This week news broke that United States government agencies and corporations alike—as well as international targets—were victims of a massive nation-state espionage campaign. But as the revelations continue to pile up, and new targets are discovered by the day, it can be hard to get a handle on what exactly happened and what it all means.
The hackers, who have been widely reported as Russian, compromised high-profile targets like the US Commerce, Treasury, Homeland Security, and Energy Departments, as well as companies like the security firm FireEye. All of the attacks appear to stem from one initial compromise of the IT infrastructure and network-management firm SolarWinds. Hackers had breached the company as far back as October 2019, then planted malicious code in software updates to its network-monitoring tool, Orion. Any customer that installed an Orion update released between March and June 2020 inadvertently installed the backdoor on their own network. Because the tampered builds reached customers through SolarWinds' own legitimate release channel, carrying the vendor's code signature, the routine checks that organizations rely on to vet an update gave them no reason to reject it.
In a statement on Thursday, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency said it “has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.” CISA, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence are all part of a “Cyber Unified Coordination Group” that is quarterbacking the US government’s response to the widespread intrusions and working to get a handle on the scale and scope of the situation as quickly as possible.
Not all of the victims of this campaign were affected in the same way. In some cases the attackers planted the backdoor but went no further; in others, they used it to move deep within the victim's network for reconnaissance and data exfiltration. Telling those two situations apart—the mere presence of the backdoor versus active follow-on intrusion—and understanding the implications of each is going to be increasingly important as investigators dig deeper into the SolarWinds morass.