HOME

TheInfoList



OR:

In 2020, a major
cyberattack A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricte ...
suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the
United States federal government The federal government of the United States (U.S. federal government or U.S. government) is the national government of the United States, a federal republic located primarily in North America, composed of 50 states, a city within a fe ...
, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included
NATO The North Atlantic Treaty Organization (NATO, ; french: Organisation du traité de l'Atlantique nord, ), also called the North Atlantic Alliance, is an intergovernmental military alliance between 30 member states – 28 European and two No ...
, the U.K. government, the
European Parliament The European Parliament (EP) is one of the legislative bodies of the European Union and one of its seven institutions. Together with the Council of the European Union (known as the Council and informally as the Council of Ministers), it adopts ...
,
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
and others. The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the
U.S. Treasury Department The Department of the Treasury (USDT) is the national treasury and finance department of the federal government of the United States, where it serves as an executive department. The department oversees the Bureau of Engraving and Printing and ...
and the National Telecommunications and Information Administration (NTIA), part of the
U.S. Department of Commerce The United States Department of Commerce is an executive department of the U.S. federal government concerned with creating the conditions for economic growth and opportunity. Among its tasks are gathering economic and demographic data for busin ...
. In the following days, more departments and private organizations reported breaches. The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms:
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
,
SolarWinds SolarWinds Corporation is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. It is headquartered in Austin, Texas, with sales and product development offi ...
, and
VMware VMware, Inc. is an American cloud computing and virtualization technology company with headquarters in Palo Alto, California. VMware was the first commercially successful company to virtualize the x86 architecture. VMware's desktop software ru ...
. A supply chain attack on Microsoft cloud services provided one way for the attackers to breach their victims, depending upon whether the victims had bought those services through a reseller. A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided another avenue, if the victim used that software. Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim resources via
single sign-on Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-enterin ...
infrastructure. In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution. U.S. Senator
Richard J. Durbin Richard Joseph Durbin (born November 21, 1944) is an American lawyer and politician serving as the senior United States senator from Illinois, a seat he has held since 1997. A member of the Democratic Party, Durbin has served as the Senate Dem ...
described the cyberattack as tantamount to a declaration of war. President
Donald Trump Donald John Trump (born June 14, 1946) is an American politician, media personality, and businessman who served as the 45th president of the United States from 2017 to 2021. Trump graduated from the Wharton School of the University of P ...
was silent for days after the attack, before suggesting that China, not
Russia Russia (, , ), or the Russian Federation, is a transcontinental country spanning Eastern Europe and Northern Asia. It is the largest country in the world, with its internationally recognised territory covering , and encompassing one-eig ...
, might have been responsible for it, and that "everything is well under control".


Background

SolarWinds SolarWinds Corporation is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. It is headquartered in Austin, Texas, with sales and product development offi ...
, a
Texas Texas (, ; Spanish: ''Texas'', ''Tejas'') is a state in the South Central region of the United States. At 268,596 square miles (695,662 km2), and with more than 29.1 million residents in 2020, it is the second-largest U.S. state by ...
-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack. SolarWinds did not employ a chief information security officer or senior director of cybersecurity. Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017. SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software. In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, warning that "any hacker could upload malicious iles that would then be distributed to SolarWinds customers. Furthermore, SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents. On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired. That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds. The firms denied insider trading.


Methodology

Multiple
attack vector In computer security, an attack vector is a specific path, method, or scenario that can be exploited to break into an IT system, thus compromising its security. The term was derived from the corresponding notion of vector in biology. An attack ve ...
s were used in the course of breaching the various victims of the incident.


Microsoft exploits

The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure. At least one reseller of Microsoft cloud services was compromised by the attackers, constituting a supply chain attack that allowed the attackers to access Microsoft cloud services used by the reseller's customers. Alongside this, "
Zerologon Zerologon (formally: ) is a critical vulnerability in Microsoft's authentication protocol Netlogon, as implemented in some versions of Microsoft Windows and Samba. Severity Zerologon has a score of 10 under the Common Vulnerability Scoring Syst ...
", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached. This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts. Additionally, a flaw in Microsoft's
Outlook Web App Outlook on the web (previously known as Exchange Web Connect, Outlook Web Access, and Outlook Web App) is a personal information manager web app from Microsoft. It includes a web-based email client, a calendar tool, a contact manager, and a ta ...
may have allowed attackers to bypass
multi-factor authentication Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting ...
. Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months. This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems. The presence of
single sign-on Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-enterin ...
infrastructure increased the viability of the attack.


SolarWinds exploit

Here, too, the attackers used a supply chain attack. The attackers accessed the build system belonging to the software company
SolarWinds SolarWinds Corporation is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure. It is headquartered in Austin, Texas, with sales and product development offi ...
, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point. The attackers established a foothold in SolarWinds's software publishing infrastructure no later than September 2019. In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion. The first known modification, in October 2019, was merely a
proof of concept Proof of concept (POC or PoC), also known as proof of principle, is a realization of a certain method or idea in order to demonstrate its feasibility, or a demonstration in principle with the aim of verifying that some concept or theory has prac ...
. Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure. In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them. These users included U.S. government customers in the executive branch, the military, and the intelligence services (see
Impact Impact may refer to: * Impact (mechanics), a high force or shock (mechanics) over a short time period * Impact, Texas, a town in Taylor County, Texas, US Science and technology * Impact crater, a meteor crater caused by an impact event * Impac ...
section, below). If a user installed the update, this would execute the malware payload, which would stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers. The communications were designed to mimic legitimate SolarWinds traffic. If able to contact one of those servers, this would alert the attackers of a successful malware deployment and offer the attackers a back door that the attackers could choose to utilise if they wished to exploit the system further. The malware started to contact command-and-control servers in April 2020, initially from North America and Europe and subsequently from other continents too. The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets. Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt strike components, and seeking additional access. Because Orion was connected to customers' Office 365 accounts as a trusted 3rd-party application, the attackers were able to access emails and other confidential documents. This access apparently helped them to hunt for certificates that would let them sign
SAML Security Assertion Markup Language (SAML, pronounced ''SAM-el'', ) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based ...
tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory. Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network. Having accessed data of interest, they encrypted and exfiltrated it. The attackers hosted their command-and-control servers on commercial cloud services from
Amazon Amazon most often refers to: * Amazons, a tribe of female warriors in Greek mythology * Amazon rainforest, a rainforest covering most of the Amazon basin * Amazon River, in South America * Amazon (company), an American multinational technolog ...
,
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
,
GoDaddy GoDaddy Inc. is an American publicly traded Internet domain registrar and web hosting company headquartered in Tempe, Arizona, and incorporated in Delaware. , GoDaddy has more than 21 million customers and over 6,600 employees worldwide. The ...
and others. By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the
Department of Homeland Security The United States Department of Homeland Security (DHS) is the U.S. federal executive department responsible for public security, roughly comparable to the interior or home ministries of other countries. Its stated missions involve anti-terr ...
(DHS). FBI investigators recently found that a separate flaw in software made by SolarWinds Corp was used by hackers tied to another foreign government to help break into U.S. government computers.


VMware exploits

Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers. As of December 18, 2020, while it was definitively known that the SUNBURST trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.


Discovery


Microsoft exploits

During 2019 and 2020, cybersecurity firm Volexity discovered an attacker making suspicious usage of Microsoft products within the network of a
think tank A think tank, or policy institute, is a research institute that performs research and advocacy concerning topics such as social policy, political strategy, economics, military, technology, and culture. Most think tanks are non-governmenta ...
whose identity has not publicly been revealed. The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel, and used a novel method to bypass
multi-factor authentication Multi-factor authentication (MFA; encompassing two-factor authentication, or 2FA, along with similar terms) is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting ...
. Later, in June and July 2020, Volexity observed the attacker utilising the SolarWinds Orion trojan; i.e. the attacker used Microsoft vulnerabilities (initially) and SolarWinds supply chain attacks (later on) to achieve their goals. Volexity said it was not able to identify the attacker. Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to
CrowdStrike CrowdStrike Holdings, Inc. is an American cybersecurity technology company based in Austin, Texas. It provides cloud workload and endpoint security, threat intelligence, and cyberattack response services. The company has been involved in inves ...
. That attack failed because - for security reasons - CrowdStrike does not use Office 365 for email. Separately, in or shortly before October 2020, Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting zerologon, a vulnerability in Microsoft's NetLogon protocol. This was reported to CISA, who issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised. Using VirusTotal, ''
The Intercept ''The Intercept'' is an American left-wing news website founded by Glenn Greenwald, Jeremy Scahill, Laura Poitras and funded by billionaire eBay co-founder Pierre Omidyar. Its current editor is Betsy Reed. The publication initially reporte ...
'' discovered continued indicators of compromise in December 2020, suggesting that the attacker might still be active in the network of the city government of
Austin, Texas Austin is the capital city of the U.S. state of Texas, as well as the seat and largest city of Travis County, with portions extending into Hays and Williamson counties. Incorporated on December 27, 1839, it is the 11th-most-populous city ...
.


SolarWinds exploit

On December 8, 2020, the cybersecurity firm
FireEye Trellix (formerly FireEye and McAfee Enterprise) is a privately held cybersecurity company founded in 2022. It has been involved in the detection and prevention of major cyber attacks. It provides hardware, software, and services to investigat ...
announced that
red team A red team or team red are a group that plays the role of an enemy or competitor to provide security feedback from that perspective. Red teams are used in many fields, especially in cybersecurity, airport security, law enforcement, the military a ...
tools had been stolen from it by what it believed to be a state-sponsored attacker. FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service. FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft. After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks. The NSA is not known to have been aware of the attack before being notified by FireEye. The NSA uses SolarWinds software itself. Some days later, on December 13, when breaches at the Treasury and Department of Commerce were publicly confirmed to exist,
sources Source may refer to: Research * Historical document * Historical source * Source (intelligence) or sub source, typically a confidential provider of non open-source intelligence * Source (journalism), a person, publication, publishing institute o ...
said that the FireEye breach was related. On December 15, FireEye confirmed that the
vector Vector most often refers to: *Euclidean vector, a quantity with a magnitude and a direction *Vector (epidemiology), an agent that carries and transmits an infectious pathogen into another living organism Vector may also refer to: Mathematic ...
used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion. The security community shifted its attention to Orion. The infected versions were found to be ''2019.4'' through ''2020.2.1 HF1'', released between March 2020 and June 2020. FireEye named the malware SUNBURST. Microsoft called it Solorigate. The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by cybersecurity firm CrowdStrike, who called it SUNSPOT. Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion
binaries A binary file is a computer file that is not a text file. The term "binary file" is often used as a term meaning "non-text file". Many binary file formats contain parts that can be interpreted as text; for example, some computer document fil ...
, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline. July 2021 analysis published by the Google Threat Analysis Group found that a "likely Russian government-backed actor" exploited a zero-day vulnerability in fully-updated iPhones to steal authentication credentials by sending messages to government officials on
LinkedIn LinkedIn () is an American business and employment-oriented online service that operates via websites and mobile apps. Launched on May 5, 2003, the platform is primarily used for professional networking and career development, and allows job se ...
.


VMware exploits

Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager. VMware released patches on December 3, 2020. On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.


Responsibility


Conclusions by investigators

SolarWinds said it believed the malware insertion into Orion was performed by a foreign nation. Russian-sponsored
hackers A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means. Though the term ''hacker'' has become associated in popu ...
were suspected to be responsible. U.S. officials stated that the specific groups responsible were probably the SVR or
Cozy Bear Cozy Bear, classified by the United States federal government as advanced persistent threat APT29, is a Russian hacker group believed to be associated with one or more intelligence agencies of Russia. The Dutch General Intelligence and Securi ...
(also known as APT29). FireEye gave the suspects the placeholder name "UNC2452";
incident response An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions. Incident management (IcM) is a term describing the activities of an organization to identify, analyze, and correct hazards ...
firm Volexity called them "Dark Halo". On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR. One security researcher offers the likely operational date, February 27, 2020, with a significant change of aspect on October 30, 2020. In January 2021, cybersecurity firm Kaspersky said SUNBURST resembles the malware Kazuar, which is believed to have been created by Turla, a group known from 2008 that Estonian intelligence previously linked to the Russian federal security service, FSB.


Statements by U.S. government officials

On October 22, 2020, CISA and the FBI identified the Microsoft zerologon attacker as
Berserk Bear Berserk Bear (aka Crouching Yeti, Dragonfly, Dragonfly 2.0, DYMALLOY, Energetic Bear, Havex, IRON LIBERTY, Koala, or TeamSpy) is a Russian cyber espionage group, sometimes known as an advanced persistent threat. According to the United States, the ...
, a state-sponsored group believed to be part of Russia's FSB. On December 18,
U.S. Secretary of State The United States secretary of state is a member of the executive branch of the federal government of the United States and the head of the U.S. Department of State. The office holder is one of the highest ranking members of the president's Ca ...
Mike Pompeo Michael Richard Pompeo (; born December 30, 1963) is an American politician, diplomat, and businessman who served under President Donald Trump as director of the Central Intelligence Agency (CIA) from 2017 to 2018 and as the 70th United State ...
said Russia was "pretty clearly" responsible for the cyber attack. On December 19, U.S. president
Donald Trump Donald John Trump (born June 14, 1946) is an American politician, media personality, and businessman who served as the 45th president of the United States from 2017 to 2021. Trump graduated from the Wharton School of the University of P ...
publicly addressed the attacks for the first time, downplaying its severity and suggesting without evidence that China, rather than Russia, might be responsible. The same day, Republican senator Marco Rubio, acting chair of the Senate Intelligence Committee, said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history." On December 20, Democratic senator Mark Warner, briefed on the incident by intelligence officials, said "all indications point to Russia." On December 21, 2020, former Attorney General
William Barr William Pelham Barr (born May 23, 1950) is an American attorney who served as the 77th and 85th United States attorney general in the administrations of Presidents George H. W. Bush and Donald Trump. Born and raised in New York City, Barr ...
said that he agreed with Pompeo's assessment of the origin of the cyberhack and that it "certainly appears to be the Russians," contradicting Trump. On January 5, 2021, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence, all confirmed that they believe Russia was the most likely culprit. On June 10, 2021,
FBI Director The Director of the Federal Bureau of Investigation is the head of the Federal Bureau of Investigation, a United States' federal law enforcement agency, and is responsible for its day-to-day operations. The FBI Director is appointed for a single ...
Christopher Wray attributed the attack to Russia's SVR specifically.


Denial of involvement

The Russian government said that it was not involved. The Chinese foreign ministry said in a statement, "China resolutely opposes and combats any form of cyberattacks and cyber theft."


Impact

SolarWinds said that of its 300,000 customers, 33,000 use Orion. Of these, around 18,000 government and private users downloaded compromised versions. Discovery of the breaches at the U.S. Treasury and Commerce Departments immediately raised concerns that the attackers would attempt to breach other departments, or had already done so. Further investigation proved these concerns to be well-founded. Within days, additional federal departments were found to have been breached.
Reuters Reuters ( ) is a news agency owned by Thomson Reuters Corporation. It employs around 2,500 journalists and 600 photojournalists in about 200 locations worldwide. Reuters is one of the largest news agencies in the world. The agency was esta ...
quoted an anonymous U.S. government source as saying: “This is a much bigger story than one single agency. This is a huge cyber espionage campaign targeting the U.S. government and its interests.” Compromised versions were known to have been downloaded by the
Centers for Disease Control and Prevention The Centers for Disease Control and Prevention (CDC) is the national public health agency of the United States. It is a United States federal agency, under the Department of Health and Human Services, and is headquartered in Atlanta, Georgi ...
, the Justice Department, and some utility companies. Other prominent U.S. organisations known to use SolarWinds products, though not necessarily Orion, were the
Los Alamos National Laboratory Los Alamos National Laboratory (often shortened as Los Alamos and LANL) is one of the sixteen research and development laboratories of the United States Department of Energy (DOE), located a short distance northwest of Santa Fe, New Mexico, ...
,
Boeing The Boeing Company () is an American multinational corporation that designs, manufactures, and sells airplanes, rotorcraft, rockets, satellites, telecommunications equipment, and missiles worldwide. The company also provides leasing and p ...
, and most Fortune 500 companies. Outside the U.S., reported SolarWinds clients included parts of the British government, including the Home Office,
National Health Service The National Health Service (NHS) is the umbrella term for the publicly funded healthcare systems of the United Kingdom (UK). Since 1948, they have been funded out of general taxation. There are three systems which are referred to using the " ...
, and signals intelligence agencies; the
North Atlantic Treaty Organization The North Atlantic Treaty Organization (NATO, ; french: Organisation du traité de l'Atlantique nord, ), also called the North Atlantic Alliance, is an intergovernmental military alliance between 30 member states – 28 European and two No ...
(NATO); the
European Parliament The European Parliament (EP) is one of the legislative bodies of the European Union and one of its seven institutions. Together with the Council of the European Union (known as the Council and informally as the Council of Ministers), it adopts ...
; and likely
AstraZeneca AstraZeneca plc () is a British-Swedish multinational pharmaceutical and biotechnology company with its headquarters at the Cambridge Biomedical Campus in Cambridge, England. It has a portfolio of products for major diseases in areas includi ...
. FireEye said that additional government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East may also have been affected. Through a manipulation of software keys, the hackers were able to access the email systems used by the Treasury Department's highest-ranking officials. This system, although unclassified, is highly sensitive because of the Treasury Department's role in making decisions that move the market, as well as decisions on
economic sanction Economic sanctions are commercial and financial penalties applied by one or more countries against a targeted self-governing state, group, or individual. Economic sanctions are not necessarily imposed because of economic circumstances—they ma ...
s and interactions with the
Federal Reserve The Federal Reserve System (often shortened to the Federal Reserve, or simply the Fed) is the central banking system of the United States of America. It was created on December 23, 1913, with the enactment of the Federal Reserve Act, after a ...
. Simply downloading a compromised version of Orion was not necessarily sufficient to result in a data breach; further investigation was required in each case to establish whether a breach resulted. These investigations were complicated by: the fact that the attackers had in some cases removed evidence; the need to maintain separate secure networks as organizations' main networks were assumed to be compromised; and the fact that Orion was itself a network monitoring tool, without which users had less visibility of their networks. As of mid-December 2020, those investigations were ongoing. As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used. Commentators said that the information stolen in the attack would increase the perpetrator's influence for years to come. Possible future uses could include attacks on hard targets like the
CIA The Central Intelligence Agency (CIA ), known informally as the Agency and historically as the Company, is a civilian foreign intelligence service of the federal government of the United States, officially tasked with gathering, processing, ...
and NSA, or using blackmail to recruit spies. Cyberconflict professor
Thomas Rid Thomas Rid (born 1975) is a political scientist best known for his work on the history and risks of information technology in conflict. He is Professor of Strategic Studies at the Paul H. Nitze School of Advanced International Studies. Previously ...
said the stolen data would have myriad uses. He added that the amount of data taken was likely to be many times greater than during Moonlight Maze, and if printed would form a stack far taller than the
Washington Monument The Washington Monument is an obelisk shaped building within the National Mall in Washington, D.C., built to commemorate George Washington, once commander-in-chief of the Continental Army (1775–1784) in the American Revolutionary War and th ...
. Even where data was not exfiltrated, the impact was significant. The
Cybersecurity and Infrastructure Security Agency The Cybersecurity and Infrastructure Security Agency (CISA) is an agency of the United States Department of Homeland Security (DHS) that is responsible for strengthening cybersecurity and infrastructure protection across all levels of government, ...
(CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset. Anti-malware companies additionally advised searching log files for specific indicators of compromise. However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review. Former
Homeland Security Advisor The Assistant to the President for Homeland Security and Counterterrorism, commonly referred to as the Homeland Security Advisor and formerly the Deputy National Security Advisor for Homeland Security and Counterterrorism, is a senior aide in the ...
Thomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime. Harvard's
Bruce Schneier Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman Klein Cente ...
, and
NYU New York University (NYU) is a private research university in New York City. Chartered in 1831 by the New York State Legislature, NYU was founded by a group of New Yorkers led by then-Secretary of the Treasury Albert Gallatin. In 1832, the ...
's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely. The Justice Department disclosed in July 2021 that 27 of its federal prosecutors' offices around the country had been affected, including 80% of Microsoft email accounts breached in four New York offices. Two of the offices, in Manhattan and Brooklyn, handle many prominent investigations of white-collar crime, as well as of people close to former president Trump.


List of confirmed connected data breaches


U.S. federal government


U.S. state and local governments


Private sector


Investigations and responses


Technology companies and business

On December 8, 2020, before other organizations were known to have been breached, FireEye published countermeasures against the red team tools that had been stolen from FireEye. On December 15, 2020, Microsoft announced that SUNBURST, which only affects Windows platforms, had been added to Microsoft's malware database and would, from December 16 onwards, be detected and quarantined by Microsoft Defender.
GoDaddy GoDaddy Inc. is an American publicly traded Internet domain registrar and web hosting company headquartered in Tempe, Arizona, and incorporated in Delaware. , GoDaddy has more than 21 million customers and over 6,600 employees worldwide. The ...
handed ownership to
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
of a command-and-control domain used in the attack, allowing Microsoft to activate a killswitch in the SUNBURST malware, and to discover which SolarWinds customers were infected. On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks. On December 22, 2020, the
North American Electric Reliability Corporation The North American Electric Reliability Corporation (NERC) is a nonprofit corporation based in Atlanta, Georgia, and formed on March 28, 2006, as the successor to the North American Electric Reliability Council (also known as NERC). The original ...
asked electricity companies to report their level of exposure to Solarwinds software. SolarWinds unpublished its featured customer list after the hack, although as of December 15, cybersecurity firm GreyNoise Intelligence said SolarWinds had not removed the infected software updates from its distribution server. Around January 5, 2021, SolarWinds investors filed a class action lawsuit against the company in relation to its security failures and subsequent fall in share price. Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs. The Linux Foundation pointed out that if Orion had been open source, users would have been able to audit it, including via reproducible builds, making it much more likely that the malware payload would have been spotted.


U.S. government

On December 18, 2020, U.S. Secretary of State Mike Pompeo said that some details of the event would likely be classified so as not to become public.


Security agencies

On December 12, 2020, a National Security Council (NSC) meeting was held at the White House to discuss the breach of federal organizations. On December 13, 2020, CISA issued an emergency directive asking federal agencies to disable the SolarWinds software, to reduce the risk of additional intrusions, even though doing so would reduce those agencies' ability to monitor their computer networks. The Russian government said that it was not involved in the attacks. On December 14, 2020, the Department of Commerce confirmed that it had asked the CISA and the
FBI The Federal Bureau of Investigation (FBI) is the domestic intelligence and security service of the United States and its principal federal law enforcement agency. Operating under the jurisdiction of the United States Department of Justice, t ...
to investigate. The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group. The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations. The DOE helped to compensate for a staffing shortfall at CISA by allocating resources to help the Federal Energy Regulatory Commission (FERC) recover from the cyberattack. The FBI, CISA, and the
Office of the Director of National Intelligence The director of national intelligence (DNI) is a senior, cabinet-level United States government official, required by the Intelligence Reform and Terrorism Prevention Act of 2004 to serve as executive head of the United States Intelligence Comm ...
(ODNI) formed a Cyber Unified Coordination Group (UCG) to coordinate their efforts. On December 24, 2020, CISA said state and local government networks, in addition to federal ones, and other organizations, had been impacted by the attack, but did not provide further details.


Congress

The
Senate Armed Services Committee The Committee on Armed Services (sometimes abbreviated SASC for ''Senate Armed Services Committee'') is a committee of the United States Senate empowered with legislative oversight of the nation's military, including the Department of Def ...
's cybersecurity subcommittee was briefed by Defense Department officials. The House Committee on Homeland Security and House Committee on Oversight and Reform announced an investigation. Marco Rubio, acting chair of the Senate Intelligence Committee, said the U.S. must retaliate, but only once the perpetrator is certain. The committee's vice-chairman, Mark Warner, criticized President Trump for failing to acknowledge or react to the hack. Senator Ron Wyden called for mandatory security reviews of software used by federal agencies. On December 22, 2020, after U.S. Treasury Secretary Steven Mnuchin told reporters that he was "completely on top of this", the
Senate Finance Committee The United States Senate Committee on Finance (or, less formally, Senate Finance Committee) is a standing committee of the United States Senate. The Committee concerns itself with matters relating to taxation and other revenue measures general ...
was briefed by Microsoft that dozens of Treasury email accounts had been breached, and the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials. Senator Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen". On December 23, 2020, Senator Bob Menendez asked the State Department to end its silence about the extent of its breach, and Senator
Richard Blumenthal Richard Blumenthal (; born February 13, 1946) is an American lawyer and politician who is the senior United States senator from Connecticut, a seat he has held since 2011. A member of the Democratic Party, he is one of the wealthiest members of ...
asked the same of the
Veterans Administration The United States Department of Veterans Affairs (VA) is a Cabinet-level executive branch department of the federal government charged with providing life-long healthcare services to eligible military veterans at the 170 VA medical centers a ...
.


The judiciary

The
Administrative Office of the United States Courts The Administrative Office of the United States Courts (AO) is the administrative agency of the United States federal court system, established in 1939. The central support entity for the federal judicial branch, the AO provides a wide range of l ...
initiated an audit, with DHS, of the U.S. Judiciary's Case Management/Electronic Case Files (CM/ECF) system. It stopped accepting highly sensitive court documents to the CM/ECF, requiring those instead to be accepted only in paper form or on airgapped devices.


President Trump

President
Donald Trump Donald John Trump (born June 14, 1946) is an American politician, media personality, and businessman who served as the 45th president of the United States from 2017 to 2021. Trump graduated from the Wharton School of the University of P ...
made no comment on the hack for days after it was reported, leading Senator Mitt Romney to decry his "silence and inaction". On December 19, Trump publicly addressed the attacks for the first time; he downplayed the hack, contended that the media had overblown the severity of the incident, said that "everything is well under control"; and proposed, without evidence, that China, rather than Russia, might be responsible for the attack. Trump then pivoted to insisting that he had won the 2020 presidential election.Justin Sink
Trump Downplays Huge Hack Tied to Russia, Suggests China
Bloomberg News (December 19, 2020).
He speculated, without evidence, that the attack might also have involved a "hit" on voting machines, part of a long-running campaign by Trump to falsely assert that he won the 2020 election. Trump's claim was rebutted by former CISA director Chris Krebs, who pointed out that Trump's claim was not possible.
Adam Schiff Adam Bennett Schiff (born June 22, 1960) is an American lawyer, author, and politician who has served as a United States House of Representatives, U.S. representative since 2001. A member of the Democratic Party (United States), Democratic Par ...
, chair of the
House Intelligence Committee The United States House Permanent Select Committee on Intelligence (HPSCI), also known as the House Intelligence Committee, is a committee of the United States House of Representatives, currently chaired by Adam Schiff. It is the primary committ ...
, described Trump's statements as dishonest, calling the comment a "scandalous betrayal of our national security" that "sounds like it could have been written in the Kremlin." Former
Homeland Security Advisor The Assistant to the President for Homeland Security and Counterterrorism, commonly referred to as the Homeland Security Advisor and formerly the Deputy National Security Advisor for Homeland Security and Counterterrorism, is a senior aide in the ...
Thomas P. Bossert said, "President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government," and noted that congressional action, including via the
National Defense Authorization Act The National Defense Authorization Act (NDAA) is the name for each of a series of United States federal laws specifying the annual budget and expenditures of the U.S. Department of Defense. The first NDAA was passed in 1961. The U.S. Congress o ...
would be required to mitigate the damage caused by the attacks.


President Biden

Then
president-elect An ''officer-elect'' is a person who has been elected to a position but has not yet been installed. Notably, a president who has been elected but not yet installed would be referred to as a ''president-elect'' (e.g. president-elect of the Unit ...
Joe Biden said he would identify and penalize the attackers. Biden's incoming chief of staff, Ron Klain, said the
Biden administration Joe Biden's tenure as the 46th president of the United States began with his inauguration on January 20, 2021. Biden, a Democrat from Delaware who previously served as vice president under Barack Obama, took office following his victory ...
's response to the hack would extend beyond sanctions. On December 22, 2020, Biden reported that his transition team was still being denied access to some briefings about the attack by Trump administration officials. In January 2021, Biden named appointees for two relevant White House positions:
Elizabeth Sherwood-Randall Elizabeth D. Sherwood-Randall (born October 4, 1959) is an American national security and energy leader, public servant, educator, and author currently serving as the 11th United States Homeland Security Advisor to President Joe Biden since 2021 ...
as homeland security adviser, and
Anne Neuberger Anne Neuberger (born 1976) is an American national security official, who serves as the Deputy National Security Advisor for Cyber and Emerging Technology in the Biden Administration. Prior to this role, she served for over a decade at NSA, as D ...
as deputy national security adviser for cyber and emerging technology. In March 2021, the Biden administration expressed growing concerns over the hack, and
White House The White House is the official residence and workplace of the president of the United States. It is located at 1600 Pennsylvania Avenue NW in Washington, D.C., and has been the residence of every U.S. president since John Adams in ...
Press Secretary A press secretary or press officer is a senior advisor who provides advice on how to deal with the news media and, using news management techniques, helps their employer to maintain a positive public image and avoid negative media coverage. Dut ...
Jen Psaki Jennifer Rene Psaki (; born c. 1978) is an American television political analyst who currently works for MSNBC. Previously, she was a political advisor who served under both the Obama and Biden administrations. Immediately prior to working for ...
called it “an active threat”. Meanwhile ''
The New York Times ''The New York Times'' (''the Times'', ''NYT'', or the Gray Lady) is a daily newspaper based in New York City with a worldwide readership reported in 2020 to comprise a declining 840,000 paid print subscribers, and a growing 6 million paid d ...
'' reported that the US government was planning economic sanctions as well as "a series of clandestine actions across Russian networks" in retaliation. On April 15, 2021, the United States expelled 10 Russian diplomats and issued sanctions against 6 Russian companies that support its cyber operations, as well as 32 individuals and entities for their role in the hack and in
Russian interference in the 2020 United States elections Russian interference in the 2020 United States elections was a matter of concern at the highest level of national security within the United States government, in addition to the computer and social media industries. In 2020, the RAND Corpora ...
.


Rest of the world

NATO said that it was "currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks." On December 18, the United Kingdom National Cyber Security Centre said that it was still establishing the attacks' impact on the UK. The UK and Irish cybersecurity agencies published alerts targeting SolarWinds customers. On December 23, 2020, the UK
Information Commissioner's Office The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Digital, Culture, Media and Sport (DCMS). It is the independe ...
– a national privacy authority – told UK organizations to check immediately whether they were impacted. On December 24, 2020, the Canadian Centre for Cyber Security asked SolarWinds Orion users in Canada to check for system compromises.


Cyber espionage or cyberattack?

The attack prompted a debate on whether the hack should be treated as
cyber espionage Cyber may refer to: Computing and the Internet * ''Cyber-'', from cybernetics, a transdisciplinary approach for exploring regulatory and purposive systems Crime and security * Cyber crime, crime that involves computers and networks ** Conventio ...
, or as a
cyberattack A cyberattack is any offensive maneuver that targets computer information systems, computer networks, infrastructures, or personal computer devices. An attacker is a person or process that attempts to access data, functions, or other restricte ...
constituting an act of war. Most current and former U.S. officials considered the 2020 Russian hack to be a "stunning and distressing feat of espionage" but not a cyberattack because the Russians did not appear to destroy or manipulate data or cause physical damage (for example, to the electrical grid). Erica Borghard of the Atlantic Council and Columbia's Saltzman Institute and Jacquelyn Schneider of the
Hoover Institution The Hoover Institution (officially The Hoover Institution on War, Revolution, and Peace; abbreviated as Hoover) is an American public policy think tank and research institution that promotes personal and economic liberty, free enterprise, an ...
and
Naval War College The Naval War College (NWC or NAVWARCOL) is the staff college and "Home of Thought" for the United States Navy at Naval Station Newport in Newport, Rhode Island. The NWC educates and develops leaders, supports defining the future Navy and associ ...
argued that the breach was an act of espionage that could be responded to with "arrests, diplomacy, or counterintelligence" and had not yet been shown to be a cyberattack, a classification that would legally allow the U.S. to respond with force. Law professor
Jack Goldsmith Jack Landman Goldsmith III (born September 26, 1962) is an American legal scholar. He is a professor at Harvard Law School who has written extensively in the fields of international law, civil procedure, federal courts, conflict of laws, and na ...
wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms" and wrote that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks." Law professor Michael Schmitt concurred, citing the ''
Tallinn Manual The ''Tallinn Manual'' (originally entitled, ''Tallinn Manual on the International Law Applicable to Cyber Warfare'') is an academic, non-binding study on how international law (in particular the jus ad bellum and international humanitarian law) ap ...
''. By contrast, Microsoft president Brad Smith termed the hack a cyberattack, stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure." U.S. Senator
Richard J. Durbin Richard Joseph Durbin (born November 21, 1944) is an American lawyer and politician serving as the senior United States senator from Illinois, a seat he has held since 1997. A member of the Democratic Party, Durbin has served as the Senate Dem ...
(D-IL) described the attack as tantamount to a declaration of war.


Debate on possible U.S. responses

Writing for ''Wired'', Borghard and Schneider opined that the U.S. "should continue to build and rely on
strategic deterrence Deterrence theory refers to the scholarship and practice of how threats or limited force by one party can convince another party to refrain from initiating some other course of action. The topic gained increased prominence as a military strategy ...
to convince states not to weaponize the cyber intelligence they collect". They also stated that because deterrence may not effectively discourage cyber-espionage attempts by
threat actor A threat actor or malicious actor is either a person or a group of people that take part in an action that is intended to cause harm to the cyber realm including: computers, devices, systems, or networks. The term is typically used to describe in ...
s, the U.S. should also focus on making cyber-espionage less successful through methods such as enhanced cyber-defenses, better information-sharing, and "defending forward" (reducing Russian and Chinese offensive cyber-capabilities). Writing for ''
The Dispatch ''The Dispatch'' is an American conservative subscription-based and advertisement-free online magazine founded by Jonah Goldberg, Stephen F. Hayes, and Toby Stock. Several of ''The Dispatchs staff (including Hayes) are alumni of the defunct ...
'', Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks." Cybersecurity author
Bruce Schneier Bruce Schneier (; born January 15, 1963) is an American cryptographer, computer security professional, privacy specialist, and writer. Schneier is a Lecturer in Public Policy at the Harvard Kennedy School and a Fellow at the Berkman Klein Cente ...
advocated against retaliation or increases in offensive capabilities, proposing instead the adoption of a defense-dominant strategy and ratification of the Paris Call for Trust and Security in Cyberspace or the
Global Commission on the Stability of Cyberspace The Global Commission on the Stability of Cyberspace was a multistakeholder Internet governance organization, dedicated to the creation of diplomatic norms of governmental non-aggression in cyberspace. It operated for three years, from 2017 ...
. In the ''New York Times'', Paul Kolbe, former CIA agent and director of the Intelligence Project at Harvard's Belfer Center for Science and International Affairs, echoed Schneier's call for improvements in the U.S.'s cyberdefenses and international agreements. He also noted that the US is engaged in similar operations against other countries in what he described as an ambient cyber-conflict.


See also

* Cyberwarfare in the United States *
Cyberwarfare by Russia Cyberwarfare by Russia includes denial of service attacks, hacker attacks, dissemination of disinformation and propaganda, participation of state-sponsored teams in political blogs, internet surveillance using SORM technology, persecution of ...
*
EternalBlue EternalBlue is a computer exploit developed by the U.S. National Security Agency (NSA). It was leaked by the Shadow Brokers hacker group on April 14, 2017, one month after Microsoft released patches for the vulnerability. On May 12, 2017, the ...
*
Global surveillance disclosures (2013–present) Ongoing news reports in the international media have revealed operational details about the Anglophone cryptographic agencies' global surveillance of both foreign and domestic nationals. The reports mostly emanate from a cache of top secre ...
* List of data breaches * Moonlight Maze * Office of Personnel Management data breach * Security dilemma * The Shadow Brokers * 2008 cyberattack on United States * 2021 Microsoft Exchange Server data breach


References


External links


SolarWinds Security Advisory



GuidePoint Security Analysis

Russian SVR Targets U.S. and Allied Networks
(pdf file)
A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack
by Dina Temple-Raston, Friday, April 16, 2021
NPR text only version
{{Hacking in the 2020s 2020 in the United States Cyberattacks Data breaches in the United States 2020 in computing Hacking in the 2020s