“This is the most consequential cyberespionage campaign in history…”
– Dmitri Alperovitch, a co-founder of CrowdStrike security firm and chairman of Silverado Policy Accelerator, a think tank (source)
On December 13, 2020, just when we all thought that we could relax and enjoy some socially distant holidays and kick 2020 to the curb, some pretty awful news broke.
This time the news wasn’t about the coronavirus. In fact, this news could be considered by some to be slightly worse than the existence of coronavirus because a vaccine can’t cure it.
We’re talking about the massive cybersecurity breach that affected most federal agencies in the US, more than 425 of the Fortune 500 companies, and numerous other public and private entities across North America, Europe, Asia, and the Middle East.
This hack may have affected your company too, so read on to get the facts.
On December 8, 2020, FireEye, one of the world’s top cybersecurity firms, announced that they had been hacked. This in itself is huge news, because FireEye is the company you call in when your business has just been destroyed by a cyberattack. Sony hired them. Equifax hired them. They’re a huge deal.
FireEye reports that attackers stole their “Red Team tools,” which are the 300-or-so super-secret tools that FireEye uses to track down elite hackers, such as nation-state hackers. The Red Team tools are like the crown jewels of cybersecurity investigation… and the thieves got ‘em.
This is bad news, but it gets so much worse.
Sometime before their official announcement, FireEye let the NSA know that their systems had also been hacked. The NSA specializes in cybersecurity, so the fact that they didn’t know they’d been hacked is both embarrassing and extremely worrisome.
On December 13, 2020 the US’s Cybersecurity Infrastructure and Security Agency (CISA) released an emergency directive telling all government agencies to “power down” any instances of SolarWinds software in their systems. SolarWinds is a respected network monitoring software used by US government agencies, Fortune 500 companies, and tons of other large companies.
At that point and over the following few days, news broke that the Pentagon, the NSA, the Department of Homeland Security, the CDC, the State Department, the Treasury, the Department of Commerce, the Department of Energy, the Justice Department, Los Alamos National Laboratories (which makes nuclear weapons), and numerous utility companies had probably been affected by the breach because they all used SolarWinds software.
By “affected by the breach,” we mean that these agencies’ and companies’ communications systems had probably been compromised, their email had been read, and an unknown amount of data had been accessed and stolen from them.
Businesses and public agencies in the rest of North America, Europe, Asia, and the Middle East were also hacked.
The cybersecurity breach was a very sophisticated “supply chain attack,” which is one of the hardest types of hacking attacks to pull off. This type of attack consists of hacking into a subcontractor to tunnel through to a prime target.
Confused? We’ll share this handy explanation from the New York Times in which they said that if you wanted to, say, destroy a bunch of military tanks, you could either break into the tank factory and sabotage the tanks directly (for which you would probably get caught and imprisoned) or you could figure out who sells, say, ball bearings to the tank factory – and then break into their factory and flatten all the ball bearings on one side.
In that scenario the tanks would still be sabotaged, but you would have a much lower likelihood of being caught and punished. The ball bearings are part of the supply chain for making the tanks… and, similarly, the SolarWinds software is part of the supply chain for network monitoring at a lot of really impressive companies and government agencies.
Here’s how the hackers broke into the supply chain:
Extra bad news: On December 17, 2020, CISA announced that SolarWinds may not have been the only software affected by the poisoned supply chain software attack. Other third-party software solutions are also likely to have been affected… but we don’t know which ones yet.
It’s time to be extra diligent about your cybersecurity.
Whether or not you use SolarWinds software, you may have become the victim of a cybersecurity breach in 2020. To secure your systems against further attack, or to prevent an attack in the first place, it’s a smart idea to hire an expert cybersecurity team that works with small and mid-sized businesses and organizations like yours.