Accusations against Russia and a still incalculable extent: The major cyber attack on the USA is causing fundamental discussions. How could it happen that attackers gained access to the IT systems of numerous US ministries – and what is the consequence now? The most important questions and answers at a glance.
What happened?
Almost every day, the list of companies and authorities said to be affected by the major cyberattack on targets, primarily in the USA, continues to grow.
It is said to have started in March of this year at the latest: attackers broke into the US software company SolarWinds, which provides network management services for many private and public customers. There, they secretly laced software updates with malware. When customers downloaded and installed these updates from SolarWinds, the attackers gained access to the victims’ networks via a backdoor. And that remained the case until the time of discovery, now more than six months later.
According to SolarWinds, the malware was included in the software and distributed to 18,000 customers until June.
All of this was discovered not because any of the affected U.S. government agencies raised the alarm, but because the high-profile IT security firm FireEye made the attack public. FireEye had also been compromised via a malware-infected update of SolarWinds, but had discovered the backdoor and made it public. In the meantime, the company is working to fix the problem.
Since the attackers remained undetected for several months, it is conceivable that they could have placed further malware in some of the attacked systems via the backdoor. Such access points are often harder to detect because the attackers were able to cover their tracks at their leisure – or they quietly collected information there unnoticed.
Since the attacks have to be carried out manually in the second step, i.e. once the backdoor has been obtained, IT security expert Alex Stamos assumes that the attackers are likely to have prioritized which targets they were particularly interested in. Stamos, who was once Facebook’s IT security chief and now heads Stanford University’s Internet Observatory, said this on the U.S. podcast Political Gabfest.
Dmitri Alperovitch, co-founder and former chief technology officer of the IT security firm Crowdstrike, also does not believe that the attackers examined each of the 18,000 companies that downloaded the SolarWinds update: he wrote on Twitter that there simply may not have been enough human resources to do so.
Who is affected, and what have the attacks achieved?
That is difficult to assess at this point.
So far, the Departments of Homeland Security, Commerce and Treasury and the Pentagon are among the victims. Affected systems have been disconnected from networks, the department said. Key national security functions are not believed to have been affected, according to investigations so far. At the Departments of Commerce and Treasury, it is said to have been possible to read internal email histories. Microsoft said 40 of its customers were targeted by the attackers using sophisticated measures.
Given the nature of the attacks, however, it is not yet clear, nor can it be, which systems in which government agencies and companies are affected. A spokesman for the oversight committee in the House of Representatives also said Friday that the scope of the attack is so broad that even cybersecurity experts cannot yet provide an overview of the breadth of the infiltration.
After all, not every SolarWinds customer who inadvertently introduced malware into their systems via the software update has necessarily been targeted further by the attackers. And yet, of course, all those affected must be prepared for the possibility that it did happen but has not yet been discovered. Or will only become apparent in the future – when malware left behind by the attackers is subsequently activated. After all, the attackers have had more than half a year to work their way into the systems and cover their tracks.
Security researcher Stamos wrote in the Washington Post that he expects it to take months, if not years, for the full extent of the attack to become apparent – only then will thousands of companies be able to determine that they were affected by the attack and what was taken.
After all, more than 400 of the Fortune 500 companies in the U.S. also use SolarWinds software, including AT&T and Comcast. The customer base of SolarWinds also includes at least two DAX-listed companies, Siemens and Deutsche Telekom, according to Handelsblatt. Whether they actually use the compromised software still seems unclear. The Federal Ministry of the Interior confirmed on Friday upon request that German companies and authorities were also using the infected software. However, according to current knowledge, the number of those affected is small – and according to the Federal Office for Information Security, there are no indications that the attackers were active in the affected networks.
NATO also uses the software for its headquarters in Belgium, but there is so far no evidence of an intrusion into NATO systems, a spokesman said, according to the AFP news agency. The affected SolarWinds software is also said to have been used in the EU Commission, but no intrusion has been detected.
In its report, Microsoft continues to speak of a “successful attack on confidential information of the US government”. However, it is still unclear what information could have been tapped – and it will probably remain unclear, at least in its full extent, in the coming weeks and months. Here, too, because the attackers had months to move around in their victims’ systems, it will probably only become clear bit by bit what could be accessed.
Microsoft and FireEye are already working on solutions to render the attackers’ backdoors harmless. However, the solution found so far apparently does not yet eliminate the attackers from their victims’ systems in all cases.
How is the U.S. now responding to the attacks?
Outgoing U.S. President Trump was silent on the attacks for a long time, and when he finally spoke out about them, he mainly talked them down. Joe Biden, the president-elect and incoming president of the U.S., promised to impose “significant costs on those responsible for such malicious attacks” – whatever that means in detail.
Although the scale of the attack is immense, truly serious reactions are not to be expected. After all, it is important to note: The USA is no stranger to attacks against foreign government networks. One only has to think of the corresponding activities of the NSA.
Many observers from the security community are now concerned with two questions in particular: how such an attack could have gone undetected, or at least unpublicized, for so long within the U.S. authorities – and what can be done in the future to prevent attacks of this kind. In the Washington Post, for example, IT security researcher Stamos recommended, among other things, that defense in the area of IT security be prioritized just as highly as the offensive area and intelligence gathering. For example, he said, CISA, the agency responsible for cyber and infrastructure security, was established only two years ago – and is staffed at a fraction of the level of the NSA.
In addition, he called on the Biden administration to involve cybersecurity experts more in the decision-making processes surrounding such incidents, rather than relying primarily on legal expertise, as has been the case in the past.
by Jeremy Abbott – American Correspondent