[BreachExchange] Deepening Mystery — and Fear — Over the SolarWinds Hack

[Destry Winant]

https://www.bloomberg.com/opinion/articles/2021-02-26/deepening-mystery-and-fear-over-the-solarwinds-hack

Brad Smith, Microsoft Corp.’s president, made it clear in a Senate
Intelligence Committee hearing this week that the federal government
and leading members of the business community still don’t fully
understand how digital burglars pulled off one of the most dangerous
computer hacks in history.

“Who knows the entirety of what happened here?” asked Smith. “Right
now, the attacker is the only one who knows the entirety of what they
did.”

Intelligence analysts and technologists believe that the “attacker” is
the Russian government and that about 1,000 of its operatives
orchestrated a massive breach of at least 100 companies around the
globe, as well as nine U.S. agencies. The Russians crept onto those
servers by targeting SolarWinds Inc., an Austin, Texas-based company
that is a leading provider of network and information-technology
software. Other undisclosed vendors may also have been involved.

The attack, which came to light late last year, set off alarms in the
highest reaches of the government and corporate America, prompting the
Biden administration to disclose plans to retaliate against Russia in
coming weeks. The White House hasn’t offered details about what that
response will entail, but has said it would involve more than
diplomatic or economic sanctions. The response is also meant to signal
the government’s distaste for a range of Russian activities, including
digital disruption (such as interfering in U.S. elections), theft
(such as sponsoring ransomware botnets and attempting to steal
Covid-19 vaccine research) and political vendettas (such as the
poisoning and imprisonment of the Russian dissident Alexei Navalny).

But as two committees in the House of Representatives hold a joint
hearing today on the SolarWinds hack, featuring the same witnesses who
testified before the Senate on Tuesday, it’s clear that glaring
problems remain. Computer networks are vulnerable, information about
how to defend and respond to attacks is scattered among private and
public stakeholders who don’t freely share it with one another, and
the Russian hack may be ongoing.

Although the Russians initially penetrated networks in the fall of
2019, and began lifting information last spring, the breach didn’t
become publicly known until December, when FireEye Inc., a Milpitas,
California, company specializing in digital warfare, disclosed that it
had been hacked. Cybersleuths in the federal government — including
the National Security Agency — had not been aware of the hack.
Corporate heavyweights at Microsoft weren’t aware until FireEye
alerted them shortly after Thanksgiving and asked for help conducting
a forensic analysis.

“Without this transparency, we would likely still be unaware of this
campaign,” Smith said of FireEye’s alert. “In some respect, this is
one of the most powerful lessons for all of us. Without this type of
transparency, we will fall short in strengthening cybersecurity.”

It turned out that hackers had accessed and exploited Microsoft source
code that authenticates customers using some of the software giant’s
programs. Microsoft has since acknowledged that it hadn’t made sure
its programs could detect the theft of identity tools providing
cloud-computing access to its clients — a reminder that the cloud,
overall, remains vulnerable to hackers and may be impossible to fully
protect. FireEye also discovered attackers had breached its own
private, in-house data center by piggybacking malware on a software
update from SolarWinds. And SolarWinds, which hadn’t adequately
protected its own systems, proved to be a leading nexus for a large
portion of the attacks.

After sneaking into SolarWinds, the hackers deposited malware that
gave them powers so broad they enjoyed “God-mode” — the ability to
skirt encrypted protections and control everything on a network. The
hackers masked their presence by replacing legitimate tools and
utilities with their own and then depositing time bombs on a network.
Then they covered their tracks by restoring the legitimate files. The
malware was placed on SolarWinds’ supply chain, allowing it to travel
onto victims’ networks whenever SolarWinds sent its customers a
software update.

Sudhakar Ramakrishna, the chief executive of SolarWinds, said at the
Senate hearing that his company still isn’t entirely sure how the
hackers penetrated its systems, though his team has narrowed its
investigation to three possibilities — unreassuring testimony given
how long ago his company was breached. As many as 17,000 companies
were imperiled in the Russian hack, according to Senate testimony.

Legislators attending Tuesday’s session, overseen by Senator Mark
Warner, a Virginia Democrat, said they’re considering a national data
breach reporting law — which would mandate hacking disclosures the
private sector has long resisted due to concerns about reputational
damage and legal liabilities. But Smith and Kevin Mandia, FireEye’s
chief executive, both said that companies will have to embrace greater
disclosure if they want to protect themselves.

Amazon.com Inc., which operates a ubiquitous cloud computing business,
was repeatedly criticized by legislators for not sending a
representative to testify, even though hackers breached its servers
and used them as staging grounds to strip data from government
networks. Amazon has said it wasn’t victimized in the hack, and has
already shared what it knows with law enforcement and the government.

Smith and Mandia also said that companies and governments seeking to
protect themselves need to increase public-private collaboration and
information-sharing, and take practical steps to strengthen
supply-chain security, insulate networks and redefine how
nation-states conduct themselves in cyberspace (good luck with that
last one).

“There are still too many missing pieces of the puzzle,” Smith said.
“We need a full examination of what other cloud services and networks
the Russians have accessed. Before we as a nation can secure our
digital ecosystem, we need to know that the Russian attackers are no
longer present in the dozens or hundreds of networks in which they
have accessed data or information through this attack.”

Scared yet?