The hack of U.S. government and private computers was far worse than originally suspected, affecting potentially millions of computers. Authorities now say that the hackers not only breached the SolarWinds software but other applications as well.
Only about two-thirds of the affected systems were penetrated via SolarWinds software; the other third was compromised through a variety of other applications and services.
The attackers “gained access to their targets in a variety of ways. This adversary has been creative,” said Mr. Wales, whose agency, part of the U.S. Department of Homeland Security, is coordinating the government response. “It is absolutely correct that this campaign should not be thought of as the SolarWinds campaign.”
The hackers exploited known bugs in software products, guessed online passwords, and took advantage of the way Microsoft Azure was configured. All told, the hack, which was probably the work of several independent groups, including the Russian government, penetrated millions of machines.
“This is certainly one of the most sophisticated actors that we have ever tracked in terms of their approach, their discipline and range of techniques that they have,” said John Lambert, the manager of Microsoft’s Threat Intelligence Center.
In December, Microsoft said that the hackers who targeted SolarWinds had accessed its own corporate network and viewed internal software source code—a lapse of security but not a catastrophic breach, according to security experts. At the time, Microsoft said it had “found no indications that our systems were used to attack others.”
For Russia, the information stolen was probably valuable. But the attack has done far more damage to the trust that government and businesses place in outside software vendors. That kind of psychological harm is a dream outcome for foreign PsyOps planners who seek to sow confusion, mistrust, and fear in their enemy.
Mr. Wales said that the hacking operation was “substantially more significant” than a previous hacking spree against cloud providers, known as Cloud Hopper and linked to the Chinese government, widely considered to be one of the largest-ever corporate espionage efforts. The hackers in this campaign have been able to compromise core infrastructure of government and private sector victims in a way that dwarfs that attack, Mr. Wales said.
If we’re doing the same thing to Russia and China, they aren’t talking. Keeping such intrusions out of the news is fairly easy when the state controls the media, but just because it isn’t public doesn’t mean it isn’t being done.
This is a rare instance where the global cyberwar has made headlines in the U.S. But make no mistake: this is a daily battle with winners, losers, and casualties. And it’s not a war on the cheap. The U.S. Cyber Command gets in excess of $9 billion a year.
As cyber warfare grows in importance, we can expect that number to rise substantially.