What is the SolarWinds hack? Who is compromised?

Written by Shruti Dhapola | Chandigarh

Updated: December 23, 2020 12:14:38 pm

The target of the cyberattack was Orion, software provided by the SolarWinds company. (Photo: Reuters)

The “SolarWinds hack”, a cyberattack recently discovered in the United States, has become one of the biggest ever targeted against the US government, its agencies and several private companies. In fact, it is likely a global cyberattack.

It was first discovered by the American cybersecurity company FireEye, and since then new developments continue to appear every day. The extent of the cyberattack remains unknown, although the US Treasury, Department of Homeland Security, Department of Commerce, and parts of the Pentagon have all been affected.

In an opinion piece written for The New York Times, Thomas P. Bossert, who was Homeland Security Advisor to President Donald Trump, blamed Russia for the attack. He wrote: “Evidence in the SolarWinds attack points to the Russian intelligence agency known as SVR, which has some of the most advanced craft in the world.” The Kremlin has denied its involvement.

So what is this “SolarWinds hack”?

News of the cyberattack technically first broke on December 8, when FireEye published a blog post disclosing an attack on its own systems. The company assists in the security management of several large private companies and federal government agencies.

FireEye CEO Kevin Mandia wrote in a blog post that the company had been “attacked by a highly sophisticated threat actor”, calling it a state-sponsored attack, although he did not name Russia. He said the attack was carried out by a nation “with high-level offensive capabilities” and that “the attacker was primarily seeking information relating to certain government clients”. He also said the methods used by the attackers were new.

Then on December 13, FireEye said the cyberattack, which it dubbed Campaign UNC2452, was not limited to the company but had targeted various “public and private organizations around the world.” The campaign likely started in “March 2020 and has been going on for months,” the post said. Worse yet, the extent of the stolen or compromised data is still unknown, given that the scale of the attack is still being discovered. Once the systems were compromised, “lateral movement and data theft” took place.


How have so many American government agencies and businesses come under attack?

This is called a “supply chain” attack: instead of directly attacking the federal government or a private organization’s network, hackers target a third-party vendor that supplies software to those organizations. In this case, the target was IT management software called Orion, supplied by the Texas-based company SolarWinds.

Orion has been a dominant product for SolarWinds, whose customers include over 33,000 companies. SolarWinds says 18,000 of its customers have been affected. The company has since removed the customer list from its official website.

According to that page, which has also been removed from Google’s cached copies, the list included 425 companies from the Fortune 500 and the top 10 carriers in the United States. A New York Times report said parts of the Pentagon, the Centers for Disease Control and Prevention, the State Department, the Justice Department and others have all been affected.

Microsoft confirmed that it found evidence of the malware on its systems, although it added that there was no evidence of “access to production services or customer data”, or that its “systems were being used to attack others”. Microsoft president Brad Smith said the company had started “informing more than 40 customers that the attackers targeted more precisely and compromised.”

A Reuters report said that even emails sent by officials from the Department of Homeland Security were “monitored by hackers.”

How did they get access?

According to FireEye, the hackers gained “access to the victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software.” In essence, a software update was used to deliver the “Sunburst” malware inside Orion, and that update was then installed by over 17,000 customers.

FireEye says the attackers relied on “multiple techniques” to avoid detection and “obscure their activity.” The malware was able to access system files. According to FireEye, what worked in the malware’s favor was that it was able to “blend into the legitimate business of SolarWinds,” meaning its network traffic and behavior looked like normal Orion activity.

Once installed, the malware gave the hackers a back door into SolarWinds customers’ systems and networks. More importantly, the malware was also able to evade tools such as antivirus software that could otherwise have detected it.
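The section above describes how a trojanized update became the delivery vehicle. The following is an added example, not code from the article or from SolarWinds, showing the defender-side control that organizations use as a baseline against substituted update packages: a pre-installation gate that compares each package’s SHA-256 digest against a manifest obtained over an independent channel, and quarantines anything that does not match or is not listed. The file name, payloads and digests are constructed for the example. One caveat the article’s account implies: a digest check only catches tampering between the vendor and the customer; if the tampered build is the one the vendor itself shipped and published digests for, this check passes, so it complements rather than replaces the monitoring and egress controls discussed later.

```python
import hashlib
import hmac
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex-encoded SHA-256 digest of a package payload."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample payloads standing in for a legitimate update and a
# copy that was altered somewhere between the vendor and this host.
LEGITIMATE_BUILD = b"orion-update (constructed sample payload, hypothetical)"
TAMPERED_BUILD = LEGITIMATE_BUILD + b"\n# injected stub (constructed, not a real artifact)"

# Hypothetical manifest of trusted digests, assumed to have been fetched
# out-of-band (for example from a signed vendor page), not from the same
# channel that delivered the package.
TRUSTED_MANIFEST: Dict[str, str] = {
    "orion-update.zip": sha256_hex(LEGITIMATE_BUILD),
}


def verify_update(filename: str, payload: bytes, manifest: Dict[str, str]) -> Tuple[bool, str]:
    """Return (ok, reason). Unknown files are rejected, not assumed safe."""
    expected = manifest.get(filename)
    if expected is None:
        return False, "no trusted digest for %s; refusing to install" % filename
    actual = sha256_hex(payload)
    # Constant-time comparison so the check itself leaks nothing via timing.
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch for %s: expected %s, got %s" % (filename, expected, actual)
    return True, "digest verified for %s" % filename


def stage_update(filename: str, payload: bytes, manifest: Dict[str, str]) -> str:
    """Gate an update: 'staged' only when verification passes, else 'quarantined'.

    A real deployment would also write the reason to a log that the SOC
    reviews, since a mismatch on a vendor package is itself an incident signal.
    """
    ok, reason = verify_update(filename, payload, manifest)
    print(reason)
    return "staged" if ok else "quarantined"


if __name__ == "__main__":
    print(stage_update("orion-update.zip", LEGITIMATE_BUILD, TRUSTED_MANIFEST))
    print(stage_update("orion-update.zip", TAMPERED_BUILD, TRUSTED_MANIFEST))
    print(stage_update("unlisted-package.zip", LEGITIMATE_BUILD, TRUSTED_MANIFEST))
```

The unlisted-package case matters as much as the mismatch: a gate that installs anything it has no digest for gives an attacker an easy bypass by renaming the file.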

Where does Russia come in?

In his NYT opinion piece, Bossert pointed to Russia and its SVR agency as having the capabilities to execute an attack of such ingenuity and scale.

Microsoft notes in its blog that “this aspect of the attack created a supply chain vulnerability of near global significance, reaching many major national capitals outside of Russia.” It adds that sophisticated attacks from Russia have become commonplace.

FireEye, however, has yet to name Russia as responsible and said it is conducting an ongoing investigation with the FBI, Microsoft and other key partners that it did not name.

What did SolarWinds and the US government say about the hack?

Currently, SolarWinds recommends that all customers immediately update their existing Orion platform, which now has a fix for this malware. “If an attacker’s activity is discovered in an environment, we recommend that you conduct a thorough investigation and design and execute a remediation strategy based on the results of the investigation and the details of the affected environment,” it said.

Those who cannot update are advised to isolate the “SolarWinds servers”, which should “include blocking all Internet egress from the SolarWinds servers”. At a minimum, the company suggests customers “change passwords for accounts that have access to SolarWinds servers/infrastructure”.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, asking all “federal civilian agencies to review their networks” for indicators of compromise. It instructed them to “immediately disconnect or power down SolarWinds Orion products.”

The FBI, CISA and the Office of the Director of National Intelligence issued a joint statement announcing a “Cyber Unified Coordination Group (UCG)” to coordinate the government’s response to the crisis. The statement calls it a “significant and ongoing cybersecurity campaign.”

The White House and President Donald Trump have remained silent. Senator Mitt Romney summed it up in his comments to SiriusXM radio reporter Olivier Knox, where he compared the attack to Russian bombers flying undetected across the country, exposing the weakness of the United States in cyber warfare. He said the silence and inaction of the White House was inexcusable.

Senator Richard Blumenthal, a Democrat, tweeted: “The Russian cyberattack has deeply alarmed me, in fact downright frightened.”

President-elect Joe Biden said in a statement: “A good defense is not enough; we need to disrupt and deter our adversaries from carrying out major cyber attacks in the first place.”


© IE Online Media Services Pvt Ltd
