The Untold Story of the Boldest Supply-Chain Hack Ever (wired.com)
156 points by SerCe on May 4, 2023 | hide | past | favorite | 69 comments


Disappointing, the article doesn't say anything new or untold beyond some minor personal details about the people involved and the fact that people repeatedly missed major clues because they weren't talking to each other.

Also, the article repeatedly insinuates that the attack was traced to the Russian government, in fact it says it so often a casual reader could be forgiven for thinking they had proof. But a careful reading shows that they have absolutely no idea who did the SolarWinds hack. The link to the SVR is simply that Kevin Mandia has a "hunch" based on "pattern recognition" from his work in the 1990s. Not only is no proof presented, they don't even have anything that could be called evidence.

Writeups of hacks are always like this nowadays. It's the Russians. How do we know it's not the Chinese, or the Americans, or the British? We don't but if we say it's the Russians everyone will be on our side, so let's roll with that.

I really wish journalists would not try to manipulate readers like that. It'd be more honest to say they don't know. Trying to slip a completely made up SVR connection past the readers like that implies the rest of the article might just be spin too.


It did read rather like something inspired by stories from 80's hacker culture.

And the build systems sound like they were made by managers.


I was watching the news last night, and apparently, not only are they pretty sure it was Russia that bombed the half-Russian pipelines to Europe (NordStream2), but it was Russia (or Russian partisans, whatever they mean) that tried to kill Putin last night with a drone attack as well.

You can accuse Russia of anything you want in the current climate, and everyone will take you seriously regardless of evidence.


You're excluding the part where:

A) it was only partially destroyed

B) Russia offered to run gas through the remaining pipeline at a higher price, almost immediately after running campaigns pointing fingers at everyone else

Apparently with A whoever did it decided not to disable it completely, and with B somehow Russia is extremely confident it won't be attacked again.

It's not a hard conclusion to reach that Russia bombed its own shutdown pipeline, while leaving it functional, in order to cause confusion amongst enemies.


>> decided not to disable it completely...while leaving it functional

It isn't as if someone flipped a switch. This is underwater explosives at considerable depth.

There is nothing self-evident in what you've laid out here but you sure seem to think that it is.

Asserting that you do not find it difficult to reach this conclusion does not make the conclusion you have reached any less convoluted.


His reasoning must be convoluted because his conclusion is false. His argument is like saying that the fact that Lee Harvey Oswald didn't also kill Jackie Kennedy means Oswald must have liked the Kennedys and wanted them to stay in the White House.


It's not. Instead of trying to come up with convoluted analogies for my conclusion to try and paint it as outlandish, maybe go back to talking about off topic stuff like BRICS.


My analogy’s convoluted and contrived logic perfectly captures yours.


It's not even close. You're comparing a time sensitive attack with tons of security to 4 pipes sitting in the ocean. A lone attacker on a short time scale, versus a potential entire state backed demolitions team with tons of operational lead time. Stop with the bad faith arguments.

It is highly unlikely that A) the US with such lead time would fail to blow up all 4 pipes, and B) the US would bother when it had already handled the situation diplomatically.


I think in a different time, we'd be able to say that it's become a farce, but ideology doesn't allow that thought to creep in. Even at the height of the cold war, we'd have contrarians and simple sympathizers who tried to nudge us --eventually both sides realized that the other wasn't the evil one thought the other was and that eventually allowed for Gorbachev and Reagan to have constructive dialog. But who in their right mind would be _convinced_ without a doubt that it was Russia who destroyed the pipeline, cutting their nose to spite their face? It's so stupid. Even Saddam wasn't accused of being that stupid.


You say destroyed as if it was completely destroyed.

https://www.dw.com/en/putin-offers-europe-gas-through-nord-s...

The only pipeline that was destroyed was the one Germany had shut down; Russia immediately began trying to poke Germany to open the other pipeline.


Russia has been the one wanting all the pipelines open this whole time and the US has been the one demanding they stop existing. Your argument is fooy.


So the US who "has been the one demanding they stop existing" covertly places explosives on 3/4 pipes, and ignores the last pipe despite direct proximity to the others?

"Russia has been the one wanting all the pipelines open this whole time" Key word is "wanting", they were not getting it; Germany made it clear they were not getting it.


So the fact that whoever blew up 3 of the 4 pipes decided not to or wasn't able to or failed to blow up the last one means they must want Russia supplying gas to Europe?

These bad faith arguments are why no one trusts the US anymore and everyone is getting on board with BRICS. The US lies and stabs you in the back no matter what.


It's highly unlikely that someone with the capacity to deploy a team to covertly sabotage a pipeline decides to back out 3/4 of the way when they're in such close proximity, or fails and their failure is never detected (there would be failed explosives at the site).

Bad faith argument? Where does this nonsense about "everyone is getting on board with BRICS" come from? Who is "everyone"?


There are repeated rumours that failed explosives were found at the site.

https://www.eugyppius.com/p/nord-stream-update-the-recovered

Holger Stark, the German investigative journalist who broke this story for Die Zeit. Stark has apparently told Hersh that “Officials in Germany, Sweden, and Denmark … decided shortly after the pipeline bombings to send teams to the site to recover the one mine that has not gone off”. He said they were too late; an American ship had sped to the site within a day or two and recovered the mine and other materials.

They did, however, recover a smoke buoy.

https://www.eugyppius.com/p/nord-stream-update-the-recovered


That's neat, why does Stark have this to say about the issue himself though?

https://twitter.com/holger_stark/status/1638561100009549829

"But this is, at least in respect to our work at @DIEZEIT, complete BS. And if you write about me: call next time before you publish."


Something similar was reported years ago

https://youtu.be/vm1U5E44W90


When you have a history of lying and running malevolent information operations, plus invading your neighbors on multiple occasions... yeah, you kinda lose the benefit of the doubt.

Your comment looks like an information operation itself. As far as I can tell, the only claims that the drones "tried to kill Putin" come from Russian state media.


> you kinda lose the benefit of the doubt.

Losing benefit of the doubt doesn't mean you're guilty.

It just means when Russia accused the UK [1] of blowing up the pipeline you can't trust them. Or when Russia accuses the US [2] of blowing up the pipeline you can't trust them. It doesn't mean the US or UK didn't do it; it just means Russian claims are not evidence and you'd probably be better off just completely ignoring them so that it doesn't taint any opinions.

[1]: https://www.reuters.com/world/europe/russia-says-british-nav...

[2]: https://www.bloomberg.com/news/articles/2023-02-09/russia-bl...


Other than the "your neighbours" part you literally just described America... and technically we can include the "your neighbours" part too if we're willing to look far enough backwards.

Anyways I'm hardly savvy enough to know who did what and what was faked through the fog of war and all the war propaganda, but "If the Russians say down, they are disreputable invaders, so we must say up" is not a very good mode of analysis for teasing out the truth.


> running malevolent information operations

They might be doing this. I'd be tempted, if I were Putin. But it's pretty clear that 90%+ of all claims that Russia is doing this turn out to be malevolent information operations by our own side.

Example: Hamilton 68, supposedly a website that tracked Russian "information operations" on Twitter. Except it turned out to be pure, unadulterated garbage from a US think tank that was labelling Americans who worked night shifts as Russians. That didn't stop the media reporting it as "russian disinfo" for years, and when the truth finally came out, refusing to report on their own failed reporting and complicity.

There's tons of stuff like that. If a western source is making a claim about Russian misinformation, it's pretty much a dead cert thing that they're making it up.


When you start accusing someone or a country of everything, it's not them who are losing the benefit of the doubt. It's you who are losing any credibility.

> As far as I can tell, the only claims that the drones "tried to kill Putin" come from Russian state media.

Well, I was reporting what the news said, and it was definitely not the Russian media.


News: More than one country is involved in propaganda and disinformation and information and narrative shaping in the world.


You do realize that the US government itself has a history of lying, running malevolent information operations and invading other countries in order to de-stabilize them and install friendly dictators? That is why I don't buy this China and Russia scare tactics. Everyone's doing it.




South Park blamed Canada


It's amusing how these stories always include the breathless account of the genius hackers. It boiled down to a few thousand lines of code in a dll. There's only so much genius you can get into a few thousand lines of code. In reality, SolarWinds did something stupid, then some of their customers connected it to the internet and didn't even firewall it. Hackers will always have success not because they're brilliant, but because there will always be some marks who didn't cross their i's and dot their t's.


I agree in spirit, and I also share an attitude of "if you're hacked, it's your fault." It's Not That Hard to choose to not run random binaries from the internet, and keep your ports closed.

> There's only so much genius you can get into a few thousand lines of code

That being said, Stuxnet? So clever.

edit: Depending on the language or libraries, 1000 lines is a LOT. Cleverness is frequently in reduction or rotation, not addition. Choice of data structure, etc. c.f. the 'k' or 'j' programming languages.


> if you're hacked, it's your fault

I'm on the fence about this. In a perfect world, I agree.

In real life? "They" only need to get lucky once. I need to be perfect all the time, and it probably isn't going to happen.

Don't get me wrong, it is always somebody's fault.

If "your" is meant as in your business, I'd lean more to the agree side. Security basics are just a cost centre, right?

And how are you supposed to vet a binary from a trusted vendor?


> There's only so much genius you can get into a few thousand lines of code.

Einstein's paper that introduces E=mc^2 is about three pages long.


I’m holding out hope for an NTSB-style investigation report by CISA that is a giant website with 1000s of pages of analyst notes and digital forensic evidence and shows exactly how they found out what they did as it happened.

For all the $100mil’s that have been spent over the course of this cyber Pearl Harbor event, there should be something monumental added to the public record that every comp sci and cybersecurity student or pro can learn from for the next 50 years.

Data from these big attacks shouldn’t be limited to the rarefied few folks who are lucky enough to take a $9000 SANS SEC541 course or work on a CIRT team for a Fortune-100 company whose sausage is among those roasted by the fire.


Do I understand correctly, that the hackers improved the dll's code deliberately, so that Orion wouldn't manifest bugs which might invite debugging scrutiny that also revealed the backdoor?


It used to be fairly common practice for skilled hackers to patch the way they got in, to prevent their borrowed systems from being invaded by skids.


This is different, more like putting a trap door in the ceiling and then patching all the leaks in the roof so that the homeowner won’t need to climb up on to the roof to fix those themselves and in doing so stumble on your trap door.


The way I read it, they left the other functionality unchanged and injected their source code change into the .dll source, made the build process build both the hacked version and the unhacked version (for later), and put the hacked version into the installation package. They then deleted evidence of the hacked dll in the build and restored the unhacked dll to its place, so no one could tell what happened just by looking at the end results and doing a dump or binary diff on just that dll.

Similar to but not the same as the pirated Xcode malware injection.


Probably, this sounds like a plausible explanation.


> The practice of placing legal teams in charge of breach investigations is a controversial one. It puts cases under attorney-client privilege in a manner that can help companies fend off regulatory inquiries and fight discovery requests in lawsuits.

I wonder if the new DoJ agrees with this approach.


This article also misses the part where JetBrains got accused of being a Russian asset by tech media.


Lol what? Because they're Czech?


This is the original article: https://archive.ph/RsZtc

It was a bunch of embarrassing speculation


I believe they had a sales office in Moscow, which was enough for the rumor mill. "Had" being key, as around the same time they pulled out of Russia.


Why do ppl call this a supply chain attack???

The simplest abuse of an all-powerful application coded by illiterate criminals who even sold company stock when things were about to become public.

The real attack is how they managed to sell this to so many high profile targets. That is conveniently left out of every report, including this lame one from Wired.

My guess, since they sold to FireEye, is that it's the same circle of people who can get these types of contracts. A shadow elite of former NSA consultants helping each other.



This story reads as merely attempting to cover for Mandiant's reputation. They are "the ones on speed dial" for customers and seem to be trying to salvage. Definitely a rare glimpse into the deep state, how many other companies have contacts at the NSA?


I picked up on this too. Everyone involved has a perverse incentive to portray the narrative as the work of genius, innovative hackers. That's the issue with an article like this, where all the quoted sources are people directly involved. I would have appreciated some 3rd party analysis of just how sophisticated this attack really was, and how much of the blame should really rest on the lax standards of the victims. Mandiant in particular doesn't have much excuse.


Quite a few security companies will have back channels to the NSA. There's a revolving door between NSA and "cyber".

Same shit in the UK, some of the bigger consultancies have very cosy relationships with GCHQ.


Here's the sketch of a defense against such attacks. Is there anyone out there who'd buy it, if it existed?

Imagine a tool that given a simple description of a server (e.g. pointed at your build system or a downloadable artifact like a container image) creates a VM that starts the app on boot, uploads that VM image to the cloud, starts it up and then performs a remote attestation protocol to verify that the remote VM is running what you think it's running, down to the last byte. Remote attestation allows you to "measure" a VM or enclave to determine a cryptographic hash of everything running on the machine in an auditable way. Sometimes the VM has encrypted RAM so you can prove that the cloud provider can't break into that machine.

It could potentially have helped in this case where the attackers compromised a build system. Remote attestations can be chained together and used as signatures, so for example SolarWinds could have come with a proof that it was compiled correctly from a particular git commit hash, and then third party auditors could have been hired to monitor that the code doesn't have backdoors. Customers could then run it and get from this imaginary tool a complete audit chain all the way back to a certificate issued by a third party that says "we reviewed the code at commit <hash> and this program was compiled from that code via a build system audited via remote attestation".

Now, RA isn't a silver bullet. It's still possible to transiently hack a machine such that the hack remains in memory. But if you regularly reboot and re-attest your VMs, you can wipe these hacks out on a regular basis because the entire thing is being booted from a known good image, and that image is created from known good code, etc.

The pieces already exist. AMD SEV, Intel TDX, Amazon Nitro and others support RA protocols for virtual machines, Linux has support for propagation of attestations through the service stack. But there seems to be a lack of orchestration tools to bring all the parts together. If there's any interest in signing a letter of intent for such a tool please get in touch (email address in profile).
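The attestation chain sketched in this comment, worked through as an added example that is neither the commenter's proposed tool nor any real RA protocol: a verifier walks from a live VM measurement back to an audited commit, with an optional independent-rebuild check that catches a compromised build server attesting a tampered artifact. Issuer keys, artifact bytes, claim fields and the placeholder commit hash are constructed assumptions, and HMAC-SHA256 stands in for real signatures so the code runs with the standard library only.

```python
"""Verifier for a chain of attestations: live VM -> attested build artifact ->
source commit -> third-party review. Everything here is constructed."""
import hashlib
import hmac
import json

# Constructed issuer keys. HMAC-SHA256 stands in for a real signature scheme.
ISSUER_KEYS = {
    "auditor": b"constructed-auditor-key",
    "build-attester": b"constructed-build-system-key",
    "cloud-attestation": b"constructed-cloud-attestation-key",
}
EXPECTED_ISSUER = {"audit": "auditor", "build": "build-attester",
                   "runtime": "cloud-attestation"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def sign(issuer: str, claim: dict) -> dict:
    """Issue a statement: a claim plus a keyed MAC over its canonical JSON."""
    body = json.dumps(claim, sort_keys=True).encode()
    sig = hmac.new(ISSUER_KEYS[issuer], body, hashlib.sha256).hexdigest()
    return {"issuer": issuer, "claim": claim, "sig": sig}

def signature_ok(stmt: dict) -> bool:
    body = json.dumps(stmt["claim"], sort_keys=True).encode()
    expected = hmac.new(ISSUER_KEYS[stmt["issuer"]], body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, stmt["sig"])

def measure_vm(base_image: bytes, artifact: bytes) -> str:
    """Toy measurement: hash of everything loaded into the VM, in load order."""
    return sha256_hex(base_image + artifact)

def verify_chain(live_measurement, audit, build, runtime, rebuild=None) -> tuple:
    """Walk the chain from the running VM back to the reviewed commit.
    If `rebuild` is given, the commit is also rebuilt independently and must
    reproduce the attested artifact hash (catches a backdoored build server)."""
    for name, stmt in (("audit", audit), ("build", build), ("runtime", runtime)):
        if stmt["issuer"] != EXPECTED_ISSUER[name] or not signature_ok(stmt):
            return False, f"{name} statement: wrong issuer or bad signature"
    if runtime["claim"]["measurement"] != live_measurement:
        return False, "live measurement does not match attested measurement"
    if runtime["claim"]["artifact_sha256"] != build["claim"]["artifact_sha256"]:
        return False, "running artifact is not the attested build output"
    commit = build["claim"]["source_commit"]
    if commit != audit["claim"]["commit"]:
        return False, "artifact was not built from the reviewed commit"
    if audit["claim"]["verdict"] != "no-backdoor-found":
        return False, "auditor did not sign off on this commit"
    if rebuild and sha256_hex(rebuild(commit)) != build["claim"]["artifact_sha256"]:
        return False, "independent rebuild of the commit does not reproduce the artifact"
    return True, "chain verified back to the reviewed commit"

# Constructed sample inputs: a clean build output and a tampered one that a
# compromised build server could have slipped into the package.
REVIEWED_COMMIT = "<placeholder-commit-hash>"
CLEAN_ARTIFACT = b"orion-core.dll built from reviewed sources"
TAMPERED_ARTIFACT = b"orion-core.dll with an extra unreviewed code path"
BASE_IMAGE = b"minimal-vm-image"

def build_chain(artifact: bytes, commit: str = REVIEWED_COMMIT) -> tuple:
    """Issue the three statements for one artifact and measure a VM running it."""
    audit = sign("auditor", {"commit": REVIEWED_COMMIT, "verdict": "no-backdoor-found"})
    build = sign("build-attester", {"source_commit": commit,
                                    "artifact_sha256": sha256_hex(artifact)})
    runtime = sign("cloud-attestation", {"measurement": measure_vm(BASE_IMAGE, artifact),
                                         "artifact_sha256": sha256_hex(artifact)})
    return measure_vm(BASE_IMAGE, artifact), audit, build, runtime

def clean_rebuild(commit: str) -> bytes:
    """Independent rebuild of the reviewed commit on an uncompromised builder."""
    return CLEAN_ARTIFACT if commit == REVIEWED_COMMIT else b"unknown commit"

def demo() -> dict:
    """Clean chain; compromised builder attesting a tampered artifact; build of
    a commit the auditor never reviewed."""
    results = {"clean": verify_chain(*build_chain(CLEAN_ARTIFACT), rebuild=clean_rebuild)}
    results["tampered_build"] = verify_chain(*build_chain(TAMPERED_ARTIFACT),
                                             rebuild=clean_rebuild)
    results["unreviewed_commit"] = verify_chain(*build_chain(CLEAN_ARTIFACT, "<other-commit>"))
    return results
```

Without the rebuild check the tampered case passes every signature and hash comparison, which is the gap the comment's "compiled correctly from a particular git commit hash" proof is meant to close.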


Enarx/wasmcloud are pretty similar to this, and are being supported by the Linux Foundation. This design also doesn't solve supply chain issues: fundamentally you don't have a way of telling if the bytes you're running in the enclave, even though they were attested to be what was supplied by the developer, are free of supply chain backdoors. You would have attestations that you are running SolarWinds, not that the SolarWinds software you're running is free of vulnerabilities. Transiently hacking machines is also really all APTs need for network penetration, since once you do that you achieve network persistence on different boxes or escape the attested services to some privileged Exchange server on the LAN.


The idea here is that SolarWinds itself would have used it to verify that their TeamCity instance is in fact running unmodified TeamCity with configs that track back to versioned files.

They could then provide a static proof of that to their customers, who then build them into their own chains of attestation.

Yes, if all you need to do is an SSRF on some intermediary server to pivot to some other server, it doesn't help ... unless the target server is also being attested and regularly rebooted back into a clean state. It's all just bricks in the wall, at the end.


I stopped reading in paragraph 9, at:

> When investigators finally cracked it, they were blown away by the hack’s complexity and extreme premeditation.

"Extreme premeditation?" Please. The old USSR had quite a few spies who stayed active for decades inside America's Top Secret Tent. A century ago, if a navy wanted a new battleship, it could easily be 7 years between "start spending money" and "battleship is completed and ready to use".


Maybe I'm naive or dumb or something but I feel like comparing a hacking attempt to the construction/crewing/deploying of a battleship doesn't make a whole lot of sense?

It takes a lot of work to build a motorcycle that is roadworthy from scratch. It takes a lot of work to build a skyscraper and develop it into a used space from scratch. Talking about the latter doesn't really discount the former, right?


My (not so well made) point was that having a two-ish decade planning horizon for serious national security activities was old hat back when punch cards were leading-edge computer technology.

Vs. from a skim of the article - the entire SolarWinds operation was less than 24 months, from plausibly-first little compromise of an employee's VPN account through detection and fix. That is "Extreme premeditation" about the same way that my hard-boiling eggs for a week's lunches every Monday morning is "Extreme premeditation".

(Vs. if they'd described it as a major effort by an A-list adversary - yeah, that would have been quite reasonable.)


In a field as fast paced as information security, that is a long fucking time.


Ships and planes today take waaayyy longer than seven years to create. The F-22 took 24 years to deliver.


I stopped reading there too, but only because the paywall wouldn't quit, lol.


I'm not sure I agree with the title... surely Crypto AG would be bigger/more influential?


For the SolarWinds hack, there also remains the question whether there was any insider job.


This incident and the Colonial Pipeline attack were the main drivers behind the Biden cybersecurity executive order "Executive Order on Improving the Nation’s Cybersecurity" [1] which has driven changes to policy at NIST, FDA, OMB and others [2].

My opinion is that while these policies are fuzzy and lack specifics, it's just the first round of pushing industry in the correct direction without mandating specific tools or methods.

In the EU, the proposed Cyber Resilience Act has maybe cast too wide of a net, snagging any open source contributor as a software "manufacturer".

1: https://www.whitehouse.gov/briefing-room/presidential-action...

2: https://edgebit.io/regulations/


I really enjoyed that article. I do love a good conspiracy theory and I found this piece particularly interesting:

"The US Cybersecurity and Infrastructure Security Agency wanted to know whether any research labs developing Covid vaccines had been hit."

Why were the Covid research labs of most concern to CISA as opposed to something like the presidential office?


At the time, attacks on healthcare were very much top of mind for everyone.


See, that's a long article I would have just skipped a year ago. Now, we get to play with its content and it's fun:

Joe: So, it was late 2019 when we stumbled upon the breach at the think tank.

Donald: And what did you find, Joe?

Joe: Another digital security breach, nothing special. But then we found a second group of hackers, more skilled, going after specific executives, policy wonks, and IT staff.

Donald: Damn, that's some precision targeting right there.

Joe: Yeah, we kicked them out, but they kept coming back. We found out they had planted a backdoor three years earlier, and we never even knew.

Donald: Three years?! They were playing the long game, huh?

Joe: You could say that. And in June 2020, they came back. We spent days trying to figure out how they slipped in.

Donald: And how did they do it?

Joe: They zeroed in on a server running SolarWinds software. And that's when the Department of Justice called us.

Donald: Those hackers were clever.

Joe: You're damn right they were. They had gained access to the firm’s multifactor authentication system and were conducting counterintelligence against one of their biggest foes.

Donald: Who was that?

Joe: Mandiant.

Donald: And did Mandiant catch them?

Joe: Yeah, they did. But here's the thing, Don. Mandiant had investigated an intrusion on a server running the same SolarWinds software months earlier.

Donald: No way.

Joe: Yeah, way. And they didn't recognize the similarity between the two cases.

Donald: Why not?

Joe: Internal secrecy, man. And SolarWinds was the source of the hack.

Donald: That's what caused all the anger, huh?

Joe: You got it. And the US government won't say what the hackers did inside its networks. People are saying they don't want to admit their failures.


Great use. I'm assuming you used the API for that long of a text?


How was that summarized?


It says something about how long the original article was.


I had good luck with bing chat and the prompt "pretend you are the author of the article in a conversational voice, tell me what I need to know from the article."

It returned:

Hi, I’m Kim Zetter, the author of the article. I’m glad you’re interested in learning more about the SolarWinds hack, which was one of the most audacious and sophisticated cyberattacks in history. Here’s what you need to know:

The hackers were a group of Russian spies from the SVR, the same agency that hacked the Democratic National Committee in 2016. They were after intelligence and secrets from various targets, including the US government, defense contractors, tech companies, and think tanks.

They compromised SolarWinds by breaking into its network and inserting a malicious code into its Orion software, which is used by thousands of organizations to monitor and manage their IT systems. The code was hidden in a legitimate update that SolarWinds sent to its customers in March 2020. The code created a backdoor on the machines that installed the update, allowing the hackers to communicate with them and send commands. The hackers then used a variety of techniques to move laterally across the networks, evade detection, and steal data. They also used other methods to access some targets that did not use Orion.

The hackers were very careful and selective in their operations. They only activated the backdoor on about 300 of the 18,000 infected customers, and they only exfiltrated data from about 100 of them. They also used different infrastructure and tools for each target, making it harder to track them.

The hackers were discovered by two security firms: Volexity and FireEye.

Volexity noticed the hackers stealing email from a think tank client in late 2019 and again in mid-2020. FireEye noticed the hackers stealing its own hacking tools in December 2020. Both firms traced the source of the intrusion to SolarWinds’ Orion software and alerted the authorities and the public.

The discovery of the hack triggered a massive response from the US government and the private sector. The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all federal agencies to disconnect Orion from their networks. The FBI, NSA, and other agencies launched a joint investigation and attributed the attack to Russia. SolarWinds and other affected companies worked with security experts to patch their systems and remove the hackers. Congress held hearings and passed legislation to improve cybersecurity. The hack exposed the vulnerability of the software supply chain and the challenges of defending against sophisticated adversaries. It also raised questions about the role of private companies in national security and the need for more cooperation and information sharing among different stakeholders. The hack also highlighted the importance of having strong cybersecurity practices and policies, such as monitoring network activity, segmenting networks, enforcing multi-factor authentication, and updating software regularly.

I hope this gives you a good overview of what happened and why it matters. If you want to learn more details, you can read my article or check out some of the sources I cited.


Interesting, the first thing this says is the thing the current top comment remarks is insinuated but never proven, completely without evidence.

I wonder if we'll ever see machine generated summaries used to call out behaviors that are presently subtle and difficult to deal with.


Summary is incorrect. Volexity investigated a hack that came through the SolarWinds exploit but did not chase it down and didn’t find the exploit. In the article’s wrap up, the CEO regrets not figuring it out when they first stumbled upon it.



