Getting Geeky, Part II: Notes on SolarWinds

Cozy Bear’s Founder

As long as we are being geeky, let’s take a brief look at the SolarWinds hack, the largest and gravest breach of computer security in American history. In the Trump-fueled crises that dominate the news cycles, we’ve lost sight of an extremely serious, potentially catastrophic problem that is going to have dangerous consequences.

Foreign actors, identified by several sources as Russian, specifically, Cozy Bear, a hacking group believed to be part of the Russian Federal Security Service or FSB, hacked a software company called SolarWinds. SolarWinds makes a software tool called Orion, used by of thousands of companies and government institutions to manage their computer and network systems. As a management tool, Orion has high user “permissions” or “privileges,” giving the tool access deep into users’ networks and systems.

The Russians compromised the update mechanism for Orion, allowing the FSB to install a back door to each Orion user’s software, inside their security systems, “behind the firewall” intended to keep bad guys away. FSB, in effect, tricked Solarwinds into distributing malware disguised as Orion. Both the design of the attack and its implementation were highly sophisticated and designed to be difficult to detect.

The hack occurred this past spring. Maybe earlier. It wasn’t discovered until December. In the interim, over an interval of perhaps as long as nine months, the FSB had largely unfettered access to almost all parts of Orion users’ computer systems. The effect was very much as if your system administrator was a crook or a spy. Except that there were thousands of these virtual spies.

At Microsoft, an Orion user, the Russians were able to view and, presumably, copy the source code for an undisclosed number of Microsoft’s products. It will take meticulous source code audits to determine if Windows, the Microsoft Office products, the groupware products and dozens of other Microsoft programs now feature Russian-generated malware.

The Departments of Defense, State, Treasury, Commerce, Homeland Security, Agriculture, Justice and Energy were all victims; the Feds have been remarkably close-mouthed about what got hacked at each of those agencies, but it can’t be good. For example,

Department of Justice Spokesman Marc Raimondi issued the following statement:

“On Dec. 24, 2020, the Department of Justice’s Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others.  This activity involved access to the Department’s Microsoft O365 email environment. “

DOJ claims the hack impacted “only” 3% of its emails, which WC thinks readers will agree is quite a large “only.”

We don’t have a list of who all was impacted by this very sophisticated hack. But FireEye, the network security firm that first reported the hack said it targeted “government, consulting, technology, healthcare, telecom, and oil and gas entities in North America, Europe, Asia, and the Middle East.” A month after the hack was discovered, Americans still don’t know if all of the damage has been contained, let alone how much damage has been done.

What makes this attack especially dangerous is that Microsoft reported in its own post that the attackers are stealing signing certificates that allow them to impersonate any of a target’s existing users and accounts, including highly privileged accounts. “Certificates” are the digital documents used to assure that you are connected to the digital domain you think you are. To an unknown extent, that assurance is now compromised.

The United States Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from NSA, is certain this was the act of the Russians. However, that noted computer network specialist, Donald Trump, blames China.

As a result, in response to this outrageous violation of our computer security the United States has done . . . nothing.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s