Cyber security expert Steven Adair and his team were in the final stages of eliminating hackers from a think tank network earlier this year when they saw a suspicious pattern in the log data.
Not only had the spies managed to break in again – a common enough occurrence in the cyber incident response world – but they had sailed straight through to the client’s email system and bypassed the recently updated password protections as if they did not exist.
“Wow,” Adair recalled in a recent interview. “These guys are smarter than the average bear.”
Just last week, Adair’s company – Reston, Virginia-based Volexity – realized that the bears it had wrestled with were the same advanced hackers who compromised Texas-based software company SolarWinds.
Using an infiltrated version of the company’s software as a makeshift backbone, the hackers sneaked into a variety of US government networks, including the departments of finance, homeland security, trade, energy, state and other agencies.
When the news of the hack broke, Adair immediately thought back to the think tank, where his team had traced one of the break-ins to a SolarWinds server but never found the evidence needed to pinpoint the exact entry point or to alert the company. Digital indicators released on December 13 by cyber security firm FireEye confirmed that the think tank and SolarWinds were hit by the same actor.
Senior US officials and lawmakers have alleged Russia was responsible for the hacking attack, an allegation the Kremlin denies.
Adair, who helped protect NASA from hacking threats for about five years before eventually founding Volexity, said he had mixed feelings about the episode. On the one hand, he was pleased that his team’s assumption about a SolarWinds connection was correct. On the other hand, they had been on the edge of a much larger story.
Much of the U.S. cyber security industry is now in the same spot that Volexity was earlier this year, trying to find out where the hackers have been and to get rid of the various secret entry points the hackers are likely to have established in their victims’ networks. Adair’s colleague Sean Koessel said the company took about 10 calls a day from companies that feared they were being targeted or were concerned that the spies were already on their networks.
His advice to everyone else looking for hackers: “Leave no stone unturned.”
Koessel said efforts to uproot the think tank hackers, whom he refused to identify, stretched from late 2019 to mid-2020 and resulted in two more break-ins. Doing the same job across the US government is likely to be many times more difficult.
“I could easily see it taking six months or more to figure out – if not into the years for some of these organizations,” said Koessel.
Pano Yannakogeorgos, a New York University associate professor who served as the founding dean of the Air Force Cyber College, also predicted an extended timeline, saying some networks would need to be ripped out and replaced wholesale.
In any case, he predicted a high price tag as caffeinated experts were brought in to search digital logs for traces of compromise.
“It’s a lot of time, treasure trove, talent and mountain dew,” he said.
© Thomson Reuters 2020
Source link : https://gadgets.ndtv.com/internet/news/solarwinds-hack-russia-us-cleanup-could-take-months-cyber-security-expert-steven-adair-2343379#rss-gadgets-all