Tech Tent: Hacking the heart of the US government

Getty Images American flag with codeGetty Images
The attack on key US agencies has been described as one of the biggest in history

Since March, hackers have had access to key parts of the US government - and only in the last week has their presence been uncovered.

On Tech Tent we assess the damage done by what may be the most successful act of cyber-espionage yet seen.

Podcast available now
  • Listen to the latest Tech Tent podcast on BBC Sounds
  • Listen live every Friday at 15.00 GMT on the BBC World Service
line

It was last Sunday when it emerged that a company called SolarWinds had been hacked and its customers were being advised to disconnect from one of its key products, the Orion Platform, used to monitor networks.

I'm sure many people yawned and thought this was just another hack but to cyber-security experts the name of the company targeted was a red flag. "The moment I heard SolarWinds was involved, the alarm bells went off," Rick Holland, chief information security officer at Digital Shadows, tells Tech Tent.

That was because customers of SolarWinds network monitoring tools include many branches of the US government. "You have the highest tiers of both the military side of the government, as well as the civilian agencies in the government, as well."

Through the week it seemed each day brought news of another key agency whose defences had been breached since the attackers tampered with an update to the SolarWinds Orion platform.

The Departments of Treasury and Commerce were named first, then Homeland Security, the National Institute of Health and even the Los Alamos nuclear weapons lab were said to have been compromised.

Reuters American flags wave outside the J Edgar Hoover FBI Building in Washington, December 2, 2020.Reuters
The FBI is among those investigating the hacking campaign

At an early stage Reuters news agency said three sources had told it Russia was behind the attack - an allegation the Russian Foreign Ministry described as baseless.

The US government has been cautious about attributing the attack to the Russians, although the FBI has said it is investigating "in order to attribute, pursue, and disrupt the responsible threat actors".

In the New York Times on Thursday President Trump's former homeland security adviser, Tom Bossert, was clear about who he thinks is responsible. "The magnitude of this ongoing attack is hard to overstate," he wrote. "The Russians have had access to a considerable number of important and sensitive networks for six to nine months."

But whoever did it, how did they manage to get through the defences of a company like SolarWinds with what the company describes as a " very sophisticated supply-chain attack"?

Rick Holland has a theory: "We do know that SolarWinds, in their filing to the Security and Exchange Commission this week, alluded to Microsoft, which makes me think that the initial access into the SolarWinds environment was through a phishing email. So someone clicked on something they thought was benign - turned out it was not benign."

If it did all start with a phishing email, that won't sound too sophisticated to many people.

But in a blog post, calling for a global response to what he describes as a moment of reckoning, Microsoft's president, Brad Smith, says his own company's investigations confirm that this was an attack "remarkable for its scope, sophistication and impact".

Reuters President TrumpReuters
President Trump has yet to comment on the hack which security experts see as hugely significant

While not attributing the attack to Russia in so many words, he notes the country's involvement in previous hacks and calls this latest one "an act of recklessness that created a serious technological vulnerability for the United States and the world".

Much of the language used about this attack by both American government officials and private companies sounds like that used during periods of tension during the Cold War. But so far, the man who leads the United States has been silent.

President Trump was swift in sacking US cyber-security chief Chris Krebs after he described the November election as the most secure in American history. But he has not said a word about what looks like the modern equivalent of an armed raid on the United States mainland by a foreign power.