It's not often that the Treasury Department and Iowa State University are dealing with the same security problem.
Such is the breadth of what's known as the SolarWinds hack, named for a Texas-based company that was used as a staging ground for an espionage campaign so widespread that experts say we're only beginning to understand who was affected and what was stolen. Treasury is trying to figure out how many senior officials' email accounts were monitored. Iowa State has decommissioned servers to check whether hackers got in.
Around the world, at least hundreds, but more likely thousands or tens of thousands of organizations — including companies, schools, think tanks and, notably, every major government agency — have been working frantically to see whether they've been affected by the suspected Russian hacking campaign and, if so, how much access the hackers had.
It's not rare for companies or government agencies to suffer security breaches. The campaign has drawn some comparisons to China's 2014 hack of the U.S. Office of Personnel Management, which stored the private information of nearly all government employees, including undercover agents. But experts say the SolarWinds hack is unique in its scope, potentially the largest spying operation against the U.S. in history — and it ran without being noticed for nine months.
"The issue is we don't know how big this is, and at the same time it could be the biggest ever," said Sergio Caltagirone, the vice president of threat intelligence at the cybersecurity company Dragos, which is helping industrial and manufacturing companies deal with the hacking campaign and its fallout.
Only a handful of organizations, including the cybersecurity company FireEye and three federal agencies — the departments of Commerce, Energy and Treasury — have admitted having been seriously affected. But the cybersecurity industry is aware of "a little over 200" compromises, Caltagirone said, with the number all but guaranteed to grow.
"Most organizations still lack the basic visibility to even assess whether they were compromised or not," Caltagirone said. "We know we are undercounting the victims here. We know that for a fact."
The campaign is so broad because the hackers pulled off a textbook "supply-chain attack." Instead of breaking into individual organizations, many of which have robust cybersecurity measures, the hackers — widely believed to be Russia's SVR intelligence agency, although most Trump officials have publicly pointed the finger only at Russia — breached SolarWinds, based in Austin, Texas, a company that has an enormous customer base.
Unlike some of Russia's nosier agencies, like the FSB, which is accused of poisoning Russian dissidents, or the GRU, which hacks and leaks material to disparage Russia's opponents, the SVR is known for its methodical, long-term intelligence-gathering operations.
SolarWinds provides software that helps large organizations manage their computer networks, and it is thus given automatic permission to be in those networks without raising alarms. In March, the hackers implanted malicious code into the company's regular software updates, the company and a government investigation found, creating a potential back door into any of the company's tens of thousands of customers.
While the question of who was affected is still open, SolarWinds said in a filing with the Securities and Exchange Commission that it had informed 33,000 customer organizations that they had been infected and that it could narrow the suspected number of actual victims only to under 18,000.
While SolarWinds has released an update of its software, the hackers' nine-month head start means they are likely to have built additional entry points into the networks they deemed important, said Neil Jenkins, the chief analytic officer at the Cyber Threat Alliance, a cybersecurity industry group, and a former senior cybersecurity official at the Department of Homeland Security.
"As soon as you get into a network, you're going to set up other potential back doors and ways to get in, in case the original way you got in closed," Jenkins said. "So just because you closed the SolarWinds intrusion doesn't mean you've solved the problem."
The range of victims extends beyond SolarWinds' extensive customer base. The U.S. Cybersecurity and Infrastructure Security Agency, or CISA, which is leading the government's technical response to the hacking campaign, has warned that the same hackers may have infected victims by other means.
The hackers' lead time and extraordinary access mean victim organizations will have to choose between two unpleasant options: spending significant resources hunting through their computers in the hope that they can eradicate the hackers' footholds or rebuilding their networks from scratch, said Suzanne Spaulding, the former head of what is now CISA and currently the director of the Defending Democratic Institutions project at the Center for Strategic and International Studies, a think tank.
"I think we'll be at least months trying to figure out the full scope and scale of this," Spaulding said. "And at least months trying to recover, trying to get the adversary out or abandon ship and rebuild securely.
"This is not an adversary that goes away when detected," she said. "They fight to maintain their persistent presence, and we'll be doing battle, I suspect, for a while."