Dozens burned with a single hack

BOSTON (AP) – The SolarWinds hacking campaign blamed on Russian spies, and the “serious threat” it poses to US national security, are widely known. A series of very different – and no less alarming – coordinated intrusions, also detected in December, attracted much less public attention.

Highly skilled criminal hackers, believed to be operating in Eastern Europe, breached dozens of companies and government agencies on at least four continents by attacking a single product that they all used.

Victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the powerful American law firm Jones Day – whose clients include former President Donald Trump – the rail freight company CSX and the supermarket and pharmacy chain Kroger. The Washington State Auditor’s Office was also hit; there, the personal data of up to 1.3 million people, gathered for an investigation into unemployment fraud, was potentially exposed.

Mega-hack in two stages

The two-stage mega-hack, in December and January, of a popular file transfer program from the Silicon Valley company Accellion highlights a threat that security experts fear could spiral out of control: intrusions by top criminals and state-backed hackers into software supply chains and third-party services.

Operating system makers such as Microsoft have long been prime targets – thousands of installations of its Exchange email server have been breached globally in recent weeks, especially after the company issued a patch and revealed that Chinese hackers had broken into the program.

Meanwhile, Accellion victims have piled up, many of them extorted by a Russian-speaking cybercrime gang that researchers believe may have bought the stolen data from the hackers. Their threat: pay up, or sensitive data gets leaked online, whether it is proprietary documents from the Canadian aircraft manufacturer Bombardier or attorney-client communications from Jones Day.

The hack of up to 100 Accellion customers, who were easily identified by the hackers through an online scan, throws into sharp relief a basic mission of the digital age at which both governments and the private sector have failed.

“Attackers are finding it increasingly difficult to access traditional methods, as vendors such as Microsoft and Apple have significantly strengthened the security of operating systems in recent years. So attackers find easier ways. This often means going through the supply chain. And, as we have seen, it works,” said Mikko Hypponen, chief research officer at cybersecurity firm F-Secure.

Members of Congress are already preoccupied with the supply-chain hack of the Texas network management software company SolarWinds, which allowed suspected Russian state-backed hackers to move unnoticed – apparently intent solely on collecting intelligence – for more than half a year through the networks of at least nine government agencies and over 100 companies and think tanks. The SolarWinds hacking campaign was not discovered until December, by the cybersecurity firm FireEye.

France suffered a similar hack, which its cybersecurity agency blamed on Russian military agents who also went through the supply chain. They introduced malware into an update to network management software from a company called Centreon, allowing them to quietly take root in victims’ networks from 2017 to 2020.

Both of those hacks introduced malware into software updates. The Accellion hack was different in one key respect: its file transfer program sat on the victims’ networks, either as a standalone appliance or as a cloud-based application. Its job is to safely move around files that are too large to be attached to email.

Mike Hamilton, a former chief information security officer for the city of Seattle, now with CI Security, said the trend of exploiting third-party service providers shows no signs of slowing down, as it gives criminals the highest return on their investment if they “want to compromise a wide area of companies or government agencies.”

The impact of the Accellion breach could have been mitigated if the company had alerted customers faster, some complain.

New Zealand’s central bank governor, Adrian Orr, says Accellion failed to warn the bank after first learning in mid-December that its nearly 20-year-old FTA application – built on outdated technology and due for retirement – had been breached.

Despite having a patch available on Dec. 20, Accellion did not notify the bank in time to prevent a breach of its device five days later, the bank said.

“If we had been notified at the right time, we could have correlated the system and avoided the breach,” Orr said in a statement posted on the bank’s website. The stolen information included files containing personal emails, birth dates and credit information, the bank said.

Similarly, the Washington State Auditor’s Office has no evidence that it was informed of the breach until January 12, the same day that Accellion publicly announced it, said spokeswoman Kathleen Cooper. Accellion said at the time that it had released a patch for the fewer than 50 affected customers within 72 hours of finding out.

Accellion now tells a different story. It says it alerted all 320 potentially affected customers with multiple emails starting December 22, and followed up with further emails and phone calls. The company’s spokesman, Rob Dougherty, would not directly address the complaints of the New Zealand central bank and the Washington state auditor. Accellion says fewer than 25 customers appear to have suffered significant data theft.

A timeline released on March 1 by the cybersecurity firm Mandiant, which Accellion hired to investigate the incident, says the company first learned of the breach on December 16. The Washington state auditor says its hack took place at Christmas.

The question of notification timing is serious. Washington has already been hit by a lawsuit, and several plaintiffs have filed class-action suits against Accellion. Other organizations could also face legal or other consequences.

Last month, Harvard Business School officials emailed affected students to tell them that some Social Security numbers had been compromised, along with other personal information. Another victim, the Singapore telecommunications company Singtel, said personal data on about 129,000 customers was compromised.

Too often, software companies with hundreds of programmers have only one or two security people, said Katie Moussouris, CEO of Luta Security.

“We would like to say that organizations are investing uniformly in security. But in fact, we only see them coping with the violations and then swearing that they will do better in the future. And that was kind of a business model.”

Dougherty, the Accellion spokesman, said the attacks “had nothing to do with staff,” but did not say how many people the company had directly assigned to security in mid-December.

Cybersecurity threat analysts hope that the snowballing supply-chain hacks will shock the software industry into prioritizing security. Otherwise, vendors risk the fate that befell SolarWinds.

In a filing with the Securities and Exchange Commission last week, the company offered a bleak outlook.

It said that as supply-chain hacks “continue to evolve at a rapid pace”, “they may be unable to identify current attacks, anticipate future attacks or implement appropriate security measures”.

The painful end result, the filing added:

“Customers have and may, in the future, postpone purchases or choose to cancel or not renew their agreements or subscriptions with us.”

---

Associated Press writer Rachel La Corte of Olympia, Washington, contributed to the report.
