On 16 December 2020, the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) jointly announced that they had become aware of a significant and ongoing cybersecurity campaign requiring a “whole of government” response.
While much about the attack remains unknown, it appears to represent a large and sophisticated hacking campaign that affected many US federal agencies, including the energy department, the treasury and commerce departments and the agency responsible for the US nuclear weapons stockpile.
Experts are alarmed by the depth and scale of the attack, warning that it threatens federal, state and local governments, as well as certain critical infrastructure entities.
As part of the national response, CISA has instructed federal civilian agencies to disconnect or power down affected SolarWinds Orion products. SolarWinds sells network monitoring software to large corporations and US government departments. It appears that a sophisticated, potentially nation-state, attacker infiltrated SolarWinds’ systems and inserted their own tools into Orion software updates, so that customers installed the attacker’s code as part of what looked like a legitimate vendor update. It is believed this occurred during the first half of 2020. The attackers were finally discovered this week when they breached FireEye, a security company, which detected the intrusion and identified the tampered updates as the entry point.
At this stage, it is unknown exactly how many customers have been breached, or how many other security weaknesses have been created or exploited in the networks of SolarWinds and its customers. What we do know is that Cisco, Intel, Nvidia, Belkin and VMware have all had computers on their networks infected with the malware. But we expect there to be far more: SolarWinds recently confirmed that “fewer than 18,000” customers may have installed the compromised update, although installing the backdoored software is not the same as having the attackers actively operate inside the network.
This episode serves as a timely reminder that cybersecurity is now the preferred battleground between many hostile nation states. It also demonstrates that while workers remain an organisation’s most vulnerable point of attack, the design and management of network security must also continue to improve, or perhaps it, too, will be brought inside the regulatory perimeter.