Experts who wrestled with SolarWinds hackers say cleanup could take months - or longer
By Raphael Satter
WASHINGTON (Reuters) - Cyber security researcher Steven Adair and his team were in the final stages of eliminating the hackers from a think tank network earlier this year when they saw a suspicious pattern in the log data.
Not only had the spies managed to break in again - a common enough occurrence in the cyber incident response world - they'd sailed straight through to the customer's email system, leaving the recently updated password protection behind them, as if it didn't exist.
"Wow," recalled Adair in a recent interview. "These guys are smarter than the average bear."
Just last week, Adair's company - Reston, Virginia-based Volexity - realized that the bears it was wrestling with were the same advanced hackers who compromised Texas-based software company SolarWinds.
Using a compromised version of the company's software as a makeshift backbone, the hackers sneaked into a variety of US government networks, including the departments of finance, homeland security, trade, energy and state, among other agencies.
When the news of the hack broke, Adair immediately thought back to the think tank, where his team had traced one of the break-in attempts to a SolarWinds server but never found the evidence they needed to pin down the exact entry point or alert the company. Digital indicators released on Dec. 13 by cybersecurity firm FireEye confirmed that the think tank and SolarWinds were hit by the same actor.
Senior US officials and lawmakers have alleged that Russia was responsible for the hacking spree, an accusation the Kremlin denies.
Adair, who helped protect NASA from hacking threats for about five years before eventually founding Volexity, said he had mixed feelings about the episode. On the one hand, he was pleased that his team's assumption about a SolarWinds connection was correct. On the other hand, they had been on the edge of a much larger story.
Much of the U.S. cybersecurity industry is now in the same spot that Volexity was earlier this year, trying to find out where the hackers have been and to root out the various secret entry points the hackers are likely to have set up on their victims' networks. Adair's colleague Sean Koessel said the company was taking about 10 calls a day from companies that feared they were being targeted or were concerned that the spies were already on their networks.
His advice to everyone else who is looking for hackers: "Leave no stone unturned."
Koessel said efforts to uproot the hackers from the think tank, which he declined to identify, stretched from late 2019 to mid-2020, during which the hackers broke in twice more. Doing the same job across the US government is likely to be many times more difficult.
"I could easily see it taking six months or more to figure it out - if not years for some of these organizations," Koessel said.
Pano Yannakogeorgos, a New York University associate professor who served as the founding dean of the Air Force Cyber College, also predicted an extended timeline, saying some networks would need to be ripped out and replaced wholesale.
Either way, he predicted a high price tag as caffeinated experts were brought in to comb through digital logs for traces of compromise.
"It's about a lot of time, treasure trove, talent and Mountain Dew," he said.
(Reporting by Raphael Satter; editing by Andrea Ricci)