The main US intelligence agencies estimated on Tuesday that Russia was “very likely” to be behind the cyber espionage operation discovered in mid-December, and not China, as Donald Trump insisted. They also confirmed the severity of the attack.
At least ten US government agencies hit, around 18,000 federal bodies and private companies affected, and one culprit finally named officially: “most likely” Russia. The main US intelligence services – the FBI, the NSA, the CISA (Cybersecurity and Infrastructure Security Agency) and the Office of the Director of National Intelligence (ODNI) – issued their findings on Tuesday, January 5, on a vast cyber espionage operation in the United States, discovered in mid-December and “still in progress”, according to their joint press release.
Pointing the finger at Moscow is a snub for outgoing President Donald Trump. He had disputed the Russian lead, which was already being floated shortly after the hack was discovered on December 17, preferring to make China his number one suspect.
The weakest link
However, no evidence has been provided by US agencies to support the accusations against Russian cyber spies. This is not, in itself, surprising: “The United States rarely provides evidence in such cases so as not to give clues as to their modus operandi,” explains Ivan Kwiatkowski, cybersecurity researcher at Kaspersky France, contacted by France 24.
For now, Americans have to take their word for it. “Nothing concrete has yet been published – neither by the intelligence services nor by the private-sector partners cooperating in the investigation – that would allow a link to be made with Russia,” says the researcher at Kaspersky, an IT security company that is also actively working to trace this cyberattack.
But beyond the political arm-waving over attribution, these official conclusions above all confirm the scale of the attack. “This is one of the largest cyber espionage operations ever orchestrated in the United States,” said Gérôme Billois, cybersecurity specialist at the consulting firm Wavestone, contacted by France 24.
That scale shows first in the sophistication of the intrusion techniques. The attackers took the time to identify the weak link among the software vendors used by the US administration. They settled on an American company, SolarWinds, which sells network management software. A piece of malware was implanted in one of its products, Orion, used by nearly 40,000 companies and administrations, including Microsoft, the State Department, the New York Times and telecommunications groups.
This first piece of malware was designed to spread into the networks of SolarWinds customers when they installed an Orion update. About 18,000 of them did so, opening a gateway for the attackers. But that is not all: these cyber spies then singled out more than 250 organisations of particular interest to them and installed further malware there, allowing them to monitor the entire network and, when needed, steal sensitive information.
Stinging setback for the United States
They had access to some of the most important departments in the country, such as the State Department (the Ministry of Foreign Affairs), the Treasury, National Security, and even Commerce and Energy. The hackers managed to remain there without arousing suspicion since March 2020. This is the other aspect that sets this cyber espionage operation apart. “More than the number of victims, it is their quality that counts here,” emphasizes Ivan Kwiatkowski.
Pulling off such a coup “requires substantial human and technical resources, if only to constantly monitor the hacked networks and to evade the detection measures put in place by these administrations”, considers Gérôme Billois. “It is clear that for the country behind this attack, this was an operation of great importance,” confirms Ivan Kwiatkowski.
For the United States, this is a bitter setback. This case shows how poor control over the software used by the administration can be. Since the first revelations concerning this attack, we have indeed “learned that IT security within Solarwinds had already been called into question in the past”, recalls Gérôme Billois.
The extent of the damage is also reflected in what the intelligence services are careful not to say in their joint statement. “It is absolutely unclear what information these spies may have had access to,” said the expert from Wavestone. Usually, the authorities do everything they can to be reassuring, indicating for example that the attackers did not have access to critical infrastructure or sensitive information. Nothing of the kind this time. “There are two possible explanations: either they don’t know anything about it yet, which is bad enough, or it is too sensitive to be said publicly,” Gérôme Billois analyzes.
And by the authorities’ own admission, the attack is not over. “Which means that investigators are still identifying all the victims and making sure that there is no trace of the presence of these spies anywhere,” says Ivan Kwiatkowski.
It is painstaking work. “Succeeding in removing attackers from a hacked network is often complicated,” notes the researcher from Kaspersky France. This includes making sure that the hackers have not installed other back doors allowing them to return discreetly after being ejected the first time. A major clean-up “which will very probably not be finished before the end of the month”, estimates Ivan Kwiatkowski. In other words, during the handover between Donald Trump and Joe Biden on January 20, there will probably still be one or two Russian spies in the virtual corridors of several ministries.