"The tradecraft was … Malwarebytes is illustrative of that tension in another key way; the Russian hackers who compromised it got in through a method other than SolarWinds. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack. "When we looked at [it], it could have been reconfigured for any number of software products," Meyers said. "They'd washed the code," Meyers said. Would it give companies such as Volexity and Palo Alto Networks somewhere to go when they see a problem? Whatever the reason SolarWinds ended up in the crosshairs, the attack revealed the U.S. cyber community's spectacular inability to connect the dots. Suspected Russian hack is much worse than first feared: Here's what you need to know. To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. The SolarWinds hack was discovered late last year. Russians were likely behind the SolarWinds hack that breached U.S. government networks, according to a joint statement issued by several U.S. agencies on Tuesday. In … He was hired shortly before the breach was discovered and stepped into the job just as the full extent of the hack became clear. The SolarWinds attackers ran a master class in novel hacking techniques. — CNBC's Jordan Novet contributed to this report. He was hired as the SolarWinds CEO shortly before the breach was discovered and stepped into the top job just as the full extent of the hack became clear. What that did is allow the hackers to look like they were "speaking" Orion, so their message traffic looked like a natural extension of the software. Will we find out later that the SolarWinds hack set the stage for something more sinister? In late 2020, the American cyber-security community discovered a widespread breach of private-sector and government networks.
30% of Russian hack victims had NOT even installed SolarWinds. President Trump on Dec. 19 said he had been briefed on the hack but suggested he did not believe it was Russia and that it "may be China." Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. But there was something else about that code that bothered Meyers: It wasn't just for SolarWinds. She is preparing an order that would require companies that work with the U.S. to meet certain software standards, and federal agencies would be required to adopt certain basic security practices. Even so, there are parts of this story that may sound familiar: missed opportunities, hints of a problem that were ignored, the failure of U.S. intelligence officials to connect the dots. The hackers' malicious code told the machine to swap in their temporary file instead of the SolarWinds version. The hackers attached their malware to a … "But to see it happen, that's where you have a little bit of shock and surprise." Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion's software and then used it as a vehicle for a massive cyberattack against America. Shortly after the attack, though, that particular page on the marketing website was taken down. "I've thought about this quite a bit as to why us, why not somebody else," he said. We don't know the exact numbers. "And that response, because it impacts both, you almost need a triage that both sides, both private and public sector, benefit from, similar to the NTSB." Industry experts say a country mounted the complex hack — and government officials say Russia is responsible.
"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks," the joint statement says. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. Brown, vice president of security at SolarWinds, took the Saturday morning phone call. "This little snippet of code doesn't do anything," Meyers said. To investigate a hack, you have to secure a digital crime scene. In other words, does the overhaul of SolarWinds' security practices add up to an admission that something was wrong, or is it simply a responsible upgrade? A Biden administration official told reporters during a background briefing Thursday that one reason the White House responded so strongly to the SolarWinds attack is because these kinds of hacks put an undue burden on private companies. "In doing so, they demonstrated not just technical acumen, but the way they did this demonstrated that they understand how tech companies operate, how software companies operate." Brandon Wales, … Gareth Corfield Thu 15 Apr 2021 // 15:49 UTC. "OK, it's here now, nations are targeting [the] private sector, there's no magic wand you can shake." Kumar said he sent a message to SolarWinds in November and got an automated response back thanking him for his help and saying the problem had been fixed. "It just felt like the breach that I was always worried about."
When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert's Dune novels. SolarWinds Says Russian Group Likely Took Data During Cyber-Attack. It, too, began with tainted software, but in that case the hackers were bent on destruction. They can see suspicious activity in much the same way a satellite might see troops amassing on the border. None of the tripwires put in place by private companies or the government seems to have seen the attack coming. "None of us could pinpoint a supply chain attack at that point," Ramakrishna told NPR. The downside of breaking into so many customer networks all at once is that it is hard to decide what to exploit first. According to the U.S. and U.K. governments, the SolarWinds attack was conducted by the Russian Foreign Intelligence Service, the SVR (also known as APT29, Cozy Bear, or the Dukes). Shortly after he arrived, he published a long blog post providing what was essentially an 11-point plan to improve company security. They are very hard to track. Just as detectives in the physical world have to bag the evidence and dust for prints for the investigation later, SolarWinds had to pull together computer logs, make copies of files, ensure there was a recorded chain of custody, all while trying to ensure the hackers weren't inside its system watching everything they did. By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack's tiny beating heart.
An NPR investigation into the SolarWinds attack reveals a hack unlike any other, launched by a sophisticated adversary intent on exploiting the soft underbelly of our digital lives. The U.S. has sanctioned Russia for the sophisticated and damaging SolarWinds hack in 2020 that alarmed security firms and sent shock waves … "You feel a kind of horror." Alex Stamos, director of the Internet Observatory at Stanford University and former head of security at Facebook. The White House has said Russian intelligence was behind the hack. Kevin Mandia, CEO of the cybersecurity firm FireEye, said the Russians didn't just attack SolarWinds, they took aim at trust. "I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force." Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. "When the Boeing 737 Maxes started crashing, there was a government agency whose entire job it was to gather up the facts of all those different crashes and then come up with a theory of what needed to be fixed and then oversaw the fixes that went into that," Stamos said. The SolarWinds attackers were masters in novel hacking techniques. A spokesman at the Justice Department, which uses SolarWinds software, declined to comment. That's one of the key reasons SolarWinds decided to go public, Ramakrishna said. Mandia envisions a review board for significant incidents where intelligence is gathered and the nation finds a way to defend itself appropriately.
The hack, which allegedly began in early 2020, was discovered only … In addition, software companies such as SolarWinds could be required to have their so-called build systems — the place where they assemble their software — air-gapped, which means they would not be connected to the Internet. The first indication that hackers had found their way into FireEye's networks came in an innocuous way. White House deputy national security adviser Anne Neuberger speaks during a press briefing, Wednesday, Feb. 17, 2021, in Washington. The company worked with DHS to craft a statement that went out on Dec. 13. "... And I think there's a lot that we all need to do to work together to stop this from happening." "So they could then say, 'OK, we're going to go after this dot gov target or whatever,' " Meyers said. Adair said he didn't feel he had enough detail to report the problem to SolarWinds or the U.S. government. A federal review might help with one of the issues that has plagued cyberspace up to now: how to ensure software and hardware vendors disclose hacks when they discover them. "When there's cyber-espionage conducted by nations, FireEye is on the target list," Kevin Mandia, CEO of the cybersecurity firm FireEye, told NPR, but he believes there are other less obvious targets that now might need more protecting. Those suspected of carrying out the Russian hack were intelligence agents, primarily from the SVR, which is widely regarded as the modern-day successor to the KGB, the secret police of earlier years. "I wouldn't say that was the reason we were targeted." Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline.
"And honestly, even after implementing these 11 things, I'll be looking for the next 11 things to work on because the adversaries are becoming smarter and smarter every single day." "I've been in situations where, while you're in there doing the investigation, [hackers are] watching your email, they're compromising your phone calls or your Zooms," he said. The joint statement was issued by the Federal Bureau of Investigation, the Cybersecurity and Infrastructure Security Agency, the Office of the Director of National Intelligence and the National Security Agency. "Oftentimes what happens is people conduct investigations, identify learnings and then implement something like this," he said. Microsoft, which had tallied 40 victims as of Dec. … "Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020," Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. "As you think about this, we are deployed in more than 300,000 customers today." This was a very patient adversary. What the hackers did after that was the trick. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. Its victims had to download the tainted update and then actually deploy it. Ron Plesco, a lawyer with the firm DLA Piper, has made cybercrimes a specialty of his practice. While a lot of companies do that, the SolarWinds site was very specific. "They'd cleaned it of any human artifact or tool mark." Holy s***, he thought to himself, who does that? Ramakrishna said the hackers were "a lot more sophisticated" than that. The SVR is Russia's civilian foreign intelligence service and is reportedly a … At that point, the code is clean and tested. It was Russia wot did it: SolarWinds hack was done by Kremlin's APT29 crew, say UK and US. And Positive Technologies has been slapped with American sanctions.
Ramakrishna said he wonders why, of all the software companies it had to choose from, the Russian intelligence service ended up targeting SolarWinds. The White House has said Russian intelligence was behind the hack. "I think utilities might be on that list." Russia, for its part, has denied any involvement. Beginning as early as March of 2020, SolarWinds unwittingly sent out software updates to its customers that included the hacked … But this, Meyers said, was interesting, too. Intelligence officials worry that SolarWinds might presage something on that scale. After that initial success, the hackers disappeared for five months. Alyza Sebenius. "The ticket got closed as a result of that." Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. SolarWinds' chief security officer, Brown, called Ron Plesco, a lawyer at the firm DLA Piper, and told him what had happened. Thornton-Trump used to work at SolarWinds and was on the security team. "It's a real complex issue to solve." SolarWinds CEO and President Sudhakar Ramakrishna inherited the attack. Russia has denied any involvement. In a Dec. 13 statement on … Hackers broke … He said the password was shared by an intern and it was "not an account that was linked to our active directory." In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client's computers. For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies.
"And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue." The attack began with a tiny strip of code. They do this for a specific reason — it means everything they find is protected by attorney-client privilege and typically is not discoverable in court. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. In a way, that has given him an incredible freedom. If you break that seal, someone can see it and know that the code might have been tampered with. "We used that as another opportunity to reeducate everybody on password policies," he said. "And given the history of Russia's malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern." In that case, according to SolarWinds' Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back.