop them wherever we can.
There is a risk that, when you confront adversaries, they’re going to burn it all down. The North Koreans do this, for example. They destroy your infrastructure rather than get kicked out of where you caught them. It would surprise me if these hackers did that, but it’s possible.
Could this hack be even broader than we’ve already detected?
I have no doubt that this, at least in the United States, is going to be a major shock. But just wait until this hits Europe. If the Russians were in these US companies, especially Microsoft, I strongly suspect they’re also going to be in German, French, British, Japanese, and South Korean companies.
This has only started.
What’s the big takeaway from all of this?
This just demonstrates the amazing vulnerability of our digital societies. We have this critical dependency on a small bit of software that none of us have ever heard of, that all of a sudden has a vulnerability that someone attacks, and it ends up having this massive, system-wide impact.
Dan Geer, one of the smartest people in the cybersecurity business, said as society becomes more technological, it becomes increasingly dependent on “distant digital perfection,” basically meaning we need almost everything to be perfect in order not to be vulnerable — and of course everything is far from perfect.
So let’s take this big picture. It’s unlikely that our kids are going to have an internet that’s as open, secure, and resilient as the one that we have today. With these kinds of attacks going on, and the amount of vulnerability that we have, things are going in a really, really bad direction.
This isn’t a sustainable way to run a global internet — it’s going to get messed up.