Cyber-security expert Steven Adair and his team were in the final stages of purging the hackers from a think tank’s network earlier this year when a suspicious pattern in the log data caught their eye.
The spies had not only managed to break back in – a common enough occurrence in the world of cyber incident response – but they had sailed straight through to the client’s email system, waltzing past the recently refreshed password protections like they didn’t exist.
“Wow,” Adair recalled thinking in a recent interview. “These guys are smarter than the average bear.”
It was only last week that Adair’s company – the Reston, Virginia-based Volexity – realized that the bears it had been wrestling with were the same set of advanced hackers who compromised Texas-based software company SolarWinds.
Using a subverted version of the company’s software as a makeshift skeleton key, the hackers crept into a swathe of US government networks, including the Departments of Treasury, Homeland Security, Commerce, Energy, State and other agencies besides.
When news of the hack broke, Adair immediately thought back to the think tank, where his team had traced one of the break-in efforts to a SolarWinds server but never found the evidence they needed to pin down the precise entry point or alert the company. Indicators of compromise published by cyber-security company FireEye on December 13 confirmed that the think tank and SolarWinds had been hit by the same actor.