The depth of the latest Russian hack into the e-mail systems of the Treasury Department, State Department, and other U.S. government agencies is stunning, but the strategy of manipulating a third party to infiltrate computer networks is not, according to Engin Kirda, a professor of computer science at Northeastern who studies computer security.
“It highlights the problem of I.T. outsourcing and also relying on other people’s software to manage your networks,” says Kirda, who holds joint appointments in Northeastern’s Khoury College of Computer Sciences and College of Engineering. “Outsourcing and having professional management software is great, but then your security also depends on their security. If they fail, the implications of this failure might affect thousands of organizations.”
The hackers are believed to have injected malicious code earlier this year into the software updates of SolarWinds, a Texas company that helps manage computer networks for virtually all of the Fortune 500 companies and a wide variety of government clients—including Los Alamos National Laboratory, a designer of U.S. nuclear weapons.
The coordinated attack, which appears to have been waged on a number of fronts, was far more sophisticated than the typical spear-phishing campaigns that trick users into accessing links that appear to be authentic.
Though 18,000 users unwittingly downloaded the updates with the embedded Russian code, the hacks focused mainly on “the highest-value targets,” according to FireEye, a private cybersecurity firm that discovered the attacks. (FireEye itself was targeted and compromised as well.) The precise goals of the hackers, who are thought to represent the Russian intelligence agency S.V.R., remain unknown.
U.S. intelligence agencies have blamed Russian hackers for attempting to influence the 2016 presidential election. Two years earlier, the U.S. State Department’s unclassified email systems were penetrated by Russian intelligence agencies.
“The fact that they were able to gain access to emails of government organizations would mean that they can look for opportunities to extract information, to see what else they can collect that is very valuable,” Kirda says. “You’re able to hack into this one company, play around with their updates, smuggle your own code into all of these other organizations—that’s very powerful.
“When you inject yourself into these organizations, what you will do as an attacker is just wait and see what sensitive information you can get access to,” Kirda says. “You’re also interested in moving ‘laterally’ within the organization to compromise as many other targets as possible.”
It can be difficult to come up with appropriate responses to state-sponsored hacks, says Julie Garey, an assistant teaching professor of political science who specializes in international relations and U.S. foreign policy.
“Of the many possible responses, I think the United States would be most likely to pursue something along the lines of economic sanctions, together with its NATO allies and other powerful Russian trading partners,” Garey says.
“And beyond that it may be that the best offense is actually the good defense of building up resilience and other internal measures, a lot of which won’t really be seen publicly but will make it harder for Russian and other actors to carry out these attacks in the future.”
Garey believes Russia may wish to remind the world of its capabilities to undermine the systems of other countries. In addition to inciting fear, attacks like these also turn into fluid and unpredictable burglaries in which the hackers search for secrets and figure out how to exploit them later. Any number of systems, including the COVID-19 vaccine supply chain, could be vulnerable.
“I’m sure that the [U.S.] government knows what the attackers had access to and they’re investigating it,” Kirda says. “I wouldn’t be surprised if some pharmaceutical companies were also using this product, so there’s a good chance that [hackers] might have access to intellectual property. The damage can be huge, but we can only speculate without knowing the full details.”