Although the Russian hack was discovered last month, we will be feeling its reverberations for a long time. On December 13th, the US government announced that various government networks, including the Treasury and Commerce Departments, had been hacked. The Department of Homeland Security gave swift orders to government agencies to shut down all network management software created by SolarWinds. The software giant had discovered malicious code in one of its programs, which had been sent to its entire network of customers, potentially tens of thousands of organizations.
The US government is not the only victim of the Russian hack, known as the SolarWinds hack. Big tech companies like Cisco, Intel, Nvidia, Belkin, VMware, and Microsoft have been affected, along with the city network of Austin, Texas and the US nuclear weapons agency. Education systems, think tanks, and international governments have also been compromised. While this is not the first international espionage campaign, it is quite possibly the largest ever to hit the US. The exact number of victims is unknown, but it could range between 18,000 and 33,000.
How the attack was carried out
The SolarWinds hack is a classic but sophisticated “supply-chain attack.” The attackers did not target individual organizations directly; instead, they compromised one company, SolarWinds, which designs software for large organizations. The company has tens of thousands of customers, so when the hackers implanted malicious code into the software’s automatic updates, all of the company’s customers who installed those updates were infected. There was no hint of foreign actors because the code had come from a trusted U.S. source.
Taking immediate action
SolarWinds has traced the hack back to March. After nine months embedded in victims’ systems, it is likely the hackers have already created additional entry points or backdoors in case the original entry point is shut down.
Victims are now faced with two very unpleasant choices: combing through their computers to locate the malware and destroy it, or building their networks from scratch. For companies, either choice means a huge expenditure of time and money. For the US government, however, the ramifications may be far worse. At this point, it is unclear exactly what the fallout will be, but it is evident the hackers were able to amass an incredible amount of confidential information over an extended period of time. What they will do with that information is yet to be seen.
Taking preventative action
From this point forward, the government will need to include cybersecurity in its list of top priorities. The current cybersecurity tools used by the Cybersecurity and Infrastructure Security Agency (CISA) are more reactive than proactive, so when attackers wanted to invade, they only needed to bypass known security barricades. Implementing a zero-trust network, in which networked devices like laptops and phones are not trusted by default and must be verified on every access, is one step toward preventing this from happening again.
Companies and organizations will also need to upgrade their cybersecurity systems, not only with a zero-trust network but with meticulous human vigilance. Adding a cybersecurity professional to the staff should not be viewed as a luxury, but a necessity. If you cannot find one due to the shortage in this field, look into training current employees. It is a costly and time-consuming investment, but the payoff can be invaluable.
We have learned from the Russian hack that we can never let our guard down when it comes to maintaining the integrity of our networks. Cybersecurity is a dynamic field that develops defenses and then evolves when new threats are found. There is no room for complacency.
For additional resources and guidance, the Interfor team is here to help.