SolarWinds hack: How Sunburst hackers infiltrated highest levels of US government

Cyber attack went undetected for months, meaning it may have since morphed into far more insidious malware still lurking on victims’ computers

Anthony Cuthbertson
Friday 18 December 2020 14:27 GMT
Software from SolarWinds compromised around 18,000 organisations (Getty Images)


The largest hack of a Western government in recent memory appears to have stemmed from an innocuous-looking pop-up message.

In March, IT staff at up to 18,000 companies and organisations using SolarWinds software clicked on a link to download the latest version of a product called Orion. SolarWinds makes technology that allows organisations – including US federal agencies and some of the world’s biggest companies – to manage their computer systems and networks, and so updates of this kind arrive regularly.

What neither SolarWinds nor the IT workers knew was that the new version of the software was laced with malware that would grant hackers “God-view” access to any infected networks.

So how did hackers manage to infiltrate the highest levels of the US government and go unnoticed for so long?

The hack, known as Sunburst, may have happened in the spring but the groundwork for the attack most likely began much earlier. In order to booby-trap the pop-up, the hackers first needed to gain access to SolarWinds’ computer systems.

Once inside the US firm, the hackers were able to secretly insert the malware into a standard security update, which would have looked identical to numerous other updates issued by the popular IT management software.

SolarWinds counts all five branches of the US military, the Pentagon, the State Department and the Office of the President of the United States among its 300,000 global customers.

All were advised to update their software immediately in order to address the security vulnerability, though for many it will already be too late.

In a security advisory published this week, SolarWinds described it as a “very sophisticated” attack that “could potentially allow an attacker to compromise the server” of the victims, meaning sensitive information would have already been exposed.

Not only that, the fact the hackers had a nine-month head start before being discovered means they could have already developed new and much harder-to-detect methods of lurking within victims’ computer systems.

As such, uncovering the malware and issuing an update is just the beginning of the process of rooting out any malicious actors still probing the networks.

It is not yet known, at least not publicly, whether any state secrets or highly classified information were breached, though US senators have called for a full list of any federal agency impacted by the attack.

It is expected to take months to uncover the full extent of the attack, with forensic investigations aiming to figure out which emails, files and other data were accessed, and whether they were copied or transmitted to other systems.

Who was behind the SolarWinds hack?

The sophisticated nature of the hack points to a nation state, with US adversaries in the cyber domain most commonly being China, Iran, North Korea and Russia.

“We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker,” SolarWinds explained in its advisory.

Some security experts believe it has the hallmarks of a Russian hacking collective known as Cozy Bear, which has links to Russia’s Foreign Intelligence Service, the SVR.

Former Homeland Security adviser Thomas Bossert said that “evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world.”

Cyber security firm FireEye, which was the first to report the hack after falling victim to it, also said it was likely a Russian operation, using “top-tier operations tradecraft and resources”, though Russia has denied any involvement.

“I reject these statements, these accusations,” said Vladimir Putin’s press secretary Dmitry Peskov.

“Even if it is true there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away. We have nothing to do with this.”
