Experts who fought with SolarWinds hackers say the cleanup could take months or more

December 24, 2020

By Raphael Satter

WASHINGTON (Reuters) – Cybersecurity expert Steven Adair and his team were in the final stages of purging hackers from a think tank’s network earlier this year when a suspicious login to the organization’s records caught their attention.

The spies had not only managed to get back in, a fairly common occurrence in the world of cyber incident response, but had gone straight to the client’s email system, bypassing the newly reset passwords as if they did not exist.

“Wow,” Adair recalled thinking, in a recent interview. “These guys are smarter than the average bear.”

It was only last week that Adair’s company, Volexity, based in Reston, Virginia, realized that the bears it had been fighting were the same group of advanced hackers that had compromised Texas-based software company SolarWinds.

Using a subverted version of the company’s software as a makeshift skeleton key, the hackers broke into a number of U.S. government networks, including the Treasury, National Security, Commerce, Energy and State departments, among other agencies.

When news of the hack broke, Adair immediately thought of the think tank, where his team had traced one of the intrusion attempts to a SolarWinds server but had never found the evidence they needed to pin down the exact entry point or alert the company. Digital indicators released by cybersecurity company FireEye on December 13 confirmed that the think tank and SolarWinds had been hit by the same actor.

Senior U.S. officials and lawmakers have alleged that Russia is to blame for the hacking, an accusation the Kremlin denies.

Adair, who spent about five years helping defend NASA from hacking threats before eventually founding Volexity, said he had mixed feelings about the episode. On the one hand, he was pleased that his team’s hunch about a SolarWinds connection had been correct. On the other hand, they had only been on the fringes of a much bigger story.

A large chunk of the U.S. cybersecurity industry is now in the same place Volexity was earlier this year, trying to find out where the hackers have been and to remove the various secret access points the hackers planted in their victims’ networks. Adair’s colleague Sean Koessel said the company was fielding about ten calls a day from companies worried that they might have been targeted or that spies were already on their networks.

His advice to anyone looking for hackers: “Don’t leave a stone unturned.”

Koessel said the effort to rip the hackers out of the think tank (which he did not want to identify) spanned from late 2019 to mid-2020 and included two renewed breaches. Performing the same task across the entire U.S. government is likely to be many times more difficult.

“I could easily see it taking half a year or more to figure out, if not years for some of these organizations,” Koessel said.

Pano Yannakogeorgos, an associate professor at New York University who served as the founding dean of the Air Force Cyber College, also predicted an extended timeline and said some networks should be torn down and replaced wholesale.

In either case, he predicted a steep price as caffeine-fueled experts pore over digital records to find traces of compromise.

“There’s a lot of time, cash, talent and Mountain Dew,” he said.

(Report by Raphael Satter; Edited by Andrea Ricci)
