What is the SolarWinds hack? Who is compromised?

Written by Shruti Dhapola | Chandigarh |

Updated: December 23, 2020 12:14:38 pm

The target of the cyber attack was Orion, a software product provided by SolarWinds. (Photo: Reuters)

The “SolarWinds hack”, a cyber attack recently discovered in the United States, has emerged as one of the biggest ever, targeting the US government, its agencies and several private companies. In fact, it is probably a global cyber attack.

It was first discovered by the American cyber security company FireEye and, since then, new developments have continued to emerge every day. The full extent of the cyber attack remains unknown, although it is believed that the US Treasury, the Department of Homeland Security, the Department of Commerce and parts of the Pentagon were affected.

In an opinion article written for The New York Times, Thomas P Bossert, who was homeland security adviser to President Donald Trump, blamed Russia for the attack. He wrote: “The evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world.” The Kremlin has denied involvement.

So what is this “SolarWinds hack”?

The news of the cyber attack first surfaced on December 8, when FireEye published a blog post disclosing an attack on its own systems. The firm helps manage the security of several large private companies and federal government agencies.

FireEye CEO Kevin Mandia wrote in the blog post that the company had been “attacked by a highly sophisticated threat actor”, calling it a state-sponsored attack, although he did not name Russia. He said the attack was carried out by a nation “with top-tier offensive capabilities” and that “the attacker primarily sought information related to certain government customers”. The post also said the methods used by the attackers were novel.

Then, on December 13, FireEye said that the cyber attack, which it called the UNC2452 campaign, was not limited to the company but targeted various “public and private organizations around the world.” The campaign probably started in “spring 2020 and is currently ongoing”, the post said. Worse, the extent of the stolen or compromised data is still unknown, given that the scope of the attack is still being uncovered. After the systems were compromised, “lateral movement and data theft” took place.


How have so many US government agencies and companies been attacked?

This is called a “supply chain attack”: instead of directly attacking the federal government or a private organization’s network, the hackers compromise a third-party vendor that supplies them with software. In this case, the target was an IT management software product called Orion, provided by the Texas-based company SolarWinds.

Orion is one of SolarWinds’ dominant products, and the company’s customer list includes over 33,000 organizations. SolarWinds says 18,000 of its customers have been affected. The company has since removed the list of customers from its official website.

According to that page, which has also been removed from Google’s web cache, the list included 425 of the Fortune 500 companies and the top 10 telecommunications operators in the US. A New York Times report said parts of the Pentagon, the Centers for Disease Control and Prevention, the State Department, the Department of Justice and others were all affected.

Microsoft confirmed that it had found evidence of the malware on its systems, but added that there was no evidence of “access to production services or customer data” or that “its systems were used to attack others.” Microsoft President Brad Smith said the company had begun “notifying more than 40 customers that the attackers targeted more precisely and compromised.”

A Reuters report said that even e-mails sent by Department of Homeland Security officials were “monitored by hackers.”

How did they get access?

According to FireEye, the hackers gained “access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software.” In effect, the malware, named “Sunburst”, was inserted into an Orion software update, which was then installed by over 17,000 customers.

FireEye says the attackers relied on “multiple techniques” to avoid detection and “obscure their activity.” The malware was able to access system files. What worked in the malware’s favor was that it managed to “blend in with legitimate SolarWinds activity,” according to FireEye.

Once installed, the malware gave the hackers backdoor access to SolarWinds customers’ systems and networks. More importantly, the malware was also able to evade tools such as antivirus software that could otherwise have detected it.

Where does Russia come in?

In his NYT opinion piece, Bossert pointed to Russia and its SVR agency as having the capabilities to carry out an attack of such ingenuity and magnitude.

Microsoft notes in its blog that “this aspect of the attack has created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.” It goes on to add that sophisticated attacks from Russia have become commonplace.

FireEye, however, has not yet named Russia as responsible and says the investigation is ongoing, in coordination with the FBI, Microsoft and other unnamed key partners.

What did SolarWinds and the US government say about the hack?

For now, SolarWinds recommends that all customers immediately upgrade their existing Orion platform to the latest release, which contains a fix for this malware. “If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by investigative findings and details of the impacted environment,” the company said.

Those who cannot upgrade are told to isolate their “SolarWinds servers”, which should “include blocking all Internet egress from SolarWinds servers”. At a minimum, they are told to “change passwords for accounts that have access to SolarWinds servers / infrastructure”.

The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, requiring all “federal civilian agencies to review their networks” for indicators of compromise. It asked them to “disconnect or power down SolarWinds Orion products immediately.”
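The guidance quoted above boils down to a short checklist for defenders: upgrade, or else isolate the SolarWinds servers, block all Internet egress from them, rotate the credentials that can reach them, and review network telemetry for signs of compromise. The script below is an added example, not code from the article, SolarWinds, FireEye or CISA, showing how the egress-block step can be verified from firewall logs. It assumes a constructed log format and constructed server addresses (the `SOLARWINDS_SERVERS` set and the `SAMPLE_LOGS` lines are invented for the example), and flags any connection from a designated SolarWinds host to an address outside the internal ranges: an allowed one means the block is missing or bypassed, and a denied one means the block held but an isolated server still tried to reach the Internet, which is itself worth investigating.

```python
"""Egress check for isolated SolarWinds Orion servers (added, hypothetical example)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed for this example: addresses of the hosts running Orion.
SOLARWINDS_SERVERS = frozenset({"10.0.5.20", "10.0.5.21"})

# Anything outside these ranges counts as "the Internet" for the egress rule:
# RFC 1918, loopback and link-local. Extend to match your own address plan.
# (ipaddress's is_global is deliberately not used, because it also treats the
# documentation ranges used in the sample logs below as non-global.)
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Constructed log format (not a real vendor format):
#   <timestamp> ALLOW|DENY src=<ip>:<port> dst=<ip>:<port> proto=<tcp|udp>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+proto=(?P<proto>\w+)$"
)

# Constructed sample lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for arbitrary Internet hosts.
SAMPLE_LOGS = """\
2020-12-14T10:00:01Z ALLOW src=10.0.5.20:51234 dst=10.0.7.15:443 proto=tcp
2020-12-14T10:00:02Z ALLOW src=10.0.5.20:51235 dst=203.0.113.45:443 proto=tcp
2020-12-14T10:00:03Z DENY src=10.0.5.21:40001 dst=198.51.100.9:53 proto=udp
2020-12-14T10:00:04Z ALLOW src=10.0.9.3:50000 dst=203.0.113.45:443 proto=tcp
2020-12-14T10:00:05Z ALLOW src=10.0.5.21:40002 dst=10.0.1.2:1433 proto=tcp
garbage line that does not match the format and is skipped
"""


@dataclass(frozen=True)
class EgressEvent:
    timestamp: str
    action: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_line(line):
    """Parse one log line into an EgressEvent; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return EgressEvent(m["ts"], m["action"], m["src"], m["dst"],
                       int(m["dport"]), m["proto"])


def is_internet_destination(ip_text):
    """True when the address lies outside every INTERNAL_NETWORKS range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparsable address: leave it to the parser's DENY/ALLOW view
    return not any(addr in net for net in INTERNAL_NETWORKS)


def find_egress(log_text, servers=SOLARWINDS_SERVERS):
    """Collect Internet-bound events from the designated servers, split by action."""
    result = {"allowed": [], "denied": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.src not in servers:
            continue  # malformed line, or a host the egress rule does not cover
        if not is_internet_destination(ev.dst):
            continue  # internal traffic is permitted by the isolation guidance
        result["allowed" if ev.action == "ALLOW" else "denied"].append(ev)
    return result


def block_is_effective(log_text, servers=SOLARWINDS_SERVERS):
    """The egress block is effective only if no Internet-bound connection was allowed."""
    return not find_egress(log_text, servers)["allowed"]


if __name__ == "__main__":
    found = find_egress(SAMPLE_LOGS)
    for ev in found["allowed"]:
        print(f"BLOCK MISSING: {ev.src} reached {ev.dst}:{ev.dport}/{ev.proto} at {ev.timestamp}")
    for ev in found["denied"]:
        print(f"blocked attempt: {ev.src} -> {ev.dst}:{ev.dport}/{ev.proto} at {ev.timestamp}")
    print("egress block effective:", block_is_effective(SAMPLE_LOGS))
```

Run against the sample, the script reports one allowed Internet connection from 10.0.5.20 (the block is not in place for that host) and one denied attempt from 10.0.5.21 (the block held, but the host tried an outbound DNS query). Feeding it real firewall exports only requires adapting `LOG_RE` to the vendor's line format and `SOLARWINDS_SERVERS` to the actual Orion hosts.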

The FBI, CISA and the Office of the Director of National Intelligence issued a joint statement announcing a “Cyber Unified Coordination Group (UCG)” to coordinate the government’s response to the crisis. The statement calls this a “significant and ongoing cybersecurity campaign”.

The White House and President Donald Trump have been silent. Senator Mitt Romney summed it up in comments to journalist Olivier Knox on SiriusXM radio, where he compared the attack to Russian bombers flying undetected across the country, exposing the weakness of US cyber defences. He said the silence and inaction in the White House were inexcusable.

Senator Richard Blumenthal, a Democrat, wrote on Twitter: “Russia’s cyber attack left me deeply alarmed, in fact, really scared.”

President-elect Joe Biden said in a statement: “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.”


© IE Online Media Services Pvt Ltd.