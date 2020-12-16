

Why the US government hack is literally keeping security experts awake at night

Posted: Dec 16, 2020 10:10 AM
Updated: Dec 16, 2020 10:10 AM
Posted By: Brian Fung, CNN Business

The US government is reeling from multiple data breaches at top federal agencies, the result of a worldwide hacking campaign with possible ties to Russia. Investigators are still trying to figure out how much of the government may have been affected and how badly it may have been compromised.

But what little we know has cybersecurity experts extremely worried — with some describing the attack as a literal wakeup call.

"I woke up in the middle of the night last night just sick to my stomach," said Theresa Payton, who served as White House Chief Information Officer under President George W. Bush. "On a scale of 1 to 10, I'm at a 9 — and it's not because of what I know; it's because of what we still don't know."

On Sunday evening, the Commerce Department acknowledged it had been hit by a data breach after Reuters first reported that sophisticated hackers compromised the agency through a third-party software vendor known as SolarWinds. While SolarWinds is not a household name, it works with many businesses and organizations that are.

Since then, more details have emerged suggesting a much wider pattern of compromise. As many as 18,000 SolarWinds customers — out of a total of 300,000 — may have been running software containing the vulnerability that allowed the hackers to penetrate the Commerce Department, the company disclosed in an investor filing this week.

Here's why the cyberattacks disclosed this week are keeping experts up at night — based on who was targeted, the suspected identities of the attackers and their playbook, according to analysts contacted by CNN Business and published security reports.

All federal agencies on alert

One reason the attack is so concerning is because of who may have been victimized by the spying campaign.

At least three US agencies have publicly confirmed they were compromised: The Department of Commerce, the Department of Homeland Security and the Agriculture Department.

But the range of potential victims is much, much larger, raising the troubling prospect that the US military, the White House or public health agencies responding to the pandemic may have been targeted by the foreign spying, too. The Justice Department, the National Security Agency and even the US Postal Service have all been cited by security experts as potentially vulnerable.

All federal civilian agencies have been told to review their systems in an emergency directive by DHS officials. It's only the fifth such directive to be issued by the Cybersecurity and Infrastructure Security Agency since it was created in 2015.

It isn't just the US government in the crosshairs: The elite cybersecurity firm FireEye, which itself was a victim of the attack, said companies across the broader economy were vulnerable to the spying, too. The software vulnerability that enabled the spying has been found in the tech and telecom industry, as well as at consulting firms and energy companies, according to FireEye.

Security experts say this is merely the beginning. In the coming days, we may learn that many more companies and agencies have been compromised than we initially suspected. And we still don't know what information may have been lost or stolen.

Extraordinarily skilled attackers

Another reason to worry is that the attackers appear to have been extraordinarily skilled and determined.

"The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors," FireEye said, adding that the breaches appear to date as far back as the spring. "Each of the attacks require meticulous planning and manual interaction."

Attributing any cyberattack is hard under the best of circumstances and even more challenging when a sophisticated actor works to cover their tracks, as these did. But US officials have tentatively said that the culprit may have links to Russia.

That agents of a foreign government may have been responsible for the breaches is a worrisome sign of not only the attackers' capabilities, but also their motives. These weren't opportunistic cybercriminals indiscriminately probing whatever targets they could find in hopes of extorting their victims for a quick payday. These were highly motivated attackers who selected each of their victims for a specific purpose that remains unknown.

"If you compromise somebody's network for 6 months, there's a lot of opportunity," said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a security think tank. "It's an amazing coup for the Russians — really impressive."

An unusual and creative hack

A third reason for concern is the unusual and creative way the attackers carried out their operation: By disguising the initial attack within legitimate software updates issued by SolarWinds.

"SolarWinds is one of the most widely used and effective tools for network monitoring, including across federal networks and major corporations," said Jamie Barnett, a retired Navy rear admiral and senior vice president at the cybersecurity firm RigNet. "It takes a state-level cyberattack to get into the SolarWinds updates and patches."

By piggybacking on otherwise trusted software updates, the attackers cleverly took advantage of the normal and recommended best practice of keeping software up to date. Thousands of companies and government agencies could thus have been exposed simply for doing the right thing.

That's what's so scary: It's not clear what could have been done differently in this case, because the very process meant to reassure users that "this software can be trusted" was itself compromised.

Once inside a target, the attackers waited patiently until they collected enough data on authorized users to impersonate them, allowing the hackers to move through a victim's network undetected for months, according to an analysis by the cybersecurity firm CrowdStrike.

The degree of access the hackers enjoyed, as well as the length of time they were able to collect information, may wind up making this "a much worse cyberattack than the Office of Personnel Management breach" disclosed by the US government in 2015, said Barnett. That breach, attributed to Chinese-linked hackers, resulted in the theft of vast troves of personal data on millions of federal employees and security clearance applicants.

The rising frequency and intensity of state-sponsored hacking has some cybersecurity leaders reiterating calls for a global treaty on cyberwarfare.

"We need a set of binding rules," Microsoft president Brad Smith said at an event Tuesday held by the Ronald Reagan Foundation and Institute. "And we need a commitment by the democracies of the world to hold authoritarian regimes accountable, so they keep their hands off of civilians in this time of peace when it comes to cyberspace."

Other experts are increasingly questioning the reliance of many businesses on just a handful of third-party vendors, and saying that perhaps society makes it a little too easy for data to be accessed or shared, particularly during a pandemic when working remotely is normal for countless individuals.

"It begs the question: In cybersecurity, do we have a 'too big to fail' situation? And did it happen right under our noses, while we were telling everybody to spend more, to tool up, to get products?" said Payton.
