The Sunburst hack was massive and devastating – 5 observations by a cyber security expert

So much is still unknown about what is now being called the Sunburst hack, the cyber attack on US government agencies and corporations. U.S. officials widely believe that Russian state-sponsored hackers are responsible.

The attack gave the culprits access to numerous major U.S. business and government organizations. The immediate consequences will be difficult to assess, and a complete accounting of the damage is unlikely. However, the nature of the organizations involved alone makes it clear that this is perhaps the most consequential cyber attack against the US to date.

An act of cyber war is usually not like a bomb inflicting immediate, well-understood damage. On the contrary, it’s more like a cancer – it’s slow to detect, difficult to eradicate, and it causes continuous and significant damage over a long period of time. Here are five points that cyber security experts – the oncologists in the cancer analogy – can make with what is known so far.

1. The victims were hard to crack

From the top cyber security firm FireEye to the US Treasury, Microsoft, Intel and many other organizations, the victims of the attack are mostly organizations with comprehensive cyber security practices. The list of organizations using the software includes companies such as MasterCard, Lockheed Martin and PricewaterhouseCoopers. SolarWinds estimates that about 18,000 customers may have installed the compromised update.

As CEO of the cyber security firm Cyber Reconnaissance Inc. and an associate professor of computer science at Arizona State University, I have met security personnel from many of the targeted organizations. Many of the organizations have world-class cyber security teams. These are some of the hardest targets to hit in American business. The victims of Sunburst were specifically targeted, probably with the primary focus on intelligence gathering.

2. It was almost certainly the work of a nation – not criminals

Criminal hackers focus on short-term financial gain. They use techniques such as ransomware to extort money from their victims, steal financial information and harvest computer resources for activities such as sending spam emails or mining cryptocurrency.

Criminal hackers exploit known security weaknesses that the victims could have closed had they been more thorough about their security. They usually target organizations with weaker security, such as health care systems, universities and municipal governments. University networks are notoriously decentralized and difficult to secure, and their cyber security is underfunded. Medical systems typically rely on specialized medical devices that run outdated, vulnerable software that is difficult to upgrade.

Hackers affiliated with national governments, on the other hand, have completely different motives. They seek long-term access to critical infrastructure, gather intelligence and develop the means to disrupt particular industries. They also steal intellectual property – especially intellectual property that is expensive to develop, in fields such as high technology, medicine, defense and agriculture.

[Image: a smartphone with the FireEye logo. Caption: One of the targeted organizations, the cyber security firm FireEye, would be a poor choice for cybercriminals, but very desirable for the Russian government or other adversaries of the US. Credit: SOPA Images / LightRocket via Getty Images]

The effort required to infiltrate even one of the Sunburst victims is also a telling sign that this was not merely a criminal hack. A firm like FireEye, for example, is a poor target for a criminal attacker. The company has fewer than 4,000 employees, but its computer security is on the same level as that of the world’s leading defense and financial enterprises.

3. The attack used trusted third-party software

The hackers gained access by planting their malware in software updates to SolarWinds’ Orion software, which is widely used to manage large enterprise networks. The Sunburst attack depended on the trust relationship between the targeted organizations and SolarWinds: an update that arrives through the vendor’s normal channel is installed because it comes from the vendor, not because the customer has inspected it. When Orion users updated their systems in the spring of 2020, they unknowingly invited a Trojan horse into their computer networks.
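The paragraph above turns on where in the supply chain the malware was inserted. The following Python example, added here for illustration and not code from the article or from SolarWinds, models a vendor build pipeline and a customer update check to show the general point: an update tampered with after the vendor signs it fails the customer’s integrity check, while an implant inserted inside the vendor’s build before signing carries a valid signature and is installed. It also shows one check that does catch the second case, an independent rebuild from the published source (a reproducible-build comparison). All names, the build step, the toy “implant” string and the signing key are constructed assumptions; an HMAC stands in for an asymmetric code-signing key so the example runs with the standard library only.

```python
import hashlib
import hmac

# Hypothetical vendor code-signing key. A real vendor uses an asymmetric
# key pair; a keyed HMAC is used here as a stand-in so the example is
# self-contained and runs offline.
VENDOR_SIGNING_KEY = b"hypothetical-vendor-build-signing-key"


def sign(artifact: bytes) -> bytes:
    """Vendor side: produce a signature over the built artifact."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes) -> bool:
    """Customer side: constant-time check that the signature matches."""
    return hmac.compare_digest(sign(artifact), signature)


def compile_source(source: bytes) -> bytes:
    """Toy deterministic 'compiler': the build output is a function of the
    source alone, which is what a reproducible build guarantees."""
    return b"BUILD:" + hashlib.sha256(source).hexdigest().encode()


def vendor_build(source: bytes, implant: bytes = b"") -> tuple:
    """Vendor build pipeline. `implant` models code injected on the build
    server BEFORE signing, as in a compromised build environment."""
    artifact = compile_source(source) + implant
    return artifact, sign(artifact)


def customer_install(artifact: bytes, signature: bytes) -> str:
    """Customer update logic: trust the vendor signature and nothing else."""
    return "installed" if verify(artifact, signature) else "rejected"


def reproducible_build_check(published_source: bytes, artifact: bytes) -> bool:
    """Customer-side independent rebuild: recompile the published source and
    compare byte-for-byte with the delivered artifact. Passes only if the
    delivered binary is exactly what the source produces."""
    return hmac.compare_digest(compile_source(published_source), artifact)


# Constructed sample inputs for the two scenarios.
CLEAN_SOURCE = b"orion-core-source-v1"
IMPLANT = b";<backdoor>"


def scenarios() -> dict:
    """Run both tampering scenarios and report what the customer sees."""
    results = {}

    # Scenario A: a clean release is signed, then modified in transit.
    artifact, signature = vendor_build(CLEAN_SOURCE)
    tampered_in_transit = artifact + IMPLANT
    results["tampered_after_signing"] = customer_install(tampered_in_transit, signature)

    # Scenario B: the implant is inserted inside the vendor build, before
    # signing. The signature is genuine, so the signature check passes.
    artifact_b, signature_b = vendor_build(CLEAN_SOURCE, implant=IMPLANT)
    results["tampered_before_signing"] = customer_install(artifact_b, signature_b)

    # The signature cannot distinguish B from a clean build, but an
    # independent rebuild from the published source can.
    results["rebuild_matches_clean"] = reproducible_build_check(CLEAN_SOURCE, artifact)
    results["rebuild_matches_implanted"] = reproducible_build_check(CLEAN_SOURCE, artifact_b)
    return results


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```

The point of the example is the asymmetry it makes visible: signature verification protects the path between vendor and customer, not the vendor’s own build process. Once the attacker is upstream of the signing step, every downstream consumer that trusts the vendor key, as every Orion customer did, accepts the implant as legitimate. A rebuild-and-compare check (or, more practically, build provenance the customer can verify independently of the vendor’s signing key) is what closes that gap; a signature alone cannot.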

Apart from a report on lax security at SolarWinds, very little is known about how the hackers initially gained access to SolarWinds’ systems. However, Russian state hackers had previously used the same tactic of compromising a third-party software update process, in 2017, during the infamous NotPetya attack, which is considered to be the most financially damaging cyber attack in history.

4. The extent of the damage is unknown

It will take time to discover the extent of the damage. The investigation is complicated by the fact that the attackers gained access to most of the victims in the spring of 2020, giving them months to expand and conceal their access to and control over the victims’ systems. For example, some experts believe that a vulnerability in VMware software, which is commonly used in corporate networks, was also used to gain access to victims’ systems, although the company denies this.

[Image: the Microsoft logo on the side of a building. Caption: Some of the exposed organizations, such as Microsoft, made limited use of the SolarWinds software, which apparently contained the damage they suffered. Credit: Raimond Spekking, CC BY-SA]

I expect the damage to be unevenly distributed among the victims. It depends on various factors, such as how extensively the organization used the SolarWinds software, how segmented its networks are, and the nature of its software maintenance practices. For example, Microsoft apparently had limited deployments of Orion, and so the attack had limited impact on its systems.

In contrast, the haul taken from FireEye included penetration testing tools, which FireEye used to test the defenses of its high-end customers. The theft of these tools was probably valued by the hackers both as a way to increase their capabilities in future attacks and as a source of insight into how FireEye’s customers protect themselves.

5. The breach can cause real damage

There is a very thin, often non-existent line between gathering information and damaging the real world. What starts as espionage can easily escalate into warfare.

The presence of malware on a computer system that gives the attacker elevated user privileges is dangerous. Hackers can use control of a computer system to destroy it, as in the Iranian cyber attacks against Saudi Aramco in 2012, and can damage physical infrastructure, as in the Stuxnet attack on Iran’s nuclear facilities discovered in 2010.

Furthermore, individuals can be harmed with information alone. The Chinese breach of Equifax in 2017, for example, put detailed financial and personal information about millions of Americans in the hands of one of the U.S.’s biggest strategic competitors.

No one knows the full extent of the Sunburst attack, but the scale is large and the victims represent important pillars of the US government, economy and critical infrastructure. Information stolen from the systems and malware that the hackers may have left behind can be used for follow-up attacks. I believe it is likely that the Sunburst attack could harm Americans.
