Jan 6, 2021 - Politics & Policy

Russia’s SolarWinds hackers likely burrowed deep

[Illustration: a magnifying glass over the U.S. flag stripes revealing a password. Credit: Eniola Odetunde/Axios]

Russian cyber operators are almost certainly still rummaging through U.S. networks, potentially lifting data or setting traps for future havoc even as officials scramble to assess the damage Moscow's hack has already dealt.

Why it matters: The hack, powered by malicious code inserted into an update of SolarWinds network management software, could be among the most significant in the country’s history, perhaps on par with China’s hack of the Office of Personnel Management or Russia’s 2014 hack of the State Department.

Driving the news: The FBI, NSA, CISA and the Office of the DNI in a joint statement Tuesday confirmed what has been widely accepted in the cybersecurity world: the hack was likely the work of Russia. (Specifically, Russia's SVR intelligence agency is thought to be behind it, though the statement stopped short of such specific attribution.)

  • The agencies also said that, although the update went out to some 18,000 SolarWinds customers, far fewer public or private entities were actually compromised.
  • So far, fewer than 10 government bodies have been identified as having been breached, the agencies said.

Yes, but: Even if the cyber operation narrowly focused on just a handful of targets, its impact could far exceed its footprint.

  • Already, experts say Russia may have used the exploit to breach critical U.S. infrastructure like power plants.
  • Microsoft, meanwhile, said hackers viewed some of the company’s source code.
  • And the federal agencies that are known to have been affected are among those responsible for some of the nation's most vital and sensitive work, including the State, Treasury, Energy, Commerce and Defense departments.

The intrigue: Nation-state groups — called “Advanced Persistent Threats” in cybersecurity jargon — aim to achieve persistent and long-standing access to desired targets.

  • Once they burrow into a network, they almost always surreptitiously develop contingencies for how to stay there, even if their initial point of entry is discovered.

That prospect of persistent access is complicated further by the fact that we still don't know exactly what the Russian cyber spies were looking for. Broadly speaking, there are three possibilities:

1. The hackers deliberately cast a wide net as cover to obscure the fact that they were after a specific target.

  • While U.S. cyber defenders continue puzzling over just how many doors have been wrenched open, Russia may have devoted, or may still be quietly devoting, intensive resources to extracting information from one particular agency, department or dataset.

2. The hack was aimed at compromising the maximum number of U.S. government (and perhaps other) targets simultaneously, allowing Moscow to sift through vast troves of likely unclassified, but still sensitive, data.

  • Down the line, such data may prove useful in, for instance, giving Russia — or China, Iran or another hostile foreign power, should Russia trade it away — a strategic advantage in diplomatic negotiations.
  • Or if an American intelligence operation halfway around the world is blown, U.S. counterintelligence officials may be left wondering if somehow it is related to information stolen in the hack.

3. The hack began as a narrow operation but, after Russia got what it was after, broadened, with the hackers fully expecting to get caught.

  • The SVR could then sit back and let the long afterlife of its compromise commence, driving stateside panic and distracting U.S. cyber warriors as Russia moves on to future operations.

The bottom line: No matter what, Russia now knows that the SolarWinds hack may tie U.S. counterintelligence experts into knots for many years to come.
