The Ghost in the Network
In the autumn of 2019, hackers working for Russian foreign intelligence gained access to the build environment of SolarWinds, the vendor of Orion, a network monitoring platform used by approximately 33,000 organizations worldwide, including many United States federal agencies. They first tested their ability to alter Orion's build process; beginning in March 2020 they used that access to insert a backdoor, later named SUNBURST, into Orion software updates.
The backdoored update was distributed through SolarWinds' ordinary update channel and carried a valid SolarWinds code-signing signature. Organizations installed it themselves, trusting that it came from a legitimate vendor. It did. The vendor's build pipeline had been compromised, so nothing about the update looked wrong to the customers receiving it.
For the next nine months, the attackers moved through the networks of the Treasury Department, the State Department, the Department of Homeland Security, the Department of Commerce, and parts of the Pentagon. They read emails. They accessed systems. They were present in the most sensitive corners of the US government for three quarters of a year.
FireEye discovered the breach in December 2020 while investigating an intrusion into its own network. The signal that tipped its security team off was a single anomalous multi-factor authentication enrollment: a new device registered to an employee's account, which the employee, when asked, said they had not registered. The entire apparatus of US federal cyber defense had not caught the campaign. One unexpected phone on one account did.
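The signal described above, a device added to an account that the account's owner did not add, is the kind of event an identity provider's audit log records and a detection team can watch for. What follows is an added illustration, not FireEye's tooling and not part of the original page: a small Python detector that runs over constructed audit events in a hypothetical schema and flags enrollments that add a further device to an account that already has MFA, scoring a finding higher when the enrollment comes from a source IP never seen on that user's logins or happens outside business hours. The field names, the baselines and the business-hours window are assumptions made for the example.

```python
"""Flag unexpected MFA device enrollments against a per-user baseline.

Added example (not FireEye's detection logic). The event schema, the sample
events and the baselines are constructed for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed audit events in a hypothetical identity-provider format.
SAMPLE_LOG = """\
{"ts": "2020-12-01T09:15:42Z", "type": "login.success", "user": "alice", "ip": "203.0.113.10"}
{"ts": "2020-12-02T03:41:05Z", "type": "mfa.device.enroll", "user": "alice", "device_id": "dev-z9", "ip": "198.51.100.77"}
{"ts": "2020-12-02T03:42:30Z", "type": "login.success", "user": "alice", "ip": "198.51.100.77"}
{"ts": "2020-12-02T10:00:00Z", "type": "mfa.device.enroll", "user": "bob", "device_id": "dev-b2", "ip": "203.0.113.22"}
{"ts": "2020-12-03T11:20:00Z", "type": "mfa.device.enroll", "user": "carol", "device_id": "dev-c7", "ip": "203.0.113.40"}
"""

# Constructed baseline from a prior period: devices each user already has
# registered and source IPs they have previously logged in from.
KNOWN_DEVICES = {"alice": {"dev-a1"}, "carol": {"dev-c1"}}
KNOWN_IPS = {"alice": {"203.0.113.10"}, "carol": {"203.0.113.40"}}

# Assumption: 08:00-17:59 UTC counts as normal working hours.
BUSINESS_HOURS_UTC = range(8, 18)


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["dt"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["dt"])


def detect_extra_enrollments(events, known_devices, known_ips):
    """Return findings for enrollments that add a device to an account that
    already has MFA, scored by how unfamiliar the enrollment looks.

    A first device on an account is treated as onboarding and is not flagged;
    re-enrollment of an already-known device is ignored.
    """
    devices = {u: set(d) for u, d in known_devices.items()}      # copy, do not mutate input
    ips = defaultdict(set, {u: set(i) for u, i in known_ips.items()})
    findings = []
    for ev in events:
        user = ev["user"]
        if ev["type"] == "login.success":
            ips[user].add(ev["ip"])          # learn source IPs as logins are observed
            continue
        if ev["type"] != "mfa.device.enroll":
            continue
        existing = devices.setdefault(user, set())
        if not existing:
            existing.add(ev["device_id"])    # first device: normal onboarding
            continue
        if ev["device_id"] in existing:
            continue                         # known device re-enrolled
        reasons = ["additional device on an account that already has MFA"]
        score = 1
        if ev["ip"] not in ips[user]:
            reasons.append("source IP never seen on this user's logins")
            score += 2
        if ev["dt"].hour not in BUSINESS_HOURS_UTC:
            reasons.append("enrolled outside business hours")
            score += 1
        findings.append({"user": user, "device_id": ev["device_id"],
                         "ts": ev["ts"], "score": score, "reasons": reasons})
        existing.add(ev["device_id"])
    return findings


if __name__ == "__main__":
    for f in detect_extra_enrollments(parse_events(SAMPLE_LOG), KNOWN_DEVICES, KNOWN_IPS):
        print(f"{f['ts']} {f['user']} {f['device_id']} score={f['score']}: {'; '.join(f['reasons'])}")
```

Run against the constructed log, the detector raises alice's 03:41 enrollment from an unfamiliar address at the top score and carol's daytime enrollment from a familiar address at the lowest, and says nothing about bob's first device. Even the lowest-scoring finding still deserves the check FireEye actually made: ask the employee whether they registered the device. Scoring decides which question to ask first, not whether to ask.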
The total number of organizations compromised was never fully established. The full extent of what was accessed, read, or copied was never publicly disclosed. Up to 18,000 organizations had installed the backdoored update, but installing it was not the same as being exploited: the attackers followed up on only a fraction of those footholds, and in early 2021 the White House estimated that around nine federal agencies and about a hundred private companies had been actively targeted. How many of the 18,000 were fully investigated remains unknown.
The attackers are assessed with high confidence to be Cozy Bear, also tracked as APT29, which is the SVR, Russia's Foreign Intelligence Service; the US government made that attribution formally in April 2021.
United States — October 2019 to December 2020. Senate Intelligence Committee findings. Covered by the Washington Post, New York Times, and Reuters.