In a previous post, we discussed the high-profile series of hacks involving Microsoft Exchange Servers. In the months prior to those events, there was another, somewhat related attack against the federal government that led to a large data breach exposing the personal information of a huge number of Americans. To date, this has been the largest hack ever against the United States government. In the second of our “Hacks in 2021” series, we’ll take a closer look at the “Federal Government Breach” to figure out why the attack was so effective, who the targets were, and what it can tell us about the nature of state-sponsored hacking groups.
A Brief Run-Down of the Attack
While the US government will be the most remembered victim of this attack, over 200 large organizations were targeted, including political, social and financial organizations. The attack itself was carried out over 8 or 9 months, fueled by two different exploits used against SolarWinds and another one against VMware. The devastating nature of this breach led a lot of experts to say what they have been saying for a while now—it’s time to treat digital information like any other part of America that we defend, investing resources into preventing breaches from happening in the future.
Why the Attack was Effective
There were quite a number of reasons that this attack was so effective, so secret, and so widespread. For starters, nearly a dozen different exploits were ultimately used to carry it out. To make matters worse, the attacks did not become public information until December of 2020, even though they began in March 2020. Secondly, most of the hacks made use of proprietary software. While software like this is specialized, and thus more resistant to attacks in general, it is at some points weaker against targeted attacks. It was this weakness that allowed the attackers to modify the Orion software undetected while also moving through the vendor’s own network undetected.
On top of everything, the attack made use of many online services that the government was switching to as the first wave of the COVID-19 pandemic swept over the United States. A combination of new policies and what is essentially the fog of war allowed the attack to be carried out in secret. Finally, whatever the attackers could not access directly, they could reach by using compromised users’ email accounts to authenticate to, or be granted access to, other related systems.
Unraveling the Attack
In addition to being so effective, this breach (generally referred to as the “Federal Government Breach”) was extremely difficult to unravel. The extent of the damage and even the number of victims was difficult to assess for a number of reasons.
Who Were the Victims?
With certain attacks, it is easy to alert the customers that have been affected. One of the reasons this breach was so devastating was that, in the aftermath of the Orion hack, it was not immediately clear who specifically had been affected. In some previous attacks, it was far easier to know whether someone was affected. In this case, however, not everyone who downloaded the vulnerable software was infected, and not everyone who used Orion stopped using it. Thus, it required an investment of thousands upon thousands of man-hours to make sure that every affected client was helped to avoid infection.
What Information Was Stolen?
One of the scarier parts was that, into early 2021, the government was still trying to find out exactly what was taken and what was affected. In some cases, it is still not clear what was or was not affected. This attack’s ramifications may not be fully known for several more years, as the data from this attack has not yet been put to full use by the attackers. For this reason, the federal government’s Cybersecurity and Infrastructure Security Agency (CISA) recommended that every SolarWinds customer rebuild their systems from scratch, even though SolarWinds itself did not require its customers to do so.
Which Branches of Government Were Affected?
All three branches of government were hurt by this attack, but the executive branch was hit hardest because it holds the most sensitive information. This branch includes everything from the Department of Agriculture to the Department of Education and the Department of Defense, along with all of the associated private information they have access to. Additionally, some local governments were hurt by this as well. Some cybersecurity officials had begun to analyze the attack before it went public, and they published tools to deal with the exploit. Ultimately, however, many of the recommendations revolved around the argument that had Orion been open-source, this vulnerability would have been well known. But because SolarWinds kept its source code closed, identifying what the problem was, and what future problems might be, became essentially impossible.
Motive & Targets
When it comes to motive and targets, these of course vary widely depending on who is being targeted and who is carrying out the attack. That being said, there are some common themes. One thing that many attacks have in common is that they go after personal information from websites, along with the password sets that go with it. This is valuable to several groups.
Criminals Looking to Make a Profit
First and foremost, this is valuable to hackers who are looking simply to sell that information outright and turn a profit. These thieves will post stolen information, either in part or in whole, for sale on a number of encrypted dark web websites. Personal data is also valuable to those looking for ways to use it to exploit weaknesses and infect victims’ computers for financial gain. This type of hacker might use the stolen information to build a botnet, to host ransomware, to capture keystrokes for banking information, to commit identity theft, or for a combination of all of these schemes.
Another group who might want sensitive website data is state-sponsored hackers, who in this example would value a website whose user data has been hacked along with a set of cleartext, readable passwords. This group would find great value in data like this because it can be used to reach their objectives, namely gaining access to the personal information and networks of individuals who happen to work for the federal government. Through this, they are able to infect personal devices that may eventually make their way into government buildings. From there, they can use the compromised personal devices to infect networks or to log in to a government system or website that holds classified information. For state-sponsored hackers, there is a further benefit: anything that increases the number of infected devices they have access to increases the likelihood that they will gain information letting them infect still more computers. The end goal is that some of the devices they infect will have access to the classified information they are looking for.
While all of this relates specifically to impersonal data gathering aimed at gaining access to locked systems, state-sponsored groups also use personal information and compromised data as an asset of spycraft. If you have access to something they want, they will use what they have on you for the purpose of blackmail. With the amount of personal data they could theoretically collect on someone, they will know not only what to use, but which data the target is most sensitive about.
What We Can Learn
While cyber warfare and traditional conflicts/spycraft may not seem wholly interrelated, nation-states use what they can, where they can, to further their goals. Digital information is just another tool that can be used to gain the upper hand in warfare and power struggles. State actors, however, do not confine themselves to attacking government and government-affiliated targets for intelligence-gathering purposes. As recent events have also shown us, businesses are not safe from being targeted by state-sponsored hackers—something we will delve deeper into in the next entry in this series.