The suspected Russian hacking that compromised parts of the U.S. government was conducted with a reach and sophistication that surprised even seasoned security experts and exposed a potentially critical vulnerability in the U.S. technology infrastructure, investigators said.
While investigating a massive hacking operation that has left an almost invisible network reaching into 18,000 companies and government agencies, security experts are uncovering new evidence suggesting that the operation is part of a larger, previously undetected cyber espionage campaign that could go back several years.
The attack combined unusually stealthy tradecraft, using never-before-seen tools, with a strategy aimed at a weak link in the software supply chain that U.S. companies and government agencies had long feared but that had never before been applied to U.S. targets so consistently.
Internal spade
The hackers used a so-called supply chain attack, in which they used updates to SolarWinds software to place malicious code on the target servers.
SolarWinds produces network management software called Orion, which is widely used by government agencies and Fortune 500 companies. Like most software publishers, it distributes regular updates to its customers.
The hackers compromised SolarWinds and inserted their own malware into the updates the company distributed between March and June this year.
Approximately 18,000 customers downloaded these updates, which then acted like Trojans waiting for instructions from the hackers.
For some of these customers the instructions came, and the SolarWinds computer downloaded more code, giving the hackers a way to sneak into the network and steal data. They could access e-mail, download software and operate further online.
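The behaviour described above, a management server quietly reaching out to a destination nobody expected, is something a defender can look for in egress logs. The following script is an added example written for this article, not SolarWinds or FireEye code: it checks a monitored server's outbound connections against a per-server policy of expected update hosts and managed networks and reports anything outside it. The hostnames, addresses and policy are constructed placeholders.

```python
"""Flag outbound connections from a monitored server to destinations
outside its expected set of update hosts and managed networks.

Added example for this article; not SolarWinds or FireEye code.
Hostnames, addresses and the policy below are constructed placeholders.
"""
import ipaddress

# Constructed proxy log lines: a network-management server (10.1.5.20)
# talking to its vendor's update host, to a device it manages, and to one
# Internet host that no policy explains. The last line comes from an
# unrelated server that this policy does not cover.
EGRESS_LOG = """\
2020-06-01T10:00:01Z src=10.1.5.20 dst=downloads.vendor.example:443 action=allow
2020-06-01T10:00:09Z src=10.1.5.20 dst=10.1.7.15:161 action=allow
2020-06-01T10:05:33Z src=10.1.5.20 dst=cdn-unlisted.example:443 action=allow
2020-06-01T10:06:00Z src=10.1.9.9 dst=mail.corp.example:443 action=allow
"""

# Per-server egress policy (hypothetical): Internet hostnames the server
# may reach and internal networks it is expected to manage. Servers that
# are not listed are not checked by this script.
POLICY = {
    "10.1.5.20": {
        "hosts": {"downloads.vendor.example"},
        "nets": [ipaddress.ip_network("10.1.0.0/16")],
    },
}


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict keyed by field name."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def destination_allowed(dst, rule):
    """True if dst (a hostname or IPv4 address, without port) is covered
    by the server's rule: an address inside a managed network, or a
    hostname on the allow list."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return dst in rule["hosts"]
    return any(addr in net for net in rule["nets"])


def find_unexpected_egress(log_text, policy=POLICY):
    """Return (timestamp, src, dst) for every connection a monitored
    server made to a destination its policy does not cover."""
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        rule = policy.get(f["src"])
        if rule is None:
            continue  # not a server we hold to an egress policy
        dst = f["dst"].rsplit(":", 1)[0]  # strip the port (IPv4/hostname only)
        if not destination_allowed(dst, rule):
            flagged.append((f["ts"], f["src"], dst))
    return flagged


if __name__ == "__main__":
    for ts, src, dst in find_unexpected_egress(EGRESS_LOG):
        print(f"{ts} {src} -> {dst}: destination not in egress policy")
```

Run against the constructed log, only the connection to cdn-unlisted.example is reported. The point of keeping a written policy per server, rather than alerting on every new destination, is that a management server legitimately talks to hundreds of internal devices; the Internet side of its traffic is what should be small and boring.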
The hackers used the digital equivalent of an espionage disguise to sneak into the data streams of government and corporate networks and remain invisible. They seized old, abandoned Internet domains, turned them into hacking infrastructure and disguised their fake software as legitimate corporate assets. Worse, they embedded their malicious code in legitimate software from a trusted software vendor, SolarWinds Corp. of Austin, and its product called Orion.
The Cybersecurity and Infrastructure Security Agency, which is responsible for protecting U.S. networks, said Thursday that it had evidence that hackers were able to break into computer networks using weaknesses other than the SolarWinds software. The alert described the hacking as a serious threat to compromised victims, including numerous government agencies, critical infrastructure and private sector companies.
A few hours later, the National Security Agency, the leading U.S. cyber intelligence organization, issued a broader warning to defense agencies and contractors about vulnerabilities similar to those in the SolarWinds attack. The hackers, it said, were looking for ways to steal computer data in order to gain broader access to the network and steal protected data stored on back-end servers and in cloud data centers. According to the NSA, this approach was used in an attack involving VMware Inc. software used in national security circles, which the spy agency had warned about earlier this month.
Government officials and cyber security experts have come to the conclusion that Russia is probably responsible for the hacking, partly because of the tradecraft involved, but also because of other classified evidence, according to people familiar with the case. At least two senators briefed in the last few days have openly described the operation as Russian. Moscow denies all responsibility.
Government officials and legislators are still struggling to understand the full implications of the hack, which is seen as a classic but highly successful attempt to spy on internal communications and steal information that could be useful to Moscow’s intelligence services. It is not a destructive attack that damages or paralyzes computer systems, as some major cyber attacks have been in the past.
Cyber security company FireEye Inc.
Mr. Kovalev said customers all over the world are likely to be affected. According to the researchers, most of the organizations affected by the attack are located in the United States and Western Europe. No foreign government has announced compromises of its own systems. A former high-ranking British intelligence official said that Western governments other than the United States expect to find evidence of compromise in their systems in the coming weeks.
The SolarWinds attack was so far beyond U.S. security measures that it was detected not by the intelligence services but almost by accident, thanks to an automated security alert sent in recent weeks to FireEye, which had itself been quietly compromised.
The alert, which was also sent to the company’s security team, informed a FireEye employee that someone had logged into the company’s virtual private network from an unrecognized device using the employee’s credentials – the kind of security message that employees routinely delete. If it hadn’t triggered a review by FireEye officials, the attack would probably never have been detected, officials say.
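The alert that started the FireEye investigation, a login with valid credentials from a device the account had never used, is a check any VPN or identity log can support. The script below is an added example written for this article, not FireEye's own alerting logic: it keeps a per-user set of known devices and reports each successful login from a device outside that set. Usernames, device names and addresses are constructed placeholders.

```python
"""Flag successful VPN logins from a device the user has not been seen
on before.

Added example for this article; not FireEye's own alerting logic.
Usernames, device names and addresses are constructed placeholders.
"""

# Constructed VPN authentication records: alice always uses LAPTOP-A1 and
# then, one evening, her credentials arrive from WIN-9KQ2; bob's second
# line is a failed attempt and must not extend his known devices.
VPN_LOG = """\
2020-11-02T08:01:11Z user=alice device=LAPTOP-A1 src=203.0.113.10 result=success
2020-11-03T08:03:40Z user=alice device=LAPTOP-A1 src=203.0.113.10 result=success
2020-11-04T22:17:02Z user=alice device=WIN-9KQ2 src=198.51.100.7 result=success
2020-11-05T08:00:59Z user=bob device=MBP-B7 src=203.0.113.44 result=success
2020-11-05T08:02:13Z user=bob device=NEW-TAB src=203.0.113.44 result=failure
"""


def parse_line(line):
    """Turn 'ts key=value key=value ...' into a dict keyed by field name."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = ts
    return fields


def find_new_device_logins(log_text, baseline=None):
    """Return (timestamp, user, device) for every successful login from a
    device that is not already in the user's set of known devices.

    baseline maps user -> set of known device names, normally built from
    an earlier, trusted window of logs. If it is None, each user's first
    successful login in this log seeds their set, so only later changes
    of device are reported. Failed logins never extend the baseline, and
    each new device is reported once.
    """
    known = {user: set(devs) for user, devs in (baseline or {}).items()}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("result") != "success":
            continue
        user, device = f["user"], f["device"]
        if user not in known:
            known[user] = {device}  # first sighting seeds the baseline
            continue
        if device not in known[user]:
            alerts.append((f["ts"], user, device))
            known[user].add(device)  # report once, then treat as seen
    return alerts


if __name__ == "__main__":
    for ts, user, device in find_new_device_logins(VPN_LOG):
        print(f"{ts} {user}: successful login from unknown device {device}")
```

With no baseline supplied, the only report is alice's login from WIN-9KQ2; with an explicit baseline that lists her two devices but none for bob, bob's first login is the one reported instead. As the article's account shows, the value of such an alert depends on who receives it: a copy that reaches the security team, not only the affected employee, is what turns a routinely deleted message into a review.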
The cybersecurity company FireEye Inc., itself quietly compromised, discovered the attack. Photo: Ben Margot/Associated Press
The stealth of the attack delayed attempts to determine the extent of the intrusion, and new revelations were made every day. On Thursday, the Energy Department said its corporate networks had been compromised. According to a department spokesperson, this does not affect essential national security functions, including those of the National Nuclear Security Administration.
While U.S. government agencies were clearly targeted, a Microsoft Corp. study released on Thursday found that of the more than 40 customers identified as victims of the SolarWinds hacking, 44% were IT service providers. While 80 percent of the companies attacked were based in the United States, Microsoft also identified targets in the United Kingdom, Canada, Mexico, Belgium, Spain, Israel and the United Arab Emirates.
Overall, the information uncovered by the investigators suggests that the alleged Russian hacking operation is on a larger scale than feared a few days ago, and that it is a historic espionage campaign.
Some security experts estimate that preparing such an attack can take four years.
According to people familiar with the case, the hackers attacked the Department of Homeland Security, the vast State Department and the Treasury and Commerce Departments, among others. The SolarWinds malware update was downloaded by 18,000 companies. Researchers suspect that the hackers have probably penetrated dozens if not hundreds of systems and exploited this vulnerability because of the resources and time it takes to penetrate a network unnoticed.
Hackers infiltrated the Department of Homeland Security, the State Department and the Treasury Department, among other agencies. Photo: Eric Baradat/Agence France-Presse/Getty Images
But because it has gone unnoticed for so long, and thanks to the expertise of hackers, thousands of potential victims may never know for sure whether they have been compromised, according to security experts.
“This is a far-reaching and potentially very dangerous problem for our economic security,” said J. Michael Daniel, executive director of the Cyber Threat Alliance, an information-sharing group with the industry, and former White House coordinator for cyber security in the Obama administration. “It will take a long time to determine the extent and scope of the damage, and it is likely to cost a lot of money to repair the damage.”
It is also a black eye for the American intelligence services, who spent much of the year worrying about hacking attacks from Russia or other countries aimed at the American presidential elections and who were in a celebratory mood when this did not happen. The attack itself was aimed at various government and corporate networks and went unnoticed. It was discovered by FireEye, more by accident than by the government security services.
An alert about a login attempt set off a red alert at the company responsible for protecting the networks of some of the largest companies. FireEye has more than 100 cyber sleuths among its approximately 3,400 employees. Trained to investigate breaches at other companies, they now combed through their own company’s networks.
“It was loud and clear,” Kevin Mandia, the CEO of FireEye, said about the apparent intrusion. “After years of reacting to breaches, after years of simply understanding the details, something else happened.”
Kevin Mandia, CEO of FireEye, photographed in 2017. Photo: Andrew Harrer/Bloomberg News
Charles Carmakal, senior vice president of incident response at FireEye, led the company’s investigation. Early in the process, Carmakal said, he realized that the company was dealing with one of the most advanced and disciplined hacking groups he had ever seen.
Beyond the warning signs, the attackers seem to have understood the red flags that usually help companies like FireEye find intruders: they used IT infrastructure based entirely in the United States and gave their systems the same names as those of real FireEye employees – an unusually clever tactic to disguise the hackers’ presence even further.
More worryingly, FireEye, other security companies and intelligence and law enforcement partners have been unable to find evidence to link this infrastructure to attacks on other victims. Hackers, even good ones, often reuse their cyber tools because it’s easier, cheaper and faster.
That laser focus made the attack harder to detect, FireEye and others said. Mr. Mandia compared it to a sniper shooting through a bulletproof vest.
After noticing suspicious activity emanating from SolarWinds’ Orion product, the company’s malware analysts combed through about 50,000 lines of code looking for a needle in a haystack, Carmakal said, and eventually discovered several dozen lines of suspicious code that appeared to be out of place. Further analysis confirmed that this was indeed the source of the breach.
On Saturday, the company reported its discovery to SolarWinds, the software vendor that had unwittingly shipped the contaminated software since March, and informed the U.S. government. We mobilized our incident response team and quickly deployed significant internal resources to investigate and address the vulnerability, SolarWinds said Thursday.
This week SolarWinds released a hotfix for the security issue to customers. However, experts warn that simply closing an access point does not guarantee that the hackers have been removed, especially since they would have used their time on these networks to hide their activities further.
While intelligence services and security experts generally agree that Russia is responsible, and some believe that Moscow’s intelligence services are responsible, FireEye and Microsoft, as well as some government officials, believe that the attack was carried out by an unprecedented hacking group whose tools and methods were hitherto unknown.
Satellite image of Russian foreign intelligence headquarters in Moscow, 2019. Photo: Digital Globe/Getty Images
We were lucky to have them, said Glenn Gerstell, former National Security Agency General Counsel. Despite strong spying capabilities and a desire to constantly monitor what foreign hackers are doing abroad, U.S. intelligence agencies have few opportunities to spy on skilled opponents who have established themselves in the nation’s computer infrastructure, as SolarWinds hackers have done, Gerstell said.
The complexity and widespread success of the SolarWinds hacking marks a new frontier for cyber security. However, the technique of using a trusted software vendor as a Trojan horse to break into a customer’s house has been used before. In 2017, hackers with links to Russia placed malware in an obscure Ukrainian tax program, leading to a global malware epidemic known as NotPetya. FedEx Corp. later stated that the incident cost the company $400 million. Another victim, Merck and Co., put a price tag of $670 million on the cleanup.
The SolarWinds attack was not a matter of destruction but of deception. This allowed it to go unnoticed for so long, and it has also shown how far hackers will go to gain access to the software development tools of a medium-sized company that has a foothold in U.S. government and Fortune 500 company networks.
We still don’t know how the hackers got access to SolarWinds systems to inject the malicious code. The company stated that its Microsoft email accounts had been compromised and that access may have been used to obtain more data using Office productivity tools.
The basis for the SolarWinds hack was laid last year when the hackers acquired Internet domains to serve as external launch points for their attack, according to Joe Slowik, an investigator at the threat intelligence company DomainTools LLC. Once installed, the malware connects to servers on these domains, making it possible to carry out further attacks on SolarWinds customers and steal data.
Cyber security company Volexity Inc. tracked the SolarWinds hackers back at least four years, said Steven Adair, the president of the company.
In July he investigated the hacking of a think tank, which he declined to name, that used SolarWinds software. According to Adair, the think tank had been attacked over four years, with hackers trying to read the e-mails of some employees. The first time they got in by an unknown method; the second time they exploited a bug in Microsoft’s Exchange software. When FireEye released the results of its SolarWinds investigation on Sunday, Adair said he knew within seconds that it was the incident he had investigated during the summer.
According to Carmakal, FireEye has received phone calls in recent days from customers who think they have been infiltrated by the same hackers, even though SolarWinds’ software has never been installed on their networks.
“It would be foolish to think that the only technology they have for getting into companies is the SolarWinds technology,” Carmakal said. “As we continue our investigation, we may discover that there is another way for the attacker to gain access to these organizations.”
-Timothy Puko contributed to this article.
Email Dustin Volz at [email protected] and Robert McMillan at [email protected].
Copyright ©2020 Dow Jones & Company, Inc. All rights reserved.