U.S. Treasury, Commerce Depts Hacked by Group Tied to 'Foreign Government’

Discussion in 'other security issues & news' started by hawki, Dec 13, 2020.

  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Hackers’ Monthslong Head Start Hamstrings Probe of U.S. Breach -- ‘We may never know the full scope of what happened here’...

    ...Access was in some cases lengthy and unfettered, carried out by hackers with the ability to cleverly masquerade as IT professionals who had legitimate reason to be poking around networks linking thousands of workstations...

    .... The hackers were extraordinarily skilled and careful to cover their tracks....The attackers’ method for infiltrating networks provided them with essentially an unfettered ability to do as they please...

    ...The Orion software...uses the same permissions to change things as high-level administrators...

    The network access gives the attacker the opportunity to steal the credentials of authorized users...

    ...'The challenge of doing the forensics is you’re going to be looking at logs of events with senior IT or global admin credentials, and then you have to figure out which ones are legit and which ones are attacker-related,'...

    ...Investigators need to review a “massive” amount of data from historical network records including every interaction that infected SolarWinds’s servers had with other machines on the network...

    ...Attackers could have made small changes to firewalls, network switches or other sensitive equipment that they could use to access networks in the future. Finding those changes may require manually reviewing those machines...

    ...In some cases...hackers gained access to the systems at victim companies that manage user authentication. This allowed them to impersonate any user or account, including system administrators..."

    https://www.bloomberg.com/cybersecurity?sref=ylv224K8
     
  2. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Hack Suggests New Scope, Sophistication for Cyberattacks...

    As the probe continues into the massive hack...security specialists are uncovering new evidence that indicates the operation is part of a broader, previously undetected cyber espionage campaign that may stretch back years...

    The SolarWinds attack so eluded U.S. security measures that it was discovered not by intelligence officials but, almost accidentally, thanks to an automated security alert sent in recent weeks to an employee at FireEye...

    The warning... told the employee of FireEye that someone had used the employee’s credentials to log into the company’s virtual private network from an unrecognized device...Had it not triggered scrutiny from FireEye executives, the attack would likely still not be detected, officials say...

    Some security experts now believe there are clues to suggest preparations for the attack may date back four years...

    The warning about the login attempt set off a red alert at the cyber vendor... FireEye put more than 100 cyber sleuths on the job...

    Among the worrying signs, the attacker seemed to have an understanding of the red flags that typically help companies like FireEye find intrusions, and they navigated around them: They used computer infrastructure entirely located in the U.S.; and they gave their systems the same names used by real FireEye employee systems, an unusually adept tactic designed to further conceal the hackers’ presence...

    Once they noticed suspicious activity emanating from SolarWinds’ Orion product, the company’s malware analysts scoured some 50,000 lines of code in search for 'a needle in a stack of needles,' Mr. Carmakal said, eventually spotting a few dozen lines of suspicious code that didn’t appear to have any reason to be there. Further analysis confirmed it as the source of the hack..."

    https://www.wsj.com/articles/hack-suggests-new-scope-sophistication-for-cyberattacks-11608251360
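The alert that surfaced the intrusion, as quoted above, was a login with an employee's valid credentials from a device not previously seen for that account, and the article notes the attackers named their systems after real employee machines. As an added illustration that is not from the article or from anyone in this thread, the Python below replays constructed VPN authentication lines and flags both a first-seen device for a known account and a known device name reappearing from a new source address. The log format, user names, device names and addresses are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample VPN authentication log lines (not real data; the line
# format is an assumption, real appliances log differently).
SAMPLE_LOG = """\
2020-11-02T08:14:05Z vpn-auth user=alice result=success device=LT-ALICE-01 src=203.0.113.10
2020-11-02T08:20:41Z vpn-auth user=bob result=success device=LT-BOB-07 src=203.0.113.11
2020-11-03T09:02:12Z vpn-auth user=alice result=success device=LT-ALICE-01 src=203.0.113.10
2020-11-30T23:41:57Z vpn-auth user=alice result=success device=LT-ALICE-01 src=198.51.100.42
2020-12-01T02:13:09Z vpn-auth user=bob result=failure device=LT-BOB-07 src=203.0.113.11
2020-12-01T02:13:40Z vpn-auth user=bob result=success device=DESKTOP-9X2K src=198.51.100.43
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn-auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"device=(?P<device>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def detect_anomalies(events):
    """Walk successful logins in order and raise two kinds of alert:
    - new_device: a known account authenticates from a device name never
      seen for that account before (the FireEye-style alert);
    - device_new_source: a known device name authenticates from a source
      address never seen with that name (how a cloned hostname shows up).
    Only successful logins extend the baseline, so failed attempts can
    neither poison it nor trigger alerts on their own."""
    user_devices = defaultdict(set)
    device_sources = defaultdict(set)
    alerts = []
    for ev in events:
        if ev["result"] != "success":
            continue
        user, device, src = ev["user"], ev["device"], ev["src"]
        if user in user_devices and device not in user_devices[user]:
            alerts.append(("new_device", ev["ts"], user, device, src))
        if device in device_sources and src not in device_sources[device]:
            alerts.append(("device_new_source", ev["ts"], user, device, src))
        user_devices[user].add(device)
        device_sources[device].add(src)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(*alert)
```

In practice the source-address rule is gated by known corporate and home ranges, otherwise roaming users generate noise; the device rule is the one that needs no tuning.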
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Hackers last year conducted a 'dry run' of SolarWinds breach

    Hackers who breached federal agency networks through software made by a company called SolarWinds appear to have conducted a test run of their broad espionage campaign last year, according to sources with knowledge of the operation...

    The hackers distributed malicious files from the SolarWinds network in October 2019, five months before previously reported files were sent to victims through the company’s software update servers. The October files, distributed to customers on Oct. 10, did not have a backdoor embedded in them, however...

    'We’re thinking they wanted to test whether or not it was going to work and whether it would be detected. So it was more or less a dry run...

    The new information about the 2019 files expands the previously reported timeline around the intrusions and indicates that the hackers had already compromised SolarWinds’ software update system at least five months earlier than reported...

    The files that infected customers on Oct. 10 were compiled the same day customers got infected with them, as were files released in the spring of 2020, infecting customers within hours...

    The fact that the hackers released their files so soon after compiling them suggests they had already done extensive reconnaissance on the SolarWinds network to ensure that their delivery of the code to customers was ready to go as soon as the files were completed..."

    https://www.yahoo.com/news/hackers-...-dry-run-of-solar-winds-breach-215232815.html
     
  4. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    State of Florida Hacked

    "Florida launches investigation into hacking of its servers

    TALLAHASSEE, Fla. (AP) - Florida officials acknowledged Friday that state servers appear to have been compromised by overseas hackers who gained entry by embedding malicious code into networking software from a Texas-based software company, SolarWinds..."

    https://www.dailymail.co.uk/wires/a...a-launches-investigation-hacking-servers.html
     
  5. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Hacked networks will need to be burned ‘down to the ground’

    It’s going to take months to kick elite hackers widely believed to be Russian out of the U.S. government networks they have been quietly rifling through since as far back as March in Washington’s worst cyberespionage failure on record...

    Experts say there simply are not enough skilled threat-hunting teams to identify all the government and private-sector systems that may have been hacked...

    'We have a serious problem. We don’t know what networks they are in, how deep they are, what access they have, what tools they left,' said Bruce Schneier, a prominent security expert and Harvard fellow.

    The only way to be sure a network is clean is 'to burn it down to the ground and rebuild it,' Schneier said..."

    https://apnews.com/article/hacking-russia-bafff5557a8941aa1a5ef239d36c4e28
     
  6. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Security experts are 'freaking out' about how foreign hackers carried out the 'most pristine espionage effort' in modern history right under the US's nose...

    'This was a pristine espionage effort unlike anything we've seen in a very long time,' said Karim Hijazi, a former intelligence community contractor. 'Everyone in the cybersecurity community is freaking out, because we don't know where this could stop.'...

    Security experts say the most alarming aspect is that officials are nowhere close to gauging the hack's full scope, who else may have been compromised, and what the attackers could have obtained.

    'This could be an ongoing operation that never ends'..."

    https://www.businessinsider.com/cybersecurity-experts-freaking-out-solarwinds-russia-hack-2020-12
     
  7. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,662
    Location:
    Under a bushel ...
    Would love to know @cruelsister's take on this one.
    And we thought the CCleaner hack was quite big!
    I would imagine it is realistically nigh impossible to recover from this hack.
     
  8. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,308
    Location:
    Member state of European Union
    Here is some funny quote from SolarWind's Greg Stuart:
    The Pros and Cons of Open-source Tools
    Reminder: SolarWind is not open-source software ;) yet:
    to be fair:
    but it isn't completely ruled out.
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "The massive cyber spy campaign against the U.S. government is grave and ongoing. And Russia is ‘pretty clearly’ behind it, Pompeo says.

    Russia is behind the massive, ongoing cyber spy campaign against the federal government and private sector, Secretary of State Mike Pompeo said Friday — the first Trump administration official to publicly blame Moscow for the computer hacks...

    'This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity,' said Pompeo...

    Pompeo’s 'attribution is a very important step,' said Tom Bossert, who was Trump’s homeland security adviser until April 2018. 'The United States can now direct its focus and unite the world against this outrage.'..."

    https://www.washingtonpost.com/nati...850cf0-41b3-11eb-8bc0-ae155bee4aff_story.html
     
  10. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  11. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    The President of the United States of America, Donald J. Trump's first comments on SolarWinds:

    "The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!). There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA."


    https://twitter.com/realDonaldTrump/status/1340333618691002368

    https://twitter.com/realDonaldTrump/status/1340333619299147781
     
    Last edited: Dec 19, 2020
  12. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "CISA Updates Alert and Releases Supplemental Guidance on Emergency Directive for SolarWinds Orion Compromise

    Original release date: December 18, 2020 | Last revised: December 19, 2020

    CISA has updated AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, originally released December 17. This update states that CISA has evidence of, and is currently investigating, initial access vectors in addition to those attributed to the SolarWinds Orion supply chain compromise. This update also provides new mitigation guidance and revises the indicators of compromise table; it also includes a downloadable STIX file of the IOCs.

    In addition, CISA has released supplemental guidance to Emergency Directive (ED) 21-01, providing new information on affected versions, new guidance for agencies using third-party service providers, and additional clarity on required actions..."

    https://us-cert.cisa.gov/ncas/curre...-and-releases-supplemental-guidance-emergency
     
  13. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "At Least 200 Victims Identified in Suspected Russian Hacking

    (Bloomberg) -- At least 200 organizations, including government agencies and companies around the world, have been hacked as part of a suspected Russian cyber-attack that implanted malicious code in a widely used software program, said a cybersecurity firm and three people familiar with ongoing investigations...

    ...the number that was actually hacked -- meaning the attackers used the backdoor to infiltrate computer networks...

    The number is expected to grow as the wide-ranging investigation continues..."

    https://www.bnnbloomberg.ca/at-least-200-victims-identified-in-suspected-russian-hacking-1.1538882
     
  14. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    " 'Powerful tradecraft': how foreign cyber-spies compromised America

    (Reuters) - Speaking at a private dinner for tech security executives at the St. Regis Hotel in San Francisco in late February, America’s top cyber defense chief boasted how well his organizations protect the country from spies...

    U.S. teams were 'understanding the adversary better than the adversary understands themselves,' said General Paul Nakasone, boss of the National Security Agency (NSA) and U.S. Cyber Command...

    Yet even as he spoke, hackers were embedding malicious code into the network of a Texas software company called SolarWinds Corp...

    A little over three weeks after that dinner, the hackers began a sweeping intelligence operation that has penetrated the heart of America’s government and numerous corporations and other institutions around the world..."

    https://in.reuters.com/article/glob...cyber-spies-compromised-america-idINKBN28T0Y1
     
  15. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    To trust a government with a so-called security program to prevent cyber-spies is totally absurd considering the same government cannot run a post office profitably or not run the country into trillions of dollars of debt. Incompetence is all around; what should we expect?
     
  16. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,662
    Location:
    Under a bushel ...
  17. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,646
    Location:
    U.S.A. (South)
    @cruelsister and myself had long already had enough to gnaw about after the OPM incident

    https://www.opm.gov/cybersecurity/cybersecurity-incidents/

    No compensation other than the same old monitoring services offered after damage was already done.

    I still have my proof letter. Government sux at security especially now with so-called educated kids running things they have no business even being part of.

    Mighty considerate of them that personal high classified info and stats lay in the loving arms of this useless government
     
  18. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,662
    Location:
    Under a bushel ...
    In the words of a software developer I respect, 'digital natives' who can 'scroll a picture gallery at most'.
     
  19. reasonablePrivacy

    reasonablePrivacy Registered Member

    Joined:
    Oct 7, 2017
    Posts:
    2,308
    Location:
    Member state of European Union
    Second hacking team was targeting SolarWinds at time of big breach
     
  20. cruelsister

    cruelsister Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    1,697
    Location:
    Paris
    100> Begin Rant

    As this breach will be in the News for a while yet, it may be a good thing to highlight a few things. The creation of a backdoor and weaving it into a dll (SUNBURST) was nicely done (I especially loved the delayed activation) but not earth shaking. Packaging that dll into an Orion update is quite easy. The issue is not the malware itself but what had to be accomplished to deliver it successfully.

    Consider that the involved Group had to obtain digital signatures for the malicious dll itself as well as the update package. Furthermore, in order to distribute the update from SolarWinds servers, credentials had to be obtained to upload it, and all these things happened while SolarWinds security was oblivious to it. There are only two ways that this could have been accomplished: either they had an Inside Man (men) or had bribed/blackmailed/seduced these folks to acquire such access. Trust me when I say that this would be a time consuming process requiring a great deal of Trade Craft as well as being very, very expensive to pull off. Realistically we are talking a State sponsored attack (whether from RSA, China, or Liechtenstein is no matter).

    What I'm sure we will see are a bunch of mid-level bureaucrats from Government and industry spewing out reams and reams of updated policies SO THAT THIS WILL NEVER HAPPEN AGAIN!!!!! Well, I hate to darken their day, but these updated policies will be ineffective and sadly no security firm, whether Palo Alto, Crowdstrike, Symantec (yeah, as if...), or Fortinet, etc. could protect against this. Yes, once the malware was active for God knows how long (talk is that actual creation of the backdoor was in April) and doing God knows what to God knows Whom, the effects could be detected after something untoward has already occurred, as was seen when FireEye noticed something odd.

    To prevent this hack and all others of this sort Governments and Industries must implement the William Adama Defense. Yes, just as in B. Galactica these organizations MUST DISCONNECT from the Network and NEVER USE IT AGAIN in order to defeat the Cylons (I mean Hackers). But as this may not be realistic to do, we can also change humanity so that no one will ever be in a position to be bribed, blackmailed, seduced or compromised in any way.

    If these remediations cannot be implemented then we are pretty much screwed and are already in the Hands of the Enemy.

    999> End Rant
     
    Last edited: Dec 21, 2020
  21. paulderdash

    paulderdash Registered Member

    Joined:
    Dec 27, 2013
    Posts:
    4,662
    Location:
    Under a bushel ...
     
  22. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Microsoft identifies additional SolarWinds Orion malware

    In the process of analyzing the malware responsible for the high-profile SolarWinds hack, Microsoft has discovered that the compromised software, Orion, was also infected with another, completely unrelated malware....

    ...the company said that it found a 'small persistence backdoor in the form of a DLL file named App_Web_logoimagehandler.ashx.b6031896.dll. '...

    ...the malware is programmed to allow remote code execution through SolarWinds’ web application server, when installed in the folder “inetpub\SolarWinds\bin\”. Microsoft said that, due to the fact that the DLL doesn’t have a digital signature, it most likely isn’t related to the supply chain compromise...

    ...the infected DLL can receive a C# script from a web request, then compile and execute it..."

    https://www.itproportal.com/news/microsoft-identifies-additional-solarwinds-orion-malware/
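Microsoft's clue, per the article, was that the second DLL carried no digital signature. As an added example that is not from the article and not Microsoft's tooling, the stdlib-only Python below inventories the DLLs of a folder such as the Orion web directory inetpub\SolarWinds\bin and reports those with no embedded Authenticode certificate table; the minimal PE32+ image it builds for demonstration is constructed and not a loadable DLL. Presence of the table is only a triage signal: a real verdict needs chain validation and catalog-signature lookup, e.g. PowerShell's Get-AuthenticodeSignature or signtool.

```python
import os
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (certificate table)

def has_embedded_signature(data):
    """True if the PE image has a non-empty Authenticode certificate table.
    Raises ValueError for data that is not a well-formed PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20  # optional header follows the 20-byte COFF header
    try:
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic == 0x10B:    # PE32: data directories begin at offset 96
            dirs = opt + 96
        elif magic == 0x20B:  # PE32+: data directories begin at offset 112
            dirs = opt + 112
        else:
            raise ValueError("unknown optional header magic")
        _va, size = struct.unpack_from("<II", data, dirs + 8 * SECURITY_DIR_INDEX)
    except struct.error:
        raise ValueError("truncated PE header")
    return size != 0

def unsigned_dlls(files):
    """files: iterable of (name, bytes). Returns the names of DLLs with no
    embedded signature or an unparseable header (both deserve a closer look)."""
    flagged = []
    for name, data in files:
        if not name.lower().endswith(".dll"):
            continue
        try:
            if not has_embedded_signature(data):
                flagged.append(name)
        except ValueError:
            flagged.append(name)
    return flagged

def scan_directory(path):
    """Run unsigned_dlls over the regular files of one directory."""
    def read(n):
        with open(os.path.join(path, n), "rb") as fh:
            return fh.read()
    return unsigned_dlls((n, read(n)) for n in sorted(os.listdir(path))
                         if os.path.isfile(os.path.join(path, n)))

def build_minimal_pe(signed):
    """Constructed PE32+ header (not a loadable DLL), used only to exercise
    the check; optionally fills in the certificate-table directory entry."""
    img = bytearray(0x40 + 4 + 20 + 240)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)           # e_lfanew -> PE header
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", img, 0x40 + 4 + 16, 240)   # SizeOfOptionalHeader
    opt = 0x40 + 4 + 20
    struct.pack_into("<H", img, opt, 0x20B)           # PE32+ magic
    if signed:
        struct.pack_into("<II", img, opt + 112 + 8 * SECURITY_DIR_INDEX, 0x1000, 0x800)
    return bytes(img)
```

Calling scan_directory on the real folder lists candidates to hand to a signature verifier; unsigned_dlls takes (name, bytes) pairs so the same logic runs over files collected from a remote host.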
     
  23. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    FYI:

    Nearly a decade ago the US pulled off a similar, if far more targeted, supply chain hack.

    It was of Huawei, originally to search for PRC backdoors but then to hack its clients:

    https://nytimes.com/2014/03/23/wor
     
  24. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
  25. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    6,130
    Location:
    DC Metro Area
    "Treasury Department’s Senior Leaders Were Targeted by Hacking...

    The Russian hackers who penetrated United States government agencies broke into the email system used by the Treasury Department’s most senior leadership...dozens of email accounts were compromised, apparently including in what is called the departmental offices division, where the most senior officials operate.

    The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries...

    Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen..."

    https://www.nytimes.com/2020/12/21/us/politics/russia-hack-treasury.html
     