One Month Since the Largest Recorded Cyberattack on the U.S.: What We Know and How We Got Here

Credit: Stephen Foskett / Flickr

Several of the software company SolarWinds’ customers — including multiple U.S. government agencies — suffered breaches in a December 2020 hack.

James Connor, Contributor

Espionage, hackers, and Russians: all the makings of a decent action movie. But when those forces came together in mid-December, the results were messier than a typical Bond flick, and highlighted a dangerous truth about the United States government: a distinct failure to keep pace with modern cybersecurity.

On December 8, 2020, cybersecurity firm FireEye announced that they had suffered a massive security breach. As a company that directly interfaces with the networks of its clients — including through government contracts — the potential impacts of such a hack were not unappreciated. In the announcement, FireEye stated that “the attacker targeted and accessed certain Red Team assessment tools that we use to test our customers’ security”, although none of the accessed tools contained “zero days”, a term used to refer to previously unidentified security vulnerabilities.

That attack would prove to be just the beginning of a much larger hacking campaign. In another blog post on December 13, FireEye revealed something that sent the information security community into a frenzy. The company stated that after having conducted an independent investigation into the breach, they had discovered the source of the intrusion: a supply chain attack. This type of hack is complex; it involves attacking a company’s tools and resources rather than its direct infrastructure in order to indirectly gain access to that company. In this case, it was determined that a program titled Orion had been hacked. FireEye describes this software, a product of SolarWinds, as “a powerful, scalable infrastructure monitoring and management platform designed to simplify IT administration”. The supply chain attack succeeded in hacking SolarWinds and compromising the updates for the Orion software, rendering anyone using Orion vulnerable to attack the moment they updated to the compromised version. By the time the hack was announced, it was far too late. Several of SolarWinds’ customers — including multiple U.S. government agencies — had suffered breaches.

The National Security Council held an emergency meeting that same day, after the U.S. Treasury and Commerce departments had discovered that they too had been hacked. It was later announced that the Departments of State, Defense, and Homeland Security had also suffered breaches. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive ordering government users of the software to immediately shut it down on their systems while the FBI and DHS launched an investigation. But this warning was too little, too late, as further announcements from SolarWinds revealed that the vulnerable version had been published since at least June. The questions remained: who was responsible? And how could the government remain vulnerable for so long without knowing?

The Washington Post identified the culprits as a Russian hacking group formally classified as Advanced Persistent Threat Group 29 (APT29), but better known as “Cozy Bear”. Secretary of State Pompeo confirmed this accusation, stating that “we can say pretty clearly that it was the Russians that engaged in this activity”. President Trump, however, conjectured in a Tweet that China could be responsible, claiming, “Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China”. This isn’t the first time that the White House and intelligence officials have disagreed over Russian cyberattacks. In 2018, President Trump went against the FBI’s findings on Russian interference in the 2016 election, saying, “President Putin says it’s not Russia. I don’t see any reason why it would be.” Once again, the president has sided with Russian assertions over U.S. intelligence. But a refusal to adopt U.S. intelligence findings is far from the most dangerous White House action on cybersecurity in the past four years.

Since taking over in 2017, the Trump Administration has consistently undermined the digital strength of the United States. In 2017, President Trump appointed former New York City mayor Rudy Giuliani as cybersecurity adviser. As Vice reported at the time, however, Giuliani lacked the technological qualifications for such a role; his cybersecurity firm was primarily aimed at reducing legal liability involving cybersecurity incidents.

The attacks on government cybersecurity continued in 2018, when the president eliminated the role of national cybersecurity coordinator, and again in 2020, when he fired CISA director Christopher Krebs, who had led CISA in creating a blog to debunk electoral fraud claims. While President Trump did enhance the U.S. military’s cyber capabilities, and consequently encouraged deterrence of foreign cyberattacks, given the damage dealt to key cybersecurity policies and leadership, it’s no wonder that five key U.S. agencies suffered a breach.

The federal government’s inability to tackle cybersecurity extends beyond the Trump Administration’s undercutting of executive efforts at defense. For years, the U.S. government has failed to properly address cybersecurity — which the Obama Administration’s fumble of the Russian hack of the DNC emphasizes.

With new developments likely to appear for months as the full scope of this attack continues to come to light, the stage has been set to see how the Biden Administration will tackle this and other important cybersecurity issues in its first 100 days.