Thousands of companies and governments are racing to discover whether they have been hit by the Russian hackers who reportedly infiltrated several US government agencies. The initial breach, reported on December 13, included the Treasury as well as the Departments of Commerce and Homeland Security. But the stealthy techniques the hackers used mean it could take months to identify all their victims and remove whatever spyware they installed.
To carry out the breach, the hackers first broke into the systems of SolarWinds, an American software company. There, they inserted a back door into Orion, one of the company’s products, which organizations use to see and manage vast internal networks of computers. For several weeks beginning in March, any client that updated to the latest version of Orion—digitally signed by SolarWinds, and therefore seemingly legitimate—unwittingly downloaded the compromised software, giving the hackers a way into their systems.
SolarWinds has around 300,000 customers around the world, including most of the Fortune 500 and many governments. In a new filing with the Securities and Exchange Commission, the firm said “fewer than” 18,000 organizations ever downloaded the compromised update. (SolarWinds said it’s not clear yet how many of those systems were actually hacked.) Standard cybersecurity practice is to keep your software up to date—so most SolarWinds customers, ironically, were protected because they had failed to heed that advice.
The hackers were “extremely clever and strategic,” says Greg Touhill, a former federal chief information security officer. Even once they had gained access through the back door in Orion, known as Sunburst, they moved slowly and deliberately. Instead of infiltrating many systems at once, which could easily have raised suspicions, they focused on a small set of selected targets, according to a report from the security firm FireEye.
Sunburst stayed quiet for up to two full weeks before it woke up and began communicating with the hackers, according to the report. The malware disguises its network traffic as the “Orion Improvement Program” and stores data inside legitimate files in order to better blend in. It also searches for security and antivirus tools on the infected machine in order to avoid them.