SolarWinds Breach: “The Week Has Literally Exploded.” This week I’m dedicating the Security Roundup to looking at the devastating impact of the recently discovered massive hacking attack against the U.S. Government and what appears to be thousands of companies and other organizations. Geekwire quotes security expert Alex Gounares as saying: “The week has literally exploded. It is tough to overstate the impact of the SolarWinds breach.”
Hacked Networks Will Need to be Burned “Down to the Ground.” The Los Angeles Times carries an article headlined “Hacked U.S. government networks will need to be burned ‘down to the ground.’” The article begins: “It’s going to take months to kick elite hackers widely believed to be Russian out of the U.S. government networks they have been quietly rifling through since as far back as March in Washington’s worst cyberespionage failure on record.” The article notes that “There simply are not enough skilled threat-hunting teams to identify all the government and private-sector systems that may have been hacked.” It quotes Bruce Schneier, a security expert and Harvard fellow as saying: “We have a serious problem. We don’t know what networks they are in, how deep they are, what access they have, what tools they have left.” Schneier goes on to say the only way to be sure a network is clean is “to burn it down to the ground and rebuild it.” If that isn’t frightful enough, Schneier goes on to describe the situation as living in a mansion that you know has been visited by a serial killer. “You don’t know if he’s gone. How do you get work done? You kind of just hope for the best.”
“It May Take Years” to find where “the Russians Hid Themselves and Their Code.” The Wall Street Journal carries an opinion piece “The Cyber Threat Is Real and Growing,” that says: “The SolarWinds breach could be the most significant cyber incident in American history. Russian intelligence—likely the SVR, the foreign-intelligence branch—infiltrated and sat undetected on U.S. government networks for nearly 10 months. It was a sophisticated, smart and savvy attack that should alarm the public and private sectors.” The author, Mike Rogers, who was chairman of the House Permanent Select Committee on Intelligence, 2011-15, notes: “Turning off the system and uninstalling SolarWinds software isn’t enough. It may take years and thousands of hours to unpack fully where the Russians hid themselves and their code.”
The Threat is Everywhere. The SolarWinds breach was insidious because it was a “software supply chain” attack: the bad actors penetrated so deeply into SolarWinds, maker of Orion, a widely used network monitoring tool, that they were able to plant malicious software into SolarWinds’ own software updates. This means the malware arrived hidden within code from a trusted source, through the vendor’s normal update channel, so customers installed it as a routine upgrade. CSO Online, in an article that points to how widespread the threat could be, writes: “On a page on its website that was taken down after news broke out, SolarWinds stated that its customers included 425 of the US Fortune 500, the top ten US telecommunications companies, the top five US accounting firms, all branches of the US Military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide.” Chillingly, Politico reports that “Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.”
Please Use Strong Passwords, NOT “solarwinds123.” By all accounts the attack was multifaceted, complex, and precisely engineered—and not simply taking advantage of a weak password. However, The New York Times reports that: “The company did not have a chief information security officer, and internal emails shared with The New York Times showed that employees’ passwords were leaking out on GitHub last year. Reuters earlier reported that a researcher informed the company last year that he had uncovered the password to SolarWinds’ update mechanism — the vehicle through which 18,000 of its customers were compromised. The password was ‘solarwinds123.’”
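The “solarwinds123” password is a textbook case of a credential built from the organization’s own name plus a short numeric suffix, which is exactly the kind of guess an attacker tries first. As an added illustration (this is example code written for this roundup, not anything from SolarWinds or the reporting above), the Python below shows the check an identity team would put in front of password changes: it strips trailing digits and symbols, undoes common leetspeak, and then flags passwords that are too short, sit on a small deny list, or are derived from the organization’s name. The deny list and the organization tokens are constructed for the example; a real deployment would back the common-password check with a breached-password corpus.

```python
from __future__ import annotations

import re
from typing import Iterable

# Constructed deny list for this example only. In production, back this with a
# breached-password corpus (for example a k-anonymity lookup against a leak database).
COMMON_PASSWORDS = {
    "password", "welcome", "admin", "letmein", "qwerty",
    "123456", "changeme", "summer2020", "winter2020",
}

# Reverse leetspeak so "s0larw1nds" normalises to "solarwinds" before matching.
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalise(pw: str) -> str:
    """Lower-case the password, drop leading/trailing digits and symbols
    ("solarwinds123!" -> "solarwinds"), then undo leetspeak on what is left."""
    core = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", core)   # trailing "123", "2020!", etc.
    core = re.sub(r"^[\d\W_]+", "", core)   # leading digits/symbols
    return core.translate(LEET)


def weakness_reasons(pw: str, org_tokens: Iterable[str], min_len: int = 14) -> list[str]:
    """Return the reasons a candidate password should be rejected; an empty
    list means it passed every check here.

    org_tokens: names an attacker would associate with the target, e.g. the
    company name, product names, domain labels. Multi-word tokens are also
    matched word by word (words of four or more characters)."""
    reasons: list[str] = []

    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")

    core = normalise(pw)

    # Check both the raw lower-cased value and the normalised core so that
    # "123456" and "P4ssw0rd!" are both caught.
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("common password")

    for tok in org_tokens:
        words = {tok.lower()} | {w.lower() for w in tok.split() if len(w) >= 4}
        # Either the org name appears inside the password, or the password is
        # a fragment of the org name (e.g. "solar" for "SolarWinds").
        derived = any(len(w) >= 4 and w in core for w in words) or (
            len(core) >= 4 and any(core in w for w in words)
        )
        if derived:
            reasons.append(f"derived from organisation name '{tok}'")
            break

    return reasons


def is_acceptable(pw: str, org_tokens: Iterable[str], min_len: int = 14) -> bool:
    """Convenience wrapper for a password-change hook: True if no weakness found."""
    return not weakness_reasons(pw, org_tokens, min_len)


if __name__ == "__main__":
    # Constructed inputs: the organisation name is the only real-world value here.
    org = ["SolarWinds"]
    for candidate in ("solarwinds123", "S0larW1nds2020!", "P4ssw0rd!", "correct-horse-battery-staple"):
        print(f"{candidate!r:32} -> {weakness_reasons(candidate, org) or 'ok'}")
```

Normalisation runs before the organisation-name match, so suffix and leetspeak variants of the same root (“SolarWinds2020!”, “S0larW1nds”) are rejected together with the plain form; the length check is independent, so a long passphrase that does not reference the organisation passes even though it contains no digits or symbols.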
Insecure Software Opened the Door. Politico carries an article “How U.S. agencies’ trust in untested software opened the door to hackers,” that says “The government doesn’t do much to verify the security of software from private contractors. And that’s how suspected Russian hackers got in.” The article quotes Sen. Ron Wyden (D-Ore.) as saying: “It is incredibly self-defeating for federal agencies to spend billions on security and then give government contracts to companies with insecure products.”
On the Bright Side . . . “Those of Us on the Side of the Angels.” The Register managed to find a bright side to the SolarWinds attack and the “Sunburst” backdoor it installs, noting that “We have to be smarter than the baddies and expect the unexpected.” The article tips a hat to the sophistication of the ‘baddies,’ saying: “It revealed a very good knowledge of not only the fabric of modern IT infrastructure, but the psychology of those who develop for and maintain it. Beautifully obfuscated, delicate in its use of steganography and layers of diversion. Sunburst will trigger another round in the arms race between hackers and opsec researchers.” The Register sees the bright side as the need to evolve our knowledge: “The best aspect of Sunburst, which will become apparent over time, is that it is a highly evolved real disaster of substantial impact. Those of us on the side of the angels have to take this chance to evolve ourselves.”
Clinton A. Pownall is the President & CEO of Computer Business Consultants and has been in the IT field since 1990. Pownall served in the U.S. Navy for six years as a Weapons Systems Technician and has a Bachelor of Science in Computer Engineering. Through Computer Business, he was one of the first to pioneer VoIP technology using satellite communications. Pownall serves on several boards and committees and has a strong affiliation with various education groups and local school districts, and served in regional efforts of the Bill & Melinda Gates NextGen Foundation. He serves as a Vice President of the Board of Directors for the Orlando Shakes Theater and is heavily involved in the South Lake Chamber of Commerce, West Orange Chamber of Commerce, and the Orlando Economic Partnership.