Of the 18,000 organizations that downloaded a backdoored version of the SolarWinds software, only a tiny fraction, possibly as few as 0.2 percent, received a follow-on hack that used the backdoor to install a second-stage payload. The largest groups that received the second stage were, in order, technology companies, government agencies and think tanks / NGOs. The vast majority, 80 percent, of these 40 selected victims were located in the United States.
These figures were provided in an update by Microsoft President Brad Smith. Smith also shared some insightful and worrying comments about the significance of this almost unprecedented attack. His numbers are incomplete because Microsoft only sees what its Windows Defender application detects. However, Microsoft sees a lot, so any discrepancy from the real numbers is probably a rounding error.
SolarWinds is the maker of a near-ubiquitous network management tool called Orion. A surprisingly large percentage of the world's corporate networks run it. Hackers backed by a nation-state (two US senators who received private briefings say it was Russia) managed to take over SolarWinds' software build system and push out a security update containing a backdoor. SolarWinds said about 18,000 customers downloaded the malicious update.
The months-long hacking campaign came to light only after security firm FireEye disclosed that it had been breached by a nation-state. During its investigation, the company's researchers found that the hackers were using the Orion backdoor not only against FireEye but in a much larger campaign targeting several federal agencies. In the 10 days since then, the purpose and discipline of the hacking operation have become increasingly clear.
The hack on SolarWinds and its backdooring of 18,000 servers was only the first phase of the attack, one carried out solely to zero in on the targets of interest. These crème de la crème organizations were probably the real targets of the entire operation, which lasted at least nine months and probably much longer.
Microsoft's numbers illustrate how targeted this attack was. The hackers behind this supply chain compromise had privileged access to 18,000 enterprise networks and followed up on only 40 of them.
The graphic below shows the sectors of these elite hack victims.
Breaking the rules
Smith tacitly acknowledged that all industrialized nations engage in espionage, including hacking. What was different this time, he said, was that a nation-state broke the rules by putting large parts of the world at real risk in pursuit of its goals. Smith went on to write:
It is essential to take a step back and assess the significance of these attacks in their full context. This is not "espionage as usual", even in the digital age. Instead, it is an act of recklessness that has created a serious technological vulnerability for the United States and the world. In fact, it is not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure in order to advance a nation's intelligence agency. While the latest attack seems to reflect a particular focus on the United States and many other democracies, it also provides a strong reminder that people in almost every country are at risk and in need of protection, regardless of the governments they live under.
Elsewhere in the post, Smith quoted FireEye CEO Kevin Mandia as saying, "We are witnessing an attack by a nation with top-tier offensive capabilities." Smith then wrote:
As Microsoft's cybersecurity experts contribute to the response, we have reached the same conclusion. The attack is, unfortunately, a broad and successful espionage-based assault on both the confidential information of the US government and the technology tools used by companies to protect it. The attack is ongoing and is being actively investigated and addressed by cybersecurity teams in the public and private sectors, including Microsoft. As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.
The SolarWinds hack has emerged as one of the worst espionage hacks of the past decade, if not of all time. The tradecraft and precision are nothing short of amazing. As those elite victims reveal in the coming weeks what the second stage did to their networks, this story will likely shift into overdrive.