SolarWinds Hack Was the Largest and Most Sophisticated Attack Ever
April 14, 2021
By Paul Davis
Back in November of 2019, Microsoft’s President Brad Smith was questioned on 60 Minutes about the SolarWinds cyber hack, which the U.S. intelligence community stated was likely committed by “an actor Russian in origin.”
“I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen,” Smith said.
On February 23rd, Florida Republican Senator Marco Rubio, the Senate Select Committee on Intelligence’s Vice Chairman, spoke at an open hearing on the SolarWinds hack.
He thanked the witnesses from Microsoft, FireEye, SolarWinds and CrowdStrike, who appeared before the committee to discuss what has been called the largest cyber supply chain operation ever detected.
Rubio noted that the cyber operation involved the modification of the SolarWinds Orion platform, a widely used software product, to include a malicious backdoor that was downloaded by up to 18,000 SolarWinds customers between March and June 2020.
“Perhaps most insidious about the operation was that it hijacked the very security advice promulgated by computer security professionals to verify and apply patches as they are issued,” Rubio said. “There are many concerning aspects to this operation that raise significant questions.”
Rubio stated that it was his understanding that if FireEye had not investigated an anomalous event within its own network in November of 2020, it was quite possible that the hack operation would be continuing unfettered even now.
“Despite the investment that we have made in cybersecurity, collectively between the government and the private sector, no one detected this activity earlier – and this actor was within SolarWinds’ network since at least September 2019,” Rubio said. “Put simply, how did we miss this? What are we still missing? And what do we need to do to make sure we don’t miss it again?”
Testifying before the committee, Microsoft’s Smith stated that at this stage Microsoft has seen substantial evidence that points to the Russian foreign intelligence service, and has not seen any evidence that leads anywhere else.
Speaking before the U.S. Senate’s Judiciary Committee on March 2nd, FBI Director Christopher Wray spoke about a variety of issues, including the SolarWinds hack.
“In 2020, nation-state and criminal cyber actors took advantage of people and networks made more vulnerable by the sudden shift of our personal and professional lives online due to the COVID-19 pandemic, targeting those searching for personal protective equipment, worried about stimulus checks, and conducting vaccine research,” Wray testified. “Throughout the last year, the FBI has seen a wider-than-ever range of cyber actors threaten Americans’ safety, security, and confidence in our digitally connected world. Cyber-criminal syndicates and nation-states keep innovating ways to compromise our networks and maximize the reach and impact of their operations, such as by selling malware as a service or by targeting vendors as a way to access scores of victims by hacking just one provider.”
Wray stated that the criminals and nation-states believe they can compromise U.S. networks, steal U.S. property, and hold U.S. critical infrastructure at risk without incurring any risk to themselves.
“In the last year alone, we have seen, and have publicly called out, China, North Korea, and Russia for using cyber operations to target U.S. COVID-19 vaccines and research,” Wray said. “We have seen the far-reaching disruptive impact a serious supply-chain compromise can have through the SolarWinds intrusions, which we believe was conducted by an Advanced Persistent Threat actor, likely Russian in origin.”
“We have seen China working to obtain controlled defense technology and developing the ability to use cyber means to complement any future real-world conflict. We have seen Iran use cyber means to try to sow divisions and undermine our elections, targeting voters before the November election and threatening election officials after.”
Wray said the FBI has to make it harder and more painful for hackers and criminals, which is why he announced the new FBI cyber strategy last year: using the FBI’s role as the lead federal agency with both law enforcement and intelligence responsibilities not only to pursue FBI actions, but to work seamlessly with the FBI’s domestic and international partners to defend their networks, attribute malicious activity, sanction bad behavior, and take the fight to adversaries overseas.
“We must impose consequences on cyber adversaries and use our collective law enforcement and intelligence capabilities to do so through joint and enabled operations sequenced for maximum impact,” Wray said. “And we must continue to work with the Department of State and other key agencies to ensure that our foreign partners are able and willing to cooperate in our efforts to bring the perpetrators of cybercrime to justice.”
But Wray noted that the government needs the private sector to do its part as well.
“We need the private sector to come forward to warn us—and warn us quickly—when they see malicious activity. We also need the private sector to work with us when we warn them that they are being targeted. The SolarWinds example only emphasizes what I have been saying for a long time: The government cannot protect against cyber threats on its own. We need a whole-of-society approach that matches the scope of the danger. There is really no other option for defending a country where nearly all of our critical infrastructure, personal data, intellectual property, and network infrastructure sits in private hands.”
SIDEBAR
On January 5, 2021, the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint statement:
“On behalf of President Trump, the National Security Council staff has stood up a task force construct known as the Cyber Unified Coordination Group (UCG), composed of the FBI, CISA, and ODNI with support from NSA, to coordinate the investigation and remediation of this significant cyber incident involving federal government networks. The UCG is still working to understand the scope of the incident but has the following updates on its investigative and mitigation efforts.
This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.
The UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted.
This is a serious compromise that will require a sustained and dedicated effort to remediate. Since its initial discovery, the UCG, including hardworking professionals across the United States Government, as well as our private sector partners, have been working non-stop. These efforts did not let up through the holidays. The UCG will continue taking every necessary action to investigate, remediate, and share information with our partners and the American people.
As the lead agency for threat response, the FBI’s investigation is presently focused on four critical lines of effort: identifying victims, collecting evidence, analyzing the evidence to determine further attribution, and sharing results with our government and private sector partners to inform operations, the intelligence picture, and network defense.
As the lead for asset response, CISA is focused on sharing information quickly with our government and private sector partners as we work to understand the extent of this campaign and the level of exploitation. CISA has also created a free tool for detecting unusual and potentially malicious activity related to this incident. In an Emergency Directive posted December 14, CISA directed the rapid disconnect or power-down of affected SolarWinds Orion products from federal networks.
CISA also issued a technical alert providing technical details and mitigation strategies to help network defenders take immediate action. CISA will continue to share any known details as they become available.
As the lead for intelligence support and related activities, ODNI is coordinating the Intelligence Community to ensure the UCG has the most up-to-date intelligence to drive United States Government mitigation and response activities. Further, as part of its information-sharing mission, ODNI is providing situational awareness for key stakeholders and coordinating intelligence collection activities to address knowledge gaps.
Lastly, the NSA is supporting the UCG by providing intelligence, cybersecurity expertise, and actionable guidance to the UCG partners, as well as National Security Systems, Department of Defense, and Defense Industrial Base system owners. NSA’s engagement with both the UCG and industry partners is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures.
The UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that evidence is preserved and collected. Additional information, including indicators of compromise, will be made public as they become available.”
Paul Davis, a regular contributor to the Journal, writes the IACSP online Threatcon column.