U.S. Treasury, Commerce Depts Hacked by Group Tied to 'Foreign Government’

Discussion in 'other security issues & news' started by hawki, Dec 13, 2020.

  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Five Solution Providers Breached By SolarWinds Hackers...

    Deloitte, Stratus Networks, Digital Sense, ITPS and Netdecisions were breached via SolarWinds and then specifically targeted by the hackers for additional internal compromise, according to a cybersecurity consultancy.

    The Sweden-based firm, Truesec, analyzed the malware — as well as historical network data — to determine which firms were explicitly selected by the SolarWinds hackers for further activities, meaning that additional internal compromise could have taken place.

    'The impact of this attack is likely to be of gigantic proportions,' Fabio Viggiani, technical lead for Truesec security team, wrote in a blog post Thursday. 'The full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community'..."

    https://www.crn.com/news/security/five-solution-providers-breached-by-solarwinds-hackers-researchers
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "SolarWinds Releases Updates to Address Vulnerability Related to SUPERNOVA Malware...

    AUSTIN, Texas--(BUSINESS WIRE)--SolarWinds...today announced it released updates in response to the SUPERNOVA malware for all supported versions of SolarWinds® Orion® Platform products and a fix for customers on unsupported versions of these products.

    Third parties and the media have publicly reported on a malware, now referred to as SUPERNOVA. Based on SolarWinds’ investigation, this malware could be deployed through an exploitation of a vulnerability in the Orion Platform. Like other software companies, SolarWinds seeks to responsibly disclose vulnerabilities in its products to customers, while also mitigating the risk that bad actors seek to exploit those vulnerabilities, by releasing updates to their products before the company discloses the vulnerabilities.

    SolarWinds provided two hotfix updates on December 14 and 15, 2020, that contained security enhancements, including those designed to prevent certain versions of the Orion Platform products from being exploited in a SUPERNOVA attack..."

    https://www.businesswire.com/news/h...ss-Vulnerability-Related-to-SUPERNOVA-Malware
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Suspected Russian hackers used Microsoft vendors to breach customers

    WASHINGTON (Reuters) - The suspected Russian hackers behind the worst U.S. cyber attack in years leveraged reseller access to Microsoft Corp services to penetrate targets that had no compromised network software from SolarWinds Corp, investigators said.

    While updates to SolarWinds’ Orion software were previously the only known point of entry, security company CrowdStrike Holdings Inc said Thursday hackers had won access to the vendor that sold it Office licenses and used that to try to read CrowdStrike’s email..."

    https://www.reuters.com/article/us-...rs-to-breach-customers-idUSKBN28Y1BF?rpc=401&

    "The hackers failed because 'as part of our secure IT architecture, CrowdStrike does not use Office 365 email'..."

    https://www.cyberscoop.com/crowdstrike-solarwinds-targeted-microsoft/
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "How the SolarWinds hackers are targeting cloud services in unprecedented cyberattack...

    The SolarWinds supply chain attacks are unprecedented in many ways. The attacks are sophisticated in execution, broad in scope, and incredibly potent in their effectiveness. But perhaps most notable is the unprecedented manner in which the SolarWinds attackers seem to be seeking access to cloud-based services as one of their key objectives..."

    https://www.geekwire.com/2020/solarwinds-hackers-targeting-cloud-services-unprecedented-cyberattack/
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Russian hackers compromised Microsoft cloud customers through third party, putting emails and other data at risk

    Russian government hackers have compromised Microsoft cloud customers and stolen emails from at least one private-sector company, according to people familiar with the matter, a worrying development in Moscow’s ongoing cyberespionage campaign targeting numerous U.S. agencies and corporate computer networks.

    The intrusions appear to have occurred via a Microsoft corporate partner that handles cloud-access services, those familiar with the matter said. They did not identify the partner or the company known to have had emails stolen.

    Microsoft hasn’t publicly commented on the intrusions. On Thursday, an executive with the tech giant sought to downplay the issue’s significance..."

    https://www.washingtonpost.com/nati...faa9c6-4590-11eb-975c-d17b8815a66d_story.html
     
  8. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "CrowdStrike releases free Azure security tool after failed hack...

    [CrowdStrike] found it challenging to use Azure's administrative tools to enumerate privileges assigned to third-party resellers and partners in their Azure tenant...

    To help administrators analyze their Microsoft Azure environment and see what privileges are assigned to third-party resellers and partners, CrowdStrike has released a free CrowdStrike Reporting Tool for Azure (CRT) tool...."

    https://www.bleepingcomputer.com/ne...s-free-azure-security-tool-after-failed-hack/
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,885
    Location:
    Slovenia, EU
    Russia’s SolarWinds Attack
    https://www.schneier.com/blog/archives/2020/12/russias-solarwinds-attack.html
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    I don't agree with this statement.

    Backdoors were set and, as a result, the device was compromised. The source is not the only one that can use an existing backdoor. Anyone can use it as long as they can find it. If this was espionage, it certainly was a sloppy attempt at it.
     
  11. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,010
    Location:
    Member state of European Union
    That is basically how most (all?) espionage acts at scale are performed. A one-time unauthorized login to a device for a few minutes isn't really helpful for penetrating deeper into the target's network and retrieving data.
    How do you think the NSA intercepts data from the Internet backbone infrastructure? They compromise devices and networks.
     
  12. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    10,241
    Location:
    Among the gum trees
    The Sunburst hack was massive and devastating. Here are 5 observations from a cybersecurity expert
    https://www.abc.net.au/news/2020-12...rwinds-software-cybersecurity-expert/13021104
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Microsoft: SolarWinds hackers' goal was the victims' cloud data

    Microsoft says that the end goal of the SolarWinds supply chain compromise was to pivot to the victims' cloud assets after deploying the Sunburst/Solorigate backdoor on their local networks...

    Microsoft also detailed the step by step procedure used by the attackers to gain access to their victims' cloud assets..."

    https://www.bleepingcomputer.com/ne...inds-hackers-goal-was-the-victims-cloud-data/
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "SolarWinds hackers accessed Microsoft source code, the company says

    WASHINGTON (Reuters) - The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code, Microsoft said on Thursday.

    In a blog post, Microsoft said its investigation had turned up irregularities with a 'small number of internal accounts' and that one of the accounts 'had been used to view source code in a number of source code repositories.'..."

    https://www.reuters.com/article/us-...de-microsoft-blog-post-idUSKBN2951M9?rpc=401&
     
  15. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Microsoft Hacked in Russia-Linked SolarWinds Cyberattack...

    Microsoft had previously confirmed that it had downloaded malicious software from a vendor called SolarWinds Corp. that had been modified by the hackers. Thursday’s disclosure is the first indication that the hackers were able to access internal systems at Microsoft...

    This compromised account was able to view Microsoft’s source code, but not make changes, the company said.

    A Microsoft spokesman declined to say what products or internal systems were affected by the intrusion..."

    https://www.wsj.com/articles/microsoft-hacked-in-russia-linked-solarwinds-cyberattack-11609437601
     
  16. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "...Microsoft’s approach to source code 'means we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,' the post said. 'So viewing source code isn’t tied to elevation of risk.'..."

    https://www.cyberscoop.com/microsoft-solarwinds-investigation-update/
     
  17. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
  18. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "As Understanding of Russian Hacking Grows, So Does Alarm...

    The breach is far broader than first believed...it now appears Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks...

    The hackers managed their intrusion from servers inside the United States, exploiting legal prohibitions on the National Security Agency from engaging in domestic surveillance and eluding cyberdefenses deployed by the Department of Homeland Security...

    'Early warning' sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect brewing attacks clearly failed. There is also no indication yet that any human intelligence alerted the United States to the hacking...

    The government’s emphasis on election defense, while critical in 2020, may have diverted resources and attention from long-brewing problems like protecting the “supply chain” of software...

    SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target...

    Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there...

    'We still don’t know what Russia’s strategic objectives were...'..."

    (Long Read)

    https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html
     
  19. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    FWIW:

    From Vivian Salama,
    National Security Correspondent, CNN:

    "Latest on the hack: A USG official tells me that 'a lot more' than 250 gov't & private sector networks were prob impacted by the hack, but they're still investigating.

    Trump’s NatSec Advisor Robert O’Brien was told last week it will take 'months to years' to understand and remedy"

    https://twitter.com/vmsalama/status/1346104483613462529
     
  20. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "US intel agencies blame Russia for massive SolarWinds hack

    A group of U.S. intelligence agencies on Tuesday formally accused Russia of being linked to the recently discovered hack of IT group SolarWinds that compromised much of the federal government.

    The FBI, the Office of the Director of National Intelligence (ODNI), the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) attributed the effort to Russia. The group had set up a cyber unified coordination group in December after the compromise of SolarWinds was revealed...

    'This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks,' the agencies said in a joint statement around their investigation into the cyber incident...

    The agencies emphasized that 'at this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly'..."

    https://thehill.com/policy/cybersec...cies-blame-russia-for-massive-solarwinds-hack
     
  21. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Justice Department also hacked by Russians in the ongoing cyberespionage campaign

    The Justice Department has become the latest known victim of Russian hackers, who are engaged in an ongoing campaign of cyberespionage that has afflicted federal agencies and the private sector...

    A department spokesman on Wednesday said that the department’s Office of the Chief Information Officer, which handles network security, learned on Dec. 24 of malicious activity linked to the hacking campaign.

    The intrusions in the Justice Department’s case involved its unclassified Office 365 email system..."

    https://www.washingtonpost.com/nati...1cc6aa-5050-11eb-b96e-0e54447b23a1_story.html
     
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Widely Used Software Company [JetBrains] May Be Entry Point for Huge U.S. Hacking

    Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.


    Russian hackers may have piggybacked on a tool developed by JetBrains, which is based in the Czech Republic, to gain access to federal government and private sector systems in the United States.

    American intelligence agencies and private cybersecurity investigators are examining the role of a widely used software company, JetBrains, in the far-reaching Russian hacking of federal agencies, private corporations and United States infrastructure, according to officials and executives briefed on the inquiry.

    Officials are investigating whether the company, founded by three Russian engineers in the Czech Republic with research labs in Russia, was breached and used as a pathway for hackers to insert back doors into the software of an untold number of technology companies. Security experts warn that the monthslong intrusion could be the biggest breach of United States networks in history.

    JetBrains, which counts 79 of the Fortune 100 companies as customers, is used by developers at 300,000 businesses. One of them is SolarWinds...


    The exact software that investigators are examining is a JetBrains product called TeamCity, which allows developers to test and exchange software code before its release..."

    https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "...Dmitri Alperovitch, a founder of CrowdStrike ... said compromising and introducing a back door into a product like TeamCity was 'the holy grail of a supply chain hack.'

    'It can allow an adversary to have thousands of SolarWinds-style back doors in all sorts of products in use by victims all over the world,' Mr. Alperovitch added. 'This is a very big deal'..."

    https://www.nytimes.com/2021/01/06/us/politics/russia-cyber-hack.html
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "JetBrains denies being the origin point of the SolarWinds hack

    JetBrains denies confusing reports from the New York Times and Wall Street Journal portraying it as the origin point of the SolarWinds hack, which was later used to attack thousands of companies worldwide..."

    https://www.zdnet.com/article/jetbrains-denies-being-the-origin-point-of-the-solarwinds-hack/
     
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,078
    Location:
    DC Metro Area
    "Federal Judiciary’s Systems Likely Breached in SolarWinds Hack

    Apparent compromise in suspected Russian attack has put highly sensitive nonpublic court documents at risk, officials said

    WASHINGTON—The electronic filing system used by federal courts has likely been compromised in the massive SolarWinds hack, federal judiciary officials said, extending to another branch of government the impact of a suspected Russian cyber-espionage campaign that has breached more than half a dozen Trump administration agencies..."

    https://www.wsj.com/articles/federa...ikely-breached-in-solarwinds-hack-11610040175
     