The hacking campaign that infected numerous government agencies and tech companies with malicious SolarWinds software has also infected more than a dozen critical infrastructure companies in the electric, oil, and manufacturing industries who were also running the software, according to a security firm conducting investigations of some of the breaches.

In addition to these companies, the SolarWinds software also infected three firms that provide managed services to critical infrastructure industries, says Rob Lee, founder and CEO of Dragos, which specializes in industrial control system security for critical infrastructure and whose company discovered some of the infections.

The managed service providers, known in the industry as original equipment manufacturers or OEMs, sometimes have authorized remote access directly into critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations. This means that hackers who breach such a provider can potentially use that provider’s credentials and access to control critical processes on their customers’ networks.

“If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn’t mean they can then flip off the lights; they have to do more after that.”

But compromising an OEM does magnify the potential risks to multiple entities.

“[I]t’s particularly concerning because … compromising one OEM, depending on where you compromise them, could lead to access to thousands of organizations,” Lee said. “Two of the … OEMs that have been compromised … have access to hundreds of ICS networks around the world.”

He notes that in some cases the OEMs actually infected their customers with the SolarWinds software. Some of the OEMs use the SolarWinds software not just to manage and monitor their own networks, but they also have installed it on customer networks to manage and monitor those. And some of those customers weren’t aware the SolarWinds software was on their network, because it had been installed by their OEM as part of the OEM’s monitoring and maintenance package.

Lee wouldn’t identify the OEMs and doesn’t know if the SolarWinds hackers took an interest in the providers and further compromised them to gain access to the customer networks they remotely manage.

The SolarWinds software was compromised back in March; it installed a backdoor to provide an attacker access to the network of anyone who downloaded it in the last eight months. The backdoor, which security researchers at the security firm FireEye have dubbed SUNBURST, gathers information about the infected network then waits about two weeks before sending a beacon to a command-and-control server owned by the hackers, along with information about the infected network, to signal to them that the infected system is open for them to surreptitiously enter. The hackers would have used that network information to pick out high-value targets and determine which ones they wanted to burrow into further. Once inside an infected system and network, the hackers can download more malicious tools to it and steal employee credentials to gain access to more critical parts of the network to either collect valuable information or potentially to alter data or alter processes on those networks. Kevin Mandia, CEO of cybersecurity company FireEye, has said the attackers only entered about 50 of the thousands of entities that were infected with the backdoor.

Lee said some of the infections in the critical infrastructure sector occurred on the IT networks of the critical infrastructure entities, but others were on the actual industrial control system networks that control critical functions. There is currently no evidence, however, that the hackers used the backdoor in the SolarWinds software to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their ICS networks.

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee, a former critical infrastructure threat intelligence analyst for the NSA. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”

He says all of the infected companies are “doing the necessary hunting and [are] assuming they are compromised.” But without logging to catch the initial infection months ago and track the hackers’ movements through the network if they did burrow in further, the companies have to hunt for what looks like malicious behavior. “And this is an adversary that burrows in deep and is very very hard to root out.”

If the hackers came in through the infected OEM instead, using the OEM’s credentials and privileged access, it could be even more difficult for OEM customers to spot the hackers’ activity since it would look legitimate.

Dragos notified the three OEMs that they were infected, as well as government officials and officials in President-elect Joe Biden’s incoming administration. An alert published last week by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency noted that critical infrastructure entities were compromised by SolarWinds software, but didn’t indicate which industries were affected and didn’t note that this included managed services providers for critical infrastructure.

Potential Operations Against a “Pretty Resilient” U.S. Power Grid

It’s not the first time an OEM in the industrial control system has been hacked. In 2012 hackers believed to be from China breached an OEM called Telvent and stole engineering drawings and accessed files used to program industrial control systems. Telvent is a division of Schneider Electric that is headquartered in Spain, but its software is used in oil and gas pipelines across the U.S. and Canada and in some water control system networks. The breach raised concerns at the time that the hackers could have embedded malicious code in the software to infect customer control systems.

“When you look at industrial networks many people still believe them to be highly segmented, but that only means segmented from the” corporate enterprise network, Lee said. “While they might be segmented from the enterprise, they have a vast series of connections to OEMs and others who are connected to those networks for maintenance and other [purposes].”

The SolarWinds hacking campaign came to light earlier this month when FireEye revealed that it had been breached by hackers who took software tools the company uses to find vulnerabilities in customer systems. The company then revealed days later that the intruders had gained access to their network using a backdoor that had been implanted in network monitoring software made by the Austin-based company SolarWinds. The software is used widely across government and industry to manage and monitor networks, and SolarWinds has revealed that up to 18,000 customers could have downloaded the infected code.

Investigators in the security community have said they have seen nothing to attribute the SolarWinds campaign to a particular known hacking group or nation, but officials in the government have attributed the operation to Russia, though they haven’t indicated what has led them to this conclusion.

“It’s so many different people in the government [attributing this to Russia], you wouldn’t get this sort of statement if there wasn’t something there,” says James Lewis, a former government official who oversees cybersecurity programs at the Center for Strategic and International Studies. “[T]he forensic guys are looking at what’s left behind [on networks], and that may not be the best way to attribute something. Governments use other methods to look for attribution. So the fact that the forensic people haven’t discovered it isn’t determinative; they don’t have the full picture.”

Russia has denied responsibility for the hacking operation.

The scope of the hacking operation is still unknown, but so far reports indicate that the departments of Homeland Security, Commerce, and the Treasury; at least two national laboratories; the Federal Energy Regulatory Commission; and the National Nuclear Safety Agency, which maintains the nation’s stockpile of nuclear weapons, were all infected. Microsoft, Cisco, and Intel are among those in the tech sector that were also infected. A number of the intrusions at government agencies went beyond merely being infected by the SolarWinds malware. Sen. Ron Wyden revealed this week that the hackers were able to read and steal emails of some of the top officials at the Treasury Department.

Currently, the campaign is being characterized by security professionals and government officials as an espionage operation. But the compromise of critical infrastructure could have put the hackers in a position to do more than simply steal data, if they wanted to do so. Although there is currently no evidence this was or would have been their intention, Russia has a history of engaging in disruptive operations in critical infrastructure.

In 2015, Russia hacked several Ukrainian power distribution plants and took out power for about 230,000 customers for up to six hours in some cases, in the middle of winter. They repeated their operation again in Ukraine in 2016, taking out power to some customers for about an hour, and also struck the State Administration of Railway Transport, which manages Ukraine’s national railway system. The operations led experts to conclude that the Russians were using Ukraine as a test bed to refine hacking techniques that could be used in other countries, such as the U.S.

On Sunday, speaking on CNN’s “State of the Union,” Sen. Mitt Romney said, “What Russia has done is put in place a capacity to potentially cripple us in terms of our electricity, our power, our water, our communications.” He continued, “This is the same sort of thing one can do in a wartime setting, and so it’s extraordinarily dangerous, and it’s an outrageous affront on our sovereignty and one that’s going to have to be met with a very strong response.”

But Suzanne Spaulding, former undersecretary for the Department of Homeland Security who led the division that oversees critical infrastructure security, cautions that the intentions of the SolarWinds adversary are still unknown, and even if they breached networks in the electric, oil, and gas industries, this isn’t the same as having the ability to cause disruption or damage.

“But you can [still] get a lot of information … that can help you to plan a truly disruptive attack,” she noted. Because the hackers in the SolarWinds campaign were also able to breach FERC, this could have provided them with information on vulnerabilities and security measures in the U.S. grid that they could later leverage for an attack. She points to the 2015 Russian hack of the Ukrainian distribution plants: The hackers were in the plant networks at least six months doing reconnaissance to understand the equipment and how it worked before taking out the power in December that year.

But even an attack aimed at disrupting the U.S. electric grid would be limited in its effect, she notes.

“It’s hard to have a really impactful attack, particularly on our electric grid, which is pretty resilient,” she said. “[But] we don’t know that that’s what they’re doing.”

In the past, when Russian hackers have targeted the oil and gas industry in hacking operations, Spaulding said the U.S. government assessed that they may have just been looking for information that could make their own oil and gas industry more efficient. “So I don’t think that we can know that their objective here is reconnaissance for being in a position to potentially disrupt critical infrastructure,” Spaulding said. “I do think that we should always, for planning purposes, assume that and take measures to reduce the damage that could be done. But we can’t know that [this is their intention]. And there’s a difference between assuming that for planning purposes and for mitigation, and assuming that for a [U.S. government] response to Russia.”

Spaulding says this doesn’t mean anyone should take the SolarWinds campaign lightly.

“I don’t think this is just traditional spy vs. spy espionage. This is of a scale and scope that really is beyond traditional espionage,” she said. “Particularly because we have been told that over half the victims were not government, but were private sector. And if it’s critical infrastructure, not just defense-industrial base, that is not traditional kinds of espionage and that’s very serious.”

Lee cautions that there is no indication yet that the SolarWinds hacking campaign is anything other than espionage at the moment, but just being in critical infrastructure networks gives the adversary potential political power they might not otherwise have. “I’m thinking about president-elect Biden. The last thing I want him to have to worry about is getting into international relation discussions with Putin or others and not knowing if a foreign adversary can turn their access [in these networks] into a foreign operation on key parts of the infrastructure.”

Although other intruders have been inside the U.S. electric grid before, Lee says this is different. If Iran or China compromises industrial control systems in critical infrastructure, he said, “you assume they could [disrupt operations] but you don’t know [if they have the knowledge and ability]. But Russia has shown an ability to go beyond access to disruption. So when they get access you no longer have the question could they use it? The question is how long would it take them and would they?”

The documents feature internal Facebook communications in which managers appear to admit to major flaws in ad targeting capabilities, including that ads reached the intended audience less than half of the time they were shown and that data behind a targeting criterion  was “all crap.” Facebook says the material is presented out of context.

They emerged from a suit currently seeking class-action certification in federal court. The suit was filed by the owner of Investor Village, a small business that operates a message board on financial topics. Investor Village said in court filings that it decided to buy narrowly targeted Facebook ads because it hoped to reach “highly compensated and educated investors” but “had limited resources to spend on advertising.” But nearly 40 percent of the people who saw Investor Village’s ad either lacked a college degree, did not make $250,000 per year, or both, the company claims. In fact, not a single Facebook user it surveyed met all the targeting criteria it had set for Facebook ads, it says.

The complaint features Facebook documents indicating that the company knew its advertising capabilities were overhyped and underperformed. A “February 2016 internal memorandum” sent from an unnamed Facebook manager to Andrew Bosworth, a Zuckerberg confidant and powerful company executive who oversaw ad efforts at the time, reads, “[I]nterest precision in the US is only 41%—that means that more than half the time we’re showing ads to someone other than the advertisers’ intended audience. And it is even worse internationally. … We don’t feel we’re meeting advertisers’ interest accuracy expectations today.” The lawsuit goes on to quote unnamed “employees on Facebook’s ad team” discussing their targeting capabilities circa June 2016:

One engineer celebrated that detailed targeting accounted for “18% of total ads revenue,” and $14.8 million on June 17th alone. Using a smiley emoticon, an engineering manager responded, “Love this chart! Although if the most popular option is to combine interest and behavior, and we know for a fact our behavior is almost all crap, does this mean we are misleading advertiser [sic] a bit? :)” That manager proceeded to suggest further examination of top targeting criteria to “see if we are giving advertiser [sic] false hope.”

“Interest” and “behavior” are two key facets of the data dossiers Facebook compiles on us for advertisers; according to the company, the former includes things you like, “from organic food to action movies,” while the latter consists of “behaviors such as prior purchases and device usage.”

The complaint also cites unspecified internal communications in which “[p]rivately, Facebook managers described important targeting data as ‘crap’ and admitted accuracy was ‘abysmal.’”

Facebook has said in its court filings that these quotes are presented out of context. The company attempted to suppress the internal documents, obtained by the plaintiff through the legal discovery process, on the grounds that they were “confidential” and could be harmful if competitors were to read them — an argument rejected by the court, which in November ordered the filings unsealed with minor redactions. The social network argued further, in its rejected motion to dismiss the suit, that it’s never guaranteed complete accuracy in its targeting, and that any claims of sophisticated targeting the plaintiff cited in its decision to buy Facebook ads were “generalized, promotional statements about Facebook’s advertising on which a reasonable consumer could not rely as guaranteeing a specific accuracy rate.”

The lawsuit comes at an awkward time for Facebook, which has recently taken out full-page ads in several national newspapers claiming new iOS privacy safeguards will strangle American small businesses, which are already struggling with the economic cataclysm of the Covid-19 pandemic. Facebook calls this anti-Apple effort its “Speak Up for Small” campaign. The Investor Village lawsuit suggests that, far from being a pandemic panacea, Facebook’s ballyhooed ad targeting has actually wasted the time and money of small advertisers it now says it’s championing. “Facebook is no friend to small business,” said Steven Molo, an attorney representing the plaintiff. “As detailed in the allegations of our class action suit on behalf of advertisers, Facebook substantially misrepresented its ability to deliver ads accurately, to the dismay of its own employees.”

Though Facebook would like you to think it’s not, its new spat with Apple is dead simple. Historically, companies like Facebook have been able to monitor the way you use your iPhone (or iPad) in order to attempt to learn the details of your life on a vast scale in order to — as the pitch went to advertisers, at least — show you specific ads that reflect your private hopes, desires, friendships, movements, and so on. But starting in early 2021, Apple says this persistent surveillance will not longer be turned on by default; rather, iPhone owners would have to explicitly opt-in to be stalked by their apps, cutting off this firehose of deeply personal data. This is a major shift in an industry where surveillance is a given, rather than an option.

According to Dipayan Ghosh — a former Facebook executive and current co-director of the Digital Platforms and Democracy Project at Harvard Kennedy School’s Shorenstein Center on Media, Politics, and Public Policy — both Facebook’s anti-privacy PR blitz and this new lawsuit ironically lead to a similar conclusion: Facebook isn’t anyone’s friend but Facebook’s. “Facebook’s argument that its ad-targeting regime is good for small businesses is not only self interested — it is plain wrong,” Ghosh told The Intercept in an email. “Further, the recent [Investor Village] complaint indicates clearly that, if anything, Facebook advertising is not as effective for its advertising clients as it could be. The lack of transparency coupled with the perceived low bang-for-the-buck of advertising on Facebook has troubled marketers for many years — and it appears as though those perceptions may well be true.”

Facebook could not be immediately reached for comment.

In late March, following an employee walkout at an Amazon warehouse in Staten Island to protest the lack of safety protections amid the new pandemic, Amazon fired the lead organizer, Chris Smalls, with the public rationale that he had violated rules around social distancing. Under pressure, Amazon pledged in early April to ramp up its distribution of personal protective equipment, but a leaked memo from a private meeting revealed company executives had discussed how to smear Smalls and damage any potential union efforts. Smalls is “not smart, or articulate,” argued Amazon’s general counsel David Zapolsky, who urged the company to tell reporters Smalls’s conduct was “immoral, unacceptable, and arguably illegal.”

Zapolsky’s comments outraged many left-leaning groups, including a group of lawyers and law students affiliated with the American Constitution Society, a self-described progressive legal organization that was created in 2001 to help build the bench of liberal judges and act as a countervailing force to the conservative Federalist Society. More than 100 individuals sent a letter to ACS’s president, Russ Feingold, the former Democratic senator from Wisconsin, and the ACS board of directors protesting the inclusion of a deputy of Zapolsky’s, Andrew DeVore, in its leadership ranks. DeVore, an Amazon vice president and associate general counsel, reports to Zapolsky and manages Amazon’s “labor and employment” issues, among other areas.

The signatories argued that Amazon’s conduct around Smalls was no isolated incident when it comes to “trampling worker rights” and also blasted the company’s record on privacy, surveillance, tax avoidance, anticompetitive practices, contracts with ICE, and bullying of local governments. “We urge you to ask for Mr. DeVore’s immediate resignation from the Board of Directors,” the letter read. DeVore was appointed in 2017.

Following the letter, ACS sought to handle the internal uprising in several ways, including organizing a virtual town hall for local chapter leaders with Feingold to discuss their concerns.

Feingold “expressed ACS’s respect for workers rights, but my feeling was he treated the meeting like a politician as a way to pacify the opposition rather than committing to specific actions,” said Hooman Hedayati, a member of the Washington, D.C., ACS chapter board who attended the town hall. Feingold declined to share with attendees how much money ACS receives from Amazon (it’s listed as a 2020 corporate sponsor on its website) but insisted the amount was negligible.

Following the town hall, ACS released a public statement reiterating the organization’s support for workers’s rights, and urged “employers to support the right of their employees” to form unions and demand safe working conditions.

Hedayati noted the statement failed to name-check Amazon specifically. “I think it was very concerning that ACS as a progressive organization won’t make a statement that specifically calls out Amazon and its bad track record,” he told The Intercept. “It makes me question to what degree they’d really be willing to speak up in support of the labor movement.”

Feingold also made a few personal calls, including to Leo Gertner, a labor lawyer and lead organizer of the letter, to suggest that the problem will basically go away when DeVore’s three-year term expires at the end of the year. “Feingold was very nice, diplomatic, and courteous and told me he was very supportive of our effort, but that the board was not interested in voting to remove Mr. DeVore or change his status in any way,” Gertner said. “But he told me DeVore was up for reappointment soon and his term was going to end this year.”

Since April, Amazon has continued to face charges of anti-worker activity, most recently this month, when attorneys for the company sought to blunt a union effort at an Alabama warehouse.

But in response to questioning, ACS confirmed to The Intercept that DeVore’s position on the board was actually renewed this year for another three-year term. David Lyle, ACS’s senior counsel for communications, said in a statement that keeping DeVore on “does not affect ACS programming or other decisions, at the national or chapter levels,” but maintained that leadership found him “to be a very engaged board member” and “valu[ed] representation of a diversity of experiences.”

ACS’s ties to Silicon Valley do not end with DeVore. Apple’s in-house counsel, Philippa Scarlett, was appointed to the board of directors in 2017, and now serves on ACS’s board of advisers, though her affiliation with Apple is not actually disclosed in her bio.

Over the last decade, ACS has taken at least $290,000 from Google, Microsoft, and Facebook, with other corporate sponsorships coming from Verizon and Amazon, according to pages detailing ACS convention donors. The contributions have raised questions among its members about how ACS positions itself on matters of antitrust, bankruptcy, and corporate power — areas where ACS has less clear stances than it does on issues around reproductive and civil rights. Some members say this is because ACS has molded its politics in the image of the corporate-minded Senate that serves as gatekeeper to the judiciary.

“ACS is an elite-driven organization based in D.C. with a board of directors full of Harvard, Yale, and Stanford alums, where most of those folks cut their teeth in corporate law and advised those megacorporations,” said Gertner. “I think they have an interest in putting themselves out as liberal and progressive because they have genuinely pro-choice views and are mildly anti-war, but the capture of the elite stratum by corporations is pretty much complete.”

ACS doesn’t shy away from questioning corporate power, though the bulk of its interrogation has been confined to panel discussions. Anti-monopoly advocate Barry Lynn of the Open Markets Institute says ACS could be doing more to offer a progressive vision on these issues, in the way the Federalist Society helps train and educate its conservative members on monopoly and antitrust.

Following the election of Donald Trump, some antitrust advocates, including Lynn, reached out to ACS to encourage the legal organization to take a firmer stance on these issues. In February 2017, Lynn, his colleague Lina Khan, antitrust attorney Jonathan Kanter, and Andy Green of the Center for American Progress met with Kara Stein, ACS’s vice president of policy and program.

“We said, ‘Hey, at least do no harm, don’t support people who are hardcore conservative on corporate welfare,’” Lynn said. “We want them to be a counterweight to the Federalist Society. Maybe they won’t take as radical a position as us, but we do think they should be pretty critical and at least work to educate its members about why the right takes the positions it does.” Lynn says the response they received was relative openness — if anti-monopoly advocates could fundraise for the work.

“They basically told us, ‘Well, if you really want us to engage on these issues around monopoly, then the way to do it would be to give us some money, build up a program,’” Lynn said, adding that Washington, D.C., “is full of these pay-to-play places.” David Lyle, ACS’s senior counsel for communications, didn’t deny Lynn’s characterization of the meeting and said it “was like many ACS holds regularly to explore partnerships and ways to collaborate on topics and issues.”

ACS has sponsored local and national events that have been critical of corporate power and encouraged stronger antitrust work, including an antitrust conference Khan organized at Yale. Hedayati says his ACS chapter has hosted several antitrust events in recent years — including one last month on political influence around antitrust investigations and a film screening in 2019 where members discussed shortcomings of antitrust law.

In response to questions, Lyle also pointed to a national panel ACS sponsored on consolidation of wealth and power in 2017, one on the constitutional dilemmas of Big Tech in 2018, and one on tech regulation in July. He also noted ACS has “been pleased” to publish scholars like Khan in ACS’s official law journal, and that the organization is publishing an essay by her this week with policy recommendations for the Biden administration.

ACS declined to comment on the donations it receives from tech companies or make Feingold available for an interview. “Our work in this field, including the promotion of leading advocates of more strict antitrust enforcement and critics of technology companies speaks for itself,” said Lyle. As a U.S. senator, Feingold was a leading champion on campaign finance reform, pushing major legislation to curb the influence of money in politics. He was also known among his colleagues — and often privately resented — for his strict and obsessive fealty to the spirit of Senate ethics rules.

Lynn told The Intercept that ACS’s corporate tech donations “can’t help but affect” the organization. “When those sorts of folks are in the room they’re going to affect the policy,” he said.

Other members argue ACS’s murkiness on corporate power is less a reflection of rank corruption and points more to the reality that ACS’s aim to be a “big-tent” organization for liberals means it effectively becomes more of a networking group, with inevitable vague policy positions palatable to the full Democratic Party. In the absence of drawing clearer lines in the sand and providing a sharper vision for what progressive lawyering means in the realms of corporate power and bankruptcy law, newer organizations like Demand Justice, the People’s Parity Project, and the Law and Political Economy Project will continue to fill what its supporters say is an intellectual and advocacy void for lawyers on the left.

The Biden administration, for its part, has recently appointed a number of leaders and alumni from big tech companies, though maintains it will continue serious investigations into the practices of these firms. The Trump administration filed a major antitrust suit against Google, which will continue under the Biden administration. The suit is seen as potentially the first of several such clashes with tech titans.

“I think antitrust and antimonopoly people feel listened to on the substance by the Biden administration,” said Jeff Hauser, the director of the Revolving Door Project, which advocates for progressive executive branch appointments. “But the question is whether there will be people appointed who will be able to slow the move of the government against these companies.”