
How Russian hackers infiltrated the US government for months without being spotted

And why it could take months more to discover how many other governments and companies have been breached.
The Treasury Department in Washington, DC. “The US Treasury Department” by *rboed* is licensed under CC BY 2.0

Thousands of companies and governments are racing to discover whether they have been hit by the Russian hackers who reportedly infiltrated several US government agencies. The initial breach, reported on December 13, included the Treasury as well as the Departments of Commerce and Homeland Security. But the stealthy techniques the hackers used mean it could take months to identify all their victims and remove whatever spyware they installed.

To carry out the breach, the hackers first broke into the systems of SolarWinds, an American software company. There, they inserted a back door into Orion, one of the company’s products, which organizations use to see and manage vast internal networks of computers. For several weeks beginning in March, any client that updated to the latest version of Orion—digitally signed by SolarWinds, and therefore seemingly legitimate—unwittingly downloaded the compromised software, giving the hackers a way into their systems. 

SolarWinds has around 300,000 customers around the world, including most of the Fortune 500 and many governments. In a new filing with the Securities and Exchange Commission, the firm said “fewer than” 18,000 organizations ever downloaded the compromised update. (SolarWinds said it’s not clear yet how many of those systems were actually hacked.) Standard cybersecurity practice is to keep your software up to date—so most SolarWinds customers, ironically, were protected because they had failed to heed that advice.

The hackers were “extremely clever and strategic,” says Greg Touhill, a former federal chief information security officer. Even once they had gained access through the back door in Orion, known as Sunburst, they moved slowly and deliberately. Instead of infiltrating many systems at once, which could easily have raised suspicions, they focused on a small set of selected targets, according to a report from the security firm FireEye. 

Sunburst stayed quiet for up to two full weeks before it woke up and began communicating with the hackers, according to the report. The malware disguises its network traffic as the “Orion Improvement Program” and stores data inside legitimate files in order to better blend in. It also searches for security and antivirus tools on the infected machine in order to avoid them.

To further cover their traces, the hackers were careful to use computers and networks to communicate with the back door at a given target only once—the equivalent of using a burner phone for an illicit conversation. They made limited use of malware because it’s relatively easy to spot; instead, once they had initial access through the back door, they tended to opt for the quieter route of using real stolen credentials to gain remote access to a victim’s machines. And the malware they did deploy doesn’t reuse code, which made the espionage harder to catch because security programs hunt for code that has shown up in previous hacks.

Months undetected

Signs of the intrusion campaign date back to March, according to security reports from Microsoft and FireEye, which disclosed a related breach of its own networks just last week. That means any organization that suspects it might have been a target must now sift through at least 10 months of systems logs looking for suspicious activity—a task that’s beyond the capacity of many security teams. 

To help organizations figure out whether their systems have been hacked, FireEye and Microsoft have published a lengthy list of “indicators of compromise”—forensic data that could show evidence of malicious activity. The indicators include the presence of Sunburst itself, as well as some of the IP addresses identifying the computers and networks that the hackers used to communicate with it. If a team finds any of these IP addresses in its network logs, it’s a real sign of bad news. But since the hackers used each address only once, their absence is no guarantee of safety. Nor does the discovery that they are residing on a network mean it is easy to successfully evict them, since they can scour the network for new hiding spots.
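The log-sweep described above, as an added example (it is not code from the article, from FireEye or from Microsoft): a small scanner that checks a batch of network-log records against an indicator-of-compromise list and reports whether the retained logs even reach back to March, the earliest date the article gives. Every IP address, hostname and log line here is a constructed placeholder (RFC 5737 documentation ranges, the reserved `.invalid` top-level domain), and the four-field log format is an assumption; real indicators must come from the published vendor reports.

```python
"""
Added example: sweep network-log lines for IoC matches and check log
retention depth. All indicators and log lines are CONSTRUCTED placeholders,
not real SolarWinds/Sunburst indicators.
"""
import ipaddress
from datetime import datetime

# Constructed stand-ins for a published IoC list (assumed, not real).
IOC_IPS = {"192.0.2.44", "198.51.100.7"}
IOC_DOMAIN_SUFFIX = ".example.invalid"

# Constructed sample log lines in an assumed format:
#   <ISO-8601 UTC timestamp> <src ip> <dst ip> <dst hostname or "-">
SAMPLE_LOGS = [
    "2020-06-02T14:05:11Z 10.0.0.15 192.0.2.44 telemetry.example.invalid",
    "2020-06-02T14:05:12Z 10.0.0.15 203.0.113.9 updates.example.net",
    "2020-07-19T03:41:00Z 10.0.0.22 198.51.100.7 -",
    "2020-11-30T09:00:00Z 10.0.0.22 203.0.113.10 mail.example.net",
    "malformed line that the parser must skip rather than crash on",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, host = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        ipaddress.ip_address(dst)  # reject garbage in the destination field
    except ValueError:
        return None
    return {"when": when, "src": src, "dst": dst, "host": host}


def scan_logs(lines, ioc_ips=IOC_IPS, ioc_domain_suffix=IOC_DOMAIN_SUFFIX):
    """Return a list of hits: (timestamp, src, dst, host, [reasons]).

    A hit on a listed IP is strong evidence of contact with attacker
    infrastructure. An empty result proves nothing: the article notes the
    operators used each address only once, so most victims' logs will not
    contain any listed address.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["dst"] in ioc_ips:
            reasons.append("destination IP on IoC list")
        if rec["host"].endswith(ioc_domain_suffix):
            reasons.append("destination host matches IoC domain pattern")
        if reasons:
            hits.append((rec["when"], rec["src"], rec["dst"], rec["host"], reasons))
    return hits


def log_coverage(lines, needed_since):
    """Return (earliest_timestamp, covers_window).

    covers_window is True only if retained logs reach back at least to
    needed_since; the article puts the start of the campaign in March 2020,
    so a sweep that starts later cannot clear an organization.
    """
    stamps = [r["when"] for r in map(parse_line, lines) if r is not None]
    if not stamps:
        return None, False
    earliest = min(stamps)
    return earliest, earliest <= needed_since


if __name__ == "__main__":
    for when, src, dst, host, reasons in scan_logs(SAMPLE_LOGS):
        print(f"{when:%Y-%m-%d %H:%M} {src} -> {dst} ({host}): {', '.join(reasons)}")
    earliest, ok = log_coverage(SAMPLE_LOGS, datetime(2020, 3, 1))
    print(f"earliest retained record: {earliest}; covers March onward: {ok}")
    if not ok:
        print("retention gap: absence of hits in these logs is not evidence of safety")
```

The two functions separate the two questions a team actually has to answer: did anything in the logs we have touch known attacker infrastructure, and do the logs we have go back far enough for a negative result to mean anything. A pipeline that only answers the first question will report "clean" on an organization whose logs simply start after the intrusion.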

The suspected hackers are from Russia’s SVR, the country’s primary foreign intelligence agency. Known alternately as Cozy Bear and APT29, they have compiled a long list of breaches, including the hack of the Democratic National Committee in 2016. Russia denies involvement.

“It’s given them the ability to backdoor into major networks,” says Touhill, who is now president of Appgate Federal Group, a secure infrastructure company. “They have the ability to sit there, slurp up all the traffic, analyze it. We need to be paying close attention to what else are these actors looking for? Where else may they be? Where else may they be lurking? If they’ve got access, they’re not giving it up easily.”