WASHINGTON ― Some of the country’s leading defense firms are likely among the 18,000 SolarWinds customers that may have been swept up in one of the country’s worst cyber espionage failures, but investigations to determine the scope of the hackers’ reach will take significant time.
Experts say there simply are not enough skilled threat-hunting teams to identify all the government and private-sector systems that may have been probed. FireEye, the cybersecurity company that discovered the intrusion into U.S. agencies and was among the victims, has already tallied dozens of casualties. It’s racing to identify more, but Lockheed Martin, Microsoft and Booz Allen Hamilton have already acknowledged they use SolarWinds products.
“We have a serious problem. We don’t know what networks they are in, how deep they are, what access they have, what tools they left,” said Bruce Schneier, a prominent security expert and Harvard fellow.
A major part of the problem is that the SolarWinds network management platform at the center of the hack was “not the only initial infection vector,” as the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency acknowledged last week. One fear is that the attackers were able to migrate from SolarWinds into the supply chains of other programs.
A malicious actor, widely suspected to be Russia, discovered a way to compromise SolarWinds’ software update service for the Orion IT management platform.
The cyberattack operated undetected for months and reportedly hit multiple government agencies, including the State Department, the Treasury Department, the Department of Homeland Security, and the Pentagon ― though the Pentagon has not confirmed this. Leading defense contractors are among the firms searching for answers.
The breadth of the attack points to the need for a governmentwide approach to a fix, said David Berteau, CEO of the Professional Services Council, which represents more than 400 government contracting firms.
“This is not just the government’s problem ― what agencies got penetrated and how much damage ― but I think it’s also clear that this went into a lot of companies. And when it’s a problem that’s more than the government, it needs a solution that’s bigger than just the government,” Berteau said, adding: “It really needs a national fix, not just a government fix.”
SolarWinds provided services to Lockheed Martin, General Dynamics, Booz Allen Hamilton, Microsoft and more than 400 companies in the U.S. Fortune 500, according to the company’s client list. Lockheed is the country’s largest defense contractor, and all of the companies have sizable defense portfolios. Still, the list of companies acknowledging they were affected is expected to expand, and the cybersecurity community is expected to learn more about what systems the hackers compromised, what secrets they were hunting and what tools they used. General Dynamics declined to comment.
“We have been informed that one or more updates to a software application developed by the IT infrastructure software company SolarWinds may have been used by a foreign adversary to breach the networks of SolarWinds clients,” said a Booz Allen spokesperson. The company is the prime contractor on the department’s cybersecurity and IT network support.
“Like hundreds of other companies, organizations and government agencies, we use some SolarWinds products. We have been closely tracking the release of information related to this situation, reviewing the products we use, and working with clients to respond to the situation.”
A person familiar with Lockheed’s response to SolarWinds said the affected software was not an enterprise tool at the company and thus not used widely on its networks. The department’s largest contractor “at this point” has “not seen any data exfiltration or unusual activity,” the person said. Lockheed works on missile defense, radar, naval warfare technology and fighter jets, including a $1 trillion deal for the F-35 Joint Strike Fighter.
Microsoft, which provides much of the department’s office software and is set to become its cloud computing provider, disclosed in a Dec. 17 blog post that more than 40 of its customers were “targeted more precisely and compromised through additional and sophisticated measures.” Of those, 9 percent were government contractors that support defense and national security organizations.
“It’s certain that the number and location of victims will keep growing,” the company said, adding that its own ongoing investigation had so far “found absolutely no indications that our systems were used to attack others.”
Security teams therefore have to assume that the patient is still sick with undetected so-called “secondary infections” and set up the cyber equivalent of closed-circuit monitoring to make sure the intruders are not still around, sneaking out internal emails and other sensitive data.
“When the enemy is deep inside, you’ve got to watch the henhouse very carefully, for that one minute of the day where that chicken moves like a fox,” said Jamil Jaffer, a senior vice president at IronNet Cybersecurity and founder of the National Security Institute at George Mason University Law School. “The question is are they inside my network, how deep are they, where are they, and how do I find them in the network when they look like me?”
Because the hackers have had months to burrow into their targets’ information technology infrastructures, completely eliminating their access to the network will be tough, if not impossible, according to Herbert Lin, a leading cybersecurity expert at Stanford University. It’s an agonizing choice, but the only option for some infected IT systems will be to rebuild them from scratch.
Not even the victims know all the damage at this early stage, and some undetected portions of the attack could still be in operation. “God would know, but there’s no way of having the God’s-eye view,” said Lin.
While companies are still trying to uncover intrusions and their potential impacts, don’t expect them to be transparent with the public. Until they determine they have an obligation to shareholders to disclose the damage from any breaches, government contractors may want to keep quiet about potential impacts to protect their reputations with customers and the public ― and to avoid both potential legal liability and sharing information that might benefit the attackers.
“If I were in their position, it makes sense to give out the most vague and uninformative statement that sounds like you’re getting information,” Lin said. “There’s another question: Are they telling anybody, the FBI or Homeland Security for example? You would want them to share information with U.S. government cybersecurity authorities and law enforcement.”
However unlikely, the worst-case scenarios for the defense industry involve hackers finding their way into classified systems or even manipulating data to make weapons systems malfunction.
With the stakes so high, experts say there must be better collaboration between the government and industry, and among companies, to conduct collective defense, especially when it comes to the defense industrial base. The trick is finding a middle ground where companies are given cybersecurity expectations but aren’t over-regulated, said Jaffer.
“The big primes have to help defend their smaller contractors, and the smaller contractors have to work with the primes to get that capability. The government can’t shed responsibility for this either,” Jaffer said, adding: “It’s not just about information sharing, but actually operating and working together in real time.”
Complex attacks require that industry and government patch together a response based on the strengths of all parties, but even then there’s no guaranteed 100 percent fix, said Greg Conti, founder at cybersecurity firm Kopidion and former chief of the U.S. Army Cyber Institute.
“Maybe I don’t have the specialized expertise analyzing network traffic or reversing malware, but another company does. Maybe the intelligence community can be leveraged because they have global intelligence collection,” Conti said. “If you can put all of that together, with tremendous effort, you can probably piece together pretty much everything that happened, but maybe not everything, and that’s what’s scary.”
The Associated Press contributed to this report.