What is the SolarWinds hack, and who is behind it?

Written by Shruti Dhapola | Chandigarh

Updated: December 23, 2020 at 12:14:38 PM

The target of the cyberattack was Orion, a software platform provided by the company SolarWinds. (Photo by Reuters)

The “SolarWinds hack”, a cyberattack recently discovered in the United States, has emerged as one of the largest in history directed against the United States government, its agencies, and various private companies. In fact, it is likely to be a global cyberattack.

It was first discovered by the American cybersecurity company FireEye and, since then, new developments have continued to come to light every day. The full magnitude of the cyberattack is unknown, although it is believed that the U.S. Treasury, the Department of Homeland Security, the Department of Commerce and some parts of the Pentagon have been affected.

In an opinion article in The New York Times, Thomas P. Bossert, who was President Donald Trump’s homeland security adviser, has named Russia as responsible for the attack. He wrote: “Evidence of the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world.” The Kremlin has denied involvement.

So what is this “SolarWinds hack”?

News of the cyberattack first came on December 8, when FireEye published a blog post disclosing an attack on its own systems. The company helps manage the security of several large private companies and federal government agencies.

FireEye CEO Kevin Mandia wrote in a blog post that the company had been “attacked by a highly sophisticated threat actor,” which he described as a state-sponsored attack, though he did not name Russia. He said the attack was carried out by a nation “with top-tier offensive capabilities” and that “the attacker primarily sought information related to certain government customers.” He also said the methods used by the attackers were novel.

Then, on Dec. 13, FireEye said the cyberattack, which it called Campaign UNC2452, was not aimed at the company alone but had targeted numerous “public and private organizations around the world.” The campaign likely began in “March 2020 and has been ongoing for months,” the post said. Worse, the extent of the data stolen or compromised is still unknown, because the full scope of the attack is still being uncovered. After the initial compromise of a system, “lateral movement and data theft” followed.


How were so many US government agencies and companies attacked?

This is called a “supply chain” attack: instead of directly attacking the federal government or the network of a private organization, the hackers target an external vendor that supplies them with software. In this case, the target was an IT management software product called Orion, provided by the Texas-based company SolarWinds.

Orion has been one of SolarWinds’ most widely used products, with a customer base of more than 33,000 companies. SolarWinds says 18,000 of its customers have been affected. The company has since removed the list of customers from its official website.

According to that page, which has also been removed from Google’s web cache, the list included 425 Fortune 500 companies and the top ten U.S. telecom operators. A New York Times report said parts of the Pentagon, the Centers for Disease Control and Prevention, the State Department, the Department of Justice and others were affected.

Microsoft confirmed that it had found evidence of the malicious software on its systems, although it added that there was no evidence of “access to production services or customer data,” nor that its “systems were used to attack others.” Microsoft President Brad Smith said the company had begun “notifying more than 40 customers that the attackers targeted more precisely and compromised.”

A Reuters report said even emails sent by Department of Homeland Security officials were “monitored by hackers.”

How did they gain access?

According to FireEye, the hackers gained “access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software.” In essence, the attackers used a legitimate software update to insert the “Sunburst” malware into Orion, and that update was then installed by more than 17,000 customers.

FireEye says the attackers relied on “multiple techniques” to avoid detection and “obscure their activity.” The malicious software was able to access system files. What worked in the malware’s favor was its ability to “blend in with legitimate SolarWinds activity,” according to FireEye.

Once installed, the malicious software gave the hackers access to the systems and networks of SolarWinds customers. More importantly, the malware was also able to evade tools such as antivirus software that might otherwise have detected it.

Where does Russia come in?

In his NYT opinion piece, Bossert named Russia and its SVR agency, which has the capability to carry out an attack of this sophistication and scope.

Microsoft notes on its blog that “this aspect of the attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.” It goes on to add that sophisticated attacks originating from Russia have become commonplace.

FireEye, however, has not yet named Russia as responsible and says the investigation is ongoing, in coordination with the FBI, Microsoft and other key partners it has not named.

What have SolarWinds and the US government said about the hack?

At this time, SolarWinds recommends that all customers immediately upgrade to the latest release of the Orion platform, which includes a patch for this malware. “If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by investigative findings and details of the impacted environment,” the company said.

Those who are unable to upgrade are advised to isolate “SolarWinds servers” and to “include blocking all Internet egress from SolarWinds servers.” At a minimum, the advice is to “change passwords for accounts that have access to SolarWinds servers / infrastructure.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, which calls on all “federal civilian agencies to review their networks” for indicators of compromise. It has asked them to “disconnect or power down SolarWinds Orion products immediately.”

The FBI, CISA and the Office of the Director of National Intelligence issued a joint statement announcing a so-called “Unified Cyber Coordination Group (UCG)” to coordinate the government’s response to the crisis. The statement called it a “significant and ongoing cybersecurity campaign.”

The White House and President Donald Trump have been silent. Senator Mitt Romney best summed it up in his comments to journalist Olivier Knox of SiriusXM radio, where he compared the attack to Russian bombers flying undetected across the country and said it exposed the weakness of US cyber defenses. He called the silence and inaction of the White House inexcusable.

Democratic Sen. Richard Blumenthal tweeted, “Russia’s cyberattack left me deeply alarmed, in fact, downright scared.”

President-elect Joe Biden said in a statement: “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.”


© IE Online Media Services Pvt Ltd
