No holiday off as banks, payment networks clean up after SolarWinds hack

With Microsoft, Equifax and others acknowledging that the SolarWinds hack of U.S. government entities had affected their holdings, security teams and vendors have put the holiday aside while continuing around-the-clock surveillance to ensure no financial services or payments networks have been hacked.

The allegations against a Russia-backed group, citing a monthslong campaign, mark the most devastating defeat in cybersecurity for the U.S. in years. U.S. officials caught on when the hackers were probing the IT systems at FireEye, a Silicon Valley cybersecurity company. The broader campaign was designed to breach the software of SolarWinds, which is based in Austin, Texas.

It is believed that at least 1,800 organizations, including banks, corporations and dozens of government departments, downloaded the compromised software. And even if banks and payment networks have not caught any intrusions, it would be too soon to declare that they are in the clear.

"SolarWinds provided software to a huge swath of Fortune 500 companies, but so far we have not seen any banks infer that they have detected malware related to the breach," said Julie Conroy, research director and fraud expert with Aite Group.


"Forensics thus far have indicated there have been no breaches related to this hack, as of yet," Conroy added. "The back door was open, but nobody used it."

For the most part, the hack has ruined the season for cybersecurity personnel.

"This is not going to be the most enjoyable holiday season for a lot of professionals in cybersecurity," Conroy said. "Many of them are working around the clock to analyze their systems and make sure that there is not something they are missing."

Chris Roberts, hacker in residence at the identity protection company Semperis, has been actively working with various government entities on the SolarWinds attack. He's not ruling out some concerns for financial services or payments down the road.

"Several financial services organizations have been involved in this attack," Roberts said. "The number of companies 'infected'" is large. "We've seen elements of adversarial activity in more than a dozen of those impacted so far."

In supply chain attacks like these, Roberts added, it is not surprising to see an impact across any networks connected to these organizations.

Companies will have to continue focusing on remediation activities to prevent further damage, he said. "It is important to understand that just because a company was initially affected or showed indication of activity, that doesn't mean they were directly a part of the ongoing intelligence-gathering efforts."

When an attack of this magnitude is exposed, it is an all-hands-on-deck effort to counter the potential damage.

"The security industry has rallied to address this attack from several angles, and in many cases organizations impacted are working around the clock to determine and implement any necessary fixes," Roberts said.

Most companies will undertake complete end-to-end third-party code reviews in an attempt to get people feeling safe again, he added.
