All during 2020, as the coronavirus pandemic swept around the world, another novel virus with devastating long-term effects spread unnoticed worldwide. Sometime in late 2019 or early 2020, at least one group of advanced hackers inserted malware into network software supplied by SolarWinds, a maker of information technology infrastructure software based in Austin, Texas. The decision to target SolarWinds looks strategic given the company’s vast U.S. and global clientele in the public, private, and nonprofit sectors. Publicly exposed in December 2020, the infectious malware—dubbed Sunburst by the cybersecurity firm FireEye and Solorigate by Microsoft—may turn out to be the most audacious cyberespionage campaign in history. For months, attackers stealthily infiltrated governments and businesses via a Trojan horse-style update to SolarWinds’ Orion cybersecurity management software. Like the coronavirus, Sunburst and another recently discovered piece of malware reveal the downside of global connectivity and the failure of global cooperation to deal with contagion.
What sets the SolarWinds attack apart from previous incidents is its sheer scale. The company has over 300,000 customers worldwide, according to filings made to the U.S. Securities and Exchange Commission. Throughout 2020, SolarWinds sent out software updates to roughly 18,000 of them. To date, at least 250 networks have reportedly been affected by the booby-trapped file. Shortly after being downloaded, the virus executes commands that create a backdoor in the network to transfer files, disable services, and reboot machines. Targeted institutions include the U.S. departments of Defense, Homeland Security, State, Energy, and the Treasury; all five branches of the U.S. military; the National Nuclear Security Administration; and 425 of the Fortune 500 companies, including Cisco, Equifax, MasterCard, and Microsoft. There have been other major cyberattacks in the past, but none has achieved this kind of penetration. By compromising powerful governments and businesses, including some of the most successful technology companies, the SolarWinds exploit shatters the illusion of information security. The hack has also spooked the financial services sector.
Within hours of the attack’s discovery, U.S. government officials and cybersecurity experts singled out Russia’s Foreign Intelligence Service (known as the SVR) as the likely culprit. Its elite hacking unit, known in cybersecurity circles as APT29 or “Cozy Bear,” is a familiar adversary. It was reportedly behind digital breaches of the White House, State Department, and Joint Chiefs of Staff in 2014 and 2015, as well as the infamous hack of the Democratic National Committee during the 2016 election campaign. The SVR hacked the party’s servers alongside another Russian team, APT28 or “Fancy Bear,” which is overseen by Russia’s military intelligence agency, commonly known as the GRU. It was the GRU that reportedly stole Democratic campaign emails and dumped them online; in 2018, the U.S. Department of Justice indicted 12 Russians suspected of involvement. A few days after the SolarWinds compromise became public, the U.S. Cybersecurity and Infrastructure Security Agency warned that the hack “poses a grave risk” to federal, state, and local governments, as well as to private companies.
This is not an open-and-shut case, however. One of the most frustrating challenges for victims of cyberespionage and cyberwarfare is the difficulty of attributing an attack. While the SolarWinds exploit was linked to the SVR in a joint statement by U.S. intelligence agencies, it is by the attack’s very nature impossible to be certain. Complicating matters, another piece of malware that targeted SolarWinds at around the same time—dubbed Supernova by Palo Alto Networks’ Unit 42—appears to have been planted by another actor. Meanwhile, U.S. investigators are exploring the possible involvement of JetBrains, a Czech firm founded in Russia that counts SolarWinds among its clients, in spreading infected code via its TeamCity product. For its part, the Russian Embassy in Washington posted a statement on Facebook denying responsibility and claiming that the attacks were opposed to Russia’s foreign-policy interests. It also added that “Russia does not conduct offensive operations in the cyber domain.” Contradicting his own secretary of state and intelligence services, U.S. President Donald Trump agreed with the Russians, hinting that China might be to blame.
What also makes the SolarWinds breach different from past attacks is how it was delivered, and the way it could serve as a beachhead for future attacks. Unlike in the case of high-profile phishing and hacking exploits against companies such as Equifax and Sony, it is exceedingly difficult to trace how the SolarWinds compromise occurred and determine which data was accessed and pilfered. That’s because the victims of the SolarWinds attack were not confined to a single organization or department, and it is not possible to simply eliminate the malware by wiping the system clean. To the contrary: Hackers ensured that they would have long-term access by adding new credentials and using administrative privileges to grant themselves permissions to access various parts of their victims’ IT infrastructure. What this means is that this hyper-sophisticated campaign—including the theft of information from protected networks—could go on for years.
Even more ominously, the SolarWinds attack is what’s known in security circles as a cascading supply chain compromise—which means that it stretches far beyond the company’s own direct clients. While no one yet knows just how many governments and businesses are affected, tens of thousands of other entities are at risk, many of which have little to do with SolarWinds. And because the company’s products are designed to monitor digital networks and are therefore at the very heart of IT infrastructure, they have extensive access and few constraints on their reach. Making matters worse, SolarWinds reportedly encouraged customers to relax existing antivirus and security restrictions, which means that even more of the network was accessible than usual. Attackers made use of this unrestricted access to steal permissions and source code from companies such as Microsoft and compromise even more targets.
The exploit is a reminder of the blurred lines between espionage and warfare, and the difficulty of formulating a proportional response. As diplomats know well, there is no established international norm against espionage—clandestine information collection is a tolerated feature of international relations. When spying is publicly exposed, what typically follows is some form of condemnation, sanctions, and a focus on shoring up defenses to keep it from happening again. However, the vast scale of the SolarWinds exploit—and the strong probability of others like it that have yet to be detected—should force a rethink. The potential for weaponizing compromised systems, including by sabotaging public utilities (as was the case in a recent cyberattack tit-for-tat between Israel and Iran), poses an existential threat.
The SolarWinds compromise raises even more urgent questions about the governance of the internet. It offers a disturbing reminder of the absence of recognized global safeguards to prevent and respond to cyberattacks. States are operating in a cybernetic Wild West, and this is becoming more dangerous in our interconnected world. The status quo suited the main cyberespionage and cyberwar combatants, such as the United States, China, Israel, North Korea, and Russia. But these latest revelations expose the systemic risks of adopting a laissez-faire approach to managing the digital commons. A determined attacker can wreak havoc on just about any target and then just as quickly cover their tracks and disappear into the digital ether. For two decades a governmental group of experts convened by the United Nations has tried to nail down basic norms for cyber-governance, but the major powers still cannot agree on first principles. The implications of having no established rules are more dangerous than ever.
A major upgrade of internet governance is required. A coalition of like-minded countries, industry, and civil society groups needs to push forward a model that ensures, at minimum, protections for critical infrastructure. Current efforts, such as the multi-stakeholder approach for internet governance undertaken by the United Nations, may be necessary, but they have clearly been insufficient in a digital era where massive compromises are likely to become routine. Not waiting for these efforts and their uncertain outcomes, some countries are trying to establish cyberdeterrence, leading to the emergence of de facto rules of engagement. Yet the risks of catastrophic miscalculation are likewise growing. Norms related to cyberespionage also need to be established lest it contribute to unintended outcomes with global ramifications.
Ultimately, the SolarWinds hack and its still-unclear aftermath underline some uncomfortable trade-offs hanging over the future of the internet. The latest incident is a reminder that the internet was built for openness, not security. Attempts to build more secure systems on top of the existing internet are going to be weak almost by definition. The Sunburst malware is a case in point: It effectively owned the security infrastructure designed to detect incoming attacks. Is a new internet required, one that already has security protocols designed into it? China and Russia certainly think so, and they have already built parallel systems with this in mind. The SolarWinds disaster—and its repercussions as governments realize that the current architecture of the internet makes them too vulnerable—may thus mark the beginning of the end of the open internet as we know it today. If, after the SolarWinds breach, governments decide that fragmenting the internet is the only viable option for protecting against attacks, then that will lead to a whole new set of repercussions. Among others, a closed and controllable internet will reinforce the authoritarian and anti-democratic tendencies of some governments and put an end to U.S. dominance of the digital domain.