Dozens breached with a single hack

BOSTON (AP) – The SolarWinds hacking campaign blamed on Russian spies, and the “serious threat” it poses to US national security, are well known. A very different – and no less troubling – coordinated string of intrusions, also discovered in December, has received far less public attention.

Agile, highly skilled criminal hackers believed to be operating from Eastern Europe breached dozens of businesses and government agencies on at least four continents by compromising a single product that they all used.

The victims include the Central Bank of New Zealand, Harvard Business School, Australia’s securities regulator, the powerful American law firm Jones Day – whose clients include former President Donald Trump – rail freight company CSX, and the supermarket and pharmacy chain Kroger. Also hit was the Washington State auditor’s office, where the personal data of up to 1.3 million people, collected for an unemployment fraud investigation, may have been exposed.

The two-stage mega hack in December and January of a popular file transfer program from Silicon Valley company Accellion points to a threat that security experts fear is spiraling out of control: break-ins by top-tier criminals and state-sponsored hackers into the supply chains of software and third-party services.

Operating system vendors like Microsoft have long been targets – untold thousands of installations of its Exchange email server were breached worldwide in recent weeks, mostly after the company issued a patch and disclosed that Chinese state hackers had broken into the software.

Accellion’s victims continue to pile up as many are extorted by the Russian-speaking Clop cybercriminal gang, which researchers believe bought the stolen data from the hackers. Their threat: pay or we’ll leak your sensitive data online, whether it’s proprietary documents from Canadian aircraft manufacturer Bombardier or attorney-client communications from Jones Day.

The hack of up to 100 Accellion customers, easily identified by the hackers with an online scan, is a painful reminder of a core mission of the digital age in which governments and the private sector are falling short.

“Attackers are finding it increasingly difficult to gain access through traditional methods as vendors such as Microsoft and Apple have tightened operating system security significantly in recent years. So the attackers find easier ways to get in. This often means going through the supply chain. And as we’ve seen, it works,” said Mikko Hypponen, chief research officer of cybersecurity company F-Secure.

Members of Congress have already been appalled by the supply chain hack of the Texas network management software company SolarWinds, which allowed suspected Russian state-backed hackers to tiptoe unnoticed – apparently focused solely on gathering intelligence – for more than half a year through the networks of at least nine government agencies and more than 100 companies and think tanks. It wasn’t until December that the SolarWinds hacking campaign was discovered by cybersecurity company FireEye.

France suffered a similar hack, which its cybersecurity agency blamed on Russian military agents, who also exploited the supply chain. They planted malware in an update to network management software from a company called Centreon, which allowed them to quietly burrow into victims’ networks from 2017 to 2020.

Both of those hacks snuck malware into software updates. The Accellion hack was different in one important respect: the file transfer program resided on the victims’ networks as a standalone appliance or as a cloud-based app. Its job is to securely move files that are too large to be attached to email.

Mike Hamilton, a former Seattle chief information security officer now at CI Security, said the trend of exploiting third-party service providers shows no signs of slowing, as it gives criminals the highest return on their investment when a single intrusion reaches “a wide variety of businesses or government agencies.”

The impact of the Accellion breach could have been mitigated if the company had warned customers more quickly, some complain.

New Zealand Central Bank Governor Adrian Orr says Accellion did not warn it after first learning in mid-December that the nearly 20-year-old FTA product – built on outdated technology and about to be retired – had been breached.

Despite a patch being available on Dec. 20, Accellion failed to notify the bank in time to prevent the breach of its device five days later, the bank said.

“If we had been notified at the right time, we could have patched the system and prevented the breach,” Orr said in a statement posted on the bank’s website. Among the information stolen were files containing personal emails, dates of birth and credit information, the bank said.

Likewise, the Washington State Auditor’s office has no record of being made aware of the breach until Jan. 12, the same day Accellion announced it publicly, said spokeswoman Kathleen Cooper. Accellion said at the time that it had released a patch to the fewer than 50 affected customers within 72 hours of learning of the breach.

Accellion now tells a different story. It says it alerted all 320 potentially affected customers with multiple emails beginning Dec. 22 – and followed up with further emails and phone calls. Company spokesman Rob Dougherty would not directly address the complaints from the New Zealand central bank and the Washington State auditor. Accellion says fewer than 25 customers appear to have experienced significant data theft.

A timeline released on March 1 by cybersecurity firm Mandiant, which Accellion hired to investigate the incident, says the company first became aware of the breach on Dec. 16. The Washington State auditor says the hack took place at Christmas.

The question of when the breach was reported is a serious one. Washington state has already been sued, and several class-action suits have been filed against Accellion. Other organizations may also face legal or other consequences.

Last month, Harvard Business School officials emailed affected students telling them that some Social Security numbers, along with other personal information, had been compromised. Another victim, Singapore-based telecommunications company Singtel, said personal details of approximately 129,000 customers were compromised.

Too often, software companies with hundreds of programmers have only one or two security staff, says Katie Moussouris, CEO of Luta Security.

“We wish we could say that organizations were investing uniformly in security. But we really only see them dealing with the breaches and then promise they will do better in the future. And that has been a kind of business model.”

Dougherty, Accellion’s spokesman, said the attacks “had nothing to do with personnel,” but he would not say how many of the company’s employees were directly assigned to security in mid-December.

Cybersecurity threat analysts hope the snowball effect of supply chain hacks will push the software industry to prioritize security. Otherwise, vendors risk the fate that befell SolarWinds.

In a filing with the Securities and Exchange Commission last week, the company offered a bleak outlook.

It said that as supply chain hacks “continue to evolve at a rapid pace,” it “may not be able to identify current attacks, anticipate future attacks, or implement adequate security measures.”

The ultimate painful result, the filing added:

“Customers have and may in the future delay the purchase or choose to cancel or not renew their agreements or subscriptions with us.”

Associated Press writer Rachel La Corte in Olympia, Washington contributed to this report.
