How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments
Bill Whitaker reports on how Russian spies used a popular piece of software to unleash a virus that spread to 18,000 government and private computer networks.
President Biden inherited a lot of intractable problems, but perhaps none is as disruptive as the cyber war between the United States and Russia simmering largely under the radar. Last March, with the coronavirus spreading uncontrollably across the United States, Russian cyber soldiers released their own contagion by sabotaging a tiny piece of computer code buried in a popular piece of software called “SolarWinds.” The hidden virus spread to 18,000 government and private computer networks by way of one of those software updates we all take for granted. The attack was unprecedented in audacity and scope. Russian spies went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce and for nine months had unfettered access to top-level communications, court documents, even nuclear secrets. And by all accounts, it’s still going on.
Brad Smith: I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.
Brad Smith is president of Microsoft. He learned about the hack after the presidential election this past November. By that time, the stealthy intruders had spread throughout the tech giant’s computer network and stolen some of the proprietary source code it uses to build its software products. More alarming was how the hackers got in: piggy-backing on a piece of third-party software used to connect, manage and monitor computer networks.
Bill Whitaker: What makes this so momentous?
Brad Smith: One of the really disconcerting aspects of this attack was the widespread and indiscriminate nature of it. What this attacker did was identify network management software from a company called SolarWinds. They installed malware into an update for a SolarWinds product. When that update went out to 18,000 organizations around the world, so did this malware.
“SolarWinds Orion” is one of the most ubiquitous software products you have probably never heard of, but to thousands of I.T. departments worldwide, it’s indispensable. It’s made up of millions of lines of computer code. 4,032 of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor into the 18,000 infected networks. Microsoft has assigned 500 engineers to dig into the attack. One compared it to a Rembrandt painting: the closer they looked, the more details emerged.
Brad Smith: When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.
Bill Whitaker: You guys are Microsoft. How did Microsoft miss this?
Brad Smith: I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.
Bill Whitaker: Is it still going on?
Brad Smith: Almost certainly, these attacks are continuing.
The world still might not know about the hack if not for FireEye, a three-and-a-half billion dollar cybersecurity company run by Kevin Mandia, a former Air Force intelligence officer.
Kevin Mandia: I can tell you this, if we didn’t do investigations for a living, we wouldn’t have found this. It takes a very special skill set to reverse engineer a whole platform that’s written by bad guys to never be found.
FireEye’s core mission is to hunt, find, and expel cyber intruders from the computer networks of their clients – mostly governments and major companies. But FireEye used SolarWinds software, which turned the cyber hunter into the prey. This past November, one alert FireEye employee noticed something amiss.
Kevin Mandia: Just like everybody working from home, we have two-factor authentication. A code pops up on our phone. We have to type in that code. And then we can log in. A FireEye employee was logging in, but the difference was our security staff looked at the login and we noticed that individual had two phones registered to their name. So our security employee called that person up and we asked, “Hey, did you actually register a second device on our network?” And our employee said, “No. It wasn’t, it wasn’t me.”
Suspicious, FireEye turned its gaze inward and saw intruders impersonating its employees snooping around inside its network, stealing the proprietary tools FireEye uses to test its clients’ defenses, along with intelligence reports on active cyber threats. The hackers left no evidence of how they broke in – no phishing expeditions, no malware.
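The detection FireEye’s security staff describe above, a user who suddenly has a second MFA device registered, is the kind of check a defender can automate. The following is an added example, not FireEye’s code or anything from this report; the log format, field names and user names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of an MFA-enrollment / login audit log (not real data).
SAMPLE_LOG = """\
2020-11-02T08:11:04Z user=alice event=mfa_device_registered device=phone-1
2020-11-02T08:12:30Z user=bob event=mfa_device_registered device=phone-1
2020-11-29T23:47:12Z user=alice event=mfa_device_registered device=phone-2
2020-11-30T06:02:55Z user=alice event=login_success device=phone-2
2020-11-30T07:15:40Z user=bob event=login_success device=phone-1
"""

# Hypothetical line format: timestamp, then key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) device=(?P<device>\S+)$"
)


def parse_log(text):
    """Parse each well-formed line into a dict; silently skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_extra_mfa_devices(events):
    """Return {user: [devices]} for every user with more than one registered MFA device.

    This is the signal in the report: an employee with two phones on their name.
    """
    devices = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_device_registered":
            devices[e["user"]].append(e["device"])
    return {u: d for u, d in devices.items() if len(d) > 1}


def logins_from_unverified_devices(events, verified):
    """Flag successful logins whose MFA device the user has not confirmed.

    `verified` maps user -> set of devices the user confirmed registering
    (the "did you actually register a second device?" phone call).
    Returns a list of (timestamp, user, device) tuples to escalate.
    """
    alerts = []
    for e in events:
        if e["event"] == "login_success" and e["device"] not in verified.get(e["user"], set()):
            alerts.append((e["ts"], e["user"], e["device"]))
    return alerts
```

Run over real identity-provider audit logs, the first function is a cheap daily report and the second is the follow-up once users have confirmed which devices are theirs.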
Bill Whitaker: So how did you trace this back to SolarWinds software?
Kevin Mandia: It was not easy. We took a lotta people and said, “Turn every rock over. Look in every machine and find any trace of suspicious activity.” What kept coming back was the earliest evidence of compromise is the SolarWinds system. We finally decided: Tear the thing apart.
They discovered the malware inside SolarWinds and on December 13 informed the world of the brazen attack.
Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.
Bill Whitaker: So, what does that target list tell you?
Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.