Hacks against U.S. agencies could be 'most successful cyber-espionage campaign' ever, says expert
Alex Stamos, director of the Stanford Internet Observatory, says the hacks have Russian fingerprints
For months, the U.S. government has been under attack by a foreign power, and no one knows just how much damage has been done.
Hackers targeted software updates to the hugely popular server software SolarWinds, which is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies. Cybersecurity experts widely suspect Russia is behind the attacks.
In doing so, they found their way into the networks of some of the most sensitive places in the U.S. government, including those overseeing the power grid and maintaining the country's nuclear stockpile.
The campaign was first discovered when a prominent cybersecurity firm, FireEye, learned it had been breached. The U.S. Department of Homeland Security later said the spies used other techniques as well.
It's unclear at this point how many companies and agencies are affected, or what information has been stolen.
Alex Stamos, director of the Stanford Internet Observatory and former chief security officer at Facebook, says this could turn out to be "the most successful cyber-espionage campaign in history."
Here is part of his conversation with As It Happens host Carol Off.
In terms of previous attempts at cyber-espionage against the United States, how does this one compare?
We don't have all the facts yet because this situation is still unfolding. We don't even know all of the victims. And there are probably some companies that the Russian intelligence agency is still inside of.
But from what we've seen so far, this very possibly could be the most successful cyber-espionage campaign in history.
How did these hackers ... get so deeply into the networks, not only of government, but also of business and corporations?
What they did was something very smart, which is they broke into one company, SolarWinds, that makes products that are used by tens of thousands of companies and government agencies around the world. And they implanted a back door in that one product.
What that product does is it manages the devices on your network. So it has lots and lots of capabilities on the networks it's installed in. And so it's a great foothold, a first place to be inside of a network. They were starting effectively at the top by having this backdoor implanted.
Now how many of the 18,000 companies and government agencies that were affected were actually breached is an interesting question right now. It looks like it was only a very small fraction of these companies where the Russians actually went in and tried to steal anything. But the fact that they had such an incredible shopping list to work off of is what makes this such a powerful attempt.
Was it directed? Does it seem like the hackers were looking to go into a specific room, specific places, or were they just infecting whatever they could infect with this?
No, they were very careful.
The initial stage was to implant the back door and to get it into tens of thousands of machines. And then once they had the list of all of the organizations they could break into, they were very careful to pick the organizations they cared about. And then the next steps they took were very, very subtle.
So it was pretty clear that the agency involved here, the SVR [Russian Foreign Intelligence Service], they are known as the most capable of the Russian intelligence agencies from a cybersecurity perspective. And this is one of the differences between them and the GRU, which is the organization that people often talk about, in that the SVR doesn't want to get caught. The GRU is a little bit like a sledgehammer, and the SVR is like a scalpel.
The [U.S.] Energy Department says the hackers were not able to access mission-essential national security functions. Is that reassuring to you?
It is true that classified networks in the United States are generally air-gapped. They are physically disconnected from the Internet. And while there are ways to jump an air gap, this specific attack has not demonstrated any of those mechanisms quite yet. So it is possible that they [were not] able to use this to get into any classified networks.
That being said, a lot of really important stuff happens on unclassified networks, right? And there's a long history here, especially of Chinese espionage, where the Chinese government has demonstrated a real knack of stealing unclassified data from the U.S. government and private companies that, when you put it all together, allows you to do really powerful things.
And I think the Russians are making the same bet here that the normal day-to-day business of the Department of Defence, the Department of Homeland Security, the Department of Energy, that they have to conduct on the Internet using email and normally connected devices ... is sensitive enough to be worthwhile.
OK, you've said that you believe that it has all the fingerprints of a Russian agency on this. Why are you so convinced that Russia is behind it?
There are a number of agencies that are providing that attribution, including private companies that have a very good track record in this area. So I trust those people who have done the hands-on attribution. It is also consistent with what I have personally seen out of this specific Russian agency.
But also the White House is not saying that they believe it's the [Russians]. In fact, what we're hearing is that [there] could be other players, not necessarily Russia. Are you concerned that we haven't even heard anything from Donald Trump about this?
I'm not sure what the White House is doing here. I mean, their National Security Council has said that this is incredibly important. Their Cybersecurity and Infrastructure Security Agency is deeply engaged. It has come from a number of government sources off the record that it's definitely Russia. Why the president would not comment or take it seriously, I can't speak to.
Do you have reason to believe that Joe Biden is taking this seriously?
We have yet to find out who will be taking leadership in the Biden administration on this issue. And so as a result, I think they're a little bit hamstrung from the fact that they don't have an established voice that's credible on these issues.
They did put out a pretty good, strong statement. It will be interesting to see in January who they pick for these jobs.
OK, but at the same time, the United States is in a very vulnerable position, isn't it? You're in the middle of a very, very bizarre presidential transition. Some very strange things have happened. You have a devastating public health crisis.
And now you have possibly one of the worst hacks in your history. So what do you fear might come of this?
I think one way you can think of this is effectively the Biden administration is inheriting a cyber recession. If you were part of the Treasury Department or the economic advisors and you were handed an economy that had a dropping stock market and huge unemployment, you would see your job as digging out of that problem for the next couple of years. And I think that's effectively where we are in cyber because of this.
This specific hack will be the centrepiece of one of the, as you mentioned, many emergencies that the administration is going to have to deal with. And it is going to be incredibly challenging for them to deal with the COVID crisis, which is only worsening in the United States, economic issues that are caused by COVID, the political dysfunction in Washington, D.C., and now the activities of Russian intelligence agencies all at the same time.
Written by Sheena Goodyear with files from The Associated Press. Interview produced by Chris Harbord. Q&A edited for length and clarity.