By Raphael Satter
WASHINGTON (Reuters) – Cybersecurity expert Steven Adair and his team were in the final stages of cleaning hackers out of a think tank's network earlier this year when they spotted a suspicious pattern in the log data.
Not only had the spies managed to break in – a common occurrence in the world of cyber incident response – but they had sailed straight through to the client's email system and rolled past the recently updated password protection as if it did not exist.
"Wow," Adair recalled thinking, in a recent interview. "These guys are smarter than the average bear."
It was only last week that Adair’s company – Reston, Virginia-based Volexity – realized that the bears it had struggled with were the same set of advanced hackers who compromised Texas-based software company SolarWinds.
Using a subverted version of the company's software as a makeshift skeleton key, the hackers sneaked into a number of U.S. government networks, including the Departments of the Treasury, Homeland Security, Commerce, Energy and State, as well as other agencies.
When the news of the hack broke, Adair immediately thought back to the think tank, where his team had traced one of the intrusions to a SolarWinds server but never found the evidence it needed to pin down the exact entry point or alert the company. Digital indicators published by cybersecurity firm FireEye on December 13 confirmed that the think tank and SolarWinds had been hit by the same actor.
Senior U.S. officials and lawmakers have claimed Russia is to blame for the hacking storm, an accusation the Kremlin denies.
Adair – who spent about five years defending NASA against hacking threats before eventually founding Volexity – said he had mixed feelings about the episode. On the one hand, he was glad that his team’s assumption of a SolarWinds connection was correct. On the other hand, they had been at the outer edge of a much larger story.
Much of the U.S. cybersecurity industry is now in the same place Volexity was earlier in the year, trying to figure out where the hackers have been and to eliminate the various secret access points they have likely planted on their victims' networks. Adair's colleague Sean Koessel said the company was fielding about 10 calls a day from companies that were concerned they might have been targeted or worried that the spies were already inside their networks.
His advice to everyone else chasing the hackers: "Do not leave any stone unturned."
Koessel said efforts to remove the hackers from the think tank – which he refused to identify – stretched from late 2019 to mid-2020 and involved two renewed intrusions. Performing the same task across the U.S. government is likely to be many times more difficult.
"I could easily see it taking half a year or more to figure out – if not years for some of these organizations," Koessel said.
Pano Yannakogeorgos, an associate professor at New York University who served as founding dean of the Air Force Cyber College, also predicted an extended timeline, saying some networks would have to be ripped out and replaced wholesale.
In either case, he predicted a big price tag as caffeinated experts are brought in to pore over digital logs for traces of compromise.
“There’s a lot of time, treasury, talent and Mountain Dew involved,” he said.