Fallout from SolarWinds breach keeps growing
One of the most concerning consequences of the SolarWinds hack is that neither U.S. Cyber Command nor the National Security Agency uncovered the breach, which was first found by the cybersecurity firm FireEye.
“If FireEye had not come forward, I’m not sure we would be fully aware of it to this day,” Sen. Mark Warner (D-Va.), ranking member of the Senate Intelligence Committee, told The New York Times. “The size of it keeps expanding. It’s clear the United States government missed it.”
According to The Times, the breach is much broader than first estimated, with experts now saying Russia exploited as many as 250 government and private-sector networks. The Department of Homeland Security’s Einstein sensors failed to flag suspicious activity, and the government’s focus on election security, combined with SolarWinds’ “lackluster security for its products,” likely contributed to the failure to detect the breach for more than a year after the infiltration began.
The attack highlights the vulnerabilities inherent in IT supply chains. Companies like SolarWinds that install software on clients’ networks “can be an ideal Trojan horse for Russia’s hackers,” according to The Times, which suggested the company’s lax security policies and its Eastern European-engineered software may have created vulnerabilities.
Tracking down the breadth of the attack will be difficult enough, but rooting the Russians out of government networks will require a massive effort.
“Some security experts said that ridding so many sprawling federal agencies of the S.V.R. [Russia’s foreign intelligence service] may be futile and that the only way forward may be to shut systems down and start anew,” The Times said. Other experts countered, saying that rebuilding networks during the pandemic would be too time-consuming and expensive. Plus, they said, the Biden administration “would have to work to identify and contain every compromised system before it could calibrate a response.”
Intelligence officials told The Times that “it could be months, years even, before they have a full understanding of the hacking.”