December 24, 2020
By Raphael Satter
WASHINGTON (Reuters) – Cybersecurity expert Steven Adair and his team were in the final stages of kicking hackers out of a think tank network earlier this year, when a suspicious pattern in the registration data caught his eye.
The spies not only managed to hack – a common occurrence in the world of cyber incident response – but they navigated straight to the customer’s email system, going through the newly updated password protections as if they didn’t exist.
“Wow,” reminded Adair of thinking about a recent interview. “These guys are smarter than the average bear.”
It was only last week that Adair’s company – Volexity of Reston, Virginia – realized that the bears it struggled with were the same group of advanced hackers that compromised Texas-based software company SolarWinds.
Using a subverted version of the company’s software as an improvised skeleton key, hackers have infiltrated a range of U.S. government networks, including the Departments of the Treasury, Homeland Security, Commerce, Energy, State and other agencies.
When news of the hack broke, Adair immediately thought of the think tank, where his team tracked one of the hacking efforts on a SolarWinds server, but never found the evidence he needed to find the precise entry point or alert the company. The digital indicators published by cybersecurity company FireEye on December 13 confirmed that the think tank and SolarWinds were hit by the same actor.
US officials and lawmakers have claimed that Russia is to blame for the wave of hackers, an accusation the Kremlin denies.
Adair – who spent about five years helping defend NASA from hacker threats before finally founding Volexity – said he had mixed feelings about the episode. On the one hand, he was pleased that his team’s assumption about a SolarWinds connection was right. On the other hand, they were on the verge of a much bigger story.
A large part of the United States ‘cybersecurity industry is now in the same place as Volexity was earlier this year, trying to find out where the hackers were and eliminate the various secret access points that hackers likely planted in their victims’ networks. Adair’s colleague Sean Koessel said the company was receiving about 10 calls a day from concerned companies that might have been targeted or that the spies were on their networks.
His advice to anyone looking for hackers: “Don’t leave a stone unturned.”
Koessel said the effort to remove hackers from the think tank – which he declined to identify – stretched from late 2019 to mid-2020 and led to two further break-ins. Performing the same task across the United States government is likely to be much more difficult.
“I could easily see that it would take half a year or more to find out – if not the years for some of these organizations,” said Koessel.
Pano Yannakogeorgos, an associate professor at New York University who served as the founding dean of Air Force Cyber College, also foresaw an extended timetable and said that some networks would have to be removed and replaced at wholesale.
In any case, he predicted a high price, as caffeine experts were brought in to examine digital records for signs of compromise.
“There is a lot of time, treasure, talent and Mountain Dew involved,” he said.
(Reporting by Raphael Satter; Editing by Andrea Ricci)