First it was SolarWinds, a suspected Russian hacking campaign that dates back almost a year and hit at least nine US government agencies and countless private companies. Now it's Hafnium, a Chinese group that exploited a vulnerability in Microsoft Exchange Server to sneak into victims' email inboxes and beyond. The full toll of these espionage sprees has yet to be revealed. It may never be fully known.
Countries spy on each other anywhere, anytime. They always have. However, the scale and sophistication of Russia's and China's recent efforts are still shocking. And the short-term fallout of both underscores how difficult it can be to gauge the full extent of a campaign, even after you've sniffed it out.
By now, you are probably familiar with the basics of the SolarWinds attack: Russian hackers likely broke into the IT management company's networks and tampered with versions of its Orion network monitoring tool, exposing up to 18,000 companies. The actual number of SolarWinds casualties is believed to be much lower, although security analysts have so far put it at least in the low hundreds. And as SolarWinds CEO Sudhakar Ramakrishna has eagerly pointed out to anyone who will listen, his wasn't the only software supply chain company the Russians hacked in this campaign, implying a much wider ecosystem of victims than anyone has previously acknowledged.
"It has become clear that there is much more to this incident, its causes, its scope, its extent and where we need to proceed from here," said Mark Warner (D-Va.), Chairman of the Senate Intelligence Committee, at a hearing on the SolarWinds hack last week. Brandon Wales, acting director of the US Cybersecurity and Infrastructure Security Agency, estimated in an interview with MIT Technology Review this week that it could take up to 18 months for US government systems alone to recover from the hacking spree, not to mention the private sector.
That ambiguity doubles for the Chinese hacking campaign Microsoft disclosed on Tuesday. First discovered by security firm Volexity, the campaign saw a nation-state group Microsoft calls Hafnium use several zero-day exploits, which target previously unknown vulnerabilities in software, to infiltrate Exchange servers that manage email clients including Outlook. From there, the attackers could secretly read through the email accounts of high-value targets.
"You wouldn't blame anyone for missing this," says Steven Adair, founder of Volexity, who says the activity they observed began on January 6 of this year. "They're very focused and don't do much to raise alarm bells."
Last weekend, however, Volexity saw a significant change in behavior when the hackers began aggressively penetrating victims' networks using their Exchange Server foothold. "It was really serious before; someone who has unlimited access to your email at their convenience is in some ways a worst-case scenario," says Adair. "If they are able to breach your network and write files as well, that escalates things even further in terms of what someone can accomplish and how difficult it can be to clean up."
"Spray and Pray"
Neither the SolarWinds nor the Hafnium attacks have stopped, which means the concept of cleanup, at least by and large, remains a distant dream. It's like trying to mop up around an oil tanker that is still actively leaking. "It is evident that these attacks are still ongoing and that threat actors are actively scanning the Internet in a 'spray-and-pray' manner to target anything that appears to be vulnerable," said John Hammond, senior security researcher at threat detection company Huntress, of the Hafnium campaign.
Microsoft has released patches that protect anyone who uses Exchange Server from the attack. However, it is only a matter of time before other hackers reverse engineer the update to find out how to exploit the vulnerabilities themselves. You can expect ransomware and cryptojacking groups to join the rush.
"It could be a complete free-for-all," says Adair. "I'd guess it might be trivial for someone to figure out components of it once the patch is out."
The patch protects anyone who installs it, but if past is prologue, that list is far from comprehensive. Microsoft released a patch for the EternalBlue vulnerability in March 2017. Two months later, the WannaCry ransomware worm used the leaked NSA tool to scour the internet. A full two years later, over a million devices worldwide were still vulnerable. That means that Hafnium and the criminal groups it inspires will have a very long time to keep adding notches to their belt.
"The effects will be long-lasting"
At the same time, none of this activity should come as a surprise. "There is definitely always a background level of government-sponsored cyber espionage," said J. Michael Daniel, who previously served as cybersecurity coordinator in the Obama administration and is currently president and CEO of the nonprofit Cyber Threat Alliance. The SolarWinds and Hafnium hackers were caught accidentally. And while the US has been increasingly willing to indict nation-state hackers – including those from Russia and China – it usually does so for theft of intellectual property or other blatant violations of international norms. Espionage? Not so much. That also makes deterrence a little more difficult; in the Cold War, you could simply expel spies from your country, an option not available when they are sitting behind a keyboard thousands of kilometers away.
That said, you can expect the SolarWinds and Hafnium threads to keep unwinding for years without ever reaching the end.
"Will we find out more over time that there was another supply chain compromise from SolarWinds or more agencies? Maybe, maybe not," says Adair of Volexity. "They could have compromised a ton more and you don't find out about it, either because the victims never know or they know, but it doesn't get public." The same, he says, is true of Hafnium. "I don't know that we'll hear about it forever, but the effects will be long-lasting," says Adair. "It's been going on for a long time just based on what they've done so far."
This story originally appeared on wired.com.