Let’s Talk About This Massive Government Cybersecurity Issue We Just Discovered (Part 1 of 2)

“This is the most consequential cyberespionage campaign in history…” 

– Dmitri Alperovitch, a co-founder of CrowdStrike security firm and chairman of Silverado Policy Accelerator, a think tank (source)

On December 13, 2020, just when we all thought that we could relax and enjoy some socially distant holidays and kick 2020 to the curb, some pretty awful news broke. 

This time the news wasn’t about the coronavirus. In fact, this news could be considered by some to be slightly worse than the existence of coronavirus because a vaccine can’t cure it. 

We’re talking about the massive cybersecurity breach that affected most federal agencies in the US, more than 425 of the Fortune 500 companies, and numerous other public and private entities across North America, Europe, Asia, and the Middle East. 

This hack may have affected your company too, so read on to get the facts. 

What Happened?

On December 8, 2020, FireEye, one of the world’s top cybersecurity firms, announced that they had been hacked. This in itself is huge news, because FireEye is the company you call in when your business has just been destroyed by a cyberattack. Sony hired them. Equifax hired them. They’re a huge deal. 

FireEye reports that attackers stole their “Red Team tools,” which are the 300-or-so super-secret tools that FireEye uses to track down elite hackers, such as nation-state hackers. The Red Team tools are like the crown jewels of cybersecurity investigation… and the thieves got ‘em. 

This is bad news, but it gets so much worse. 

Sometime before their official announcement, FireEye let the NSA know that their systems had also been hacked. The NSA specializes in cybersecurity, so the fact that they didn’t know they’d been hacked is both embarrassing and extremely worrisome. 

On December 13, 2020 the US’s Cybersecurity Infrastructure and Security Agency (CISA) released an emergency directive telling all government agencies to “power down” any instances of SolarWinds software in their systems. SolarWinds is a respected network monitoring software used by US government agencies, Fortune 500 companies, and tons of other large companies. 

At that point and over the following few days, news broke that the Pentagon, the NSA, the Department of Homeland Security, the CDC, the State Department, the Treasury, the Department of Commerce, the Department of Energy, the Justice Department, Los Alamos National Laboratories (which makes nuclear weapons), and numerous utility companies had probably been affected by the breach because they all used SolarWinds software

By “affected by the breach,” we mean that these agencies’ and companies’ communications systems had probably been compromised, their email had been read, and an unknown amount of data had been accessed and stolen from them. 

Businesses and public agencies in the rest of North America, Europe, Asia, and the Middle East were also hacked.

How Did the Thieves Get In?

The cybersecurity breach was a very sophisticated “supply chain attack,” which is one of the hardest types of hacking attacks to pull off. This type of attack consists of hacking into a subcontractor to tunnel through to a prime target. 

Confused? We’ll share this handy explanation from the New York Times in which they said that if you wanted to, say, destroy a bunch of military tanks, you could either break into the tank factory and sabotage the tanks directly (for which you would probably get caught and imprisoned) or you could figure out who sells, say, ball bearings to the tank factory – and then break into their factory and flatten all the ball bearings on one side. 

In that scenario the tanks would still be sabotaged, but you would have a much lower likelihood of being caught and punished. The ball bearings are part of the supply chain for making the tanks… and, similarly, the SolarWinds software is part of the supply chain for network monitoring at a lot of really impressive companies and government agencies. 

Here’s how the hackers broke into the supply chain: 

  • At some point in the past, we don’t know when, hackers got into SolarWinds’s systems. This may have been the result of poor password management – it looks like SolarWinds openly published their security update download site’s password on GitHub by mistake.
  • In October 2019, hackers began crafting a fake software security update that would mimic the code in SolarWinds’s Orion security updates, but with extra code in there that would deliver malware to the users who downloaded the update. 
  • By March 2020, the hackers uploaded the fake security update to the SolarWinds website. It looked very real because it mostly contained SolarWinds’s code and because it was signed with SolarWinds’s security certificate. 
  • Following cybersecurity best practices, up to 18,000 users downloaded the fake security update between March and May 2020. By doing so, they unintentionally installed malware that gave the hackers a “back door” into the computer systems of most of the US government agencies, the world’s top cybersecurity firms, and a bunch of the leading global enterprises. 

Extra bad news: On December 17, 2020, CISA announced that SolarWinds may not have been the only software affected by the poisoned supply chain software attack. Other third-party software solutions are also likely to have been affected… but we don’t know which ones yet. 

It’s time to be extra diligent about your cybersecurity. 


Learn More in Part 2

Get Cybersecurity Help for Your Systems and Networks

Whether or not you use SolarWinds software, you may have become the victim of a cybersecurity breach in 2020. To secure your systems against further attack, or to prevent an attack in the first place, it’s a smart idea to hire an expert cybersecurity team that works with small and mid-sized businesses and organizations like yours. 

For 20 years, Interplay has been helping Seattle-area businesses secure their systems from attack, set up and maintain technology that really works, and save big on the high costs of tech. 

Curious whether your systems are secured? Check out our DIY Network Health Checkup for fast answers on your current cybersecurity status. 

 


Photo by NASA from Unsplash