Dozens breached with a single hack

BOSTON (AP) – The SolarWinds hacking campaign attributed to Russian spies and the “serious threat” it poses to US national security are widely known. A very different – and no less alarming – coordinated series of intrusions also detected in December has received considerably less public attention.

Agile and highly skilled criminal hackers operating in Eastern Europe have broken into dozens of companies and government agencies on at least four continents by exploiting a single product that all of them used.

Victims include the New Zealand central bank, the Harvard Business School, the Australian securities regulator, the powerful American law firm Jones Day – whose clients include former President Donald Trump – the rail freight company CSX and the Kroger supermarket and pharmacy chain. The Washington state auditor’s office was also hit; there, the personal data of up to 1.3 million people, collected for an investigation into unemployment fraud, was potentially exposed.

The two-stage mega-hack in December and January of a popular file transfer program from the Silicon Valley company Accellion highlights a threat that security experts fear is getting out of hand: intrusions by top-tier criminals and state-backed hackers into software supply chains and third-party services.

Operating system companies like Microsoft have long been targets, with many thousands of installations of its Exchange email server breached globally in recent weeks, especially after the company released a patch and revealed that Chinese state hackers had penetrated the program.

Accellion victims continued to pile up, however, with many being extorted by the Russian-speaking cybercriminal gang Clop, which threat researchers believe bought the stolen data from the hackers. Their threat: pay, or your confidential data gets leaked online, whether it is proprietary documents from the Canadian aircraft manufacturer Bombardier or Jones Day attorney-client communications.

The hack of up to 100 Accellion customers, which were easily identified by hackers with an online scan, throws into sharp relief a central mission of the digital age at which both governments and the private sector have fallen short.

“Attackers are finding it increasingly difficult to gain access using traditional methods, as vendors like Microsoft and Apple have considerably strengthened the security of operating systems in recent years. Thus, attackers find easier ways to enter. This usually means going through the supply chain. And, as we have seen, it works,” said Mikko Hypponen, research director at cybersecurity company F-Secure.

Members of Congress are already dismayed by the supply chain hack of the Texas network management software company SolarWinds, which allowed suspected Russian state-backed hackers to move undetected – apparently with the sole intention of gathering intelligence – for more than half a year through the networks of at least nine government agencies and more than 100 companies and think tanks. The SolarWinds hacking campaign was discovered only in December, by the cybersecurity firm FireEye.

France suffered a similar hack, which its cybersecurity agency blamed on Russian military hackers, who also manipulated the supply chain. They planted malware in a network management software update from a company called Centreon, allowing them to quietly scan victims’ networks from 2017 to 2020.

Both of those hacks smuggled malware into software updates. The Accellion hack was different in a fundamental way: its file transfer program resided on the victims’ networks, either as a standalone appliance or as a cloud-based application. Its function is to move files that are too large to be attached to email securely.

Mike Hamilton, a former Seattle information security director now at CI Security, said the trend to exploit third-party service providers shows no signs of slowing down because it gives criminals the greatest return on their investment if they “want to compromise a wide range of companies or government agencies.”

The impact of the Accellion breach could have been mitigated if the company had alerted customers more quickly, some say.

New Zealand central bank governor Adrian Orr says Accellion issued no warning after it learned in mid-December that its nearly 20-year-old FTA application – built on outdated technology and due for retirement – had been breached.

Despite having a patch available on December 20, Accellion did not notify the bank in time to prevent its device from being tampered with five days later, the bank said.

“If we had been notified at the appropriate time, we could have corrected the system and prevented the breach,” Orr said in a statement posted on the bank’s website. Among the stolen information were files containing personal e-mails, birth dates and credit information, the bank said.

Likewise, the Washington state auditor’s office has no record of being informed of the breach until January 12, the same day Accellion announced it publicly, said spokeswoman Kathleen Cooper. Accellion said at the time that it had released a patch to the fewer than 50 affected customers within 72 hours of learning of the breach.

Accellion now tells a different story. It says it alerted all 320 potentially affected customers with multiple emails starting on December 22 – and followed up with further emails and phone calls. The company’s spokesman, Rob Dougherty, did not directly address the complaints of the New Zealand central bank and the Washington state auditor. Accellion says that fewer than 25 customers appear to have suffered significant data theft.

A timeline released on March 1 by the cybersecurity company Mandiant, which Accellion hired to examine the incident, says the company first learned of the breach on December 16. The Washington state auditor says its breach occurred at Christmas.

The question of notification timing is a serious one. Washington state has already been hit with a lawsuit, and several suits seeking class-action status have been filed against Accellion. Other organizations may also face legal or other consequences.

Last month, Harvard Business School officials sent emails to affected students to tell them that some Social Security numbers had been compromised, along with other personal information. Another victim, the Singapore-based telecommunications company Singtel, said personal data on 129,000 customers had been compromised.

Often, software companies with hundreds of programmers have only one or two security employees, said Katie Moussouris, CEO of Luta Security.

“We would like to be able to say that organizations are investing uniformly in security. But in reality, we are seeing them just dealing with the violations and promising to do better in the future. And that has been the business model.”

Dougherty, the Accellion spokesman, said the attacks “had nothing to do with personnel”, but he did not say how many people the company employed in roles directly assigned to security in mid-December.

Cybersecurity threat analysts expect the snowball of supply chain hacks to make the software industry prioritize security. Otherwise, suppliers risk the fate that has befallen SolarWinds.

In a filing last week with the Securities and Exchange Commission, the company offered a bleak outlook.

It said that as supply chain hacks “continue to evolve at a rapid pace”, the company “may be unable to identify current attacks, anticipate future attacks or implement appropriate security measures”.

The painful bottom line, the filing added:

“Customers have and may in the future postpone their purchase or choose to cancel or not renew their contracts or subscriptions with us.”

—-

Associated Press writer Rachel La Corte of Olympia, Washington contributed to this report.
