Dozens were burned by a single hack

BOSTON (AP): The SolarWinds hacking campaign blamed on Russian spies and the “grave threat” it poses to U.S. national security are widely known. A very different set of coordinated intrusions, no less alarming and also detected in December, has garnered considerably less public attention.

Agile and highly skilled criminal hackers believed to be operating in Eastern Europe hacked dozens of companies and government agencies on at least four continents by breaking into a single product they all used.

Victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-profile U.S. law firm Jones Day (whose clients have included former President Donald Trump), the rail freight company CSX and the supermarket and pharmacy chain Kroger. So was the Washington State Auditor’s office, where the personal data of up to 1.3 million people, gathered for an investigation into unemployment fraud, was potentially exposed.

The two-stage mega-hack in December and January of a popular file transfer program from the Silicon Valley company Accellion highlights a threat that security experts fear could get out of hand: intrusions by top-tier criminals and state-backed hackers into software supply chains and third-party services.

Operating system companies like Microsoft have long been targets too. Thousands of on-premises installations of its Exchange email server were breached globally in recent weeks, especially after the company issued a patch and revealed that Chinese state hackers had penetrated the program.

Meanwhile, Accellion’s victims have been piling up, and many have been extorted by the Russian-speaking cybercriminal gang Clop, which investigators believe may have bought the stolen data from the hackers. Its threat: pay, or your sensitive data gets leaked online, whether proprietary documents from the Canadian aircraft manufacturer Bombardier or communications between Jones Day lawyers and their clients.

The hacking of up to 100 Accellion customers, whom the attackers easily identified with an online scan, throws into painful relief a basic task of the digital age at which both governments and the private sector have fallen short.

“Attackers are finding it increasingly difficult to get in through traditional methods, as vendors such as Microsoft and Apple have significantly tightened the security of operating systems in recent years. Therefore, attackers find easier ways. This often means going through the supply chain. And, as we’ve seen, it works,” said Mikko Hypponen, research director at the cybersecurity company F-Secure.

Members of Congress are already dismayed by the supply chain hack of the Texas network management software company SolarWinds, which allowed alleged Russian state-backed hackers, apparently intent solely on intelligence gathering, to tiptoe for more than half a year through the networks of at least nine government agencies and more than 100 companies and think tanks. The SolarWinds hacking campaign was discovered only in December, by the cybersecurity firm FireEye.

France suffered a similar hack, attributed by its cybersecurity agency to Russian military agents, who also went through the supply chain. They inserted malware into an update to the network management software of a company called Centreon, which allowed them to root around quietly in victims’ networks from 2017 to 2020.

Both hacks introduced malware into software updates. The Accellion hack was different in one key respect: its file transfer program resided on the victims’ networks, either as a standalone appliance or as a cloud-based application. Its job is to securely move files that are too large to attach to an email.

Mike Hamilton, former head of information security for Seattle and now with CI Security, said the trend of exploiting external service providers shows no signs of slowing down, as it gives criminals the maximum return on their investment if “they want to compromise a wide range of companies or government agencies.”

The impact of Accellion’s breach could have been softened if the company had alerted customers more quickly, some complain.

New Zealand Central Bank Governor Adrian Orr says Accellion failed to warn the bank after first learning in mid-December that its nearly 20-year-old FTA application, which used outdated technology and was scheduled for retirement, had been breached.

Despite having a patch available on Dec. 20, Accellion did not notify the bank in time to prevent its device from being breached five days later, the bank said.

“If we had been notified at the right time, we could have patched the system and avoided the breach,” Orr said in a statement posted on the bank’s website. Among the information stolen were files containing personal emails, dates of birth and credit information, the bank said.

Similarly, the Washington State Auditor’s office has no record of being notified of the breach until Jan. 12, the same day Accellion publicly announced it, said spokeswoman Kathleen Cooper. Accellion said at the time that it had rolled out a patch to the fewer than 50 affected customers within 72 hours of learning of the breach.

Accellion now tells a different story. It says it alerted all 320 potentially affected customers with multiple emails beginning Dec. 22, and followed up with emails and phone calls. The company’s spokesman, Rob Dougherty, would not directly address the complaints of New Zealand’s central bank and Washington state. Accellion says it appears fewer than 25 customers suffered a significant data theft.

A timeline posted March 1 by the cybersecurity company Mandiant, which Accellion hired to examine the incident, says the company first learned of the breach on Dec. 16. The Washington state auditor says its attack occurred around Christmas.

The notification timing issue is serious. Washington state has already been hit with a lawsuit, and several lawsuits seeking class-action status have been filed against Accellion. Other organizations may also face legal or other consequences.

Last month, Harvard Business School officials emailed affected students to tell them that some Social Security numbers had been compromised, along with other personal data. Another victim, the Singapore-based telecommunications company Singtel, said personal data of 129,000 customers was compromised.

Too often, software companies with hundreds of programmers have only one or two security people, said Katie Moussouris, CEO of Luta Security.

“We would like to be able to say that organizations invest uniformly in security. But in reality we only see them suffer breaches and then promise to do better in the future. And this has been a kind of business model.”

Dougherty, Accellion’s spokesman, said the attacks “had nothing to do with staffing,” but would not say how many people the company had directly assigned to security in mid-December.

Cybersecurity threat analysts expect the snowballing supply chain hacks to push the software industry to prioritize security. Otherwise, vendors risk the fate that has befallen SolarWinds.

In a filing last week with the Securities and Exchange Commission, the company offered a bleak outlook.

It said that as supply chain hackers “continue to evolve at a rapid pace,” it “may be unable to identify current attacks, anticipate future attacks, or implement appropriate security measures.”

The painful end result, the filing added:

“Customers may, and may in the future, postpone purchases or choose to cancel or not renew their agreements or subscriptions with us.”

Associated Press writer Rachel La Corte in Olympia, Washington, contributed to this report.