SUNBURST hack: Microsoft’s analysis and news

[German]The hack of many US agencies and companies via the SUNBURST backdoor, executed by hackers suspected to be close to the state, is drawing wider circles. It was probably uncovered by accident, US President Trump is pointing the finger at the Chinese, and Microsoft is providing more detailed analysis. Here is a brief overview.


Advertising

To the facts

For months, numerous U.S. agencies and ministries, as well as companies around the world, have been hacked through a backdoor, and attackers have managed to pull numerous documents. I first reported on these hacks in the articles FireEye hacked, Red Team tools stolen and US Treasury and US NTIA hacked. Hackers have been able to look around their IT systems for months, reading mails and pulling documents.

It is a huge espionage operation that, because of its sophistication and effort, is attributed to state-related hackers. This is because the attackers managed to contaminate updates for a widely used network monitoring software (SolarWinds Orion) with a Trojan called SUNBURST. I had reported in detail in the posts linked at the end of the article.

In my perception, the case has taken on a new dimension and is likely to shake the US IT landscape in the marketplace. Certainties of the kind ‘we are the best, we are safe, nobody can do anything to us’ have just gone down the drain. Wired writes here that experts believe the U.S. is poorly positioned to defend against supply chain attacks, as was the case here. 

Trump downplays the case

The media and authorities have been pointing to Russia as the beneficiary of the spying action since it came to light. This article says that they already had an official statement prepared for last Friday, naming Russia as the originator. But there was a publication stop. 

Trump-Tweets zum Super-Hack


Advertising

Donald Trump has his own view of things (see also here). In above tweets he downplays the hack and writes that it could have been China (wouldn’t be impossible). But the funny thing is that he immediately links it to mini-tampering with the voting machines and claims that the election was stolen. Twitter has added a warning to this tweet that Joe Biden is the winner of the US election.

Hack came to light by accident

I had hinted at it in my posts before: the mistake the state hackers made was probably not being able to resist infiltrating security vendor FireEye and stealing their Red Team tools. That’s because the billion-dollar EINSTEIN program, which is supposed to protect U.S. government IT from such attacks, failed and didn’t notice. The Washington Post writes here that the whole operation was uncovered by a fluke.

The SolarWinds attack escaped U.S. security measures so much that it was discovered not by intelligence officials, but almost by accident thanks to an automated security alert sent in recent weeks to a FireEye employee who had himself been quietly compromised.

The alert, which was also sent to the company’s security team, told the FireEye employee that someone had used the employee’s credentials to log into the company’s virtual private network from an unrecognized device – the kind of security message that company employees routinely delete.

Had this not caught the attention of FireEye executives, the attack likely still would not have been detected. The devil is a squirrel, and from that moment on, things started rolling.

Microsoft presents two analyses

For people who are in enterprise network administration, I’d like to point out two more analyses from Microsoft that go a little deeper into the story. There’s a nice analysis from the Microsoft 365 Defender Research Team: Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Microsoft’s Defender detects the Trojan (see also here).

And there is another document from the Microsoft 365 Defender Threat Intelligence Team Ensuring customers are protected from Solorigate which deals with defensive measures. Microsoft also provides the documentCustomer Guidance on Recent Nation-State Cyber Attacks with further details.

Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a ‘Kill Switch’ and EINSTEIN’s fail
SUNBURST malware was injected into SolarWind’s source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?


Cookies helps to fund this blog: Cookie settings
Advertising


This entry was posted in Security and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *