There are many notable and notorious hacker groups, from the self-styled digital pirates of the now defunct LulzSec to the loosely organised Anonymous and Fancy Bear, the Russian military intelligence (GRU) unit believed to have targeted more than 200 organisations, including both the Trump and Biden campaigns, over the past year.
But late last year another group was identified, one whose actions stand out in the hacking landscape like meteor craters, one that sent shock waves through governments and led to much nail biting in the boardrooms of some of the world's top companies. The attack didn't receive the mainstream media coverage it warranted because, when the news first surfaced, the implications weren't obvious and the scale of the intrusion wasn't yet understood.
Known by the placeholder name UNC2452 (the designation given by FireEye, the security firm that first identified the intrusion in December 2020), this single group has caused serious digital carnage over the past year and revealed just how fragile our networked world is to those with the will, the means and the tools to exploit it.
UNC2452 breached government agencies and companies, mainly via hijacked software updates of a single product, the IT monitoring and management tool Orion, sold by the Texas firm SolarWinds. The group is widely believed to work on behalf of Russia's SVR foreign intelligence agency, the successor to the KGB's foreign intelligence directorate.
Up to 18,000 organisations installed the trojanised update, but the hackers cherry picked a far smaller set of targets, nine US federal agencies and about 100 US companies, many of them Fortune 500 firms, for follow-on intrusion and data theft. The federal agencies included the State Department, the National Institutes of Health and the Department of Energy, among others.
- It's believed that the attack gave the intruders access to hundreds of thousands of computers on federal networks, as well as private companies' networks, and that it did serious damage to US national security.
- It's fair to say that never before have so many high-value victims been compromised through a single poisoned software update.
The malware UNC2452 used to trojanise the Orion tool is notable for its complexity and sophistication.
It comprises several components with distinct tasks. One, the build-server implant later named SUNSPOT, monitored the Orion build server for the compiler runs that assemble Orion and swapped a backdoored source file in while the build was running, so that version control stayed clean. Another, SUNBURST, is the backdoor itself, compiled into a legitimate, digitally signed Orion library. A further element is designed to evade security tooling: the backdoor checks the host for security products and analysis tools and stays inactive if it finds them. All of it shipped inside an ordinary software update to Orion. In short this isn't the work of ordinary hackers; it was developed by programmers with deep expertise, time and patience.
- The malware reached victims through SolarWinds' normal update channel, as a routine Orion update released between March and June 2020 and carrying SolarWinds' own valid code-signing certificate. Some 18,000 customers across companies and governments diligently installed it.
- After lying dormant for up to two weeks on each newly infected host, the backdoor woke up inside thousands of networks in government, technology and telecom organisations, mostly in North America but also in Europe, Asia and the Middle East, and reported home over DNS. Only on a chosen few of those networks did the attackers push a second stage to take the intrusion further.
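The build-server substitution and signed-update delivery described above, as an added example that is not part of the original article and is not SolarWinds' real code or the real SUNSPOT/SUNBURST implant: a constructed mock of a vendor build pipeline showing why a valid vendor signature cannot catch a source file swapped in during compilation (the pipeline signs whatever the compiler produced), and the two checks that do catch it, attesting the inputs the compiler actually read against version control, and rebuilding independently and comparing artifact hashes. The source tree, file names, the HMAC "signing" stand-in and the hypothetical implant are all assumptions made for illustration.

```python
"""Added example: a valid vendor signature does not prove a build is clean.

Everything here is constructed for illustration (assumption): the source tree,
the file names, the HMAC stand-in for code signing and the mock implant. None
of it is SolarWinds' code or the real SUNSPOT/SUNBURST implant.
"""
import hashlib
import hmac
import json

# Constructed source tree as it exists in version control.
CLEAN_SOURCE = {
    "Core/BusinessLayer.cs": "public class Core { void Run() { Work(); } }",
    "Core/Inventory.cs": "public class Inventory { void Scan() {} }",
}

# What a build-server implant swaps in while the compiler runs: same path,
# extra code. Version control never sees it. (Constructed stand-in.)
BACKDOORED_FILE = (
    "Core/BusinessLayer.cs",
    "public class Core { void Run() { Work(); Beacon(); } }",
)

# Assumption: an HMAC over the artifact stands in for the vendor's
# code-signing certificate. The point is the same: the key signs any output.
VENDOR_SIGNING_KEY = b"vendor-release-key"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compile_tree(source: dict) -> bytes:
    """Deterministic stand-in for a compiler: output depends only on inputs."""
    return json.dumps(sorted(source.items())).encode()


def build(source: dict, implant_active: bool = False):
    """Build on the vendor's build server.

    Returns (artifact, signature, consumed_inputs). With implant_active the
    mock implant replaces one file in memory between checkout and compilation,
    as the article describes; the release step then signs the tainted output.
    """
    consumed = dict(source)
    if implant_active:
        path, body = BACKDOORED_FILE
        consumed[path] = body
    artifact = compile_tree(consumed)
    signature = hmac.new(VENDOR_SIGNING_KEY, artifact, "sha256").hexdigest()
    return artifact, signature, consumed


def signature_valid(artifact: bytes, signature: str) -> bool:
    """What a customer can check today: the vendor's signature on the update."""
    expected = hmac.new(VENDOR_SIGNING_KEY, artifact, "sha256").hexdigest()
    return hmac.compare_digest(expected, signature)


def substituted_inputs(consumed_inputs: dict, vcs_source: dict) -> list:
    """Check 1: attest the inputs the compiler actually read against version
    control. Returns the paths whose content differs (empty means clean)."""
    paths = set(consumed_inputs) | set(vcs_source)
    return sorted(
        p for p in paths
        if sha256(consumed_inputs.get(p, "").encode())
        != sha256(vcs_source.get(p, "").encode())
    )


def reproducible(artifact: bytes, vcs_source: dict) -> bool:
    """Check 2: rebuild from version control on an independent, clean builder
    and compare artifact hashes. A swapped input changes the hash."""
    return sha256(artifact) == sha256(compile_tree(vcs_source))


def release_is_trustworthy(artifact, signature, consumed_inputs, vcs_source) -> dict:
    """Run all three checks; only the last two detect a poisoned build."""
    return {
        "signature_valid": signature_valid(artifact, signature),
        "substituted_inputs": substituted_inputs(consumed_inputs, vcs_source),
        "reproducible": reproducible(artifact, vcs_source),
    }


if __name__ == "__main__":
    for active in (False, True):
        art, sig, used = build(CLEAN_SOURCE, implant_active=active)
        print("implant active:", active,
              release_is_trustworthy(art, sig, used, CLEAN_SOURCE))
```

The signature check passes in both runs, which is exactly why the trojanised update sailed through customers' defences; the input attestation names the swapped file and the independent rebuild fails to reproduce the shipped artifact. In a real pipeline the "independent builder" is a second, isolated build environment and the attested inputs are the hashes of every file the compiler opened, recorded by the build system rather than trusted from the build host.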
As an intelligence-gathering operation the hack has been hugely successful. The hackers had access to emails, documents and passwords at the very least. The private details of many government employees were probably accessed too, and economic intelligence was almost certainly siphoned off.
That said, the most sensitive, classified information is unlikely to have been reached, because systems that store classified material sit on separate networks with additional layers of security and internal controls. Russia has denied responsibility and, at the time of writing, the US had not issued an official response, presumably because it is still carrying out a detailed forensic investigation of the attack.
Virtual skirmishes between rival nation states are an ongoing feature of the wider political, economic and military landscape, but this attack is less a skirmish than a broadside. It is a landmark event and represents an escalation that could have serious real-world consequences.