{"id":7395,"date":"2021-03-09T11:23:06","date_gmt":"2021-03-09T14:23:06","guid":{"rendered":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=7395"},"modified":"2021-03-09T11:23:06","modified_gmt":"2021-03-09T14:23:06","slug":"es-posible-que-nunca-se-conozca-el-alcance-total-del-ataque-por-medio-de-solarwinds-y-de-hafnium-a-traves-de-exchange-server","status":"publish","type":"post","link":"https:\/\/www.fie.undef.edu.ar\/ceptm\/?p=7395","title":{"rendered":"The full extent of the attack through SolarWinds, and of Hafnium via Exchange Server, may never be known"},"content":{"rendered":"<p>First it was SolarWinds, an espionage attack attributed to Russia that stretches back almost a year and has felled at least nine US government agencies and countless private companies. Now it is Hafnium, a Chinese group that has been attacking through a vulnerability in Microsoft Exchange Server to sneak into victims\u2019 email inboxes and beyond. The scope and cost of these espionage incursions are still being uncovered. The scale is so broad that it may never be fully known.<\/p>\n<hr \/>\n<p>First it was <a href=\"https:\/\/www.wired.com\/story\/russia-solarwinds-supply-chain-hack-commerce-treasury\/\" target=\"_blank\" rel=\"noopener\">SolarWinds<\/a>, a reportedly Russian hacking campaign that stretches back almost a year and has felled at least nine US government agencies and countless private companies. Now it\u2019s Hafnium, a Chinese group that\u2019s been attacking a vulnerability in Microsoft Exchange Server to sneak into victims\u2019 email inboxes and beyond. The collective toll of these espionage sprees is still being uncovered. It may never be fully known.<\/p>\n<p>Countries spy on each other, everywhere, all the time. They always have. But the extent and sophistication of Russia&#8217;s and China\u2019s latest efforts still manage to shock. 
And the near-term fallout of both underscores just how tricky it can be to take the full measure of a campaign even after you\u2019ve sniffed it out.<\/p>\n<p>By now you\u2019re probably familiar with the <a href=\"https:\/\/www.wired.com\/story\/russia-solarwinds-supply-chain-hack-commerce-treasury\/\" target=\"_blank\" rel=\"noopener\">basics of the SolarWinds attack<\/a>: likely Russian hackers broke into the IT management firm\u2019s networks and altered versions of its Orion network monitoring tool, exposing as many as 18,000 organizations. The actual number of SolarWinds victims is assumed to be much smaller, although security analysts have <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2020-12-19\/at-least-200-victims-identified-in-suspected-russian-hacking\" target=\"_blank\" rel=\"noopener\">pegged it<\/a> in at least the low hundreds so far. And as SolarWinds CEO Sudhakar Ramakrishna has eagerly <a href=\"https:\/\/www.washingtonpost.com\/politics\/2021\/02\/23\/cybersecurity-202-solarwinds-hearing-puts-company-new-ceo-hot-seat\/\" target=\"_blank\" rel=\"noopener\">pointed out<\/a> to anyone who will listen, his was not the only software supply chain company that the Russians hacked in this campaign, implying a much broader ecosystem of victims than anyone has yet accounted for.<\/p>\n<p>\u201cIt\u2019s become clear that there\u2019s much more to learn about this incident, its causes, its scope, its scale, and where we go from here,\u201d said Senate Intelligence Committee chair Mark Warner (D-Va.) at a hearing related to the SolarWinds hack last week. 
Brandon Wales, acting director of the US Cybersecurity and Infrastructure Agency, estimated in <a href=\"https:\/\/www.technologyreview.com\/2021\/03\/02\/1020166\/solarwinds-brandon-wales-hack-recovery-18-months\/\" target=\"_blank\" rel=\"noopener\">an interview<\/a> with MIT Technology Review this week that it could take up to 18 months for US government systems alone to recover from the hacking spree, to say nothing of the private sector.<\/p>\n<p>That lack of clarity goes double for the Chinese hacking campaign that Microsoft disclosed Tuesday. First spotted by security firm Volexity, a nation-state group that Microsoft calls Hafnium has been using multiple <a href=\"https:\/\/www.wired.com\/2014\/11\/what-is-a-zero-day\/\" target=\"_blank\" rel=\"noopener\">zero-day exploits<\/a>\u2014which attack previously unknown vulnerabilities in software\u2014to break into Exchange Servers, which manage email clients including Outlook. There, they could surreptitiously read through the email accounts of high-value targets.<\/p>\n<div class=\"consumer-marketing-unit consumer-marketing-unit--article-mid-content\" role=\"presentation\" aria-hidden=\"true\">\n<p>\u201cYou wouldn\u2019t fault anyone for missing this,\u201d says Volexity founder Steven Adair, who says the activity they observed began on January 6 of this year. \u201cThey\u2019re very targeted, and they\u2019re not doing much to raise alarm bells.\u201d<\/p>\n<p>This past weekend, though, Volexity observed a marked shift in behavior, as hackers began using their Exchange Server foothold to aggressively burrow deeper into victim networks. \u201cIt was really serious before; someone having unrestricted access to your email at will is in a sense a worst-case scenario,\u201d says Adair. 
\u201cThem being able to also breach your network and write files steps it up a notch in terms of what someone can get to and how hard the cleanup can be.\u201d<\/p>\n<p><strong>\u201cSpray-and-pray\u201d<\/strong><\/p>\n<p>Neither SolarWinds nor the Hafnium attacks have stopped, meaning the very concept of cleanup, at least broadly, remains a distant dream. It\u2019s like trying to mop up an actively gushing oil tanker. \u201cIt is apparent that these attacks are still ongoing, and the threat actors are actively scanning the Internet in a \u2018spray-and-pray\u2019 type fashion, targeting whatever looks to be vulnerable,\u201d says John Hammond, senior security researcher at threat detection firm Huntress, about the Hafnium campaign.<\/p>\n<p>Microsoft has released <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/02\/hafnium-targeting-exchange-servers\/\" target=\"_blank\" rel=\"nofollow noopener\">patches<\/a> that will protect anyone using Exchange Server from the assault. But it\u2019s only a matter of time before other hackers reverse engineer the fix to figure out how to exploit the vulnerabilities themselves; you can expect ransomware and <a href=\"https:\/\/www.wired.com\/story\/cryptojacking-took-over-internet\/\" target=\"_blank\" rel=\"noopener\">cryptojacking groups<\/a> to get in on the action posthaste.<\/p>\n<p>\u201cIt could become a complete free for all,\u201d says Adair. \u201cI would guess it could be trivial for someone to figure out components of this now that the patch is out.\u201d<\/p>\n<p>The patch will protect anyone who installs it, but if past is prologue, that list will be far from comprehensive. Microsoft pushed a patch for the EternalBlue vulnerability in March 2017; two months later the <a href=\"https:\/\/www.wired.com\/2017\/05\/ransomware-meltdown-experts-warned\/\" target=\"_blank\" rel=\"noopener\">WannaCry virus used the leaked NSA tool<\/a> to rip through the Internet. 
A full two years after that, <a href=\"https:\/\/www.netsec.news\/more-than-1-million-machines-still-vulnerable-to-eternalblue-exploit\/\" target=\"_blank\" rel=\"noopener\">over a million devices<\/a> were still vulnerable globally. Which means that Hafnium and the criminal groups it inspires have a very long belt they can add notches to.<\/p>\n<p><strong>\u201cThe impact will be long-lasting\u201d<\/strong><\/p>\n<p>At the same time, none of this activity should be surprising. \u201cThere is definitely always a background level of state-sponsored espionage that is occurring through cyberspace,\u201d says J. Michael Daniel, who previously served as cybersecurity coordinator in the Obama administration and is currently the president and CEO of the nonprofit Cyber Threat Alliance. The SolarWinds and Hafnium hackers just happened to get caught. And while the US has been increasingly willing to indict nation-state hackers\u2014including from <a href=\"https:\/\/www.wired.com\/story\/us-indicts-sandworm-hackers-russia-cyberwar-unit\/\" target=\"_blank\" rel=\"noopener\">Russia<\/a> and <a href=\"https:\/\/www.wired.com\/story\/doj-indictment-chinese-hackers-apt10\/\" target=\"_blank\" rel=\"noopener\">China<\/a>\u2014they typically do so for intellectual property theft or other flagrant violations of international norms. Spying? Not so much. That also makes deterrence a little trickier; in the Cold War you could just kick spies out of your country, an option that\u2019s not available when they\u2019re sitting behind a keyboard thousands of miles away.<\/p>\n<p>Which means you can expect the threads of SolarWinds and Hafnium to keep unspooling, probably for years, without ever reaching the end.<\/p>\n<p>\u201cWill we find out more as time goes on that there was another supply chain compromise from SolarWinds, or more agencies? Maybe, maybe not,\u201d says Volexity\u2019s Adair. 
\u201cThey could have devastated a ton more and you never find out about it, either because the victims never know or they know but it doesn\u2019t become public.\u201d The same, he says, is true for Hafnium. \u201cI don\u2019t know that we\u2019ll keep hearing about it forever, but the impact will be long-lasting,\u201d Adair says. \u201cIt already is long-lasting, just based on what they\u2019ve done so far.\u201d<\/p>\n<\/div>\n<p><strong>Source:<\/strong> <a href=\"https:\/\/arstechnica.com\/information-technology\/2021\/03\/chinas-and-russias-spying-spree-will-take-years-to-unpack\/\" target=\"_blank\" rel=\"noopener\"><em>https:\/\/arstechnica.com<\/em><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>First it was SolarWinds, an espionage attack attributed to Russia that stretches back almost a year and has felled at least nine agencies&hellip; <\/p>\n","protected":false},"author":1,"featured_media":7396,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[23],"tags":[],"_links":{"self":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7395"}],"collection":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7395"}],"version-history":[{"count":1,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7395\/revisions"}],"predecessor-version":[{"id":7397,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=\/wp\/v2\/posts\/7395\/revisions\/7397"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/c
eptm\/index.php?rest_route=\/wp\/v2\/media\/7396"}],"wp:attachment":[{"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.fie.undef.edu.ar\/ceptm\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}