The Sunburst hack was massive and devastating – 5 comments from a cybersecurity expert

Much remains unknown about what is now being called the Sunburst hack, the cyber attack against US government agencies and corporations. American officials widely believe that hackers sponsored by the Russian state are responsible.

The attack gave its perpetrators access to numerous major American companies and government organizations. The immediate effects will be difficult to judge, and a full accounting of the damage is unlikely. However, the nature of the affected organizations alone makes it clear that this is perhaps the most consequential cyber attack on the United States to date.

An act of cyberwar is generally not like a bomb, which causes immediate and well-known damage. Instead, it is more like cancer – it is slow to detect, difficult to eradicate and causes significant and continuous damage over a long period of time. Here are five points that cybersecurity experts – oncologists in the cancer analogy – can make with what is known so far.

1. The victims were hard nuts to crack

From top-tier cyber security firm FireEye to the United States Treasury, Microsoft, Intel and many other organizations, the victims of the attack are mostly organizations with mature cyber security practices. The list of organizations using the compromised software includes companies like MasterCard, Lockheed Martin and PricewaterhouseCoopers. SolarWinds estimates that some 18,000 customers were affected.

As CEO of cybersecurity company Cyber Reconnaissance Inc. and associate professor of computer science at Arizona State University, I have met security professionals from many of the targeted organizations. Many of these organizations have world-class cyber security teams. They are some of the hardest targets to breach in corporate America. Sunburst victims were specifically targeted, probably with a primary focus on intelligence gathering.

2. This was almost certainly the work of a nation – not criminals

Criminal hackers focus on short-term financial gain. They use techniques like ransomware to extort money from their victims, steal financial information and hijack computing resources for activities such as sending spam emails or mining cryptocurrency.

Criminal hackers exploit known security vulnerabilities that victims could have closed had they been more meticulous about their security. They typically target organizations with weaker security, such as healthcare systems, universities and city governments. University networks are notoriously decentralized, difficult to protect and often underfunded in cybersecurity. Medical systems tend to rely on specialized medical devices that run older, vulnerable software that is difficult to update.

Hackers associated with national governments, on the other hand, have entirely different motives. They seek long-term access to critical infrastructure, gather intelligence and develop the means to disable particular industries. They also steal intellectual property – especially intellectual property that is expensive to develop, in areas such as high technology, medicine, defense and agriculture.

[Image: a smartphone displaying the FireEye logo. Caption: One of the targeted organizations, cyber security firm FireEye, would be a poor choice for cybercriminals but a highly desirable one for the Russian government or other US adversaries. Credit: SOPA Images / LightRocket via Getty Images]

The enormous effort required to infiltrate any one of Sunburst’s victim companies is a further sign that this was not merely a criminal hack. A company like FireEye, for example, is an inherently poor target for a criminal attacker: it has fewer than 4,000 employees, yet its computer security is comparable to that of the world’s leading financial and defense companies.

3. The attack exploited trusted third-party software

The hackers gained access by inserting their malware into software updates for SolarWinds’ Orion software, which is widely used to manage large organizational networks. The Sunburst attack relied on the trusted relationship between the target organization and SolarWinds. When Orion users updated their systems in the spring of 2020, they unwittingly invited a Trojan horse onto their computer networks.

Aside from a report of lax security at SolarWinds, very little is known about how the hackers gained initial access to SolarWinds. However, Russian actors used the same tactic of compromising a third-party software update process in 2017, during the infamous NotPetya attack, which is considered the most financially damaging cyber attack in history.

4. The extent of the damage is unknown

It will take some time to discover the extent of the damage. The investigation is complicated because the attackers gained access to most victims in the spring of 2020, which gave them time to expand and conceal their access to, and control of, victims’ systems. For example, some experts believe that a vulnerability in VMware software, which is widely used on corporate networks, was also used to gain access to victims’ systems, although the company denies this.

[Image: the Microsoft logo on the side of a building. Caption: Some of the exposed organizations, such as Microsoft, made limited use of the SolarWinds software, which appears to have contained the damage they suffered. Credit: Raimond Spekking, CC BY-SA]

I hope that the damage will be distributed unevenly among the victims. It will depend on several factors, such as the extent of the organization’s use of SolarWinds software, the segmentation of its networks and the nature of its software maintenance cycle. For example, Microsoft reportedly had limited Orion deployments, so the attack had limited impact on its systems.

In contrast, the haul the hackers stole from FireEye included penetration testing tools, which FireEye used to test the defenses of its leading customers. The hackers probably valued the theft of these tools both as a way to expand their own resources for future attacks and as a source of information about what FireEye’s customers are protecting.

5. Consequences can include real-world damage

There is a very fine line, often a nonexistent one, between gathering information and causing damage in the real world. What begins as espionage can easily turn into war.

The presence of malware that gives an attacker elevated privileges on a computer system is dangerous. Hackers can use their control of a computer system to destroy computer systems, as was the case with Iran’s cyber attacks against Saudi Aramco in 2012, or to damage physical infrastructure, as was the case with the Stuxnet attack against Iranian nuclear facilities in 2010.

In addition, information alone can cause real harm to individuals. For example, the Chinese breach of Equifax in 2017 placed detailed financial and personal information about millions of Americans in the hands of one of the U.S.’s largest strategic competitors.

No one knows the full extent of the Sunburst attack, but its scope is large and the victims represent important pillars of the United States’ government, economy and critical infrastructure. The information stolen from these systems, and the malware the hackers likely left on them, can be used for subsequent attacks. I believe that the Sunburst attack is likely to result in harm to Americans.
