SolarWinds hack: Hacker goals and outsourcing under investigation?

More and more details about the SolarWinds hack are coming to light, and more and more questions are surfacing. There are a large number of people affected, which raises the question of what the attackers were after. In addition, questions are growing louder about why the early warning systems in the U.S. did not kick in, and whether outsourcing development to SolarWinds' subsidiaries in Eastern Europe made the attack possible in the first place.


The SolarWinds hack strikes at the heart of the U.S. and its administration. Suspected state attackers had succeeded in infecting a DLL in SolarWinds' Orion software with a backdoor called SUNBURST. The whole thing was then distributed as a digitally signed update to all users of the SolarWinds Orion software. The hackers were able to access the victims' systems unnoticed for many months and set up shop there. Since SolarWinds Orion products are used by many customers, the number of victims is enormous (potentially 18,000 customers are said to have been affected).

Security system failed to detect the hack

The hackers were probably able to look around unnoticed in the compromised systems for 9 months (possibly even longer). It took an attentive employee of the security company FireEye, which was also hacked, to take a closer look. The employee did not simply click away a warning that someone had logged in with his account, but sounded the alarm and initiated an analysis of the situation. At the end of the analysis it was clear that the security provider FireEye had been hacked via the SolarWinds Orion software and that the attackers had been able to steal Red Team tools (see FireEye hacked, Red Team tools stolen).

U.S. authorities boasted of having early detection software to monitor such attacks. And the victims' systems were actually instrumented enough to detect hacker attacks. I had already pointed out in the blog post SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail that the EINSTEIN monitoring software had been 'blind' regarding the SolarWinds hack. Meanwhile, the question of why nothing was noticed is becoming more urgent in the US. After all, the hack as well as the infection of the software systems took place months earlier. One possible explanation: the fear of some manipulation of the US voting computers for the presidential election might have diverted attention from this hack. However, I fear that this is 'whistling in the dark', because a lot of things in IT are simply broken in terms of security.

Did Eastern European developers facilitate the hack?

In the meantime, people are digging deeper, and the Americans, or rather the users of the Orion software, have to ask themselves more unpleasant questions. The New York Times takes up the following points in this article:

  • SolarWinds has already attracted attention in the past due to a lack of security measures for its products. This has made the company an easy target for supply chain attacks, according to current and former employees and U.S. government investigators. Chief Executive Kevin B. Thompson, who is leaving his job after 11 years, dodged questions about whether his company should have detected the intrusion. I had already addressed such a case in the article Sloppiness at SolarWinds responsible for compromised software?
  • SolarWinds is a U.S. manufacturer, but its software development is international. Some of the compromised SolarWinds software was developed in Eastern Europe, according to The New York Times. American investigators are now looking into whether the attack on the Orion software source code, which resulted in the implantation of a backdoor, originated from these Eastern European development sites. The suspicion exists because Russian intelligence operatives have deep roots there.

My guess is that many development models will now have to be put to the test. Years ago, the U.S. administration banned Russian antivirus vendor Kaspersky from its agencies over security concerns. Now, the U.S. public is learning that its own software houses outsourced development to the sphere of influence of Russia, whose intelligence service is held responsible for the operation, and also acted rather carelessly in terms of security in other respects. Whoever finds traces of schadenfreude here may keep them.


The damage is enormous and the number of victims is growing

Both this article from The New York Times and this article from Bloomberg pick up on two other aspects. SolarWinds claims that 18,000 customers are potentially affected by the backdoor called SUNBURST. However, it is now known that the number of companies and institutions being actively investigated is lower.

In the article News in the fight against SUNBURST infection, domain seized I had named some victims; the Wall Street Journal gives a further overview. In the meantime, it has also become known that another backdoor was found on some victims (see 2nd backdoor found on infected SolarWinds systems). This suggests that another hacker group is active in this field.

In the two articles linked above, it is said that according to the analyses so far, about 200 US agencies and companies were probably targeted victims of this hacking operation. However, there are new findings almost every day, so the number can still change.

What also makes me quite jittery at the moment: SolarWinds and the US-CERT have issued security advisories on what to patch now to lock out the attackers. Every user of an infected computer is told that the system is compromised and that no one can know whether all traces of the infection have been removed by virus scanners. A fresh installation is prescribed. The SolarWinds security advisories simply say 'with the and version of the software the backdoor is removed'. The fact that the attackers have long since found other ways to infiltrate the IT networks in question is ignored.

What was the goal?

U.S. officials, including outgoing Attorney General William Barr, as well as cybersecurity experts have pinpointed Russia as the most likely culprit; some experts suspect the attack bears the hallmarks of Russian hacking group APT 29, also known as Cozy Bear. Bloomberg writes that the fact that the hackers had access to the email accounts of high-ranking U.S. government officials supports the theory that the suspected Russian hackers drove a massive espionage operation.

On Monday, Senator Ron Wyden, Oregon Democrat and ranking member of the Senate Finance Committee, provided the most compelling evidence yet for the spying theory, according to U.S. media. After being briefed by Treasury Department staff, Wyden said the hackers gained access to the email accounts of the department's most senior officials. However, the U.S. Treasury Department still does not have a full accounting of what exactly the hackers did in their IT systems.

According to the Wall Street Journal, the hackers also managed to access about three dozen email accounts at the Commerce Department's National Telecommunications and Information Administration. The email accounts of high-ranking executives were affected. This raises speculation about the purpose of the entire operation. The New York Times speculates that the goal may have been 'to destroy confidence in the U.S. IT landscape and its security.'

If this were the case, I would spontaneously classify this as something very positive – because the bigotry of the Americans in this respect is simply unbelievable – and this case could perhaps bring things back to the right level.

With the new administration taking office in three weeks, some analysts suspect that the Russians may be trying to shake Washington's confidence in the security of its communications and demonstrate their cyber arsenal. The background would be to have leverage against President-elect Joseph R. Biden Jr. ahead of nuclear arms talks.

Frank Cilluffo, director of the McCrary Institute for Cyber and Critical Infrastructure Security at Auburn University and a consultant to the Department of Homeland Security, is quoted by U.S. media as saying that it is simply too early to know for sure what the hackers were after. That's true even if it looks like a "massive intelligence coup" at first, he said. "That doesn't necessarily mean they can't use those buttresses for more disruptive actions in the future," Cilluffo is quoted as saying. "It's hard to know until the damage assessment is complete."

The case will be with us for some time, and I'm guessing we'll be getting new findings every day. Details can be found in articles from The New York Times and Bloomberg. Some interesting thoughts can also be found in this article. It puts its finger on the sore spot: private equity financing, as in the case of SolarWinds, and monopolies à la Microsoft laid the foundation for hacks such as the one we have now experienced. An exciting story, this SolarWinds hack, and a rewarding field of activity for bloggers and journalists.

Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWind's source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft's analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
