Russian hack was ‘classic espionage’ with stealthy, targeted tactics

Some kinds of online aggression are "noisy," almost certain to draw attention, as the multifaceted Russian attack on the 2016 presidential election was. And some are "quiet," more reminiscent of the subtle spy-vs.-spy operations fictionalized in the novels by the great John le Carré, who died Dec. 12.

The far-reaching Russian hack that sent U.S. government and corporate officials scrambling in recent days appears to have been a quietly sophisticated bit of online spying. Investigators at cybersecurity firm FireEye, which itself was victimized in the operation, marveled that the meticulous tactics involved "some of the best operational security" its investigators had seen, using at least one piece of malicious software never previously detected.

"This is classic espionage," said Thomas Rid, a political science professor at the Johns Hopkins School of Advanced International Studies who specializes in cybersecurity issues. "It's done in a highly sophisticated way. … But this is a stealthy operation."

The impact may ultimately prove to be profound. SolarWinds, the maker of widely used network-management software that the Russians manipulated to enable their intrusions, reported in a federal filing Monday that "fewer than 18,000" of its customers may have been impacted. That's a small slice of the company's more than 300,000 customers worldwide, including the Pentagon and the White House, but still represents a large number of important networks worldwide. (Russia has denied any role in the attacks.)

FireEye, in a blog post explaining the nature of the attack on Sunday, described the victims as including "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals."

In the U.S. government, the known targets included the Treasury, Commerce and Homeland Security departments, and the impact is likely to be far broader, given the wide use of network tools by SolarWinds, which is based in Austin.

But the potentially good news is that quiet attackers tend to prioritize surreptitious entrances and exits, while avoiding wholesale ransacking of computer systems that could tip off defenders. Quiet hackers typically are more focused on covering their tracks than simply backing up a digital truck and taking everything they can.

The potential bad news, however, is that quiet attacks can be effective at gathering highly specific, sensitive information over the course of months or even years. While the details of what was taken and from whom are not yet public — the agencies and companies themselves may not even know for a while — the Russian operation dates at least as far back as March and was described as active as recently as Sunday.

That nine-month stretch included, to name just a few of the most important events that would have created copious computer files interesting to spies: the worst of the coronavirus pandemic, the historically fast development of vaccines using novel technology and, of course, the U.S. presidential and congressional elections.

"It's not about quantity, it's about quality" of targets, said John Hultquist, manager of analysis at FireEye.

"SolarWinds was clearly a door that they could walk through," he added. "We're shutting this door. But they're still in these organizations. There are a lot of information security teams right now who are probably going to be working on this problem through Christmas."

But as Rid pointed out, this so far appears to be classic digital spying of the sort that major nations, including the United States, engage in every day to gain geopolitical edges of various sorts. And it has been vastly less noisy and disruptive, so far, than a range of Russian efforts in 2016. That year, Russian hackers penetrated U.S. state election systems, infiltrated American social media conversations with hundreds of fictitious accounts and stole sensitive emails from Democrats and dumped them online at key moments in a hotly contested presidential campaign.

The 2016 effort, spearheaded by the Russian military's intelligence unit, the GRU, and the semi-independent Internet Research Agency, left copious evidence behind that government and corporate investigators found. The 2020 effort, by contrast, appears to be the work of Russia's SVR foreign intelligence service, which specializes in digital spying but has little known record of pushing online disinformation campaigns.

The recent hack was, by all accounts, targeted and careful, emerging only after FireEye — one of the nation's leading cybersecurity firms — was itself targeted by the hackers, who stole potent cyberattack tools that FireEye used for research purposes.