Casting a Wide Intrusion Net: Dozens Burned With Single Hack

FireEye CEO Kevin Mandia, SolarWinds CEO Sudhakar Ramakrishna and Microsoft President Brad Smith talk to each other before a Senate Intelligence Committee hearing. (Demetrius Freeman/The Washington Post via AP, Pool)

BOSTON (AP) - The SolarWinds hacking campaign blamed on Russian spies and the “grave threat” it poses to U.S. national security are widely known. A very different — and no less alarming — coordinated series of intrusions also detected in December has gotten considerably less public attention.

Nimble, highly skilled criminal hackers believed to operate out of Eastern Europe hacked dozens of companies and government agencies on at least four continents by breaking into a single product they all used.

The victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-powered U.S. law firm Jones Day — whose clients include former President Donald Trump — the rail freight company CSX and the Kroger supermarket and pharmacy chain. Also hit was Washington state’s auditor’s office, where the personal data of up to 1.3 million people gathered for an investigation into unemployment fraud was potentially exposed.

The two-stage mega-hack in December and January of a popular file-transfer program from the Silicon Valley company Accellion highlights a threat that security experts fear may be getting out of hand: intrusions by top-flight criminal and state-backed hackers into software supply chains and third-party services.

The casualties keep piling up, with many being extorted by the Russian-speaking Clop cybercriminal gang, which threat researchers believe may have bought pilfered data from the hackers. Their threat: Pay up or we leak your sensitive data online, be it proprietary documents from Canadian aircraft maker Bombardier or lawyer-client communications from Jones Day.

The hack of up to 100 Accellion customers, who were easily identified by the hackers with an online scan, puts in painful relief a core digital-age mission at which both governments and the private sector have been falling short.

“Attackers are finding it harder and harder to gain access via traditional methods, as vendors like Microsoft and Apple have hardened the security of the operating systems considerably over the last years. So, the attackers find easier ways in. This often means going via the supply chain. And as we’ve seen, it works,” said Mikko Hypponen, chief research officer of the cybersecurity firm F-Secure.

Members of Congress are already dismayed by the supply-chain hack of the Texas network management software company SolarWinds that allowed suspected Russian state-backed hackers to tiptoe unnoticed — apparently intent solely on intelligence-gathering — for more than half a year through the networks of at least nine government agencies and more than 100 companies and think tanks. Only in December was the SolarWinds hacking campaign discovered, by the cybersecurity firm FireEye.

France suffered a similar hack, blamed by its cybersecurity agency on Russian military operatives, that also gamed the supply chain. They slipped malware into an update of network management software from a firm called Centreon, letting them quietly root around victim networks from 2017 to 2020.

Both those hacks sneaked malware into software updates. The Accellion hack was different in one key respect: Its file-transfer program resided on victims’ networks either as a stand-alone appliance or cloud-based app. Its job is to securely move around files too large to be attached to email.

Too often, software companies with hundreds of programmers have just one or two security people, said Katie Moussouris, CEO of Luta Security.

“We wish we could say that organizations were uniformly investing in security. But we’re actually seeing them just dealing with the breaches and then vowing to do better in the future. And that’s been sort of the business model.”

Cybersecurity threat analysts hope the snowballing of supply-chain hacks stuns the software industry into prioritizing security. Otherwise, vendors risk the fate that has befallen SolarWinds.