A hack of Austin-based SolarWinds’ Orion IT software is “ongoing,” and is “remarkable for its scope, sophistication and impact,” in the words of Microsoft president Brad Smith. Russian government hackers have infiltrated the systems of up to 18,000 SolarWinds customers who downloaded a compromised Orion software update. The “supply chain attack” works by hiding malicious code in legitimate software updates.
SolarWinds clients include most Fortune 500 companies, all major telecommunications providers, every branch of the U.S. military, the State Department, the National Security Agency, the U.S. Treasury, the Pentagon, Los Alamos National Laboratory, the departments of Commerce, Veterans Affairs, and Homeland Security, and the Office of President of the United States.
Sen. Richard Blumenthal confirmed in a tweet that Russia was to blame, citing a classified congressional briefing.
The Russian foreign ministry denies involvement.
This vulnerability was reportedly present as early as March. The breaches may be connected to a broad campaign involving a recently disclosed hack on FireEye, a U.S. cybersecurity company with government contracts.
The Washington Post said the attack was carried out by Russian government hackers known as APT29 or Cozy Bear and are part of that nation’s foreign intelligence service.
SBS CyberSecurity explained:
Two cybersecurity defense and research organizations – Mandiant (FireEye) and Crowdstrike – track and monitor threat actors across the globe. Advanced Persistent Threat (APT) groups are numerically named by Mandiant, and depending on the country. Crowdstrike names APT groups by animals. For example, a China APT group would be designated with “Panda,” Russian groups with “Bear,” and Iran with “Kitten.”
An APT is an attack (typically performed by state-sponsored hacking groups and/or organized crime syndicates) that occurs when an unauthorized user utilizes advanced and sophisticated techniques to gain access to a system or network. APTs are more concerning than the everyday “hacker,” as they typically target high-value organizations and governments with the goal of stealing information over a long period of time. A regular hacker would gain access to a system, do what they needed, and leave quickly. However, an APT group tends to hack and use small businesses as steppingstones to reach larger organizations because the smaller organizations are not as well defended.
The Intercept covers how the breach affects Austin:
By compromising the network of America’s 11th-most populous city, (hackers) could theoretically access sensitive information on policing, city governance, and elections, and, with additional effort, burrow inside water, energy, and airport networks.
The hacking outfit believed to be behind the Austin breach, Berserk Bear, also appears to have used Austin’s network as infrastructure to stage additional attacks.
While the attacks on SolarWinds, FireEye, and U.S. government agencies have been linked to a second Russian group — APT29, also known as Cozy Bear — the Austin breach represents another battlefront in a high-stakes cyber standoff between the United States and Russia. Both Berserk Bear and Cozy Bear are known for quietly lurking in networks, often for months, while they spy on their targets. Berserk Bear …is also known as Energetic Bear, Dragonfly, TEMP.Isotope, Crouching Yeti, and BROMINE.
Berserk Bear is suspected to be a unit of Russia’s Federal Security Service, or FSB. Cozy Bear, the group behind the attacks on federal government agencies, is affiliated with the Russian Foreign Intelligence Service, or SVR. Both the SVR and the FSB are considered successors to the Soviet-era KGB.
The Austin City Council appears to have been aware of the breach since October. CISA and FBI published an initial advisory on October 9 warning of “advanced persistent threat actors,” or APTs, targeting state and local governments, before publishing a follow-up advisory on October 22 in which the agencies attributed the campaign to Berserk Bear. Four days after the initial advisory, on October 13, the City Council went into a closed meeting to discuss “confidential network security information,” according to the posted agenda.
The council discussed the topic again two days later during an executive session of its regular meeting, according to that agenda. The portions of the meetings in which the council discussed network security were closed to the public, and the agendas cited an exemption in the state’s rules governing open meetings related to “the vulnerability of a network to criminal activity.”
An assistant to Mayor Steve Adler declined to comment, as did three other council members. “Any info council would have received on this would have been in executive session, and as such, any council member would not be able to comment,” a staffer for a fourth council member wrote in an email. The remaining six members did not respond to The Intercept’s questions.
On December 8, according to a transcript of the City Council meeting, the city authorized a $2.4 million contract for cyber liability insurance — a product that typically covers losses from data breaches and hacks.
SBS CyberSecurity says Cozy Bear is also responsible for attacks on the Pentagon (2015) and a phishing campaign in the USA (2018).
With Trump silent, reprisals for hacks may fall to President-elect Joe Biden, who says his new administration “will make dealing with this breach a top priority from the moment we take office.”
A response might include criminal charges, sanctions or retaliations in cyberspace. Exposing Kremlin corruption, including how Russian President Vladimir Putin accrues and hides his wealth, may amount to even more formidable retaliation.
Trump’s response, or lack thereof, is being closely watched because of his preoccupation with a fruitless effort to overturn the results of last month’s election and because of his reluctance to acknowledge Russian interference (in his favor) in the 2016 presidential election.
As reported by Texas Monthly, SolarWinds is valued at more than $6 billion and earned $938.5 million in revenue last year. In 2016, the company went private after being acquired for $4.5 billion by private equity firms Silver Lake Partners and Thoma Bravo. In 2018, SolarWinds hit the stock market again with an IPO that valued the company at $4.57 billion.
Major changes were afoot before the hacking news, some of them now under scrutiny by the Securities and Exchange Commission. Silver Lake and Thoma Bravo sold about $286 million worth of shares in the company shortly before the breach was disclosed. Thompson announced his resignation two days later. SolarWinds named Pulse Secure CEO Sudhakar Ramakrishna as Thompson’s successor and had been working to spin off its SolarWinds MSP remote management business into its own company.
From the SolarWinds site:
SolarWinds’ comprehensive products and services are used by more than 275,000 customers worldwide, including military, Fortune 500 companies, government agencies, and education institutions. Our customer list includes:
- More than 425 of the US Fortune 500
- All ten of the top ten US telecommunications companies
- All five branches of the US Military
- The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
- All five of the top five US accounting firms
- Hundreds of universities and colleges worldwide
Partial customer listing:
Best Western Intl.
Blue Cross Blue Shield
Booz Allen Hamilton
Cable & Wireless
Cablecom Media AG
City of Nashville
City of Tampa
Ernst and Young
Federal Reserve Bank
Ford Motor Company
Gillette Deutschland GmbH
Johns Hopkins University
Kennedy Space Center
Leggett and Platt
Level 3 Communications
National Park Service
New York Power Authority
New York Times
Nielsen Media Research
Perot Systems Japan
Procter & Gamble
San Francisco Intl. Airport
Smart City Networks
St. John’s University
Time Warner Cable
U.S. Air Force
University of Alaska
University of Kansas
University of Oklahoma
US Dept. Of Defense
US Postal Service
US Secret Service