December 15, 2020
The United States recently announced that it was among the many countries and organizations targeted in an ongoing cyberattack that likely originated as far back as March or June of 2020. The U.S. Department of Homeland Security – which was specifically compromised as part of this cyberattack – has issued a directive to all federal agencies to immediately stop using SolarWinds products. SolarWinds Orion is a computer network management tool used by the Federal Government and is believed to be the tool that was being exploited by the hackers. Cyberattacks against governments are unfortunately common, and there is a long history of countries spying on other countries.
Dr. Tom Holt, a cybercrime and cybersecurity expert in the School of Criminal Justice at Michigan State University, discusses how these attacks are discovered, why they take so long to identify, and what the United States can do to prevent these attacks in the future.
In cyberattacks, identifying a potential source of the attack is done through triangulating multiple pieces of information obtained through forensic analysis of affected computers, as well as other tools like Intrusion Detection Systems (IDS) and reviews of network traffic usage. Looking at when a computer was affected, and retracing the path of unusual or malicious traffic, including when users are logging in, can all help to paint a picture of potential attribution. Another key tool in identification is reverse engineering, or disassembling the malicious software and code involved in an attack. There are often details in the code that may point to a specific place or actor, such as character sets unique to a specific language (like Cyrillic or Chinese characters). This information can then be compared to tools used in prior identified attacks and help match unknown attacks to potential sources of an attack.
Typically, nation states will use tactics that make it deliberately hard to identify what exactly they are doing for a long period of time – essentially, they are covering their tracks as they go along. The hackers may try to obtain login credentials of existing employees through phishing attempts, malware, or social engineering. With this attack in particular, malware was utilized through patches from a trusted source (SolarWinds Orion). Then the hackers will move within an organization slowly, from system to system, working during off processing hours to try to conceal their activities as they work.
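The two points above, that investigators retrace unusual traffic and login timing, and that intruders move slowly from system to system during off-hours, can be turned into a small detection routine. The following is an added example, not code from the article or from Dr. Holt, and it runs over constructed authentication log lines in a hypothetical "timestamp key=value" format; the host names, user names, business-hours window and the two-day baseline are all assumptions for illustration.

```python
"""Added example (not part of the article): flag off-hours logins and
first-seen host-to-host paths in constructed authentication log lines."""
from datetime import datetime, timezone

# Constructed sample log lines (hypothetical format: ISO timestamp, key=value pairs).
SAMPLE_LOGS = """\
2020-06-08T09:02:11Z user=jsmith src=ws-101 dst=fileserver01 action=login
2020-06-08T10:15:40Z user=jsmith src=ws-101 dst=mailhost action=login
2020-06-09T08:55:03Z user=jsmith src=ws-101 dst=fileserver01 action=login
2020-06-10T02:13:44Z user=jsmith src=fileserver01 dst=dc01 action=login
2020-06-10T02:20:09Z user=jsmith src=dc01 dst=backup01 action=login
2020-06-10T11:30:00Z user=amartin src=ws-205 dst=fileserver01 action=login
"""

BUSINESS_HOURS = range(7, 19)  # assumed normal working window, 07:00-18:59 UTC


def parse_line(line):
    """Parse one constructed log line into a dict; return None on malformed input."""
    parts = line.split()
    if len(parts) < 2:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    if not {"user", "src", "dst"} <= fields.keys():
        return None
    fields["ts"] = ts
    return fields


def analyze(log_text, baseline_days=2):
    """Return a list of (timestamp, user, reason) alerts.

    The first `baseline_days` distinct days in the log are treated as the
    known-good baseline: src->dst pairs seen then count as normal. After that,
    a login is flagged if it happens outside business hours or uses a
    host-to-host path never seen in the baseline (possible lateral movement).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    days = sorted({e["ts"].date() for e in events})
    baseline = set(days[:baseline_days])
    known_paths = {(e["src"], e["dst"]) for e in events if e["ts"].date() in baseline}
    alerts = []
    for e in events:
        if e["ts"].date() in baseline:
            continue  # baseline period is assumed clean and is not alerted on
        reasons = []
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours login")
        if (e["src"], e["dst"]) not in known_paths:
            reasons.append(f"first-seen path {e['src']}->{e['dst']}")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

On the constructed data the two 02:00 logins that hop from the file server to the domain controller and then to a backup host are flagged on both counts, while the daytime login from a workstation not seen in the baseline is flagged only as a new path. A real deployment would build the baseline from weeks of data and per-user working hours rather than two days and one fixed window.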
This is a challenge, as the United States is taking active steps to improve the national posture towards cyberattacks. One of the key aspects of this work is to actively lock down as many points of vulnerability as possible. This is hard to achieve, because too much security can make it hard for employees to get their tasks completed. Too little makes it easy for targets to be hacked. As technologies also change, security professionals face a constant demand of balancing security with usability. Attackers recognize this dilemma and are always applying creative strategies to gain inroads into targets through the least visible points in an organization. That is what you can see in this instance – attackers using a supposedly trusted source to gain backdoor access into sensitive systems. If we can’t trust what was otherwise trustworthy, how do we operate? Thus, cybersecurity professionals will now have to find ways to ensure that their trustworthy sources have not been compromised so that they can reduce additional threats to their organizations.
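One concrete way to check that a trusted update is what it claims to be is to verify every component of a release against a per-file digest manifest, and to verify the manifest itself against a digest obtained through a second channel before trusting it. The following is an added example, not code from the article, from Dr. Holt, or from SolarWinds; the release files, the manifest and the pinned manifest digest are all constructed here, and the second channel is an assumption. Note the limit of the check: it confirms the download matches what the vendor published, so it would not catch a build that was altered before the vendor signed and published it, which is why such checks complement rather than replace monitoring of what the installed software actually does.

```python
"""Added example (not part of the article): fail-closed verification of a
downloaded release against a hash-pinned per-file manifest."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def manifest_digest(manifest: dict) -> str:
    # Canonical JSON so the same manifest always hashes the same way.
    return sha256_hex(json.dumps(manifest, sort_keys=True).encode())


# Constructed release: component name -> file bytes (stand-ins for real binaries).
GENUINE_RELEASE = {
    "core.dll": b"constructed core component bytes",
    "plugin.dll": b"constructed plugin component bytes",
}
# Manifest the vendor would publish with the release (constructed): per-file digests.
MANIFEST = {name: sha256_hex(data) for name, data in GENUINE_RELEASE.items()}
# Digest of the manifest obtained through an assumed second channel (constructed here).
MANIFEST_PIN = manifest_digest(MANIFEST)


def verify_release(files: dict, manifest: dict, manifest_pin: str):
    """Return (ok, findings). Fails closed on any discrepancy:
    a manifest that does not match its pin, a file whose digest differs,
    a manifest entry missing from the download, or a downloaded file the
    manifest does not list (an added component is as suspicious as a changed one)."""
    if not hmac.compare_digest(manifest_digest(manifest), manifest_pin):
        return False, ["manifest digest does not match pinned value"]
    findings = []
    for name, expected in manifest.items():
        if name not in files:
            findings.append(f"{name}: listed in manifest but missing from download")
        elif not hmac.compare_digest(sha256_hex(files[name]), expected):
            findings.append(f"{name}: digest mismatch")
    for name in files:
        if name not in manifest:
            findings.append(f"{name}: present in download but not in manifest")
    return (not findings), findings


if __name__ == "__main__":
    print(verify_release(GENUINE_RELEASE, MANIFEST, MANIFEST_PIN))
    tampered = dict(GENUINE_RELEASE, **{"plugin.dll": b"altered bytes", "extra.dll": b"new file"})
    print(verify_release(tampered, MANIFEST, MANIFEST_PIN))
```

The constant-time comparison from `hmac.compare_digest` is a habit worth keeping even for digests; the more important design choice is that the function returns no verdict of "ok" unless every listed file matches and nothing unlisted is present.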