8 April 2021

Lessons of the SolarWinds hack


Russia’s SolarWinds hack appears to constitute reconnaissance and espionage of the sort that the US itself excels at, not an act of war, writes Marcus Willett.

In late 2020, the American cyber-security community discovered a widespread breach of private-sector and government networks. A primary vector for the breach appeared to be the hacking of software provided by the US information-technology company SolarWinds. The United States government identified the likely perpetrator as a Russian intelligence agency. Ever since, complex and painstaking technical investigations have been under way into the precise nature and extent of the breach. At the same time, debate has raged about the intent behind the hack and the implications for the cyber policies of the US, and states in general, including whether some form of retaliation is justified. This article examines issues raised by the SolarWinds hack with respect to the cyber-security, offensive-cyber and broader national-security policies of the US and its allies.

What we know

The story first broke when FireEye, a top US cyber-security company involved in many major investigations and responsible for publicly identifying the perpetrators of numerous attacks (including the Russian intelligence services), announced in December 2020 that it had been hacked by a state with ‘top tier’ capabilities. Its own ‘red-team’ tools – developed by FireEye to test client defences based on previously detected capabilities – had been accessed. FireEye further discovered that the vector used by the hackers was the IT company SolarWinds and that there were many other victims.

SolarWinds is a Texas-based company that supports its clients by supplying software called Orion to monitor and manage IT networks, including by aggregating, analysing and visualising large amounts of data. Investigations following FireEye’s initial discovery showed that the hackers had infected SolarWinds’ Orion software as early as October 2019, allowing them to use a routine software security update from SolarWinds in March 2020 to install malicious software in the company’s clients’ networks. The hackers may have taken advantage of lax security practices to penetrate SolarWinds in the first instance and, by hiding within that security update, evaded the clients’ cyber-security defences. In that sense, it was an ingenious attack, with Microsoft suggesting that it might have taken ‘1,000 very skilled, very capable engineers’ to design and execute it. According to SolarWinds, 18,000 of its clients downloaded the infected software.
