A hack of the U.S. Treasury and Commerce departments last week, described by The New York Times as one of the most “sophisticated and perhaps largest hacks in more than five years,” was likely perpetrated by Russian “state actors,” according to Paulo Shakarian, an Arizona State University (ASU) Schools of Engineering associate professor and researcher for the Global Security Initiative.
The National Security Council and the Department of Homeland Security acknowledged the intrusion without identifying the hackers, but it is widely believed to have originated in Russia. The breach involved tampering with updates released by SolarWinds, a network management company for a wide range of government agencies, including the military, intelligence agencies and the executive branch. The hackers hid malicious code in legitimate SolarWinds updates that, according to the company, were released between March and June.
Shakarian also is the CEO and co-founder of ASU spinout company CYR3CON, which uses machine learning technology to predict exploits before hackers use them. CYR3CON’s customer base includes Fortune 500 companies and financial institutions.
“This attack was orchestrated at a very sophisticated level by attackers likely sponsored by the Russian government,” Shakarian said. “They were dead set on breaking in.”
Cybersecurity provider FireEye, which also has top national security clients, said last week that it too had been a target of Russia-sponsored hacking, with the attackers specifically going after its vulnerability testing tools.
Shakarian discussed these national security breaches in the following conversation.
Question: Was there anything that could have been done to prevent these breaches?
Answer: These security breaches aren’t like the Equifax breach in 2017 where the breach could have been avoided. This was an act likely conducted by a nation-state.
If an actor like Russia or China is determined to break into a company or a government agency, they are likely going to be successful. They are going to pay enough professional hackers for as long as necessary to figure it out.
Typical cybercriminals launching attacks such as ransomware or cryptocurrency mining are looking for a quick way in for near-term financial gain.
These nation-state hackers are looking to steal information. They are people who show up for work at a government facility every day and focus on executing attacks. It’s a very different type of focus than that of a cybercriminal.
Q: You sound secure that it was the Russians. Do you have insight?
A: FireEye has built a business around identifying techniques and procedures primarily from Russian and Chinese actors, so there’s a lot of incentive for them to hit FireEye. Another thing is that to hack FireEye takes a lot of sophistication because they are one of the top security vendors.
Also, the press reported that it was FBI specialists who focus on Russia doing the investigating, which is also telling.
Q: Are these SolarWinds and FireEye breaches from the same bad actors?
A: We don’t know that for sure, but there is wide suspicion that it is the same Russian hacking group. The reason they are all lumped together is based on what we call tactics, techniques and procedures that may appear common among targets for that group. It’s not known, publicly at least, if the same tactics were used both against the Treasury and FireEye, but they do note that the tactics were those typically used by this group of hackers.
Q: What stands out about the hacks announced in the past week?
A: These are very sophisticated attacks directed against difficult targets. It does not appear that these hacks were the result of negligence. This is much more deliberate action beyond the normal, run-of-the-mill computer breach.
There’s a reason we’re hearing about this in the media. The parties involved want it to be known that another country has been targeting very sensitive companies and government institutions within the U.S.
Q: How long were the breaches undetected?
A: It will be interesting to find out. The mean time between breach and discovery varies widely between industries. It varies even more widely between attacker type. Your typical criminal hacker will persist on a computer system for a much shorter time than a nation-state attacker, who is going to design their malicious software to sort of camp out at their target for as long as they possibly can.
FireEye was probably on the shorter end of the spectrum because they are likely more aggressive about their own internal security.
Q: FireEye went public about its breach and released one of its tools to the public. What has been learned about the FireEye breach?
A: From what I’ve seen, FireEye has been quite responsible about how it handled the breach.
In particular, FireEye disclosed that the hackers stole the proprietary tools used for penetration testing for its very high-end clients. This is a testing scenario in which FireEye pretends to be the bad guy and breaks into systems in order to identify and correct security problems. These penetration testing tools are exactly what you would use if you want to break into a system. Think of it as essentially a lock-picking tool that got stolen.
Since FireEye knew those tools were stolen, it took the step of releasing signatures to all, not just its clients, to protect against its own hacking tools, as well as listing software vulnerabilities that those tools exploited.
FireEye clients themselves would be less vulnerable to these tools because, having already been tested using them, they subsequently will have protected themselves.
It’s the clients who have not gone through the penetration test in a security testing procedure that were put at risk by the Russian hackers, because the hackers can take those FireEye testing tools and use them for malicious purposes.
At the end of last week, FireEye essentially gave away how to counteract that lock-picking tool to everyone. By doing so, they essentially lost all of the time and research that went into creating the toolkit.
That was a very responsible thing to do.