The suspected Russian hackers behind the recently discovered hack of IT contractor SolarWinds’ Orion software tools may have started their hacking efforts from within U.S. servers, allowing them to better avoid detection by U.S. cyber defense systems.
FireEye, a private cybersecurity firm, told the New York Times that the hackers appeared to stage their attacks from U.S.-based servers, in some instances located in the same cities and towns as their victims. This method would have helped the hackers avoid detection, as the National Security Agency (NSA) and the Department of Homeland Security (DHS) are currently prohibited from entering private U.S. networks.
The suspected Russian hackers are believed to have gained access to SolarWinds software update systems, where they inserted cyber vulnerabilities into more than a dozen SolarWinds Orion products. The hack potentially affects an estimated 18,000 users who used the hacked products, including government agencies and numerous Fortune 500 companies.
The New York Times reported that the hacking methods also allowed the hackers to circumvent early warning systems built by U.S. Cyber Command and the NSA, which look within foreign networks to detect developing cyber attacks. By targeting the SolarWinds software update systems, the hackers would likely have been able to go undetected by the “Einstein” detection system, another cyber defense system used to detect malware and other suspicious activity directed at U.S. government networks.
The vulnerability in SolarWinds software products reaches as far back as March of 2020, raising the possibility that hackers have been able to target SolarWinds product users for at least nine months. The hacking effort was so covert that it remained undetected by government agencies and was instead revealed only recently by FireEye, the private cybersecurity firm.
Sen. Mark Warner (D-VA), the ranking member of the Senate Intelligence Committee, told the New York Times, “This is looking much, much worse than I first feared. The size of it keeps expanding. It’s clear the United States government missed it, and if FireEye had not come forward, I’m not sure we would be fully aware of it to this day.”
While initial reports estimated that only a few dozen of the 18,000 users of the compromised SolarWinds products were affected, the list of potentially affected agencies and businesses has grown to about 250, according to the New York Times.
Former employees and government investigators told the New York Times that SolarWinds has a history of poor security for its software products. A history of vulnerabilities could have made SolarWinds a particularly enticing target for foreign hackers.