This is the first of a multi-part article, as it's lengthy and many articles and commentary await. Enjoy!
On catchup as usual, SolarWinds takes a very interesting turn going all the way back to December 8th. Why do I say that? We learn that FireEye, the company that found the SolarWinds breach to begin with, was itself breached, with hackers making off with “red team tools”, which could change the game for the cybersecurity industry.
I’m going to have to play major catchup, or just start fresh, as there’s still a lot I need to read in the landscape, although no podcast or blog is going to cover everything passing their desk.
The first article I'm going to start with is FireEye says hackers stole its red-team tools, suggests state-sponsored group is to blame, which was quite interesting just the same. The CEO, Kevin Mandia, indicates that the actors behind their hack used sophisticated techniques and that some of the stolen tools are used to simulate attacks. Here is the blog post linked within this article from FireEye.
If attackers stole so-called red team tools, as mentioned and linked in this article, then we've got a bigger problem than who did what to whom.
The response from Capitol Hill was swift.
Rep. Adam Schiff, D-Calif., chairman of the House Intelligence Committee, said he had asked intelligence agencies to brief his panel on the FireEye hack, including “any vulnerabilities that may arise from it and actions to mitigate the impacts.” Sen. Mark Warner, D-Va., vice chairman of the Senate Intelligence Committee, said the incident “shows the difficulty of stopping determined nation-state hackers.” “As we have with critical infrastructure, we have to rethink the kind of cyber assistance the government provides to American companies in key sectors on which we all rely,” Warner added.
The next article is quite interesting because Kevin is even interviewed on Face the Nation, a CBS news program that airs on Sundays. You can watch the portion of the video he's in by following this link. The article itself is entitled FireEye's Mandia on SolarWinds hack: ‘This was a sniper round’, which is interesting to say the least. Now we're learning that this was a foreign espionage attack after all, although it was earlier reported that it wasn't. As I've written in prior articles on this whole ordeal, we've still got a whole lot to learn. The first paragraph says:
The foreign espionage operation that breached several U.S. government agencies through SolarWinds software updates was unique in its methods and stealth, according to FireEye CEO Kevin Mandia, whose company discovered the activity.
While FireEye got breached themselves, they're definitely trying to do good in the face of their own issues from the beginning of the month, and we need to praise them for that. It takes guts and encouragement to go from being breached to finding what I believe to be the biggest breach we have to date, and that doesn't necessarily count other well-known breaches like Sony Pictures, Target and others that may be discussed within these linked articles. What interested me about these articles is that they point out that security companies are a prime target in this space because of the knowledge they have to offer.
Despite bearing the hallmarks of a familiar hacking group, this particular campaign was “totally unique” and “utterly clandestine” in how it happened, Mandia said. “And quite frankly, it was a backdoor into the American supply chain that separates this from thousands of other cases that we’ve worked throughout our careers,” Mandia said.
According to the analysis to date in this article,
Although many details about the SolarWinds hack are unclear, Mandia and other analysts have settled on a rough timeline: The attackers breached the software update platform for the company’s Orion product in October 2019 and inserted what Mandia called “innocuous” code. In March of this year, the foreign operators returned to add malware — essentially a backdoor that allowed them access into the network of any organization that installed it.
This is definitely significant: it means that the actors have been working on this for at least a year, if not more. As we continue the analysis, you'll learn about the threat group that may be responsible for all of this, but I'm not in the business of saying whether it is or isn't a particular actor group.
According to the article, the experts continue to say that it is Russia, but our president continues to indicate that it is China, which could be a possibility if multiple actor groups are involved.
Remember when I mentioned that there could be a second hacking group behind this whole debacle that grips us right now, besides the COVID-19 problems? Well, this article, Microsoft identifies second hacking group affecting SolarWinds software, covers this aspect of this very interesting story. While FireEye was looking into their own problems, which is where today's article started, they found this, and even a potential vulnerability unrelated to the initial breach as well. This blog post from Microsoft goes into more detail about that.
The additionally discovered malware is called Supernova. This malware executes in memory rather than from the hard drive, thereby hiding from research tools and other detection techniques unless they scan memory. I'm not about to say that Moscow is the culprit in this whole ordeal, but they are denying it just the same. If it wasn't them, who was it?
I’ll end this article here, as there is more to write, and a lot more commentary I have. Stay tuned for part two of this, as this saga continues.