Data crunching consequences of SolarWinds cyberattack
December 17, 2020
Thousands of companies and institutions across the globe have to check whether they have been hacked via security software from Texan firm SolarWinds, which is at the heart of a cyberattack on several US government agencies.
Here is what we know to date about the sophisticated attack:
- How did the hackers get in? -
Hackers managed to compromise a piece of security software and install malware in it -- the Orion security tool developed by SolarWinds, which is used for management and supervision of IT networks at many large companies and several US government agencies.
Rather than directly attacking clients, who include top accounting firms as well as the full gamut of military branches, the hackers aimed to compromise the software's automatic update function.
Beyond the content of the data taken, the break-in also allowed the intruders to build a picture of their victims' structural vulnerabilities.
The attack was discovered by cybersecurity company FireEye, which, along with SolarWinds, has pointed the finger at people linked to the Russian government.
Taking care to exfiltrate stolen data only in relatively small quantities, the hackers reportedly breached software used by the US Treasury Department, the Commerce Department and the Department of Homeland Security, allowing them to view internal email traffic and prompting an FBI investigation.
The software had enjoyed much commercial success, based not least on its state-of-the-art, ergonomic interface.
The malware was laced into the software updates, which breached network security and allowed access to data including email; FireEye says the breaches began around last March.
- Who are the victims? -
According to SolarWinds, 18,000 users of Orion have potentially suffered a security breach, including government agencies and Fortune 500 companies.
For now, experts say the hackers seem primarily to have used a security flaw, dubbed Sunburst, to break into US governmental agencies, insert malicious code and gain access to data to aid state espionage.
People are asking whether a foreign government, such as China or Russia, is involved in this attack.
Is the U.S. facing a Cyber Pearl Harbor?
Thomas P. Bossert writes:
At the worst possible time, when the United States is at its most vulnerable — during a presidential transition and a devastating public health crisis — the networks of the federal government and much of corporate America are compromised by a foreign nation. We need to understand the scale and significance of what is happening.
Last week, the cybersecurity firm FireEye said it had been hacked and that its clients, which include the United States government, had been placed at risk. This week, we learned that SolarWinds, a publicly traded company that provides software to tens of thousands of government and corporate customers, was also hacked.
The attackers gained access to SolarWinds software before updates of that software were made available to its customers. Unsuspecting customers then downloaded a corrupted version of the software, which included a hidden back door that gave hackers access to the victim’s network.
This is what is called a supply-chain attack, meaning the pathway into the target networks relies on access to a supplier. Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state. Evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.
According to SolarWinds S.E.C. filings, the malware was on the software from March to June. The number of organizations that downloaded the corrupted update could be as many as 18,000, which includes most federal government unclassified networks and more than 425 Fortune 500 companies.
The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.
While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.
The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated.
President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government. He must use whatever leverage he can muster to protect the United States and severely punish the Russians.
President-elect Joe Biden must begin his planning to take charge of this crisis. He has to assume that communications about this matter are being read by Russia, and assume that any government data or email could be falsified. [Continue reading…]
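The article and Bossert's piece both describe the mechanism: a corrupted update delivered through the vendor's own update channel, carrying a hidden back door. The script below is an added illustration, not code from the article, from SolarWinds or from any of the agencies named, of the installer-side integrity gate a defender can put in front of an automatic update: every file in the downloaded bundle is hashed and compared against a manifest of reference hashes obtained through a channel separate from the download, and any unexpected, missing or altered file blocks installation. The bundle contents, file names and the tampered copy are all constructed here for the demonstration.

```python
"""
Added illustration (not from the article or from SolarWinds): an installer-side
integrity gate that refuses to apply a software update whose contents do not
match a hash manifest obtained out of band. The update bundle, the reference
hashes and the tampered copy are all constructed for this demo.
"""
import hashlib
import hmac

# Constructed sample: two files making up a hypothetical update bundle.
CLEAN_BUNDLE = {
    "network-monitor.dll": b"\x4d\x5a" + b"legitimate module bytes" * 4,
    "installer.cfg": b"[update]\nversion=2020.2.1\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(bundle: dict) -> dict:
    """Hash every file in a bundle. In real deployments the vendor publishes
    this manifest and the installer fetches it separately from the update."""
    return {name: sha256_hex(data) for name, data in bundle.items()}


def verify_bundle(bundle: dict, manifest: dict) -> list:
    """Return a list of findings; an empty list means the bundle may be installed.
    Files present in only one of the two sets are reported as well, so an extra
    dropped-in module is caught even if every listed file is intact."""
    findings = []
    for name in sorted(set(bundle) | set(manifest)):
        if name not in manifest:
            findings.append(f"unexpected file not in manifest: {name}")
        elif name not in bundle:
            findings.append(f"file listed in manifest is missing: {name}")
        # compare_digest avoids leaking the mismatch position through timing
        elif not hmac.compare_digest(sha256_hex(bundle[name]), manifest[name]):
            findings.append(f"hash mismatch: {name}")
    return findings


def tampered_copy(bundle: dict) -> dict:
    """Constructed tampering: append an extra code stub to one module."""
    bad = dict(bundle)
    bad["network-monitor.dll"] = bundle["network-monitor.dll"] + b"<injected stub>"
    return bad


def main():
    manifest = build_manifest(CLEAN_BUNDLE)
    print("clean bundle:", verify_bundle(CLEAN_BUNDLE, manifest) or "OK, install")
    print("tampered bundle:", verify_bundle(tampered_copy(CLEAN_BUNDLE), manifest))


if __name__ == "__main__":
    main()
```

The caveat matters as much as the check: this gate only detects changes made after the reference hashes were produced. Bossert notes that the attackers had access to the software before the updates were made available, and a manifest computed by the vendor from an already-poisoned build would match that build exactly. Out-of-band hash verification therefore defends the last hop of the update path, not the vendor's build pipeline, which is why monitoring what an updated component does on the network after installation remains necessary.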