Attacks on FireEye, SolarWinds, Orion

What the largest hacking attack in U.S. history could lead to

Photograph: J.M. Eddins Jr / Defenselink

In Europe, people do not yet realize the scale of the recent cyber attacks on the US. Calls for retaliation are growing louder. Counterattacks are now just a matter of time.

When the security experts of the U.S. IT company FireEye recently took a closer look at an email request from one of its employees, they made a remarkable discovery. The real author of this message must have been someone else, a powerful and fearsome adversary. When the experts examined the malware in question more closely, the tip of the iceberg became visible. This cyberhack will now probably go down in history. It seems that over 18,000 US government agencies and companies were victims of a large-scale assault, one which was carried out by attackers commissioned, according to the initial assessment of the American authorities, by a foreign nation. Russia stands accused. The »Cozy Bear« hacking group or others of a similar ilk may have struck again.


This large-scale cyber attack is likely to have been carried out with a quality and on a scale for which even experts of the IT scene are unable to come up with appropriate answers at the moment. The current situation is too confusing and the extent of the potential damage seems too great. Each new report sends shock waves, bitterness and anger through the U.S. authorities. The cyberattack was well thought out. It may have been launched years ago, and it has been so successful that it has already affected some of the most important U.S. government agencies. And it is so massive that some agencies, in dire need and lacking alternatives, have had to virtually pull the plug.


According to initial reports, the National Nuclear Security Administration (NNSA), the agency that operates and monitors the US nuclear arsenal, has been affected. The NNSA is not only responsible for simulating U.S. nuclear weapons tests, for which it uses one of the most modern U.S. supercomputers called BlueGene, but also for transporting and storing the existing armored weapons and radioactive material. In addition, the agency maintains a database with the names of tens of thousands of officials and civilians who work on maintaining the nuclear deterrent in the U.S.; among them is an overview of the subcontractors needed to do so.


The attackers were smart, they were deliberate, they were camouflaged; they did not act aggressively, instead proceeding cautiously, inching closer step by step. Exactly as one would do if one did not want to be discovered for a long time! Like a neighbor who, with bad intentions, enters the cellar of his enemy with an imitation key, takes a good look around and records what he sees, and carefully locks the cellar door again after leaving. FireEye discovered, almost by accident, the key that the burglar had left in the cellar door. But the big question is: what exactly did he see in the basement, steal, or even render useless without detection?


The critical infrastructure of the USA was hacked via a vulnerability and may have lain open in front of the attacker for a long time like an instruction manual. All he had to do was carefully turn the pages. The first forensic investigations by U.S. IT experts—the results of which have only very sparsely been leaked to the public, presumably primarily to make policymakers aware of the full devastating scale of the situation—show that the attackers used new cyberattack methods and tools that had not been seen before. The fears repeatedly expressed by U.S. cybersecurity experts, centered on the vulnerability of software supply chains, seem to have come true.


And so a key role in penetrating the networks may have fallen to the US software company SolarWinds. SolarWinds made its Orion software available to all relevant US authorities. As usual, updates were produced on an ongoing basis and sent to the users accordingly. The attackers took advantage of this. They slipped into the software update as code, so to speak, and were let in during "access control". Then they began their work. They gained an overview, created logs and began transferring data.


The Cybersecurity and Infrastructure Security Agency (CISA) has been making people sit up and take notice with new bad news almost every hour for the past few days. In addition to the NNSA, the Federal Energy Regulatory Commission (FERC) was also a victim of the attack. In the USA, FERC is practically responsible for securing electricity, oil and gas supplies nationwide. This includes substations, oil and gas storage facilities, terminals, power grids and energy providers. In other words: everything needed to keep the economy and daily life going. The discovered exploit—meaning: the hackers' "booty"—in FERC's area of responsibility alone is so extensive that CISA has had to admit it does not have enough resources to deal with it. Its director, Christopher Krebs, was also recently fired by U.S. President Trump.


It seems that Microsoft was also among those affected. The company announced that the malicious code was also encountered within its own company. Its detection is not easy. For example, in the nearly 50,000 lines of code in a SolarWinds update, only after close inspection were some lines discovered that should not have been there. It is now uncertain in which other software programs the hackers have already nested. And this was clearly only one method used by the attackers. Exactly how many methods and which tools were used is unknown. CISA issued an unusually dramatic warning to alert potentially affected agencies and companies to the hack.


The Pentagon was also apparently forced to go offline as an emergency measure. And more startling news is coming out of Washington. There are increasing indications that some think tanks, which play a key role in government consulting, have been affected: institutions that sometimes take on an important task in policy consulting for the current US administration. They create threat assessments, formulate evaluations and help to create strategies.


Stuxnet shows: The battles in cyberspace have real consequences and can provoke war.


The attack catches the U.S. at the most difficult time imaginable. The outgoing U.S. President is reluctant to vacate his seat, while the newly elected U.S. President Biden has yet to take the reins. Some of the handover teams have not even begun their work. To make matters worse, the COVID-19 infection rate continues to rise; the death toll has passed the 300,000 mark. In addition, the protests against the repeatedly criticized U.S. police force are ongoing. The U.S. is thus clearly in a situation of great tension. Nervousness is spreading more and more. The long-range flights of U.S. B-52 bombers to the Middle East, carried out only in recent weeks, are a visible sign that the U.S. wants to show potential adversaries that it is ready. For whatever may come.


Since 2014 at the latest, cyberspace has become a battlefield. Everyone is fighting everyone else there, it seems, or in shifting alliances. The public only takes notice when the exposed hacker groups are dragged into the light of day under the names given to them by their discoverers. You suddenly read about Office Monkeys, Cozy Car, The Dukes, Cozy Duke, Grizzly Steppe, Fancy Bear or simply the acronym APT29. But behind all these names are state and non-state actors vying for supremacy in the military domain of cyberspace, all in order to be able to decide the battle for themselves in a possible conflict at the speed of light. These battles are real and impact real life. This is evidenced by power outages, destroyed power plants, exploding transformers, or nuclear centrifuges going haywire, as we have witnessed in Iran in recent months. Such facilities were already a victim of Stuxnet in 2010.


If Russia or another state actor is indeed behind it, it should be warned in any case, because it seems that the U.S. is in panic mode at the moment. They are virtually wandering through their basement looking for the telltale signs of the intruders. And with every clue they discover, the need for retaliation increases. International law does not yet know any binding legal regime for cyberspace. Packages of measures under customary international law (set out, among others, in the Tallinn Manual 2.0) remain controversial. This is not a good basis for a possible escalation. It thus remains to be hoped that U.S. anger will not turn to violence. In any case, the attack will not go unanswered. And the extensive network failures at the Russian telecom provider Rostelecom a few days ago could already be a sign of things to come. But this remains speculation for the time being. At the moment, however, the signs are clearly pointing to a storm.

Dr. Markus Reisner, PhD, is a Colonel in the Austrian Armed Forces, Candid Fellow and author of "Robotic Wars" (Miles-Verlag Berlin 2018).

By: Markus Reisner