Just how bad is that hack that hit US government agencies?

Spoiler: It's a nightmare scenario

It’s the nightmare scenario that has worried cybersecurity experts for years.

Since at least March, hackers likely working for Russian intelligence have embedded themselves without detection inside the unclassified networks of several U.S. government agencies and hundreds of companies. Sen. Richard Blumenthal appeared to confirm in a tweet that Russia was to blame, citing a classified congressional briefing.

It began Tuesday with news of a breach at cybersecurity giant FireEye, which confirmed it was hacked by a “sophisticated threat actor” using a “novel combination of techniques not witnessed by us or our partners in the past.” The hackers, FireEye said, were primarily interested in information on its government customers, but that they also stole its offensive hacking tools that it uses to stress test its customers’ systems against cyberattacks.

Since the hackers had several months of undetected access to several federal agencies, it’s going to be virtually impossible to know exactly what sensitive government information has been stolen.

The FireEye breach was nothing short of audacious; FireEye has a reputation for being the first company that corporate cyberattack victims will call. But then the news broke that the U.S. Treasury, State, Commerce, the National Institute of Health and Homeland Security — the agency tasked with protecting the government from cyberattacks — had all been infiltrated.

Each of the victims has one thing in common: All are customers of U.S. software firm SolarWinds, whose network management tools are used across the U.S. government and Fortune 500 companies. FireEye’s blog explaining the breach — which didn’t say how it discovered its own intrusion — said the hackers had broken into SolarWinds’ network and planted a backdoor in its Orion software, which helps companies monitor their networks and fleets of devices, and pushed it directly to customer networks with a tainted software update.

SolarWinds said up to 18,000 customers had downloaded the compromised Orion software update, giving the hackers unfettered access to their networks, but that it was unlikely all or even most had been actively infiltrated.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, said hackers would have gone for the targets that got their “biggest bang for their buck,” referring to FireEye and government targets.

“I have no doubt in my mind that had the Russians not targeted FireEye we would not know about this,” Williams said, praising the security giant’s response to the attacks. “We’re going to find more government agencies that were breached. They’re not detecting it independently. This only got discovered because FireEye got hit,” he said.

The motives of the hackers aren’t known, nor do we know yet if any other major private companies or government departments had been hacked. Microsoft on Wednesday seized an important domain used by the attackers, which may give the company some visibility into other victims that have been actively infiltrated.

Russia, for its part, has denied any involvement.

A distant view of Russia's foreign intelligence service compound.

A far view of the Russian Foreign Intelligence Service (SVR) headquarters outside Moscow taken on June 29, 2010. Image Credits: Alexey SAZONOV/AFP via Getty Images

These kinds of so-called “supply chain attacks” are difficult to defend against and can be near impossible to detect. You might imagine someone sneaking a hardware implant into a device on the manufacturing line. In this case, hackers injected backdoor code in the software’s development process.

Supply chain attacks are rare but can have devastating consequences. Last year hackers broke into computer maker Asus’ network and similarly pushed a backdoor to “hundreds of thousands” of Asus computers through its own software update tool. The NotPetya ransomware attack that spread across the globe in 2017 spread by pushing malicious code through the update feature in a popular Ukrainian accounting software, used by almost everyone who files taxes in the country.

This attack is one of the most daring and brazen in years, one that would have required considerable skill and planning, but also patience to carry off, Williams said. “Supply chain attacks play the long game,” he said, often sitting dormant in networks for weeks to avoid detection.

While the incident is ongoing as government cyber-defenders work to expel the hackers from their networks, the damage and impact on national security likely won’t be fully understood for months or even years. The government admitted as much in a statement issued four days after the hackers were found, saying it continues to “work to understand the full extent of this campaign” that targeted federal agencies.

So far there’s no evidence that the separate classified networks have been breached.

The Russian intelligence group likely behind the attack is known as APT 29, or Cozy Bear, and has been linked to several espionage-driven attacks, like attempting to steal coronavirus vaccine research. APT 29 tends to operate quieter and stealthier than another Russian intelligence unit, APT 28 or Fancy Bear, blamed for the breach at the Democratic National Committee during the 2016 U.S. presidential election.

Fancy Bear was also blamed for several offensive operations against the World Anti-Doping Agency and hacking into a U.K. TV station. Other Russian intelligence units, like Sandworm, which was behind the NotPetya attack, focuses almost entirely on disruptive and destructive cyberattacks. Sandworm was blamed for a cyberattack that took down the Ukraine power grid just days before Christmas in 2015.

Since the hackers had at least several months of undetected access to several federal agencies, it’s going to be virtually impossible to know exactly what unclassified, but nevertheless sensitive government information, has been stolen.

“The latency and hidden fallout from the compromise of this information is cause for great concern,” said Erin Kenneally, director of cyber risk analytics at Guidewire who previously served in the cybersecurity division at Homeland Security.

In a briefing note shared with TechCrunch, Kenneally said: “Given that potential victims include defense contractors, telecoms, banks, and tech companies, the implications for critical infrastructure and national security, although untold at this point, could be significant.”

“There’s not a single organization who can claim cybersecurity perfection. This serves as [an example of] where a weak link was introduced and exploited by adversaries,” she told TechCrunch.

The discovery of this intelligence gathering operation “could not come at a worse time” for the attackers, Williams said, because of the loss of access to the incoming Biden administration. Had the hackers kept hidden past January 20, they could have unprecedented access to what the new government was working on. The Biden administration is likely to have a much different relationship with Russia than the Trump administration.

“If you are watching the decisions being made and you have someone else’s playbook ahead of a negotiation, you’re finding things out before it breaks. You come in with an amazing advantage.” he said.

“There’s no question that the Russians are in panic mode after getting booted out of some of these networks,” he said. But the amount of intelligence that could have been siphoned out of government networks could be “orders of magnitude worse” had it gone undetected for longer.