What is the SolarWinds Hack? Who Has Been Compromised?

Written by Shruti Dhapola | Chandigarh |

Updated: December 23, 2020 12:14:38 PM





The target of the cyber attack was Orion, software provided by the SolarWinds company. (Photo from Reuters)

The ‘SolarWinds hack’, a cyber attack recently discovered in the United States, has emerged as one of the biggest ever directed against the US government, its agencies and various other private companies. In fact, it is likely a global cyber attack.

It was first discovered by US cybersecurity company FireEye, and since then more developments have come to light every day. The enormity of the cyber attack remains unknown, although the US Treasury, Department of Homeland Security, Department of Commerce and parts of the Pentagon are all believed to have been affected.

In an opinion piece written for The New York Times, Thomas P. Bossert, who was Homeland Security Adviser to President Donald Trump, named Russia as the source of the attack. He wrote that “evidence in the SolarWinds attack points to the Russian intelligence agency known as SVR, whose trade is among the most advanced in the world.” The Kremlin has denied its involvement.

So, what is this ‘SolarWinds hack’?

News of the cyber attack technically first came out on Dec. 8, when FireEye published a blog post disclosing an attack on its own systems. The company assists in the security management of several large private companies and federal government agencies.

FireEye CEO Kevin Mandia wrote in a blog post that the company was “attacked by a highly sophisticated threat actor,” calling it a state-sponsored attack, although it did not mention Russia. It said the attack was carried out by a country “with the highest level of offensive capabilities”, and “the attacker was mainly looking for information on certain government customers.” It also said the methods used by the attackers were new.

Then FireEye said on Dec. 13 that the cyber attack, which it called Campaign UNC2452, was not aimed at the company alone, but targeted various “public and private organizations around the world”. The campaign likely started in “March 2020 and has been going on for months,” the post said. Worse, the amount of data stolen or compromised is still unknown, because the full extent of the attack is still being uncovered. After systems were compromised, “lateral movement and data theft” took place.


How have so many US government agencies and businesses been attacked?

This is called a ‘Supply Chain’ attack: instead of directly attacking the federal government or the network of a private organization, the hackers target a third-party vendor who supplies them with software. In this case, the target was an IT management software called Orion, provided by the Texas-based company SolarWinds.

Orion is SolarWinds’ flagship product, with more than 33,000 companies among its clients. SolarWinds says 18,000 of its customers have been affected. Incidentally, the company has removed the list of customers from its official website.

According to that page, which has also been dropped from Google’s web archives, the list includes 425 companies in the Fortune 500 and the top 10 telecom operators in the US. A New York Times report said parts of the Pentagon, the Centers for Disease Control and Prevention, the State Department, the Justice Department, and others were all affected.

Microsoft confirmed that it found evidence of the malware on its systems, although it added that there was no evidence of “access to production services or customer data,” or that its “systems were being used to attack others.” Microsoft President Brad Smith said the company has begun “notifying more than 40 customers that the attackers targeted more precisely and compromised.”

A Reuters report said even emails sent by Department of Homeland Security officials were “monitored by the hackers.”

How did they get access?

According to FireEye, the hackers were “given access to victims via trojanized updates to SolarWinds’ Orion IT surveillance and management software.” In practice, a legitimate software update was used to deliver the ‘Sunburst’ malware into Orion, and that update was then installed by more than 17,000 customers.

FireEye says the attackers relied on “multiple techniques” to avoid being detected and “cover up their activity.” The malware was able to access the system files. What worked in favor of the malware was that it could “merge with legitimate SolarWinds activity”, according to FireEye.

After installation, the malware gave the hackers access to SolarWinds customers’ systems and networks. More importantly, the malware was also able to evade tools such as antivirus programs that could otherwise have detected it.

Where does Russia come in?

In his NYT opinion article, Bossert pointed to Russia and its intelligence agency, the SVR, which has the capabilities to carry out an attack of such ingenuity and magnitude.

Microsoft notes in its blog that “this aspect of the attack created a supply chain vulnerability of near global importance and reached many major national capitals outside of Russia.” It adds that advanced attacks from Russia have become common.

However, FireEye has not yet named Russia as responsible, saying the investigation is ongoing with the FBI, Microsoft and other key partners it did not name.

What have SolarWinds and the US government said about the hack?

At this time, SolarWinds recommends that all customers immediately update to the current Orion platform release, which contains a patch for this malware. “If attacker activity is detected in an environment, we recommend conducting a comprehensive investigation and designing and executing a recovery strategy that is driven by the investigation results and details of the affected environment,” the company says.

Those unable to update are told to “isolate SolarWinds servers” and “include blocking all outgoing Internet connections from SolarWinds servers”. The bare minimum suggestion is to “change passwords for accounts accessing SolarWinds servers / infrastructure”.

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, asking all “federal civil agencies to review their networks” for indicators of compromise. It has asked them to “disconnect or turn off SolarWinds Orion products immediately”.
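The interim containment steps described above (confirm where Orion is installed, record the server’s current outbound connections for the investigation, then block its Internet egress) can be applied on a Windows server running Orion with the following script. This is an added example, not code from the article, SolarWinds or CISA; the registry-based product lookup, the firewall rule name and the private address ranges are assumptions to adjust for your environment, and it must be run in an elevated PowerShell session.

```powershell
# Added example: containment steps for a server hosting SolarWinds Orion.
# Assumptions: Orion registers under the standard Windows Uninstall keys, and
# the internal networks use RFC 1918 ranges. Run as Administrator.

# 1. Confirm an Orion install is present and note its version for the investigation.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$orion = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'SolarWinds*Orion*' } |
    Select-Object DisplayName, DisplayVersion, InstallDate
if (-not $orion) {
    Write-Warning 'No SolarWinds Orion product found in the Uninstall registry keys.'
} else {
    $orion | Format-Table -AutoSize
}

# 2. Preserve evidence before isolating: export every established connection
#    to a non-private address, with the owning process, for the investigators.
$privateRanges = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'
$evidence = Join-Path $env:TEMP ("orion-outbound-{0}.csv" -f (Get-Date -Format 'yyyyMMddHHmm'))
Get-NetTCPConnection -State Established |
    Where-Object { $_.RemoteAddress -notmatch $privateRanges } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name } } |
    Export-Csv -Path $evidence -NoTypeInformation
Write-Host "Outbound connection snapshot written to $evidence"

# 3. Block all outbound Internet traffic from this server. The 'Internet' keyword
#    matches any address outside the local subnets, so internal management
#    access keeps working while the malware's egress path is cut.
New-NetFirewallRule -DisplayName 'ED21-01 Block Orion Internet egress' `
    -Direction Outbound -Action Block -RemoteAddress Internet -Profile Any -Enabled True

# 4. Credentials for every account that accesses this server must be rotated
#    separately (service accounts, local admins, domain accounts used by Orion).
```

Rotate the credentials after the rule is in place so that any session the attackers hold is cut off first; the rule can be removed with Remove-NetFirewallRule once the patched release is installed and the investigation is complete.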

The FBI, CISA and the Office of the Director of National Intelligence issued a joint statement announcing the so-called Cyber Unified Coordination Group (UCG) to coordinate the government’s response to the crisis. The statement calls this a “significant and ongoing cyber security campaign.”

The White House and President Donald Trump have been silent. Senator Mitt Romney summed it up best in his comment to SiriusXM radio journalist Olivier Knox, where he compared this attack to Russian bombers flying undetected across the country, exposing the US’s weakness in cyber warfare. He said the White House’s silence and inaction was unforgivable.

Senator Richard Blumenthal, a Democrat, tweeted, “The Russian cyber attack made me deeply alarmed, in fact downright scared.”

President-elect Joe Biden said in a statement: “Good defense is not enough; we must disrupt our opponents and stop them from carrying out major cyber attacks at all.”


© IE Online Media Services Pvt Ltd
