1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

Cyberattack shakes the United States

Matthias von Hein
December 18, 2020

The full extent of this year's devastating cyberattack on the US is only now becoming clear. Other countries have also been affected, possibly including Germany. Here are the most important questions — and answers.

A person works on a computer that shows code
The Sunburst cyberattack is one of the most sophisticated of its kindImage: picture-alliance/dpa/A. Malgavko

A large-scale cyberattack, named "Sunburst," has infiltrated parts of the US government, research institutions and private companies for months. On Thursday, the National Nuclear Security Administration (NNSA), part of the Department of Energy, also confirmed that it had been the victim of a large hacking attack. The NNSA is responsible for US nuclear weapons.

The announcement comes after several other US government agencies discovered that hackers had penetrated their systems, among them the Departments of Homeland Security, Commerce, State, and the Treasury.

The US Department of Homeland Security's Cybersecurity and Infrastructure Agency (CISA) classifies the latest hacking attack as a "serious threat." The US news agency AP quotes US officials who wish to remain anonymous, saying this is "the most serious hacking attack in America's history."

The tech giant Microsoft revealed Thursday that more than 40 government agencies think tanks, non-governmental organizations and IT companies had been infiltrated by hackers. Four out of five were in the US and nearly half were tech companies. But they said there had also been victims in Canada, Mexico, Belgium, Spain, the UK, Israel and the United Arab Emirates.

In a company blog, Microsoft President Brad Smith stressed that the attack is ongoing. The number of victims and the number of affected countries will certainly increase, he said. "This is not 'espionage as usual,' even in the digital age," he wrote.

The US Chamber of Commerce
The US Chamber of Commerce was among the victims of the Sunburst attackImage: Manuel Balce Ceneta/AP/picture alliance

How was the attack carried out?

The first attack by the hackers came when they infiltrated the US software firm SolarWinds in Austin, Texas, this spring. That was the first step in their "supply chain attack."

SolarWinds provides technology for managing and securing computer networks and was not the actual target of the attack, but was instead used as a channel to carry out the attack. The attackers were able to hide their malware in an update for the Orion software downloaded by about 18,000 SolarWinds customers. In this way, the victims effectively installed their malware themselves.

SolarWinds has a long list of illustrious customers: In addition to a plethora of government agencies, 425 of the Fortune 500 companies in the US use the affected software, including major defense contractors like Lockheed Martin and major cell phone operators and universities.

Screenshot showing SolarWinds customers
Screenshot showing SolarWinds customersImage: SolarWinds

Protected by the appearance of the trusted IT service provider, the intruders had more than eight months to follow e-mail communications and gain control of certain targeted systems.

In the end, it was not government cyberdefense organizations that discovered the hackers but the private cybersecurity firm FireEye, which had also been attacked.

"We are witnessing an attack by a nation with top-tier offensive capabilities. This attack is different from the tens of thousands of incidents we have responded to throughout the years," FireEye CEO Kevin Madia wrote in a blog post. "They used a novel combination of techniques not witnessed by us or our partners in the past."

A banner at the New York Stock Exchange reads SolarWinds
SolarWinds was part of supply chain cyberattackImage: BRENDAN MCDERMID/REUTERS

Who is behind the attack?

Such a sophisticated and prolonged attack is almost certainly the work of a state actor. The Washington Post and the New York Times quoted unnamed US officials who point to Russia as the perpetrator. Democratic Senator Richard Blumenthal also accused Russia in a tweet on Tuesday, after attending a briefing that left him "deeply alarmed, in fact downright scared."

The government has not yet officially named Russia as the hacker. In a radio interview Monday, Secretary of State Mike Pompeo did acknowledge that Russia was constantly trying to penetrate US servers, AP reported. But he was quick to change the subject to discuss the threat from China and North Korea.

Russia denies the allegations. "Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations," the Russian Embassy to the US wrote on Facebook. "Russia does not conduct offensive operations in the cyber domain."

Is Germany affected?

SolarWinds' compromised Orion software is also used by authorities and companies in Germany. A spokeswoman for Germany's Federal Office for Information Security (BSI) explained that the number of people affected is low according to current information.

The BSI recommends that companies and authorities do not stop applying security patches but instead analyze whether the vulnerability can be exploited and if there are any further attack activities in their IT systems. Overall, the BSI warns against relying on digital supply chains in this closely-connected world.

"Attackers are using increasingly professional methods to look for the weakest link in the chain, so that even with a very high standard of security, attack attempts can occur," the BSI spokesperson said.

What will happen next?

US President Donald Trump's former domestic security adviser Thomas Bossert believes the scope of the attack is difficult to overstate. In an opinion piece in the New York Times, Bossert warned it could take years to determine which networks the hackers gained control over.

As a first step, the cybersecurity agency CISA has issued an emergency order. It requires all federal agencies to act immediately: Computers with old versions of the affected software must be shut down without delay. CISA went on to add that removing the attacker from affected systems is expected to be "highly complex." The perpetrator or perpetrators would have demonstrated "patience, operational security and complex craftsmanship skills."

US President-elect Joe Biden
US President-elect Joe Biden has promised to deal with the cyberattacksImage: Susan Walsh/AP Photo/picture alliance

Meanwhile, a discussion about possible retaliation is beginning. US President-elect Joe Biden said cyberattacks would not go unchecked under his administration and that those responsible would be held accountable in coordination with allies.

A whole array of opportunities are open to him — among them sanctions or covert US cyber operations. Former national security adviser John Bolton told reporters at a 2018 briefing that offensive cyber operations against foreign rivals would now be part of the US arsenal and that the US response would no longer be primarily defensive.

Columbia University cyber-conflict expert Jason Healey told AP, "We could completely melt their systems."

Embarrassing revelations about the private wealth of Russian President Vladimir Putin and members of his circle would also be possible. Though it may take a while, Washington will certainly issue a response.

This article was translated from German.