Orion hack exposed vast number of targets – impact may not be known for a while

Analysis: eavesdropping on high-value targets is labour intensive so hackers may not have made most of access

An exterior view of the building of US Department of the Treasury in Washington, DC.
The most compelling temptation appeared to be to eavesdrop on the US treasury and commerce departments. Photograph: Olivier Douliery/AFP/Getty
The most compelling temptation appeared to be to eavesdrop on the US treasury and commerce departments. Photograph: Olivier Douliery/AFP/Getty
UK technology editor

Last modified on Mon 14 Dec 2020 23.37 EST

If there is one silver lining to the months-long global cyber-espionage campaign discovered when a prominent cybersecurity firm learned it had been breached, it might be that the sheer numbers of potentially compromised entities offers them some protection.

By compromising one piece of security software – a security tool called Orion developed by the Texan company SolarWinds – the attackers gained access to an extraordinary array of potential targets in the US alone: more than 425 of the Fortune 500 list of top companies; all of the top 10 telecommunications companies; all five branches of the military; and all of the top five accounting firms.

But they are just a fraction of SolarWinds’ 300,000 global customers, which also include UK government agencies and private sector companies.

For now, we only have only confirmation from investigators that the US Treasury and commerce departments were attacked. The hack, attributed to Russian state actors, took the form of a so-called supply chain attack. Rather than directly attacking the US government, the attackers succeeded in compromising the automatic update function built into Orion.

That breach provided the foothold the attackers needed to begin monitoring internal emails at the departments. By hacking SolarWind and inserting weaknesses into the Orion software at source, the attackers simply had to wait until their targets downloaded and ran a fake software security update.

Thankfully, even then, the full attack was a technically challenging manoeuvre. In order to stay below the radar of the US government’s own security teams, the update was programmed to sit silently for two weeks after it was installed, and then to only upload stolen data in small quantities so that it could be disguised as normal Orion traffic.

That, investigators say, means it is unlikely that the perpetrators made the most of the widespread access they could have gained. Rather than exfiltrating untold gigabytes of stolen data to peruse at their leisure, the attackers had to operate in a much more labour-intensive fashion, navigating through the government network as quietly as possible, and only uploading data already presumed to be valuable.

At the moment it is not clear how much information was taken, and what other departments and entities the hackers chose to enter.

Nevertheless, the US Cybersecurity and Infrastructure Security Agency issued an emergency directive late on Sunday night advising all federal civilian agencies to “review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately”. The acting director, Brandon Wales, said the compromise “poses unacceptable risks” to the security of federal networks.

The long-term impact of the hack is unlikely to be known for a while, if at all. Although journalists and the public think about the impact of attacks simply in terms of any striking secrets revealed, cyber-warfare tends to have multiple goals.

As well as looking for ill-guarded secrets of individuals, this sort of attack can be used to map how organisations work and their structural vulnerabilities, with a view to potentially exploiting them at a later point..

More broadly, cyber operations like this undermine confidence in existing security measures and hand a propaganda coup to the country directing the attack.

Silently eavesdropping on high-value targets is a labour-intensive job – particularly if the attacker wants to stay hidden, and for now it appears that the temptation to eavesdrop on internal communications at the US treasury and commerce departments was the most compelling.

If other customers of SolarWinds do not find evidence that they were under surveillance, they will take solace in the fact that the US government was too big a target to pass up.