By Raphael Satter
WASHINGTON (Reuters) – Following a decade-old security recommendation could have helped stymie the Russian hackers who ran amok across federal government networks last year, the Department of Homeland Security’s digital defense arm said in a letter sent earlier this month.
As the United States prepares to pour billions of dollars into shoring up its cybersecurity following a series of dramatic intrusions by foreign hackers, the acknowledgement from the Cybersecurity and Infrastructure Security Agency (CISA) highlights how basic digital security measures can help defeat or at least mitigate the impact of even the most severe breaches.
The June 3 letter, sent by CISA to Senator Ron Wyden, concerned the sprawling espionage campaign that hijacked software from Texas-based SolarWinds Corp to compromise nine government departments, a months-long effort that led to the theft of thousands of U.S. officials’ emails and is already racking up hundreds of millions of dollars in cleanup costs.
The hackers – alleged to be Russian operatives – pulled off the intelligence coup by subverting SolarWinds’ widely deployed network monitoring program and using it to plant malicious software on thousands of clients’ servers, eventually singling out a smaller number for in-depth exploitation.
CISA said that had those victims configured their firewalls so that they blocked all outbound connections from the servers running SolarWinds, it “would have neutralized the malware.”
The agency said that several targets who did set up their firewalls that way “successfully blocked connection attempts” and had no “follow-on exploitation.”
Wyden’s office cited SolarWinds as saying that servers running its software had no need to send outbound traffic. Guidance from the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA) has warned for more than a decade that servers that don’t need to connect to the internet should be prevented from doing so – a principle that’s akin to the idea that doors that don’t need to be opened should be bolted shut.
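As an added illustration of the default-deny outbound rule that CISA and the NIST/NSA guidance describe (example code written for this page, not from the article, CISA, or SolarWinds), the following Python model decides which outbound connections a monitoring server may make, flags every other attempt for alerting, and renders the same policy as an nftables output chain. The addresses, ports and purposes are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed default-deny egress policy for a monitoring server that, as the
# article notes, has no need to initiate outbound traffic. Addresses and
# purposes are hypothetical; only the listed (network, protocol, port) pairs pass.
ALLOWED_EGRESS = [
    (ip_network("10.0.0.0/8"), "udp", 161, "SNMP polling of monitored hosts"),
    (ip_network("10.0.5.10/32"), "tcp", 443, "internal patch mirror"),
]

def egress_allowed(dst_ip, proto, dst_port):
    """Return True only if an allow entry matches; everything else is dropped."""
    addr = ip_address(dst_ip)
    return any(addr in net and proto == p and dst_port == port
               for net, p, port, _ in ALLOWED_EGRESS)

def triage_attempts(attempts):
    """Sort outbound attempts into allowed and blocked. On a host that should
    never reach the internet, every blocked attempt is worth an alert."""
    allowed, blocked = [], []
    for dst_ip, proto, dst_port in attempts:
        bucket = allowed if egress_allowed(dst_ip, proto, dst_port) else blocked
        bucket.append((dst_ip, proto, dst_port))
    return allowed, blocked

def render_nft_ruleset():
    """Render the same policy as an nftables output chain with a drop default,
    logging each dropped attempt so blocked beacons show up in the host logs."""
    lines = ["table inet egress {", "  chain output {",
             "    type filter hook output priority 0; policy drop;",
             "    oif lo accept", "    ct state established,related accept"]
    for net, proto, port, purpose in ALLOWED_EGRESS:
        dst = str(net.network_address) if net.prefixlen == 32 else str(net)
        lines.append(f"    ip daddr {dst} {proto} dport {port} accept  # {purpose}")
    lines += ['    log prefix "egress-drop " drop', "  }", "}"]
    return "\n".join(lines)

# Constructed sample of outbound attempts from the monitoring server.
SAMPLE_ATTEMPTS = [
    ("10.0.1.20", "udp", 161),     # polling a monitored switch: allowed
    ("10.0.5.10", "tcp", 443),     # fetching from the patch mirror: allowed
    ("203.0.113.45", "tcp", 443),  # public (TEST-NET) address: dropped
    ("10.0.5.10", "tcp", 22),      # allowed host, unlisted port: dropped
]

if __name__ == "__main__":
    allowed, blocked = triage_attempts(SAMPLE_ATTEMPTS)
    print(f"allowed={len(allowed)} blocked={len(blocked)}")
    print(render_nft_ruleset())
```

The `ct state established,related accept` line keeps replies to inbound sessions (such as an administrator's connection to the server) working while new outbound connections still fall through to the drop default.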
The servers running SolarWinds inside government networks “should have had even more constraints around them,” said Jason Garbis, who serves as the chief product officer for digital security company Appgate.
There’s no suggestion that sealing the servers running SolarWinds off from the internet would have completely foiled last year’s hacking campaign; the spies used a variety of sophisticated tactics to carry out their espionage work.
But Garbis said following security best practices would have made government networks “much more resilient to these types of attacks.”
(Reporting by Raphael Satter; editing by Jonathan Oatis)