The hacking campaign that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries who were also running the software, according to a security firm conducting investigations of some of the breaches.
In addition to the critical infrastructure companies, the SolarWinds software also infected three firms that provide services for such companies, says Rob Lee, CEO of Dragos, Inc., which specializes in industrial control system security and discovered some of the infections.
The service companies are known within the industry as original equipment manufacturers, or OEMs. They sometimes have remote access to critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations. This means that hackers who breached the OEMs could potentially use their credentials to control critical customer processes.
“If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn’t mean they can then flip off the lights; they have to do more after that.”
But compromising an OEM does magnify the potential risks to infrastructure.
“[I]t’s particularly concerning because … compromising one OEM, depending on where you compromise them, could lead to access to thousands of organizations,” said Lee, a former critical infrastructure threat intelligence analyst for the NSA. “Two of the … OEMs that have been compromised … have access to hundreds of ICS networks around the world.”
“Compromising one OEM could lead to access to thousands of organizations.”
Lee notes that in some cases the OEMs don’t just have access to customer networks — they actually directly infected their customers with the SolarWinds software. That’s because some of them use SolarWinds not just on their own networks, but also have installed it on customer networks to manage and monitor those, sometimes without the customers being aware this was done.
Lee wouldn’t identify the OEMs and doesn’t know if the SolarWinds hackers took an interest in them.
SolarWinds was compromised in March, modified with a so-called “backdoor” to provide an attacker access to the network of anyone who downloaded it. Government officials have linked the hack to Russia. The backdoor, which security researchers at cybersecurity company FireEye have dubbed SUNBURST, gathers information about the infected network, then waits about two weeks before sending a beacon to a server owned by the hackers, along with information about the infected network, to signal that the infected system is open for them to surreptitiously enter. The hackers would have used that information to determine which targets they wanted to burrow into further. Once inside an infected system, the hackers could download more malicious tools and steal employee credentials to gain access to more critical parts of the network — collecting information or altering data or processes there.
Kevin Mandia, CEO of FireEye, has said the attackers only entered about 50 of the thousands of entities that were infected with the backdoor.
Lee said the infections in the critical infrastructure sector occurred not just on companies’ IT networks but also sometimes on actual industrial control system networks that manage critical functions.
There is currently no evidence, however, that the hackers used the backdoor in the SolarWinds software to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their control system networks.
“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”
He says all of the infected companies are “doing the necessary hunting and [are] assuming they are compromised.” But without logging to catch the infection and track the hackers’ movements through the network, the companies have to hunt for what looks like malicious behavior. “And this is an adversary that burrows in deep and is very very hard to root out.”
“Almost none of them have network logs.”
If the hackers came in through the infected OEMs instead, using those companies’ credentials and privileged access, it could be even more difficult for OEM customers to spot the hackers’ activity since it would look legitimate.
Dragos notified the three OEMs that they were infected, as well as government officials and officials in President-elect Joe Biden’s incoming administration. An alert published last week by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that critical infrastructure entities were compromised by SolarWinds software, but didn’t indicate which industries were affected and didn’t note that this included the OEMs for critical infrastructure.
It’s not the first time an OEM in the industrial control system has been hacked. In 2012, hackers believed to be from China breached an OEM called Telvent and stole engineering drawings and accessed files used to program industrial control systems. Telvent is a division of Schneider Electric that is headquartered in Spain, but its software is used in oil and gas pipelines across the U.S. and Canada, as well as some water control system networks. The breach raised concerns at the time that the hackers could have embedded malicious code in the software to infect customer control systems.
“When you look at industrial networks, many people still believe them to be highly segmented, but that only means segmented from the” corporate enterprise network, Lee said. “While they might be segmented from the enterprise, they have a vast series of connections to OEMs and others who are connected to those networks for maintenance and other [purposes].”
The SolarWinds hacking campaign came to light earlier this month when FireEye revealed that it had been breached by hackers who took software tools the company uses to find vulnerabilities in customer systems. The company then revealed days later that the intruders had gained access to their network using a backdoor that had been implanted in network monitoring software made by the Austin-based company SolarWinds. The software is used widely across government and industry to manage and monitor networks, and SolarWinds has revealed that up to 18,000 customers could have downloaded the infected code.
Investigators in the security community have said they have seen nothing to attribute the SolarWinds campaign to a particular known hacking group or nation, but officials in the government have attributed the operation to Russia, though they haven’t indicated what has led them to this conclusion.
“It’s so many different people in the government [attributing this to Russia], you wouldn’t get this sort of statement if there wasn’t something there,” says James Lewis, a former government official who oversees cybersecurity programs at the Center for Strategic and International Studies. “[T]he forensic guys are looking at what’s left behind [on networks], and that may not be the best way to attribute something. Governments use other methods to look for attribution. So the fact that the forensic people haven’t discovered it isn’t determinative; they don’t have the full picture.”
Russia has denied responsibility for the hacking operation.
The scope of the hacking operation is still unknown, but so far reports indicate that the departments of Homeland Security, Commerce, and the Treasury; at least two national laboratories; the Federal Energy Regulatory Commission; and the National Nuclear Safety Agency, which maintains the nation’s stockpile of nuclear weapons, were all infected. Microsoft, Cisco, and Intel are among those in the tech sector that were also infected. A number of the intrusions at government agencies went beyond merely being infected by the SolarWinds malware. Sen. Ron Wyden revealed this week that the hackers were able to read and steal emails of some of the top officials at the Treasury Department.
Currently, the campaign is being characterized by security professionals and government officials as an espionage operation. But the compromise of critical infrastructure could have put the hackers in a position to do more than simply steal data, if they wanted to do so. Although there is currently no evidence this was or would have been their intention, Russia has a history of engaging in disruptive operations in critical infrastructure.
In 2015, Russia hacked several Ukrainian power distribution plants and took out power for about 230,000 customers for up to six hours in some cases, in the middle of winter. They repeated their operation again in Ukraine in 2016, taking out power to some customers for about an hour, and also struck the State Administration of Railway Transport, which manages Ukraine’s national railway system. The operations led experts to conclude that the Russians were using Ukraine as a test bed to refine hacking techniques that could be used in other countries, such as the U.S.
On Sunday, speaking on CNN’s “State of the Union,” Sen. Mitt Romney said, “What Russia has done is put in place a capacity to potentially cripple us in terms of our electricity, our power, our water, our communications.” He continued, “This is the same sort of thing one can do in a wartime setting, and so it’s extraordinarily dangerous, and it’s an outrageous affront on our sovereignty and one that’s going to have to be met with a very strong response.”
But Suzanne Spaulding, former undersecretary for the Department of Homeland Security who led the division that oversees critical infrastructure security, cautions that the intentions of the SolarWinds adversary are still unknown, and even if they breached networks in the electric, oil, and gas industries, this isn’t the same as having the ability to cause disruption or damage.
“But you can [still] get a lot of information … that can help you to plan a truly disruptive attack,” she noted. Because the hackers in the SolarWinds campaign were also able to breach FERC, this could have provided them with information on vulnerabilities and security measures in the U.S. grid that they could later leverage for an attack. She points to the 2015 Russian hack of the Ukrainian distribution plants: The hackers were in the plant networks at least six months doing reconnaissance to understand the equipment and how it worked before taking out the power in December that year.
“You can get a lot of information … that can help you to plan a truly disruptive attack.”
But even an attack aimed at disrupting the U.S. electric grid would be limited in its effect, she notes.
“It’s hard to have a really impactful attack, particularly on our electric grid, which is pretty resilient,” she said. “[But] we don’t know that that’s what they’re doing.”
In the past, when Russian hackers have targeted the oil and gas industry in hacking operations, Spaulding said the U.S. government assessed that they may have just been looking for information that could make their own oil and gas industry more efficient. “So I don’t think that we can know that their objective here is reconnaissance for being in a position to potentially disrupt critical infrastructure,” Spaulding said. “I do think that we should always, for planning purposes, assume that and take measures to reduce the damage that could be done. But we can’t know that [this is their intention]. And there’s a difference between assuming that for planning purposes and for mitigation, and assuming that for a [U.S. government] response to Russia.”
Spaulding says this doesn’t mean anyone should take the SolarWinds campaign lightly.
“I don’t think this is just traditional spy vs. spy espionage. This is of a scale and scope that really is beyond traditional espionage,” she said. “Particularly because we have been told that over half the victims were not government, but were private sector. And if it’s critical infrastructure, not just defense-industrial base, that is not traditional kinds of espionage and that’s very serious.”
Lee cautions that there is no indication yet that the SolarWinds hacking campaign is anything other than espionage at the moment, but just being in critical infrastructure networks gives the adversary potential political power they might not otherwise have. “I’m thinking about president-elect Biden. The last thing I want him to have to worry about is getting into international relation discussions with Putin or others and not knowing if a foreign adversary can turn their access [in these networks] into a foreign operation on key parts of the infrastructure.”
Although other intruders have been inside the U.S. electric grid before, Lee says this is different. If Iran or China compromises industrial control systems in critical infrastructure, “you assume they could [disrupt operations] but you don’t know [if they have the knowledge and ability],” Lee said. But if Russia is behind the SolarWinds attack, “Russia has shown an ability to go beyond access to disruption. So when they get access you no longer have the question could they use it? The question is how long would it take them and would they?”