SolarWinds Orion Hack: Why Cybersecurity Experts Are Concerned

But what little we do know is that cybersecurity experts are extremely concerned, and some describe the attack as, quite literally, a wake-up call.

“Last night I woke up at midnight with a stomach ache,” said Theresa Payton, who served as White House chief information officer under President George W. Bush. “On a scale of 1 to 10, I’m at a 9, and it’s not what I know; it’s what we don’t know yet.”

On Sunday evening, the Commerce Department acknowledged it had been hit by a data breach after Reuters first reported that sophisticated hackers had broken into the agency through an external software provider known as SolarWinds. While SolarWinds is not a household name, it works with many companies and organizations that are.

Since then, more details have emerged that suggest a much broader pattern of compromise. As many as 18,000 SolarWinds customers, out of a total of 300,000, may have been running the tainted software that let the hackers break into the Commerce Department, the company said in an investor filing this week.

According to analysts contacted by CNN Business and published security reports, here is why the cyberattacks reported this week are keeping experts up at night: who was targeted, who the attackers are suspected to be, and how they operated.

All federal agencies on alert

One of the reasons the attack is so troubling is the question of who may have been a victim of the espionage campaign.

At least three U.S. agencies have publicly confirmed they were compromised: the Department of Commerce, the Department of Homeland Security and the Department of Agriculture.

But the range of potential victims is much, much larger, which raises the disturbing prospect that the U.S. military, the White House or the public health agencies responding to the pandemic may also have been subjected to foreign espionage. Security experts have noted that the Department of Justice, the National Security Agency and even the U.S. Postal Service are also potentially exposed.

DHS officials have told all federal civilian agencies to review their systems in an emergency directive. It is only the fifth emergency directive the Cybersecurity and Infrastructure Security Agency (CISA) has ever issued.

The U.S. government is not the only target: the elite cybersecurity company FireEye, which itself fell victim to the attack, said companies across the economy were also exposed to espionage. According to FireEye, the tainted software that enabled the espionage has been found at victims in the technology and telecommunications industries, as well as at consulting firms and energy companies.

Security experts say this is just the beginning. In the coming days, we may learn that many more companies and agencies have been compromised than initially suspected. And we still don’t know what information may have been lost or stolen.

Extraordinarily skilled attackers

Another cause for concern is that the attackers appear to have been extraordinarily skillful and determined.

“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” FireEye said, adding that the intrusions appear to date back to the spring. “Each of the attacks require meticulous planning and manual interaction.”

Attributing any cyberattack is difficult in the best of circumstances, and it is even harder when a sophisticated actor works to cover its tracks, as these attackers did. But U.S. officials have provisionally said the culprit may have ties to Russia.

That agents of a foreign government may have been responsible for the intrusions is worrying not only because of the attackers’ abilities, but also because of their motives. These were not opportunistic cybercriminals indiscriminately probing whatever targets they could find in hopes of extorting their victims for a quick payday. These were highly motivated attackers who selected each of their victims for a specific purpose that is still unknown.

“If you are in someone’s network for six months, there are many opportunities,” said James Lewis, a cybersecurity expert at the Center for Strategic and International Studies, a security think tank. “It’s an incredible coup for the Russians, really impressive.”

An unusual and creative hack

A third cause for concern is the unusual and creative way the attackers carried out their operation: hiding the initial intrusion inside legitimate software updates issued by SolarWinds.

“SolarWinds is one of the most widely used and effective tools for network management, including on federal networks and at large corporations,” said Jamie Barnett, a retired Navy rear admiral and senior vice president at cybersecurity firm RigNet. “It takes a nation-state cyberattack to get into SolarWinds updates and patches.”

By tampering with otherwise trustworthy software updates, the attackers cleverly exploited the normal, recommended practice of keeping software up to date. Thousands of companies and government agencies could have been exposed simply by doing the right thing.

That’s what’s scary: it’s not clear what could have been done differently in this case, because the very process meant to assure users that “this software can be trusted” was itself compromised.

Once inside a target, the attackers waited patiently until they had collected enough data about authorized users to impersonate them, which allowed the hackers to move through a victim’s network undetected for months, according to an analysis by cybersecurity company CrowdStrike.

The degree of access the hackers enjoyed, and the length of time they had to gather information, could make this “a much worse cyberattack than the breach of the Office of Personnel Management” that the U.S. government disclosed in 2015, Barnett said. That breach, attributed to hackers linked to China, resulted in the theft of vast amounts of personal data on millions of federal employees and security clearance applicants.

The increasing frequency and intensity of state-sponsored hacking is leading some cybersecurity leaders to renew calls for a global treaty on cyberwarfare.

“We need a set of binding rules,” Microsoft President Brad Smith said Tuesday at an event hosted by the Ronald Reagan Foundation and Institute. “And we need a commitment from the world’s democracies to hold authoritarian regimes accountable, so that they keep their hands off civilians in this time of peace when it comes to cyberspace.”

Other experts increasingly question the dependence of many companies on a handful of external suppliers, and say that perhaps society has made it too easy to access or spread data, especially during a pandemic, when working remotely is the norm for countless people.

“The question is, ‘In cybersecurity, do we have a “too big to fail” situation?’ And it happened right under our noses, while we were telling everyone to spend more, to equip themselves, to buy products,” Payton said.
