A lot of cyber experts consider it to be the US’s IT Pearl Harbor, while others think it’s more like the Greeks employing to ride the Trojan Horse to enter the city of Troy in the final moments of the Trojan Wars. Whatever way they define the incident, all experts across the cyber world acknowledge that the devastating Russian hacking of a variety of federal agencies, as well as more than 18,000 private and public networks, was accomplished through subversion of Security protocols in SolarWind’s own Orion system for monitoring networks, was an alarming wake-up alarm that to the United States cyber community must quickly take action to.
According to an article on the ZDNet blog that was published on the 6th of January The U.S. Department of Justice has confirmed that SolarWinds cybercriminals who targeted the supply chain targeted DOJ internal networks and accessed around 3500 email accounts of the agency in Outlook365.
Sources SolarWinds Poland Pelarus YorkTimes
These accounts were later removed, but the DOJ is in good company with it is among other Federal and private organizations that were hacked in March 2020 but were not identified until December 1st, when cybersecurity company FireEye revealed it was compromised, which included federal agencies such as that of the U.S. Treasury Department, the Department of Commerce’s National Telecommunications and Information Administration (NTIA) as well as the department of health’s National Institutes of Health (NIH) and the Cybersecurity and Infrastructure Agency (CISA) and the Department of Homeland Security (DHS) and The State Department, the National Nuclear Security Administration (NNSA) and the U.S. Department of Energy (DOE). Other victims included three state governments, as well as a number of city administrations, in addition to businesses such as Cisco, Intel, VMWare, and Microsoft.
“The first part of the breach relates to SolarWinds themselves being breached. While we still don’t fully understand how the threat actors gained access to the SolarWinds source code, it is assumed that their Git repository was breached. It is normal practice for companies to review code when committing to the master branch by a second person, but it is not common practice for periodic reviews.
Therefore, once the code was changed and committed, it is unlikely the change would be noticed in the code. Once the malicious code was executed on the end customers’ servers, there was a delay timer. This is a common tactic called sandboxing used by attackers to avoid detection,” claims Danny Jenkins, the CEO/Co-Founder of ThreatLocker Security, a security company based in Orlando a company that provides zero-trust security for endpoints.
Espionage, Plain and Simple
However, there is no doubt about the motives, according to Christopher Painter, the former State Department cybersecurity coordinator under both the Trump and Obama administrations. He is a known leader and expert in cybersecurity, cyber policies cybersecurity, cyber diplomacy, and fighting cybercrime.
He spoke to SecurityInfoWatch recently about this attack, as well as others that he thinks will uncover the truth about good old-fashioned Russian spying over the next months. Christopher Painter, the former State Department cybersecurity coordinator under both the Trump and Obama administrations.
“In terms of determining the identities of the other victims who were the victims, the magnitude of the breaches as well as the nature and quantity of the data collected, it is unclear if as it is portrayed at the moment, this was the result of an act of spying, or is there something more taking place, such as prepositions. It’s all unclear. However, it appears to be spying and the reports indicate that it’s Russia and, in particular, the Russian intelligence agency, so this makes it appear more like an espionage plot,” explains Painter. “
Paul Joyal is uncomfortably familiar with Russian spying and the consequences it has. Joyal has been a consultant for a long time in security as well as Russian matters. From 1984 until 1989, Joyal was the head of the security department at the Senate Intelligence Committee and worked on Soviet counterintelligence issues during President Ronald Reagan’s presidency.
He was close to the former Soviet Foreign Minister Eduard Shevardnadze when he was President of the Republic of Georgia on security issues as well as integration with the Euro-Atlantic Alliance and was decorated with the Georgian Order of Honor for his services.
In 2007 Joyal stated on Dateline NBC that the murder of the former KGB agent Alexander Litvinenko served as an alarm to anyone who is critical of Putin’s Putin government. A few days after the appearance, Joyal was shot and wounded in front of his house at Adelphi, Maryland. The attacker(s) is not identified, however, he is certain of the person who ordered the shooting. Paul Joyal is a long-time consultant in security and Russian matters.
From 1984 to 1989 Paul Joyal was the Director of Security of the Senate Intelligence Committee and worked on Soviet counterintelligence issues during President Ronald Reagan’s administration. He also was closely associated with the former Soviet foreign minister Eduard Shevardnadze.
“The utilization of foreign-owned offshore companies to supply software engineering poses a major danger. SolarWinds utilized companies from Belarus, Poland, and the Czech Republic. JetBrains was established in the year 2003 by three Russians. It also had a lab in Russia. It’s such a huge security breach that the possibility of restoring trust in identity is subject to debate.
When an adversary with this kind of capability has discovered the system, they’ll then get further into the system and find it extremely dangerous,” asserts Joyal. “As I’ve written in the past I think the first breach dates back to the year 2019. The primary goal was espionage, but if the crucial infrastructure was affected by a system that is believed to have been compromised by this hack, then it is necessary to consider the possibility of spreading and risk. This isn’t a certainty.”
Politics Weakens U.S. Response
And it’s the Russian perspective that Painter believes has deterred the proper U.S. cybersecurity response, and the genesis of the deficiency beginning after the presidential election in 2016. Politics and the absence of a coherent cyber policy in the last four years have exacerbated the weakness of the security doctrine in the United States.
“We haven’t, at any time, take our eyes off the ball in light of the amount of cash we’ve invested in this, which is not enough, nor the amount we’ve focused on certain aspects of the more strict DOD operations, the continuous commitment and defend-forward as well as searching for networks. We didn’t even see it coming. The majority of the companies that deal with computer security did not realize this until it was too late this is exactly the situation when FireEye discovered the issue when their tools were hacked.
“This is a major failure, and it could suggest that we haven’t yet achieved enough. This is a problem that has existed for a long time however it has become more evident since the current administration. We haven’t yet made cybersecurity a central issue for national security and haven’t considered it a serious issue. We treat it as a technical problem when we ought to view the issue as one that is essential to our security in general.
We haven’t allocated resources to it, we haven’t prioritized it. It’s certainly not like the president Trump who did not make this a top priority,” paints Painter by citing a scene in Rage, the Bob Woodward 2019 book Rage in which, according to reports, Tom Bossert, the former Homeland Security Advisor to U.S. President Donald Trump and a Vice the Homeland Security advisor to President George W. Bush, comes in and tells Trump, “Hey, I would like to discuss cybersecurity,” and, according to reports, Trump states, “You know, I’d prefer to watch the Masters tournament.”
Painter states that in the past four years cybersecurity has become increasingly political, which has diminished the security of the country due to the lack of clear communication at the highest levels. The painter believes that it is essential to not only prioritize it for your own administration as well as for the general public but to convey to potential adversaries that this isn’t acceptable.
“That’s the place where we’ve observed serious issues with president Trump who subverted everything else the administration has been doing by questioning whether Russia is actually responsible or had any responsibility in various incidents. It puts us in a less favorable position. We’ve also eliminated certain most important positions in our government that deal with these issues. The recent dismissal of Chris Krebs (Director of the Cybersecurity and Infrastructure Security Agency) was clearly not the ideal time.
However, CISA even as great as it is and has a long way to move has always played the third, fourth, or even fourth fiddle in the immigration department at DHS under the current administration. My previous position in CISA at the State Department was downgraded and somewhat mixed up. The first time Trump was in office the cyber coordinator in the White House was eliminated. We haven’t taken any steps to move in the direction we should be going,” charges Painter.
A Hacker Tells Cyber Experts to Look Inward
Being one of the more well-known hackers in the world, Chris Roberts was impressed by the capabilities of attackers, even if they aren’t ready to hop on the Russian blame train. He added that the techniques can be learned, leaving the door open for others who could be suspects. There is no doubt about the seriousness of the attack as well as the repercussions that follow.
“We are able to go in all sorts of ways with this because truthfully it was a beautiful job. When I think about the issue from a strictly technical point of view, it’s this, it was the capability to think, ‘Look! I’m required to open the doorway of some particular target. We cannot do that as quickly nowadays, so we have to ask, ‘Okay, what options do I have? What can I do to gain access through a third-party supply chain or another supply chain? and etc.?
It’s possible to tackle them, however, some are quite closed. What can I do to gain access to those supply chains? This is the place where SolarWinds was placed under scrutiny. Then, to devote one time period of about a year conducting recon, conducting analysis, executing the initial exploit, and then putting things in and then pivoting as and when needed I’m saying that for me, suggests they were playing the long game. Chris Roberts is a former hacker and is now working with multinational companies to help secure their networks. sport” says Roberts, the former hacker, and CISO of Sports Authority, who is now an expert in cyber security and a consultant during an interview to SIW.
“There are many troubling aspects of this attack. The first is that someone has walked into the majority of these U.S. intelligence agencies left the whoopee cushion, which was a digital whoopee pillow on the director’s seat, and then walked out without our noticing. This is a bit of a shocker there are multi-billion-dollar programs designed to stop any person who enters the front door, the front gate, or anywhere in between, and they didn’t burp, snort or acknowledge that there was a breach or even if they did, they weren’t paying to the breach, then we need to examine our own structure and ask”What’s missing?'” Roberts adds. “These hackers have created instability, and our cybersecurity experts are frightened. Someone enters, planted a flag, then walked out. It was hard to believe that they had been there. We were given a warning shot over our bows on this one.”
How to Mitigate the Damage and Prepare for the Next Attack
The warning shot raises the obvious questions that revolve around how the cybersecurity community adjusts and implements the necessary security measures to ensure the security of organizations and agencies. prepared.
Chris Hickman, the chief security officer at Keyfactor, a major provider of digital identity management software claims that these breaches do not concern FireEye, SolarWinds, or Mimecast more so, they’re an alarming and increasing pattern of frequent attacks.
“The attackers behind these attacks, whether they’re employing SolarWinds backdoor or SolarWinds backdoors or another attack, is targeting certificate and credential holders. They are using digital assets for cryptographic use to obtain access to networks and to bypass security controls. The current trendline shows that some companies remain adamant about treating certificates as just certificates instead of cryptographic assets that have a greater part in enhancing the security of networks.
Technology alone will not be able to stop breaches such as this. Companies should ensure they have the appropriate guidelines, controls, and industry-standard practices to safeguard themselves from the changing threats. Companies must review how they handle and secure cryptographic keys and digital certificates to protect them and their customers.” Hickman says.
Painter states that one of the characteristics that this attack has noted that it’s still under investigation is that once the vulnerability is present on a variety of computers, the vulnerability will beep out and basically say, “Hey, I’m here.” Then, the apparent Russian hackers get further using a customized or customized program that exploits specific areas. It is clear they had the ability to conceal the method by which it was carried out, thereby avoiding warning signs to detect suspicious behavior. In addition to changing the technical safeguards, He insists that any changes to the policy must be made in line with.
“I don’t believe there’s any way to guarantee that the same thing won’t repeat itself. The thing you’ll need to ensure is that you recognize the problem earlier, that you have resilience, and ways to bounce back, and that you are capable of assessing the damages quickly. There are two things that could be done today.
One, increase our defenses against resource threats higher than we had before. Secondly and make this an important issue, more than we’ve prior to. This raises awareness across all vessels. There are some fundamental changes that need to be made. It is possible to change the way in which your U.S. government in terms of how cybersecurity is conducted and the role played by DHS and the amount of power it has to deal with federal networks. I believe that all of these are likely to be beneficial changes to consider,” admits Painter.
“But the other side of this is spying. Some will argue”Well, it’s impossible to effectively stop espionage. There must be a cost for the act of espionage. In the world of physical the moment a spy is arrested, there is a case diplomat is exiled or PNG’d (rendered persona non-grata) in the sense they refer to it in the business. There are usually economic sanctions as well as other types of sanctions. It’s certainly not unjust to demand an amount even for espionage.
As I mentioned, we’re trying to determine the difference between this and something else, but being more secure against potential adversaries is an element of it. It’s not an issue of cyber security It’s a Russian issue. This isn’t just a matter of cyber with China but it’s a China issue. It’s important to consider this into the wider scope of our interactions with these countries, and make use of all the tools we can to move forward.”
Heed the Warning!
Joyal adds that there are ways to improve cyber security.
“Right now, computers should be separated. Cloud systems shouldn’t be able to connect to on-prem servers or vice versa. DHS has provided specific software that can help businesses and government agencies tackle the issue. Every system must be patched immediately and I would take it further and completely erase and install new updated software in all its entirety.
“I am urging all companies to pay note of this warning. I am convinced that the SVR is the culprit behind this. If they are inside your system, they’ll focus on identifying and watching the actions of Cyber incident Responders. The communication about the actions taken to fix the system shouldn’t be sent through an email system. It is essential to assume that the members of the response team and their communications are affected,” concludes Joyal. “
We should also presume that the attackers are employing additional attacks on the original target using various methods. Since the information revealed SolarWinds was known to have weak passwords and was not necessarily using other authentication methods to verify identity I’d guess that password-based attacks are being used by the adversaries. We must increase the number of encryption options to 256K to make things as challenging as they are in their favor.”
Daniel was born in Auckland and raised in Calgary, except for the time when he moved back to Quebec and attended high school there. He studied Physics and Science at the University of Auckland. He began writing after obsessing over books.