2020-12-15

Russian President Vladimir Putin attends a meeting with participants of the We Are Together nationwide volunteer campaign via video conference at the Novo-Ogaryovo residence outside Moscow, Russia on December 5, 2020.

On September 25 Russia’s president, Vladimir Putin, warned that “one of the main strategic challenges of our time is the risk of a large-scale confrontation in the digital sphere”.

He proffered a solution. “In a mutually acceptable form,” he said, Russia and America would “exchange guarantees of non-interference in each other's internal affairs, including electoral processes, including using ICT and high-tech methods”: in other words, a cyber-truce.

Even as he spoke, a team of Russian hackers was apparently deep inside some of America’s most sensitive networks.

The team, known as APT29 or more evocatively as Cozy Bear, thought to be part of the SVR, Russia’s foreign intelligence service, are reported by several media outlets to have penetrated America’s Treasury, Commerce and Homeland Security departments, among others, where they could read internal emails at will.


One former cyber-security official says the intrusion is one of the largest he has ever seen. It is believed to be the latest front in a broader Russian campaign. In October America and Britain accused a different Russian hacking group, Fancy Bear, of a string of cyber-attacks during 2015-19 against everything from Ukraine’s power grid to the Winter Olympics in South Korea.

The latest intrusion took a circuitous route. The malware used by the attackers hitches a ride on a legitimate piece of software called Orion, a tool written by SolarWinds, a Texan company that helps organisations monitor their computer networks.

Somehow, the attackers gained access to SolarWinds’ computers. Between March and June this year, the company posted official software updates containing the malware. Once downloaded, the software can impersonate an organisation’s system administrators, who typically have the run of the entire network.

SolarWinds says that “this vulnerability is the result of a highly sophisticated, targeted... attack by a nation state”.

According to FireEye, a cyber-security firm that was also a target, the malware lies dormant for two weeks and then cleverly funnels away data by disguising it as legitimate network traffic, while also parrying anti-virus tools.

This is “really good tradecraft”, notes Dmitri Alperovitch of the Silverado Policy Accelerator, who was previously at CrowdStrike, another cyber-security company. “They brought their A-game,” he adds. A key question in any investigation is likely to be how the state in question compromised Orion in the first place.

However it was done, subverting software updates is a good strategy. Standard security advice, after all, is to install them as soon as possible. This is not the first time it has been used. The NotPetya malware in 2017, which spread worldwide, used compromised updates from a Ukrainian maker of tax-accounting software.

Hackers were able to pretend to be Microsoft.

In 2012 researchers discovered that attackers, presumed to be Western, had found a way to cryptographically impersonate Microsoft, allowing them to push malware-laden software to the company’s customers in Iran.

The latest intrusion does not seem to be quite that fancy, but it is cunningly written and goes to considerable lengths to hide its presence from its targets.

On December 13th America’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency order instructing federal agencies to disable SolarWinds software immediately, “the only known mitigation measure currently available”.

Orion’s ubiquity may explain why so many organisations appear to be affected. The hackers would have had their “pick of targets across government and the private sector worldwide”, says Alperovitch.

For now, at least, cyber-security experts think most are merely collateral damage, and were not deliberate targets. That is one downside of choosing software updates as an attack path: if the software is used widely, then many different companies will be infected, which raises the likelihood of detection.

© 2020 The Economist Newspaper Limited. All rights reserved. From The Economist published under licence. The original article can be found on www.economist.com