Dec 21, 2020 - Technology

Blame game begins over massive SolarWinds hack

Illustration: Aïda Amer/Axios

President Trump's reluctance to name and shame Russia for the SolarWinds cyberattack will hamper companies and government agencies as they begin the long and daunting job of assessing and repairing the hack's damage.

Why it matters: Experts say Russia's fingerprints are all over the attack, but the president's dissent will hobble any U.S. response — at least until Jan. 20.

Catch up quick: Security officials and experts share a broad consensus that the "Cozy Bear" group, also known as APT29, overseen by Russia's SVR intelligence service, was responsible for the hack.

  • The Cybersecurity and Infrastructure Security Agency (CISA) described the attackers as "a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks."

White House officials had readied a statement Friday calling Russia "the main actor" in the attack, but were ordered not to release it, the Associated Press reports.

Between the lines: Some security experts fear the president's position will transform what should be a unified government response to a hostile act by a foreign power into yet another personal loyalty test.

  • Last month Trump fired CISA director Christopher Krebs after Krebs affirmed that the 2020 election had been secure.
  • Anything involving "Russia, Russia, Russia" (as Trump put it in his tweet) has been a sore point for the president since Russia's hacks during the 2016 election became the foundation for years of investigations into his administration's relationship with Moscow.

Yes, but: Leaders from both parties, including Sen. Mitt Romney (R-Utah), have called for holding Russia accountable and launching a significant response.

  • President-elect Joe Biden said in a statement: "I will not stand idly by in the face of cyber assaults on our nation."
  • Incoming White House chief of staff Ron Klain told CBS' "Face the Nation" that the new administration's response to an "attack like this" would go beyond sanctions and include steps "to degrade the capacity of foreign actors to repeat this sort of attack."

With all this going on, the administration is also pushing a plan to separate the leadership of the Cyber Command from the National Security Agency, according to a story in Defense One.

  • The "dual hat" arrangement has long been under review, but the SolarWinds crisis seems a strange moment to start a big reorg in the world of cyber defense.
  • The New York Times reports some observers are questioning the timing and whether the move is "retribution" against Gen. Paul Nakasone, who now runs both agencies.

Breaking: Private-sector victims of the hack include Cisco, Intel, Nvidia, Deloitte, VMware and Belkin, according to the Wall Street Journal, which identified infected systems at those firms.

  • Each company told the Journal they'd found no evidence of actual harm from the intrusions.

How it worked: Microsoft, in a fascinating weekend post, provided details of how the hackers hid their break-in, using a software update for SolarWinds' Orion network management platform to gain access to thousands of institutions' systems.

  • "The threat actors were savvy enough to avoid give-away terminology like 'backdoor', 'keylogger,' etc.," the Microsoft post says. Instead, they gave their tampered code an innocuous name — "OrionImprovementBusinessLayer" — that would fit right into a marketing brochure.
  • The attack's crucial, door-opening exploit was a small chunk of "poisoned code" (as Microsoft dubbed it) all of five lines long, or roughly 160 characters.
  • This could well be the most damage per character yet achieved in the short history of cyber warfare.