The SolarWinds Hack - There's More To It Than You Realize

The SolarWinds Hack – There’s More To It Than You Realize

National Compass has consistently maintained that having elected as president, an extreme narcissist former Reality television host, whose only ambition was self aggrandisement, was – and remains, a severe, existential national security risk for America.

Nothing that has occured during Donald Trump’s term in office has shown that assessment to be inaccurate and it could be reasonably argued that the latest episode in the news cycle is the crown jewel of catastrophe for this nation.

We refer to the revelation that for the better part of a year, a foreign adversary that the impeached president has been acting as an agent of influence for, has breached a wide array of our most sensitive cyber infrastructure, both government and civilian / commercial.

Photo of Russian President Vladimir Putin and U.S. Secretary of State Mike Pompeo smiling and shaking hands at a conference in 2019. — Speaking of “Cozy Bear”, this is an interesting photo featuring U.S. Secretary of State Mike Pompeo and Russian President Vladimir Putin all smiles. Pompeo, within the last 24 hours, has formally identified the Kremlin as the sponsor and instigator of the massive and international Solar Winds cyberattack.

Cybersecurity and Infrastructure Agency (CISA), issued a statement on Thursday, not only disclosing that responding to the intrusion would be “highly complex and challenging”, but revealed “critical infrastructure” had been damaged, federal agencies and private sector companies compromised, and that the damage posed a “grave threat.”

Beyond that, and the reason this story is not going away anytime soon, CISA said that the operation is a “significant and ongoing hacking campaign.”

“The situation is developing, but the more I learn, this could be our modern day, cyber equivalent of Pearl Harbor.”

– House Member Jason Crow (D-CO)

The hacking is believed to have commenced as early as March of this year the agency said, and that those responsible had “demonstrated patience, operational security, and complex tradecraft”, CISA said. Because of the complexity involved in the intrusion, all signs point to “Russia, Russia, Russia.”

The cyber-attack has been determined to have been the result of Russian counter-intelligence teams from the Russian Foreign Intelligence Service (SVR) primarily “Cozy Bear”, successfully inserting malware into system network software updates (Orion) distributed by a private firm, SolarWinds, to an array of clients estimated at 18,000.

The intended objects of their predation included large corporate targets like Microsoft – and even a noted private security firm, FireEye. Austin based SolarWinds’ customer list includes such heavyweight brands as AT&T, Procter & Gamble, Cisco Systems and McDonald’s.

Russian Cyberattack victims by sector

Microsoft pie chart illustrating Cyber-targets of the Russian hack by sector.

FireEye describes the Orion software as having been “trojanized”, meaning that it was reconfigured by the hackers to act as a conduit for malware (“SUNBURST”) utilized in what is termed, “supply chain” attacks.

At this point, this story having only been evolving for less than a week, we have learned that the Energy Department, Commerce, State, DHS, NIH and the Department of Treasury are among the national assets that were compromised, but it is likely that other target vectors will emerge.

Gordon Corera, BBC security correspondent notes that:

The list of who was hacked is already long – and it is going to get longer. These are still early, and quite frantic, days in the investigation as government departments, companies and organisations race to see if they have a backdoor in their systems and what might have been stolen through it over a period of months. The scale is potentially huge, but the truth is no-one is quite sure of the extent of the impact yet.

While not specifically naming Russia, Microsoft President Brad Smith left little doubt to whom he was referring when commenting that:

“This is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.”

Matthieu Faou, a malware researcher at Slovakia-based ESET issues the disturbing appraisal that it may not be a simple matter of shutting down and locking out the Russians:

“APT29 tends to deploy multiple implants on the same machine so when one is detected, they re-use the remaining one in order to re-take control of the machine. APT29 tends to stay as low profile as possible in order to establish persistence for years in the networks of their targets.”

Think COVID-19 Vaccines Will Be A Magic Bullet For The Pandemic? Not So Fast

Of the agencies that have been discovered to have been hacked, all are subject of deep concern, but the incursion into the databases at the National Nuclear Security Administration is striking among them when one considers the broader implications.

Despite the statements from DOE officials that the known infected networks – the Federal Energy Regulatory Commission (FERC), Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE, have been decoupled from the Orion software, it is by no means certain that merely doing so will lead to a successful purge of APT29 (Advanced Persistent Threat) aka, “Cozy Bear.”

The incursion into the systems at Richland, is raising concerns among DOE officials due to the fact that it may indicate a plan to cripple the nation’s energy grid.

CISA itself is cautioning both government and private sector Information Security stakeholders that shoring up pathways is only the front end of the task, but that uprooting the intruders will be an ongoing challenge:

“The depth with which the attackers might have penetrated networks, combined with sophisticated masking—or “anti-forensic techniques”—means detection and remediations work will continue for some time.”

Researchers at Forensic Cybersecurity firm Volexity, published a report on the 14th of this month that disclosed their findings that the wide ranging infrastructure attacks were part and parcel of other breaches, such as against U.S. research institutes that have been operational for a number of years:

“In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time. Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication to access the mailbox of a user via the organization’s Outlook Web App service.”

Adding to the chorus of cybersecurity professionals warning of the difficult road ahead in disrupting Russia’s intrusion is Dmitri Alperovitch, co-founder and former chief technical officer of the leading cybersecurity firm CrowdStrike. “We should buckle up. This will be a long ride. Cleanup is just phase one.”

SecurityMagazine quotes Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, as speculating that officials at NNSA are not fully disclosing the threat or the extent of it:

“As soon as we think it can’t get any worse, more evidence will be found. The government needs to really step up and prepare for the fallout of all this data loss. Claiming we don’t know will not satisfy the public about the state of national security. There needs to be some level of transparency about what was taken and how we plan to respond based on all the potential ways this data can be used.”

As has been amply noted, but certainly not a surprise to most all of us in the media, Trump has been silent as the grave about this assault against our most critical infrastructure and that of our closest allies. As a contrast, president-elect, Joe Biden, said:

“A good defense isn’t enough; We need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place. We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”

Referencing the shameful abrogation of leadership on the part of Trump, who persists in his obsession of either discrediting the election or overturning it, Mitt Romney put the magnitude of this operation against America in these terms:

pic.twitter.com/iEsWD1V4KI
— Senator Mitt Romney (@SenatorRomney) December 17, 2020

Another angle of this evolving story is that the General Accounting Office, three months ago, issued a report containing warnings about U.S. vulnerabilities to cyber attacks from such actors as the Russians and Chinese, based on the lack of an office inside the White House that can advise the president on cyber threats and coordinate preventative measures among the myriad of agencies that have cyber defense resources and responsibilities.

One of the impediments to defending America from cyber assaults identified in the report, is the existence of disconnected silos that stand in the way of effective exchanges of intel between federal agencies.

Their recommendations resulted in a bi-partisan bill that passed in both House and Senate as a component of the 2121 NDAA (National Defense Authorization Act). It probably won’t come as a surprise that the bill is now sitting on Trump’s desk and he’s considering a veto.

Ironically, the legislation’s provision for a White House Czar of Cybersecurity has led to speculation that president elect Biden may be considering Christopher Krebs for that role. Krebs, as you will recall, is the former Director of the Cybersecurity and Infrastructure Security Agency in the United States Department of Homeland Security that Trump fired for attesting to the integrity of the election processes that Trump has been assailing constantly since November 4th.

As an interesting footnote to those of you, who like myself, run a PC on Windows 10 and activated Microsoft Defender antivirus software – it has been revealed that this seemingly pedestrian security tool played a role in discovering a number of entities that had been subject to the Russian hack.

A caution however – Microsoft Defender was only able to detect the intrusions via an after the fact analysis using telemetry tools integrated in Defender. You should couple this tool with an anti-virus that has real time protection, particularly if you are concerned about having active monitoring of threats that propogate through internet browsers (although Defender does protect Google Chrome and Microsoft Edge browsers).

Industry experts warn against running Defender and a secondary anti-virus program if you are operating an enterprise system with dedicated servers – the principal targets of the Russian operation.

Unfortunately, the infrastructure attacks are only one facet of cyber assault and in a follow up to this report, we will outline another avenue that could directly affect your personal security and make you a target of surveillance. Stay tuned.