The suspected Russian hack of US government agencies may have been in the works for longer than suggested, as it's revealed hackers may have conducted a 'dry run' of their massive cyber attack over a year ago.
US officials on Friday said hackers appeared to have targeted SolarWinds Corp back in October 2019, five months before executing a more destructive and malicious breach in March that was only detected recently.
The hackers are believed to have tested their ability to insert malicious code into the company's network management software on October 10 which was later delivered to some 18,000 of the company's customers.
The hack began as early as March this year when hackers snuck malicious code into recent versions of SolarWinds' premier software product, Orion. The Austin-based software company provides vital computer network monitoring services to major corporations and government agencies worldwide
The list of victims from the devastating and long-undetected hack on US government agencies and companies continues to grow ever since the sprawling cyber-espionage campaign was disclosed earlier this week. This heat map of infections created by Microsoft shows that those infiltrated by the hackers are spread out across the US
Officials said a version of the SolarWinds Orion product had been tampered with around that time, however it did not contain the secret network backdoor - which authorities are calling SUNBURST - as the subsequent breach, according to the U.S. Cybersecurity and Infrastructure Security Agency.
The tampered files went undetected, and in March of 2020, the hackers began using Orion updates to deliver their backdoor.
'We're thinking they wanted to test whether or not it was going to work and whether it would be detected. So it was more or less a dry run,' a source familiar with the investigation told Yahoo News.
'They took their time. They decided to not go out with an actual backdoor right away. That signifies that they're a little bit more disciplined and deliberate,' the person added.
The evidence also points to a more concerning suggestion that the hackers may have had access to the company's software prior to October 2019.
'This tells us the actor had access to SolarWinds' environment much earlier than this year. We know at minimum they had access October 10, 2019. But they would certainly have had to have access longer than that,' the source told Yahoo.
'So that intrusion [into SolarWinds] has to originate probably at least a couple of months before that - probably at least mid-2019 [if not earlier].'
Secretary of State Mike Pompeo has become the first U.S. official to publicly attribute a massive hacking campaign to Russia. He is seen above with Putin in 2019
SolarWinds, which disclosed its unwitting role at the center of the global hack on Monday, has said that up to 18,000 users of its Orion software downloaded a compromised update containing malicious code planted by the attackers.
The attack was believed to be the work of an 'outside nation state,' SolarWinds said in a regulatory disclosure.
In addition to major federal agencies and critical infrastructure, the hackers targeted entities as various as a county government in Arizona and a cable television company.
The Pima County, Arizona government and Cox Communications Inc were identified as victims of the intrusion by Reuters after running a publicly available coding script.
Sources familiar with the US investigation have said the hack was likely carried out by Russia's foreign intelligence service. Moscow has denied involvement.
Secretary of State Mike Pompeo on Friday became the first US official to publicly attribute the massive hacking campaign to Russia.
'There was a significant effort to use a piece of third-party software to essentially embed code inside of US government systems,' Pompeo told The Mark Levin Show on Friday.
'This was a very significant effort, and I think it's the case that now we can say pretty clearly that it was the Russians that engaged in this activity.'
Russian President Vladimir Putin's spokesman later denied Kremlin involvement, and the Russian embassy said in a statement that the country 'does not conduct offensive operations in the cyber domain.'
The sprawling attack, which went undetected for nearly nine months, compromised the Departments of Homeland Security, Justice, Treasury, State and Energy, as well as a growing list of companies and local governments across the country.
Officials with the nation's cybersecurity agency warn that the breach could be difficult to undo, saying the hackers 'demonstrated sophistication and complex tradecraft' and that it was likely that they had built additional secret backdoors while active inside the compromised networks.
Experts say there simply are not enough skilled threat-hunting teams to properly identify all the government and private-sector systems that may have been hacked, and warn infected networks may have to be 'burned to the ground' and rebuilt from scratch.
Post a Comment