Hackers may have obtained sensitive tax information on employees at Atlantic Media, the company said Wednesday.
Saying it became aware of a breach last month, the publisher – whose affiliated companies include The Atlantic and National Journal – announced an internal investigation had found “no evidence that any subscribers’, customers’, or clients’ financial or sensitive information was involved.”
Current and former employees were not so lucky. They were informed this week that “unauthorized actors” had gained access to a server with their tax forms, “which contain names and Social Security numbers.”
There is no evidence that the information has been exploited or publicly disclosed, the company said.
The statement did not identify any suspects. A company spokesperson, Anna Bross, told Insider that the statement reflects the “most complete information that we are making available.”
The FireEye hack and the rioters who breached Capitol Hill were two more visible signs of a growing conflict in cyberspace being waged by state actors and private individuals.
Government and private entities, high-profile officials, and everyday people are all targets in that conflict, but there are many things that they can do to improve their security online and in real life.
As the turbulent 2020 came to an end, US officials discovered that Russian intelligence had penetrated the US’s cyber armor for months without anyone noticing.
In December, FireEye, a private cybersecurity firm, revealed that Russian hackers had stolen hacking tools the company used during “Red Team” evaluations, which are used in the military and intelligence communities to test security and find potential vulnerabilities by simulating attacks.
FireEye’s discovery triggered an avalanche of revelations about the Russian intrusion. The NSA, FBI, Department of Homeland Security, and US Cyber Command were all caught unawares.
The Pentagon, several intelligence agencies, nuclear laboratories, and numerous Fortune 500 companies were compromised at varying degrees. US officials are still trying to determine the extent of the damage.
To make matters worse, in early January, during the intrusion in the Capitol, sensitive systems were stolen, including a laptop belonging to House Speaker Nancy Pelosi.
These are just the most recent and most pronounced examples of an undeclared conflict in the cyber domain between the US and its near-peer adversaries, primarily Russia. That conflict runs parallel to the broader competition between those adversaries, conducted by state and private actors, taking place around the world.
An ounce of prevention is worth a pound of cure
When it comes to tapping a government device in order to access sensitive networks and obtain classified information, there are many moving parts. The placement, accessibility, and vulnerability of a device or network play a big part.
“It really depends on how accessible the device or network is and [on] the methods used by the malign actors,” Jonathan, a former officer with joint special-operations and intelligence experience, told Insider.
“For example, take the recent intrusion in the Capitol building, where we have news that the FBI feared a rioter who stole House Speaker Nancy Pelosi’s laptop from her office may have intended to sell it to Russian security services,” Jonathan added.
“This makes a great case for both physical and digital security, an even more critical undertaking given the proliferation of mobile devices these days. You can’t have one without the other.”
Digital security challenges often spill over from the military and intelligence domains into personal lives. Cyberstalking, cyberbullying, cybercrime, digital coercion, and doxxing – the unsolicited sharing of personal information – are a reality for many in an era of unprecedented connectivity.
Signature Management Unit (SMU), a risk, security, and intelligence consulting firm led by former special-operations and intelligence professionals, recently released a digital security guide that companies and private citizens alike can use to boost their cyber defenses.
Featuring six threat scenarios, ranging from cyberstalking to foreign intelligence, and 31 simple techniques, the guide arms those seeking to take their digital security to another level with the know-how to do so. The authors’ special-operations and intelligence background adds a refreshing level of authenticity.
“We recognize that obtaining a timely, holistic, and coherent understanding of how to approach individual digital security and privacy is difficult and potentially inaccessible to the layman,” the authors write. “However, these matters do not just concern government spies, murky organizations, or those conducting corporate espionage.”
Some of the guide’s key takeaways for public and private audiences are the importance of preemptive action, physical security, situational awareness, and a layered defense plan.
Even if a person is concerned that their data or devices have been compromised, there are still steps that can minimize the damage.
“For starters, don’t let your devices fall into the wrong hands – this could be leaving it unattended in a coffee shop or not letting it out of your sight when crossing a border, and everywhere in between,” Jonathan added.
“[Also] ensure your devices are fully encrypted, and limit unauthorized users from being able to access them physically through the lightning USB port (phones) or by messing with your firmware/boot options,” Jonathan said. “Use tools like the ‘Find my iPhone’ feature, which provides you with a remote wipe option should it be required.”
When it comes to personal devices, measures like two-factor authentication, fairly complex passwords, and network security are important.
The commercial aspect of digital security is perhaps as important and concerns a larger audience since companies and private citizens are also on the “target deck.”
“While malign nation states like Russia are a serious threat, we also have the insidious and less visible threat from corporate big-data companies (and many others like Lexis Nexis, Oracle) such as Google and Facebook, who traffic the sale of individual data for profit that results from targeted advertising,” Jonathan told Insider. “We should all be advocates of the right to privacy and severely limiting others’ ability to profit from the sale of your personal data.”
Although the extent of the Russian cyberattacks is yet to be determined, malign actors working on behalf of Moscow have shown that digital security threats are real and not only concern the military and intelligence communities but private citizens as well.
Stavros Atlamazoglou is a defense journalist specializing in special operations, a Hellenic Army veteran (National Service with the 575th Marine Battalion and Army HQ), and a Johns Hopkins University graduate.
While US cybersecurity and intelligence officials trained their attention on securing the 2020 election, foreign hackers took the opportunity to wedge another door wide open, carrying out a devastating and unprecedented cyberattack.
US officials have tentatively attributed responsibility for the supply-chain attack, which targeted the software company SolarWinds, to a hacking group aligned with Russia’s foreign intelligence service.
“This was the most pristine espionage effort, unlike anything we’ve seen in a very long time,” said Karim Hijazi, a former intelligence community contractor. “Everyone in the cybersecurity community is freaking out, because we don’t know where this could stop.”
Security experts say the most alarming aspect is that officials are nowhere close to gauging the hack’s full scope, who else may have been compromised, and what the attackers could have obtained.
“This could just be the tip of the iceberg,” said Dave Aitel, the CTO of Immunity Inc. and a former NSA research scientist. “This could be an ongoing operation that never ends.”
While public attention was trained on the election, hackers took the opportunity to wedge another door wide open, carrying out a devastating and months-long supply chain attack that could have exposed as many as 18,000 entities, and potentially more.
“The entire US government was very much focused, even hyper-focused, on securing the election,” said David Kennedy, the CEO of TrustedSec and a former hacker for the National Security Agency. “So these are definitely opportunistic times for adversaries to say, ‘Well, the focus right now is going to be on election systems. Let’s go after things that we know are going to be beneficial for us for the next administration or for the foreseeable future that helps us from an intelligence perspective.’ That’s what nation states do. This is what cyber war is all about.”
The hack targeted Orion, a type of network management software developed by the firm SolarWinds and distributed to thousands of clients. SolarWinds said a nation state was responsible for the hack and estimated that 18,000 Orion customers downloaded a malicious software update containing a backdoor that gave hackers access to their computer systems.
US officials have tentatively attributed the attack to Russian hackers, specifically the group Cozy Bear, which is linked to Russia’s foreign intelligence arm. Former homeland security advisor Thomas Bossert also said in a New York Times op-ed that “evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world.”
Russian government officials have denied responsibility, and there is some debate over whether another nation state was the culprit.
“Unlike terrorist activities where the attackers like to take credit, this was an espionage effort,” said Karim Hijazi, the CEO of the cybersecurity firm Prevailion and a former intelligence community contractor. “With espionage, your main goal is to complete your objective with zero residual presence. It’s not about gloating. This was the most pristine espionage effort, unlike anything we’ve seen in a very long time. That’s what makes it so difficult to pin down one suspect.”
‘This could just be the tip of the iceberg’
At least three state governments and multiple federal agencies were hacked, including the Pentagon, intelligence agencies, the State Department, Commerce Department, Treasury Department, and the agency that manages the US’s nuclear stockpile. The National Nuclear Security Administration said the attack was isolated to the business side of its network and did not affect critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA), the US’s premier cyber arm, issued an urgent statement after news of the hack broke instructing all federal civilian agencies to uninstall SolarWinds products and inform CISA once they had, to prevent hackers from infiltrating more systems.
The most alarming aspect of the hack, however, is that officials are nowhere close to gauging its full scope. They don’t know if it’s still ongoing, who else may have been targeted, and what the hackers could have obtained.
“The real fear is what else may have been put into these environments subsequent to the SolarWinds hack, persistent malware that can go dormant and lay in wait until it’s called upon later,” Hijazi said. “And as long as it doesn’t call out or do anything, no one’s going to know it’s there. That’s the bigger scare.”
Moreover, “because this was a supply chain and third party infiltration hack,” meaning that the attackers breached systems through another trusted organization, “it’s almost impossible to prevent,” he added. “This adversary was so sophisticated and it was such a well orchestrated attempt to obfuscate their tactics and make themselves look benign, that this attack was fairly inevitable.”
The cyberattack began when hackers infiltrated SolarWinds and injected malicious code into Orion by manipulating the code-signing process, which firms use to digitally sign their software so that customers can verify that a product’s code is authentic and has not been altered.
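The paragraph above leans on what a code signature does and does not guarantee. The following is an added example, not code from the article or from SolarWinds, FireEye or any other company it names: a minimal Ed25519 release-signing and verification routine in Go, with the key pair, artifact names and byte strings all constructed for illustration. It verifies three artifacts the way a customer’s updater would: a clean signed build, a build altered after signing, and a build altered inside the publisher’s pipeline before signing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ReleaseSigner holds a software publisher's release-signing key pair.
// Generated in memory here for illustration only; a real publisher keeps
// the private half in an HSM or signing service, never on a build host.
type ReleaseSigner struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// NewReleaseSigner creates a fresh Ed25519 key pair.
func NewReleaseSigner() (*ReleaseSigner, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &ReleaseSigner{Pub: pub, priv: priv}, nil
}

// SignArtifact signs the SHA-256 digest of an update artifact's bytes.
func (s *ReleaseSigner) SignArtifact(artifact []byte) []byte {
	digest := sha256.Sum256(artifact)
	return ed25519.Sign(s.priv, digest[:])
}

// VerifyArtifact is the check a customer's updater runs before installing:
// the artifact is accepted only if the signature matches its current digest
// under the publisher's public key.
func VerifyArtifact(pub ed25519.PublicKey, artifact, sig []byte) bool {
	digest := sha256.Sum256(artifact)
	return ed25519.Verify(pub, digest[:], sig)
}

// Outcome records what the signature check says about three artifacts.
type Outcome struct {
	GenuineAccepted           bool // clean build, signed by the publisher
	PostSigningTamperAccepted bool // bytes altered after signing
	PreSigningTamperAccepted  bool // altered before signing, then signed as-is
}

// RunScenario builds three artifacts from constructed sample bytes and
// verifies each one as a customer would.
func RunScenario(s *ReleaseSigner) Outcome {
	// Constructed sample artifacts; these are not real release bytes.
	clean := []byte("update-v1.0: legitimate build output (constructed sample)")
	injected := []byte("update-v1.0: legitimate build output (constructed sample) + code inserted in the pipeline")

	sigClean := s.SignArtifact(clean)

	// Case 2: the artifact is modified in transit, after it was signed.
	modified := append(append([]byte{}, clean...), []byte(" + modified after signing")...)

	// Case 3: the modification happened before signing, so the publisher's
	// own key signs the altered bytes and the signature is valid.
	sigInjected := s.SignArtifact(injected)

	return Outcome{
		GenuineAccepted:           VerifyArtifact(s.Pub, clean, sigClean),
		PostSigningTamperAccepted: VerifyArtifact(s.Pub, modified, sigClean),
		PreSigningTamperAccepted:  VerifyArtifact(s.Pub, injected, sigInjected),
	}
}

func main() {
	signer, err := NewReleaseSigner()
	if err != nil {
		panic(err)
	}
	out := RunScenario(signer)
	fmt.Printf("genuine build accepted:            %v\n", out.GenuineAccepted)
	fmt.Printf("tampered after signing accepted:   %v\n", out.PostSigningTamperAccepted)
	fmt.Printf("tampered before signing accepted:  %v\n", out.PreSigningTamperAccepted)
}
```

The third case is the one that matters for a supply-chain compromise: a signature proves that the holder of the key signed exactly these bytes, not that the bytes are benign. Once the pipeline producing the artifact is compromised before signing, the customer-side check passes, which is why defenders treat signature verification as necessary but pair it with build-pipeline integrity controls (protected signing keys, reviewed build inputs, and comparison of build outputs against an independent build).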
SolarWinds then unknowingly distributed the malware to its clients when it rolled out a series of software updates beginning in March. The attack was not detected until last week, when the cybersecurity giant FireEye learned it was hacked by a nation state “with top-tier offensive capabilities” and asked the FBI to investigate.
FireEye said hackers had stolen its offensive security tools that highlight an organization’s vulnerabilities, known as red teaming tools. In the hands of a cybersecurity company, these are used to help an organization understand and address its weak points.
“But in the hands of an adversary, it’s literally a can opener,” Hijazi said. “These are tools they can use to get into other organizations, and we don’t know if this was opportunistic on the part of the hackers or if it was their plan all along.”
In the days since the breach was discovered, national security advisor Robert O’Brien cut short an overseas trip and came back to the US to attend crisis meetings about the attack, a sign of how seriously the government is taking the matter.
The FBI, CISA, and the US intelligence community are all investigating it, and the White House and the House and Senate intelligence panels have been briefed on it. Republican and Democratic lawmakers have also requested information about whether the IRS, which is housed within the Treasury Department, was infiltrated and whether personal taxpayer information was stolen.
“This could just be the tip of the iceberg,” said Dave Aitel, the CTO of Immunity Inc. and a former NSA research scientist. “This could be an ongoing operation that never ends, because let’s say as the attacker, you go from SolarWinds to Microsoft to Cisco to FireEye, and you make a big circle by the time your first injection point has been discovered. And there’s so many huge companies running so much software, and we have no way to secure it. No one had a solution to preventing an attack like this, and here we are.”
‘Are you ever truly going to be able to get them out?’
Hijazi agreed, saying there could be a prolific and “dizzying chain effect” of the hack.
“This is why everyone in the cybersecurity community is freaking out, because we don’t know where this could stop,” he said. “If these hackers have been able to work over months, bouncing from one target to the next, that gets very serious. And the kinds of tools and access they can get in these environments can be as simple as a Trojan, or it could be complete and utter control of the administrative privileges of an organization. And no one would notice because the hackers could be acting like they’re one of the employees of the company.”
But Aitel was wary of drawing conclusions about the timing, scope, or motive of the hack given how little information officials have gleaned about it so far and how much is still unknown.
“Not only do we not know enough, but I don’t think we have the strategic picture or analytics done to say what our next move should be from a countrywide perspective,” he said. “We’re also not the only country involved because our supply chains automatically reach every other country. And SolarWinds got unlucky, but they’re not the only large enterprise management software out there that could get attacked like this.”
Kennedy echoed that view, saying, “We still don’t know the implications of what they were going after and their objectives. But believe me, the government is going to do a full investigation of the level of access they had and their overall motives, and there’s going to be retaliation for that.”
Regardless of whether there’s any retaliation, Aitel said, the biggest question is whether the US will ever be able to recover from the attack.
“If you’ve given a top-notch hacking team access to your network for months, are you ever truly going to be able to get them out?” he said.