What is the SolarWinds hack? Who has been compromised?

Written by Shruti Dhapola, Chandigarh

Updated: December 23, 2020 12:14:38 PM

The target of the cyber attack was Orion, a software product provided by the company SolarWinds. (Reuters photo)

The ‘SolarWinds hack’, a cyber attack recently discovered in the United States, has emerged as one of the biggest ever directed against the US government, its agencies and several private companies. In fact, it is likely to be a global cyber attack.

It was first discovered by the United States cybersecurity company FireEye, and since then, more developments continue to emerge every day. The scale of the cyber attack remains unknown, although the United States Treasury, the Department of Homeland Security, the Department of Commerce and parts of the Pentagon are believed to have been impacted.

In an opinion article written for The New York Times, Thomas P Bossert, who was President Donald Trump’s Homeland Security Advisor, pointed to Russia as being behind the attack. He wrote that “evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world”. The Kremlin denied its involvement.

So, what is this ‘SolarWinds hack’?

The cyber attack first became public on December 8, when FireEye published a blog post disclosing an attack on its own systems. The company provides security services to several large private companies and federal government agencies.

FireEye CEO Kevin Mandia wrote in a blog post that the company was “attacked by a highly sophisticated threat actor”, calling it a state-sponsored attack, although he did not name Russia. He said the attack was carried out by a nation “with top-tier offensive capabilities” and that “the attacker primarily sought information related to certain government customers”. He also said that the methods used by the attackers were new.

Then, on December 13, FireEye said that the cyber attack, which it tracks as UNC2452, was not limited to the company but had targeted several “public and private organizations around the world”. The campaign probably started in “March 2020 and has been going on for months,” the post said. Worse, the extent of the stolen or compromised data is still unknown, since the scale of the attack is still being uncovered. After the systems were compromised, “lateral movement and data theft” occurred.


How have so many US government agencies and companies been attacked?

This is being called a ‘supply chain’ attack: instead of directly attacking the federal government’s or a private organization’s network, the hackers target a third-party vendor that supplies software to them. In this case, the target was an IT management software product called Orion, provided by SolarWinds, a Texas-based company.

Orion has been SolarWinds’ flagship product, with a customer base of more than 33,000 companies. SolarWinds says 18,000 of its customers have been affected. Incidentally, the company has deleted the customer list from its official website.

According to that page, which has also been removed from Google’s web cache, the list included 425 of the Fortune 500 companies and the 10 largest telecommunications operators in the United States. A New York Times report said parts of the Pentagon, the Centers for Disease Control and Prevention, the State Department, the Department of Justice and others were affected.

Microsoft confirmed that it found evidence of the malware on its systems, although it added that there was no evidence of “access to production services or customer data”, or that its “systems were used to attack others”. Microsoft President Brad Smith said the company has started to “notify more than 40 customers that the attackers targeted more precisely and compromised”.

A Reuters report said that even emails sent by Department of Homeland Security employees were “monitored by hackers”.

How did they get access?

According to FireEye, the hackers gained “access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software.” Basically, a software update was abused to plant the ‘Sunburst’ malware inside Orion, and that poisoned update was then installed by more than 17,000 customers.

FireEye says the attackers relied on “multiple techniques” to avoid detection and “obscure their activity”. The malware was able to access system files. What worked in the malware’s favour was that it was able to “blend in with legitimate SolarWinds activity,” according to FireEye.

Once installed, the malware gave the hackers a back door into the systems and networks of SolarWinds’ customers. Most importantly, the malware was also able to evade tools such as antivirus software that could otherwise detect it.

Where does Russia enter?

In his opinion piece in the NYT, Bossert pointed to Russia and its intelligence agency, the SVR, as having the capability to carry out an attack of such ingenuity and scale.

Microsoft notes in its blog that “this aspect of the attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia”. It adds that sophisticated attacks from Russia have become common.

FireEye, however, has not yet named Russia as responsible, and said its investigation is ongoing in coordination with the FBI, Microsoft and other key partners that have not been identified.

What did SolarWinds and the US government say about the hack?

At the moment, SolarWinds recommends that all customers immediately update their existing Orion platform, for which a patch addressing this malware is available. “If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by investigative findings and details of the impacted environment,” it said.

Those who cannot update are instructed to isolate “SolarWinds servers”, which should “include blocking all Internet egress from SolarWinds servers”. At a minimum, it suggests “changing passwords for accounts that have access to SolarWinds servers / infrastructure”.
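The egress restriction above is a control a defender can both enforce and audit: a monitoring server such as Orion legitimately talks to the hosts it monitors on the internal network and to a small set of vendor endpoints, so any other outbound connection from it is suspicious, which is exactly the kind of activity the “blend in with legitimate activity” passage describes. The following is an added example, not code from the article, SolarWinds or FireEye; it runs simple egress-allowlist detection over a few constructed firewall log lines. The log format, the server address 10.20.0.15, the internal range and the allowlisted vendor host 203.0.113.45 are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

# Constructed sample firewall log in a simple "timestamp src dst dport action" shape.
# Addresses are from documentation ranges; nothing here is a real indicator.
SAMPLE_LOG = """\
2020-12-14T09:01:03Z 10.20.0.15 10.20.0.22 161 ALLOW
2020-12-14T09:01:07Z 10.20.0.15 10.20.1.8 135 ALLOW
2020-12-14T09:02:11Z 10.20.0.15 203.0.113.45 443 ALLOW
2020-12-14T09:03:40Z 10.20.0.15 198.51.100.7 443 ALLOW
2020-12-14T09:04:02Z 10.20.0.15 192.0.2.200 443 DENY
2020-12-14T09:04:30Z 10.20.0.99 203.0.113.45 443 ALLOW
malformed line that should be skipped
"""

# Hypothetical values: the monitoring server, the internal address space it may
# reach freely, and the only external host it is allowed to contact (vendor updates).
MONITORING_SERVERS: Set[str] = {"10.20.0.15"}
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]
EGRESS_ALLOWLIST: Set[str] = {"203.0.113.45"}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    src: str
    dst: str
    port: int
    action: str
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, str, int, str]]:
    """Split one log line into its fields; return None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, action = parts
    try:
        return ts, src, dst, int(port), action.upper()
    except ValueError:
        return None


def is_internal(ip_text: str, internal_nets: Iterable[ipaddress._BaseNetwork]) -> bool:
    """True if the address falls inside any of the internal networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in internal_nets)


def audit_egress(
    log_text: str,
    monitoring_servers: Set[str] = MONITORING_SERVERS,
    internal_nets=INTERNAL_NETS,
    allowlist: Set[str] = EGRESS_ALLOWLIST,
) -> List[Finding]:
    """Flag every outbound connection from a monitoring server that is neither
    internal nor on the egress allowlist. ALLOWed hits mean the egress block is
    not in place or has a gap; DENYed hits show the block working but something
    on the server still trying to reach out."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dst, port, action = parsed
        if src not in monitoring_servers:
            continue  # only the monitoring server is under the strict policy
        if is_internal(dst, internal_nets) or dst in allowlist:
            continue  # expected traffic
        reason = (
            "unexpected egress permitted" if action == "ALLOW"
            else "unexpected egress attempted (blocked)"
        )
        findings.append(Finding(ts, src, dst, port, action, reason))
    return findings


if __name__ == "__main__":
    for f in audit_egress(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src} -> {f.dst}:{f.port} {f.action}: {f.reason}")
```

On the sample input the two lines to 198.51.100.7 and 192.0.2.200 are reported; the first of them was allowed through, which is the finding that would send a defender to check whether the egress block was actually applied to that server. Traffic from the unrelated host 10.20.0.99 is ignored because the policy is scoped to the monitoring server.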

The United States Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, asking all “federal civilian agencies to review their networks” for indicators of compromise. It directed them to “disconnect or power down SolarWinds Orion products immediately”.

The FBI, CISA and the Office of the Director of National Intelligence issued a joint statement announcing what is called a ‘Cyber Unified Coordination Group’ (UCG) to coordinate the government’s response to the crisis. The statement calls this a “significant and ongoing cybersecurity campaign”.

The White House and President Donald Trump remained silent. Senator Mitt Romney summed it up in his comments to journalist Olivier Knox on SiriusXM radio, where he compared the attack to Russian bombers flying undetected across the country, exposing the weakness of US cyber defences. He said the White House’s silence and inaction were inexcusable.

Senator Richard Blumenthal, a Democrat, tweeted: “Russia’s cyber attack left me deeply alarmed, in fact totally scared.”

President-elect Joe Biden said in a statement: “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.”


© IE Online Media Services Pvt Ltd
