Updated: December 19, 2020 1:30:09 pm
The ‘SolarWinds hack’, a recently discovered cyber attack in the United States, has become one of the largest ever directed against the United States government, its agencies, and various other private companies. In fact, it is likely a global cyberattack.
It was first discovered by the American cybersecurity company FireEye, and since then more developments continue to come to light every day. The scale of the cyberattack is unknown, although the United States Treasury, the Department of Homeland Security, the Commerce Department, and parts of the Pentagon are believed to have been affected.
In an opinion piece written for The New York Times, Thomas P Bossert, who was President Donald Trump’s National Security Advisor, named Russia for the attack. He wrote that “the evidence from the SolarWinds attack points to the Russian intelligence agency known as SVR, whose craft is among the most advanced in the world.” The Kremlin has denied its involvement.
So what is this ‘SolarWinds hack’?
News of the cyber attack technically first became known on December 8, when FireEye posted a blog announcing that it had detected an attack on its own systems. The firm assists with the security management of several large private companies and federal government agencies.
FireEye CEO Kevin Mandia wrote in a blog post that the company was “attacked by a highly sophisticated threat actor,” calling it a state-sponsored attack, although he did not mention Russia. He said the attack was carried out by a nation “with first-rate offensive capabilities” and “the attacker primarily sought information related to certain government clients.” He also said that the methods used by the attackers were new.
Then, on December 13, FireEye said that the cyberattack, which it dubbed the UNC2452 Campaign, was not limited to the company, but had targeted various “public and private organizations around the world.” The campaign likely started in “March 2020 and has been ongoing for months,” the company said. Worse still, the extent of the stolen or compromised data is still unknown, because the scale of the attack is still being uncovered. After the systems were compromised, “lateral movement and data theft” took place.
How were so many agencies and companies of the United States government attacked?
This is called a ‘Supply Chain’ attack: instead of directly attacking the federal government or a private organization’s network, the hackers target a third-party vendor, who provides them with software. In this case, the target was an IT management software called Orion, supplied by Texas-based company SolarWinds.
Orion has been one of SolarWinds’ dominant products, with a client base of more than 33,000 companies. SolarWinds says 18,000 of its customers have been affected. Notably, the company has since removed the customer list from its official websites.
According to that page, which has also been removed from Google’s Web Archives, the list includes 425 companies in the Fortune 500 and the top 10 telecommunications operators in the United States. A New York Times report said that parts of the Pentagon, the Centers for Disease Control and Prevention, the State Department, the Justice Department and others were affected.
Microsoft confirmed that it had found evidence of the malware on its systems, although it added that there was no evidence of “access to production services or customer data”, or that its “systems were used to attack others.” Microsoft president Brad Smith said the company has begun “notifying more than 40 customers that attackers targeted more precisely and compromised.”
A Reuters report said that even emails sent by Department of Homeland Security officials were “monitored by hackers.”
How did they get access?
According to FireEye, the hackers gained “access to victims through trojanized updates to SolarWinds’ Orion IT monitoring and management software.” Basically, a software update was used to install the ‘Sunburst’ malware on Orion, which was then installed by more than 17,000 customers.
FireEye says the attackers relied on “multiple techniques” to avoid detection and “hide their activity.” The malware was able to access the system files. What worked in the malware’s favor was that it was able to “blend in with legitimate SolarWinds activity,” according to FireEye.
Once installed, the malware gave hackers a backdoor entry into SolarWinds customers’ systems and networks. More importantly, the malware was also able to thwart tools like antivirus that could detect it.
Where does Russia come in?
In his NYT op-ed, Bossert named Russia and its agency SVR, which has the ability to execute the attack of such ingenuity and scale.
Microsoft notes in its blog that “this aspect of the attack created a vulnerability in the supply chain of almost global importance, reaching many major national capitals outside of Russia.” It goes on to add that sophisticated attacks from Russia have become common.
FireEye, however, has yet to name Russia as responsible and said it is an ongoing investigation with the FBI, Microsoft and other key partners who are not named.
What have SolarWinds and the US government said about the hack?
At this time, SolarWinds recommends that all customers immediately upgrade to the current Orion platform release, which has a patch for this malware. “If attacker activity is discovered in an environment, we recommend conducting a thorough investigation and designing and executing a remediation strategy driven by the investigation findings and details of the affected environment,” the company said.
Those who cannot upgrade should isolate the “SolarWinds servers” and should “include blocking all Internet exits from the SolarWinds servers.” The minimal suggestion is “change the passwords of the accounts that have access to the SolarWinds servers / infrastructure”.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, asking all “federal civil agencies to review their networks” for indicators of compromise. It has asked them to “unplug or shut down SolarWinds Orion products immediately.”
The FBI, CISA and the office of the Director of National Intelligence issued a joint statement and announced what is called the ‘Unified Cyber Coordination Group (UCG)’ to coordinate the government’s response to the crisis. The statement calls this a “significant and ongoing cybersecurity campaign.”
The White House and President Donald Trump have been silent. Senator Mitt Romney has best summed it up in his comments to SiriusXM radio journalist Olivier Knox, comparing this attack to Russian bombers flying undetected across the country and exposing America’s cyberwar weakness. He said that the silence and inaction of the White House were unforgivable.
Democratic Senator Richard Blumenthal tweeted: “Russia’s cyberattack left me deeply alarmed, in fact absolutely scared.”
President-elect Joe Biden said in a statement: “A good defense is not enough; we need to disrupt and deter our adversaries from undertaking major cyberattacks in the first place.”
© IE Online Media Services Pvt Ltd