SolarWinds hack: How Sunburst hackers infiltrated highest levels of US government

Support truly
independent journalism

Support Now

Find out moreClose

Our mission is to deliver unbiased, fact-based reporting that holds power to account and exposes the truth.

Whether $5 or $50, every contribution counts.

Support us to deliver journalism without an agenda.

Louise Thomas

Editor

The largest hack of a Western government in recent memory appears to have stemmed from an innocuous-looking pop-up message.

In March, IT staff at up to 18,000 companies and organisations using SolarWinds software clicked on a link to download the latest version of a product called Orion. SolarWinds makes technology that allows organisations – including US federal agencies and some of the world’s biggest companies – to manage their computer systems and networks, and so updated of this kind arrive regularly.

What neither SolarWinds nor the IT workers knew was that the new version of the software was laced with a malicious form of malware that would grant hackers “God-view” access to any infected networks.

So how did hackers manage to infiltrate the highest levels of the US government and go unnoticed for so long?

The hack, known as Sunburst, may have happened in the spring but the groundwork for the attack most likely began much earlier. In order to booby-trap the pop-up, the hackers first needed to gain access to SolarWinds’ computer systems.

Once inside the US firm, the hackers were able to secretly insert the malware into a standard security update, which would have looked identical to numerous other updates issued by the popular IT management software.

SolarWinds counts all five branches of the US military, the Pentagon, the State Department and the Office of the President of the United States among its 300,000 global customers.

All were advised to update their software immediately in order to address the security vulnerability, though for many it will already be too late.

In a security advisory published this week, SolarWinds described it as a “very sophisticated” attack that “could potentially allow an attacker to compromise the server” of the victims, meaning sensitive information would have already been exposed.

Not only that, the fact the hackers had a nine month headstart before being discovered means they could have already developed new and much harder to detect methods of lurking within victims’ computer systems.

As such, uncovering the malware and issuing an update is just the beginning of the process of routing out any malignant actors still probing the networks.

It is not yet known, at least not publicly, whether any state secrets of highly classified information was breached, though US senators have called for a full list of any federal agency impacted by the attack.

It is expected to take months to uncover the full extent of the attack, with forensic investigations aiming to figure out which emails, files and other data were accessed, and whether they were copied or transmitted to other systems.

The sophisticated nature of the hack points to a nation state, with US adversaries in the cyber domain most commonly being China, Iran, North Korea and Russia.

“We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker,” SolarWinds explained in its advisory.

Some security experts believe it has the hallmarks of a Russian hacking collective known as Cosy Bear, which has links to Russia’s Foreign Intelligence Service SVR. 

Former Homeland Security adviser Thomas Bossert said that “evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world.”

Cyber security firm FireEye, which was the first to report the hack after falling victim to it, also said it was likely a Russian operation, using “top-tier operations tradecraft and resources”, though Russia has denied any involvement.

“I reject these statements, these accusations,” said Vladimir Putin’s press secretary Dmitry Peskov.

“Even if it is true there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away. We have nothing to do with this.”