Sophisticated Cyberattacks

News of the hack broke on December 8 with the report U.S. Cyber Firm FireEye Says It Was Breached by Nation-State Hackers.

FireEye said the attackers took the tools it uses to test the defenses of its thousands of customers.

This week we learned the hack did not start with FireEye but with SolarWinds, a trusted Austin-based software maker whose Orion product is used across government and industry. The broader espionage campaign behind it may stretch back years.

It was discovered only because of due diligence by a FireEye employee who took the time to investigate an automated message about a login from an unknown device.

That's the type of automated message routinely discarded by almost everyone.

The suspected Russian hack involving SolarWinds compromised parts of the U.S. government. The scale surprised even veteran security experts.

Hack Suggests New Scope, Sophistication for Cyberattacks

The Wall Street Journal reports Hack Suggests New Scope, Sophistication for Cyberattacks.

As the probe continues into the massive hack—which cast a nearly invisible net across 18,000 companies and government agencies—security specialists are uncovering new evidence that indicates the operation is part of a broader, previously undetected cyber espionage campaign that may stretch back years.

The attack blended extraordinarily stealthy tradecraft, using cyber tools never before seen in a previous attack, with a strategy that zeroed in on a weak link in the software supply chain that all U.S. businesses and government institutions rely on—an approach security experts have long feared but one that has never been used on U.S. targets in such a concerted way.

Most devastatingly, they sneaked their malicious code into the legitimate software of a trusted software maker—an Austin-based company called SolarWinds Corp. and its software called Orion.

FireEye put more than 100 cyber sleuths on the job out of its roughly 3,400 total staff. Trained to investigate breaches at other companies, they now found themselves scouring the company’s own networks.

Security Breaches

  • US Treasury
  • Energy Department
  • Department of Homeland Security
  • State Department
  • At least 18,000 corporations and agencies that downloaded the tainted SolarWinds Orion update
  • While 80% of the victim companies were based in the U.S., Microsoft said that targets were also hit in the U.K., Canada, Mexico, Belgium, Spain, Israel and the United Arab Emirates.

New Techniques


Among the worrying signs, the attacker seemed to have an understanding of the red flags that typically help companies like FireEye find intrusions, and they navigated around them: They used computer infrastructure entirely located in the U.S.; and they gave their systems the same names used by real FireEye employee systems, an unusually adept tactic designed to further conceal the hackers’ presence.

Once they noticed suspicious activity emanating from SolarWinds’ Orion product, the company’s malware analysts scoured some 50,000 lines of code in search for “a needle in a stack of needles,” Mr. Carmakal said, eventually spotting a few dozen lines of suspicious code that didn’t appear to have any reason to be there. Further analysis confirmed it as the source of the hack.
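The two signals in the passages above, a login from a device never seen for that user and an attacker machine wearing the name of a real employee's host, can be checked with a simple baseline over login events. The block below is an added illustration written for this page; it is not FireEye's or SolarWinds' code. The log format, the field names and the sample lines are all constructed assumptions standing in for whatever an identity provider actually records.

```python
"""Baseline check for two signals: a login from a device never seen for that
user, and a known internal hostname showing up from an unfamiliar device.
Added illustration, not FireEye's or SolarWinds' code; the log format and
field names are assumptions."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample log lines (not real FireEye or SolarWinds telemetry).
# "device" stands in for whatever device/MFA-enrolment id the identity provider logs.
# The last two December 2 logins reuse real hostnames from new devices on unfamiliar addresses.
SAMPLE_LOG = """\
2020-11-30T08:01:12Z user=alice host=ALICE-LAPTOP device=dev-1001 src=10.0.4.12 result=success
2020-11-30T08:03:40Z user=bob host=BOB-DESKTOP device=dev-2002 src=10.0.7.30 result=success
2020-12-01T09:15:05Z user=alice host=ALICE-LAPTOP device=dev-1001 src=10.0.4.12 result=success
2020-12-02T02:47:19Z user=alice host=ALICE-LAPTOP device=dev-9999 src=198.51.100.24 result=success
2020-12-02T02:52:33Z user=bob host=BOB-DESKTOP device=dev-7777 src=203.0.113.9 result=success
2020-12-02T10:00:00Z user=bob host=BOB-DESKTOP device=dev-2002 src=10.0.7.30 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) "
    r"device=(?P<device>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn key=value lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_device_anomalies(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Walk successful logins in order, learning (user -> devices) and
    (host -> devices).  The first sighting of a user or host seeds the
    baseline; later logins are flagged when the device id is new for that
    user, or when an already-known hostname arrives from a device it has
    never been paired with (the hostname-mimicry case).  Flagged events are
    deliberately NOT learned into the baseline, so a repeat attacker login
    is flagged again rather than silently becoming normal."""
    user_devices: Dict[str, set] = defaultdict(set)
    host_devices: Dict[str, set] = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        user, host, dev = ev["user"], ev["host"], ev["device"]
        reasons = []
        if user in user_devices and dev not in user_devices[user]:
            reasons.append("login from device never seen for this user")
        if host in host_devices and dev not in host_devices[host]:
            reasons.append("known hostname presented by a new device")
        if reasons:
            alerts.append({"ts": ev["ts"], "user": user, "host": host,
                           "device": dev, "src": ev["src"],
                           "reasons": "; ".join(reasons)})
            continue
        user_devices[user].add(dev)
        host_devices[host].add(dev)
    return alerts


if __name__ == "__main__":
    for a in detect_device_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']} {a['user']}@{a['host']} from {a['src']} "
              f"({a['device']}): {a['reasons']}")
```

Run against the constructed lines it raises two alerts, one for each mimicked host. The point of the hostname check is that a machine named like a real employee's system looks ordinary in a host list; it only stands out when the name is joined to a device identity or source address it has never been paired with.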

The Unknown

“It’s very broad in scope, and potentially very damaging to our economic security,” said J. Michael Daniel, chief executive of the Cyber Threat Alliance, an industry information-sharing group, and the former White House cybersecurity coordinator in the Obama administration. “It’s going to take a long time to figure out the full scope and extent of the damage, and it’s probably going to cost a lot of money to fix.” 

How the hackers gained access to SolarWinds systems to introduce the malicious code is still uncertain. The company said that its Microsoft email accounts had been compromised and that this access may have been used to glean more data from the company’s Office productivity tools.

Inside the Hack

The image above, titled Inside the Hack, is from SolarWinds.

Microsoft and the US Nuclear Agency Exposed

Bloomberg reports Hackers Tied to Russia Hit Nuclear Agency; Microsoft Is Exposed

The U.S. nuclear weapons agency and at least three states were hacked as part of a suspected Russian cyber-attack that struck a number of federal government agencies, according to people with knowledge of the matter, indicating widening reach of one of the biggest cybersecurity breaches in recent memory.  

The Energy Department and its National Nuclear Security Administration, which maintains America’s nuclear stockpile, were targeted as part of the larger attack, according to a person familiar with the matter. An ongoing investigation has found the hack didn’t affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.

“At this point, the investigation has found that the malware has been isolated to business networks only,” Hynes said. The hack of the nuclear agency was reported earlier by Politico.

Microsoft spokesman Frank Shaw said the company had found malicious code “in our environment, which we isolated and removed.”

President-elect Joe Biden issued a statement Thursday on “what appears to be a massive cybersecurity breach affecting potentially thousands of victims, including U.S. companies and federal government entities.”

“I want to be clear: My administration will make cybersecurity a top priority at every level of government -- and we will make dealing with this breach a top priority from the moment we take office,” Biden said, pledging to impose “substantial costs on those responsible for such malicious attacks.”

In the email notice, Bloomberg commented "President Donald Trump, who has been reluctant to criticize Russia or President Vladimir Putin throughout his four years in office, has said nothing."

Wow. 

What a pox on the Department of Homeland Security and the US National Security Agency.

Congrats to the FireEye employee who decided to investigate an automated message. 

Mish