It’s the nightmare scenario that has worried cybersecurity experts for years.

Since at least March, hackers likely working for Russian intelligence have embedded themselves without detection inside the unclassified networks of several U.S. government agencies and hundreds of companies. Sen. Richard Blumenthal appeared to confirm in a tweet that Russia was to blame, citing a classified congressional briefing.

It began Tuesday with news of a breach at cybersecurity giant FireEye, which confirmed it was hacked by a “sophisticated threat actor” using a “novel combination of techniques not witnessed by us or our partners in the past.” The hackers, FireEye said, were primarily interested in information on its government customers, but that they also stole its offensive hacking tools that it uses to stress test its customers’ systems against cyberattacks.

Since the hackers had several months of undetected access to several federal agencies, it’s going to be virtually impossible to know exactly what sensitive government information has been stolen.

The FireEye breach was nothing short of audacious; FireEye has a reputation for being the first company that corporate cyberattack victims will call. But then the news broke that the U.S. Treasury, State, Commerce, the National Institute of Health and Homeland Security — the agency tasked with protecting the government from cyberattacks — had all been infiltrated.

Each of the victims has one thing in common: All are customers of U.S. software firm SolarWinds, whose network management tools are used across the U.S. government and Fortune 500 companies. FireEye’s blog explaining the breach — which didn’t say how it discovered its own intrusion — said the hackers had broken into SolarWinds’ network and planted a backdoor in its Orion software, which helps companies monitor their networks and fleets of devices, and pushed it directly to customer networks with a tainted software update.

SolarWinds said up to 18,000 customers had downloaded the compromised Orion software update, giving the hackers unfettered access to their networks, but that it was unlikely all or even most had been actively infiltrated.

Jake Williams, a former NSA hacker and founder of Rendition Infosec, said hackers would have gone for the targets that got their “biggest bang for their buck,” referring to FireEye and government targets.

“I have no doubt in my mind that had the Russians not targeted FireEye we would not know about this,” Williams said, praising the security giant’s response to the attacks. “We’re going to find more government agencies that were breached. They’re not detecting it independently. This only got discovered because FireEye got hit,” he said.

The motives of the hackers aren’t known, nor do we know yet if any other major private companies or government departments had been hacked. Microsoft on Wednesday seized an important domain used by the attackers, which may give the company some visibility into other victims that have been actively infiltrated.

Russia, for its part, has denied any involvement.

A distant view of Russia's foreign intelligence service compound.

A far view of the Russian Foreign Intelligence Service (SVR) headquarters outside Moscow taken on June 29, 2010. Image Credits: Alexey SAZONOV/AFP via Getty Images

These kinds of so-called “supply chain attacks” are difficult to defend against and can be near impossible to detect. You might imagine someone sneaking a hardware implant into a device on the manufacturing line. In this case, hackers injected backdoor code in the software’s development process.

Supply chain attacks are rare but can have devastating consequences. Last year hackers broke into computer maker Asus’ network and similarly pushed a backdoor to “hundreds of thousands” of Asus computers through its own software update tool. The NotPetya ransomware attack that spread across the globe in 2017 spread by pushing malicious code through the update feature in a popular Ukrainian accounting software, used by almost everyone who files taxes in the country.

Source: TechCrunch