Panic and uncertainty in the United States after a major cyber-espionage operation

Long before it became a gateway for state hackers, SolarWinds was known mainly to IT specialists. The company was listed on the New York Stock Exchange in 2018.

Has the United States just been the victim of the most significant cyber-espionage operation of the last twenty years? Since Sunday, December 13, and the discovery of spyware hidden at the heart of a piece of software used by dozens of American government agencies and companies, a wave of panic has swept over Washington.

The National Security Council, the equivalent of France's defense council, met twice in three days. Donald Trump's national security adviser had to cut short a trip to Europe. The White House "cyber" crisis unit, a body created under the Obama administration, has been activated, and members of the Senate and House intelligence committees have been briefed by the intelligence agencies.


After the Treasury and Commerce departments, it is now the Department of the Interior, the Department of Health and parts of the Pentagon that are reported to have been visited by the hackers, according to the US press. In some cases, emails were reportedly exfiltrated. On Wednesday, December 16, the FBI, the US cybersecurity agency (CISA) and the Director of National Intelligence acknowledged, in a joint and minimal statement, a "compromise affecting networks within the federal government".

A scale impossible to determine

To get into these networks, the hackers advanced under cover. In particular, they managed to insert Sunburst, malware of their own making, into certain versions of the Orion platform, a network-monitoring tool sold by the American company SolarWinds. The maneuver, hard to detect, is formidably effective: since March, organizations installing those versions of Orion on their networks have unwittingly opened a door for the hackers.

But four days after this high-flying operation was made public, no one is able to measure the damage precisely. On paper, the figures are dizzying. SolarWinds has estimated that just under 18,000 customers installed the compromised versions of its software since March. But that number says nothing about who the hackers actually spied on. The FBI has opened an investigation to identify the victims in the United States.

Sunburst was, in fact, only an entry point. The hackers most likely used this stealthy access only in certain cases, the ones of greatest interest from an intelligence-gathering point of view. But where? And for how long? Experts are flying blind. "We believe the number [of victims] really compromised is in the dozens," Charles Carmakal, chief technology officer of FireEye, a company specializing in hunting elite hackers, told the New York Times. Bloomberg, citing anonymous sources, reported on Tuesday that 25 victims had been identified.

Weeks, even months of investigation ahead

Even if the list of the hackers' actual victims turns out to be short, the severity of the espionage operation will remain unclear until the nature of the exfiltrated information has been precisely identified. And the task is arduous: the hackers have had months to roam the networks opened up by Sunburst. Enough time to move around, hide and cover their tracks. "Removing this malicious actor from compromised networks will be highly complex and challenging for organizations," the US cybersecurity agency warned in an alert released on Thursday.

All over the world, experts are therefore at work trying to identify the victims who let Sunburst into their midst, and the harder task of determining whether its operators actually made use of it. That includes France. "I have spoken with CAC 40 companies that use Orion. They are urgently patching the vulnerability and trying to determine whether it was used and what was taken. They are watching closely what the hacked American agencies release as information," says Loïc Guézo, general secretary of Clusif, an association bringing together cybersecurity managers from large companies.

Weeks, even months of investigation now lie ahead. All the more so since, in its alert, the American cybersecurity agency revealed, without further details, that the hackers had used another vector for their espionage operation besides the compromise of SolarWinds.

A humiliation for American cyber defense

The fact that prominent US departments and agencies were targeted raises fears in the United States of a first-rate intelligence failure. The hackers appear to have operated under the nose of the American authorities, perhaps too busy protecting the elections. In their statement, the FBI, the cybersecurity agency and the Director of National Intelligence confirm, reading between the lines, that they detected the espionage operation only in recent days.

President-elect Joe Biden on Thursday voiced his "great concern" about the events. "Dealing with this breach will be a top priority from the moment we take office," he continued, without naming anyone responsible. For its part, the Trump administration has not commented directly on the events.

Ron Wyden, one of the senators briefed by the intelligence agencies, said he feared "a massive national security failure that could have ramifications for years to come". "I fear the damage will be more serious than what we know today," he continued in a statement. "The magnitude of this ongoing attack is hard to overstate. It will take years to know which networks the Russians control and which ones they merely occupy," Thomas Bossert, Donald Trump's former homeland security and cybersecurity adviser, wrote in the New York Times.

Russia suspected

Eyes quickly turned to Russia, and more specifically to the hacker group APT29, reputed to be very close to Russia's foreign intelligence service, which several anonymous sources cited in the press named as responsible. All the more so after Democratic Senator Richard Blumenthal, at the end of a closed-door briefing with the intelligence agencies, spoke of a "Russian cyberattack". The senator said he was "deeply alarmed, in fact downright scared". "Americans deserve to know what's going on. Declassify what we know and what we don't," he asked the Trump administration on Twitter.


Yet public clues as to the perpetrators of these intrusions are scant, if not nonexistent. SolarWinds said it had been the victim of a "nation state". FireEye, at the forefront of the analysis of the infiltration, has not attributed it to anyone, and neither has the US government. Still, many experts lean toward the view that a state intelligence service is behind this operation, the only kind of actor capable of operating with such discipline and discretion.
