2020 United States federal government data breach
Date | |
---|---|
Duration | At least 8[11] or 9 months[12] |
Location | United States, United Kingdom, Spain, Israel, United Arab Emirates, Canada, Mexico, others[13] |
Type | Cyberattack, data breach |
Theme | Malware, backdoor, advanced persistent threat, espionage |
Cause | |
Target | U.S. federal government, state and local governments, and private sector |
First reporter | |
Suspects |
In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches.[1][28][29] The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access.[35] Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches.[1][36][37] Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.[36]
The attack, which had gone undetected for months, was first publicly reported on December 13, 2020,[25][26] and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce.[42] In the following days, more departments and private organizations reported breaches.[1][5][36]
The cyberattack that led to the breaches began no later than March 2020.[9][10] The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware.[43][21] A supply chain attack on Microsoft cloud services provided one way for the attackers to breach their victims, depending upon whether the victims had bought those services through a reseller.[16][17][18] A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided another avenue, if the victim used that software.[12][44] Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents,[23][24][14][15] and to perform federated authentication across victim resources via single sign-on infrastructure.[21][45][46]
In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution.[47][48] U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war.[49][4] President Donald Trump was silent for several days after the attack was publicly disclosed. He suggested that China, not Russia, might have been responsible for it, and that "everything is well under control".[50][51][52]
Background
[edit]SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack.[53][54] SolarWinds did not employ a chief information security officer or senior director of cybersecurity.[4][55] Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017.[54][53] SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software.[53] In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers.[56][53][57][54] Furthermore, SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.[58][59]
On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired.[60][61] That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds.[60] The firms denied insider trading.[60][62]
Methodology
[edit]Multiple attack vectors were used in the course of breaching the various victims of the incident.[63][64]
Microsoft exploits
[edit]If you think about data that is only available to the CEO, or data that is only available to IT services, [the attacker would get] all of this data.
The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure.[23][15][9][18]
At least one reseller of Microsoft cloud services was compromised by the attackers, constituting a supply chain attack that allowed the attackers to access Microsoft cloud services used by the reseller's customers.[16][17][18]
Alongside this, "Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached.[23][24] This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.[23][24]
Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.[14][15][65]
Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months.[9][39][66] This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems.[39][67][68] The presence of single sign-on infrastructure increased the viability of the attack.[46]
SolarWinds exploit
[edit]This is classic espionage. It's done in a highly sophisticated way ... But this is a stealthy operation.
Here, too, the attackers used a supply chain attack.[69] The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point.[70][53][58][59]
The attackers established a foothold in SolarWinds's software publishing infrastructure no later than September 2019.[71][72] In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion.[73][74] The first known modification, in October 2019, was merely a proof of concept.[8] Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure.[8]
In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them.[12][44][75][76][77] These users included U.S. government customers in the executive branch, the military, and the intelligence services (see Impact section, below).[9][78] If a user installed the update, this would execute the malware payload, which would stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers.[79][80][81][82] The communications were designed to mimic legitimate SolarWinds traffic.[70][83] If able to contact one of those servers, this would alert the attackers of a successful malware deployment and offer the attackers a back door that the attackers could choose to utilize if they wished to exploit the system further.[82][84] The malware started to contact command-and-control servers in April 2020, initially from North America and Europe and subsequently from other continents too.[85][82]
The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets.[79][12] Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt strike components,[86][83] and seeking additional access.[70][1] Because Orion was connected to customers' Office 365 accounts as a trusted 3rd-party application, the attackers were able to access emails and other confidential documents.[87] This access apparently helped them to hunt for certificates that would let them sign SAML tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory.[87][70][88] Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network.[5][89][90] Having accessed data of interest, they encrypted and exfiltrated it.[69][1]
The attackers hosted their command-and-control servers on commercial cloud services from Amazon, Microsoft, GoDaddy and others.[91] By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the Department of Homeland Security (DHS).[81][4][92]
FBI investigators in February 2021 found that a separate flaw in software made by SolarWinds Corp was used by hackers tied to another foreign government to help break into U.S. government computers.[93]
VMware exploits
[edit]Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers.[21][22] As of December 18, 2020, while it was definitively known that the SUNBURST trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.[21][22]
Discovery
[edit]Microsoft exploits
[edit]During 2019 and 2020, cybersecurity firm Volexity discovered an attacker making suspicious usage of Microsoft products within the network of a think tank whose identity has not publicly been revealed.[94][95][14] The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel, and used a novel method to bypass multi-factor authentication.[14] Later, in June and July 2020, Volexity observed the attacker utilizing the SolarWinds Orion trojan; i.e. the attacker used Microsoft vulnerabilities (initially) and SolarWinds supply chain attacks (later on) to achieve their goals.[14] Volexity said it was not able to identify the attacker.[14]
Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to CrowdStrike.[96] That attack failed because - for security reasons - CrowdStrike does not use Office 365 for email.[96]
Separately, in or shortly before October 2020, Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting zerologon, a vulnerability in Microsoft's NetLogon protocol.[23][24] This was reported to CISA, who issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised.[23][97] Using VirusTotal, The Intercept discovered continued indicators of compromise in December 2020, suggesting that the attacker might still be active in the network of the city government of Austin, Texas.[23]
SolarWinds exploit
[edit]On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker.[98][99][100][101] FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service.[27][102] FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft.[103][104]
After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks.[1] The NSA is not known to have been aware of the attack before being notified by FireEye.[1] The NSA uses SolarWinds software itself.[1]
Some days later, on December 13, when breaches at the Treasury and Department of Commerce were publicly confirmed to exist, sources said that the FireEye breach was related.[9][27] On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion.[56][105]
The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020.[75][86] FireEye named the malware SUNBURST.[19][20] Microsoft called it Solorigate.[53][20] The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by cybersecurity firm CrowdStrike, who called it SUNSPOT.[71][106][74]
Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.[8]
July 2021 analysis published by the Google Threat Analysis Group found that a "likely Russian government-backed actor" exploited a zero-day vulnerability in fully-updated iPhones to steal authentication credentials by sending messages to government officials on LinkedIn.[107]
VMware exploits
[edit]Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager.[21] VMware released patches on December 3, 2020.[21] On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.[21][108]
Responsibility
[edit]Conclusions by investigators
[edit]SolarWinds said it believed the malware insertion into Orion was performed by a foreign nation.[9][10] Russian-sponsored hackers were suspected to be responsible.[109][9][25] U.S. officials stated that the specific groups responsible were probably the SVR or Cozy Bear (also known as APT29).[27][26] FireEye gave the suspects the placeholder name "UNC2452";[70][14] incident response firm Volexity called them "Dark Halo".[14][95] On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR.[110] One security researcher offers the likely operational date, February 27, 2020, with a significant change of aspect on October 30, 2020.[111]
In January 2021, cybersecurity firm Kaspersky said SUNBURST resembles the malware Kazuar, which is believed to have been created by Turla,[112][106][113][114] a group known from 2008 that Estonian intelligence previously linked to the Russian federal security service, FSB.[115][116][93]
Statements by U.S. government officials
[edit]On October 22, 2020, CISA and the FBI identified the Microsoft zerologon attacker as Berserk Bear, a state-sponsored group believed to be part of Russia's FSB.[23]
On December 18, U.S. Secretary of State Mike Pompeo said Russia was "pretty clearly" responsible for the cyber attack.[117][118][119]
On December 19, U.S. president Donald Trump publicly addressed the attacks for the first time, downplaying its severity and suggesting without evidence that China, rather than Russia, might be responsible.[51][50][119][52] The same day, Republican senator Marco Rubio, acting chair of the Senate Intelligence Committee, said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."[37][120]
On December 20, Democratic senator Mark Warner, briefed on the incident by intelligence officials, said "all indications point to Russia."[121]
On December 21, 2020, former Attorney General William Barr said that he agreed with Pompeo's assessment of the origin of the cyberhack and that it "certainly appears to be the Russians," contradicting Trump.[122][123][124]
On January 5, 2021, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence, all confirmed that they believe Russia was the most likely culprit.[125][126][127] On June 10, 2021, FBI Director Christopher Wray attributed the attack to Russia's SVR specifically.[128]
Denial of involvement
[edit]The Russian government said that it was not involved.[129]
The Chinese foreign ministry said in a statement, "China resolutely opposes and combats any form of cyberattacks and cyber theft."[93]
Impact
[edit]SolarWinds said that of its 300,000 customers, 33,000 use Orion.[1] Of these, around 18,000 government and private users downloaded compromised versions.[1][5][130]
Discovery of the breaches at the U.S. Treasury and Commerce Departments immediately raised concerns that the attackers would attempt to breach other departments, or had already done so.[67][25] Further investigation proved these concerns to be well-founded.[1] Within days, additional federal departments were found to have been breached.[1][131][6] Reuters quoted an anonymous U.S. government source as saying: “This is a much bigger story than one single agency. This is a huge cyber espionage campaign targeting the U.S. government and its interests.”[9]
Compromised versions were known to have been downloaded by the Centers for Disease Control and Prevention, the Justice Department, and some utility companies.[1] Other prominent U.S. organizations known to use SolarWinds products, though not necessarily Orion, were the Los Alamos National Laboratory, Boeing, and most Fortune 500 companies.[1][132] Outside the U.S., reported SolarWinds clients included parts of the British government, including the Home Office, National Health Service, and signals intelligence agencies; the North Atlantic Treaty Organization (NATO); the European Parliament; and likely AstraZeneca.[5][36] FireEye said that additional government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East may also have been affected.[5]
Through a manipulation of software keys, the hackers were able to access the email systems used by the Treasury Department's highest-ranking officials. This system, although unclassified, is highly sensitive because of the Treasury Department's role in making decisions that move the market, as well as decisions on economic sanctions and interactions with the Federal Reserve.[124]
Simply downloading a compromised version of Orion was not necessarily sufficient to result in a data breach; further investigation was required in each case to establish whether a breach resulted.[1][133] These investigations were complicated by: the fact that the attackers had in some cases removed evidence;[63] the need to maintain separate secure networks as organizations' main networks were assumed to be compromised;[63] and the fact that Orion was itself a network monitoring tool, without which users had less visibility of their networks.[69] As of mid-December 2020, those investigations were ongoing.[1][5]
As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used.[9][134] Commentators said that the information stolen in the attack would increase the perpetrator's influence for years to come.[58][135][82] Possible future uses could include attacks on hard targets like the CIA and NSA,[how?][4] or using blackmail to recruit spies.[136] Cyberconflict professor Thomas Rid said the stolen data would have myriad uses.[134] He added that the amount of data taken was likely to be many times greater than during Moonlight Maze, and if printed would form a stack far taller than the Washington Monument.[134]
Even where data was not exfiltrated, the impact was significant.[48] The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset.[137] Anti-malware companies additionally advised searching log files for specific indicators of compromise.[138][139][140]
However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review.[63][141] Former Homeland Security Advisor Thomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime.[47] Harvard's Bruce Schneier, and NYU's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely.[142][143]
The Justice Department disclosed in July 2021 that 27 of its federal prosecutors' offices around the country had been affected, including 80% of Microsoft email accounts breached in four New York offices. Two of the offices, in Manhattan and Brooklyn, handle many prominent investigations of white-collar crime, as well as of people close to former president Trump.[144][145]
List of confirmed connected data breaches
[edit]This section may contain an excessive number of citations. (July 2021) |
U.S. federal government
[edit]
U.S. state and local governments
[edit]Department | Affected part(s) include | Sources |
---|---|---|
Arizona | Pima County | [180][181] |
California | California Department of State Hospitals | [182] |
Ohio | Kent State University | [182] |
Texas | City of Austin | [23] |
Private sector
[edit]Organization | Assets accessed | Sources |
---|---|---|
Belkin | [182] | |
Cisco Systems | [183][184][185][153][181] | |
Cox Communications | [180][8][186][181] | |
Equifax | [185] | |
Fidelis | [187] | |
FireEye |
|
[151][156][80][75] |
Malwarebytes | [188][189][190] | |
Microsoft |
|
[43][161][191][192][193][194][195][3][196][197][185][153][154][155][164][198][199][200][201][202][203][204] |
Mimecast |
|
[205][206][207][208][209][210] |
Nvidia | [182] | |
Palo Alto Networks | [187] | |
Qualys | [187] | |
SolarWinds |
|
[151][156][80][197][196] |
A think tank (unnamed as of December 15, 2020) | [14][133][95][15][65][127] | |
VMware | [182] |
Investigations and responses
[edit]Technology companies and business
[edit]On December 8, 2020, before other organizations were known to have been breached, FireEye published countermeasures against the red team tools that had been stolen from FireEye.[102][211]
On December 15, 2020, Microsoft announced that SUNBURST, which only affects Windows platforms, had been added to Microsoft's malware database and would, from December 16 onwards, be detected and quarantined by Microsoft Defender.[212][75]
GoDaddy handed ownership to Microsoft of a command-and-control domain used in the attack, allowing Microsoft to activate a killswitch in the SUNBURST malware, and to discover which SolarWinds customers were infected.[56]
On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks.[1] On December 22, 2020, the North American Electric Reliability Corporation asked electricity companies to report their level of exposure to SolarWinds software.[213]
SolarWinds unpublished its featured customer list after the hack,[214] although as of December 15, cybersecurity firm GreyNoise Intelligence said SolarWinds had not removed the infected software updates from its distribution server.[56][58][215]
Around January 5, 2021, SolarWinds investors filed a class action lawsuit against the company in relation to its security failures and subsequent fall in share price.[216][217] Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs.[218]
The Linux Foundation pointed out that if Orion had been open source, users would have been able to audit it, including via reproducible builds, making it much more likely that the malware payload would have been spotted.[219]
U.S. government
[edit]On December 18, 2020, U.S. Secretary of State Mike Pompeo said that some details of the event would likely be classified so as not to become public.[73]
Security agencies
[edit]On December 12, 2020, a National Security Council (NSC) meeting was held at the White House to discuss the breach of federal organizations.[9] On December 13, 2020, CISA issued an emergency directive asking federal agencies to disable the SolarWinds software, to reduce the risk of additional intrusions, even though doing so would reduce those agencies' ability to monitor their computer networks.[1][137] The Russian government said that it was not involved in the attacks.[220]
On December 14, 2020, the Department of Commerce confirmed that it had asked the CISA and the FBI to investigate.[9][27][221] The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group.[222][223] The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations.[224]
The DOE helped to compensate for a staffing shortfall at CISA by allocating resources to help the Federal Energy Regulatory Commission (FERC) recover from the cyberattack.[159][69][160] The FBI, CISA, and the Office of the Director of National Intelligence (ODNI) formed a Cyber Unified Coordination Group (UCG) to coordinate their efforts.[225]
On December 24, 2020, CISA said state and local government networks, in addition to federal ones, and other organizations, had been impacted by the attack, but did not provide further details.[226]
The Cyber Safety Review Board did not investigate the underlying weakness.[227]
Congress
[edit]The Senate Armed Services Committee's cybersecurity subcommittee was briefed by Defense Department officials.[90] The House Committee on Homeland Security and House Committee on Oversight and Reform announced an investigation.[43] Marco Rubio, acting chair of the Senate Intelligence Committee, said the U.S. must retaliate, but only once the perpetrator is certain.[228] The committee's vice-chairman, Mark Warner, criticized President Trump for failing to acknowledge or react to the hack.[229]
Senator Ron Wyden called for mandatory security reviews of software used by federal agencies.[151][147]
On December 22, 2020, after U.S. Treasury Secretary Steven Mnuchin told reporters that he was "completely on top of this", the Senate Finance Committee was briefed by Microsoft that dozens of Treasury email accounts had been breached, and the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials.[46][124] Senator Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen".[46][124]
On December 23, 2020, Senator Bob Menendez asked the State Department to end its silence about the extent of its breach, and Senator Richard Blumenthal asked the same of the Veterans Administration.[230][231]
The judiciary
[edit]The Administrative Office of the United States Courts initiated an audit, with DHS, of the U.S. Judiciary's Case Management/Electronic Case Files (CM/ECF) system.[171][178] It stopped accepting highly sensitive court documents to the CM/ECF, requiring those instead to be accepted only in paper form or on airgapped devices.[173][174][175]
President Trump
[edit]President Donald Trump made no comment on the hack for days after it was reported, leading Senator Mitt Romney to decry his "silence and inaction".[232] On December 19, Trump publicly addressed the attacks for the first time; he downplayed the hack, contended that the media had overblown the severity of the incident, said that "everything is well under control"; and proposed, without evidence, that China, rather than Russia, might be responsible for the attack. Trump then pivoted to insisting that he had won the 2020 presidential election.[50][119][117][51][233] He speculated, without evidence, that the attack might also have involved a "hit" on voting machines, part of a long-running campaign by Trump to falsely assert that he won the 2020 election. Trump's claim was rebutted by former CISA director Chris Krebs, who pointed out that Trump's claim was not possible.[1][233][234] Adam Schiff, chair of the House Intelligence Committee, described Trump's statements as dishonest,[235] calling the comment a "scandalous betrayal of our national security" that "sounds like it could have been written in the Kremlin."[233]
Former Homeland Security Advisor Thomas P. Bossert said, "President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government," and noted that congressional action, including via the National Defense Authorization Act would be required to mitigate the damage caused by the attacks.[30][236][47]
President Biden
[edit]Then president-elect Joe Biden said he would identify and penalize the attackers.[64][3] Biden's incoming chief of staff, Ron Klain, said the Biden administration's response to the hack would extend beyond sanctions.[237] On December 22, 2020, Biden reported that his transition team was still being denied access to some briefings about the attack by Trump administration officials.[238][239]
In January 2021, Biden named appointees for two relevant White House positions: Elizabeth Sherwood-Randall as homeland security adviser, and Anne Neuberger as deputy national security adviser for cyber and emerging technology.[240]
In March 2021, the Biden administration expressed growing concerns over the hack, and White House Press Secretary Jen Psaki called it “an active threat”.[241] Meanwhile The New York Times reported that the US government was planning economic sanctions as well as "a series of clandestine actions across Russian networks" in retaliation.[242]
On April 15, 2021, the United States expelled 10 Russian diplomats and issued sanctions against 6 Russian companies that support its cyber operations, as well as 32 individuals and entities for their role in the hack and in Russian interference in the 2020 United States elections.[243][244][245]
Rest of the world
[edit]NATO said that it was "currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks."[36] On December 18, the United Kingdom National Cyber Security Centre said that it was still establishing the attacks' impact on the UK.[246] The UK and Irish cybersecurity agencies published alerts targeting SolarWinds customers.[129]
On December 23, 2020, the UK Information Commissioner's Office – a national privacy authority – told UK organizations to check immediately whether they were impacted.[110][247]
On December 24, 2020, the Canadian Centre for Cyber Security asked SolarWinds Orion users in Canada to check for system compromises.[248][249]
Cyber espionage or cyberattack?
[edit]The attack prompted a debate on whether the hack should be treated as cyber espionage, or as a cyberattack constituting an act of war.[250] Most current and former U.S. officials considered the 2020 Russian hack to be a "stunning and distressing feat of espionage" but not a cyberattack because the Russians did not appear to destroy or manipulate data or cause physical damage (for example, to the electrical grid).[251] Erica Borghard of the Atlantic Council and Columbia's Saltzman Institute and Jacquelyn Schneider of the Hoover Institution and Naval War College argued that the breach was an act of espionage that could be responded to with "arrests, diplomacy, or counterintelligence" and had not yet been shown to be a cyberattack, a classification that would legally allow the U.S. to respond with force.[252] Law professor Jack Goldsmith wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms" and wrote that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks."[253] Law professor Michael Schmitt concurred, citing the Tallinn Manual.[254]
By contrast, Microsoft president Brad Smith termed the hack a cyberattack,[251] stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure."[255][256] U.S. Senator Richard J. Durbin (D-IL) described the attack as tantamount to a declaration of war.[49][4]
Debate on possible U.S. responses
[edit]Writing for Wired, Borghard and Schneider opined that the U.S. "should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect". They also stated that because deterrence may not effectively discourage cyber-espionage attempts by threat actors, the U.S. should also focus on making cyber-espionage less successful through methods such as enhanced cyber-defenses, better information-sharing, and "defending forward" (reducing Russian and Chinese offensive cyber-capabilities).[252]
Writing for The Dispatch, Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks."[253]
Cybersecurity author Bruce Schneier advocated against retaliation or increases in offensive capabilities, proposing instead the adoption of a defense-dominant strategy and ratification of the Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace.[257]
In the New York Times, Paul Kolbe, former CIA agent and director of the Intelligence Project at Harvard's Belfer Center for Science and International Affairs, echoed Schneier's call for improvements in the U.S.'s cyberdefenses and international agreements. He also noted that the US is engaged in similar operations against other countries in what he described as an ambient cyber-conflict.[258]
See also
[edit]- Cyberwarfare in the United States
- Cyberwarfare by Russia
- EternalBlue
- Global surveillance disclosures (2013–present)
- List of data breaches
- Moonlight Maze
- Office of Personnel Management data breach
- Security dilemma
- The Shadow Brokers
- 2008 cyberattack on United States
- 2021 Microsoft Exchange Server data breach
- Vulkan files leak
References
[edit]- ^ a b c d e f g h i j k l m n o p q r s t u v w x y z Sanger, David E.; Perlroth, Nicole; Schmitt, Eric (December 15, 2020). "Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit". The New York Times. Archived from the original on December 18, 2020. Retrieved December 15, 2020.
- ^ a b Morath, Eric; Cambon, Sarah Chaney (January 14, 2021). "SolarWinds Hack Leaves Market-Sensitive Labor Data Intact, Scalia Says". The Wall Street Journal. Archived from the original on June 7, 2021. Retrieved January 14, 2021.
- ^ a b c d Turton, William; Riley, Michael; Jacobs, Jennifer (December 17, 2020). "Hackers Tied to Russia Hit Nuclear Agency; Microsoft Is Exposed". Bloomberg L.P. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ a b c d e f g h i Sanger, David E.; Perlroth, Nicole; Barnes, Julian E. (December 16, 2020). "Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack". The New York Times. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ a b c d e f g Stubbs, Jack; Satter, Raphael; Menn, Joseph (December 15, 2020). "U.S. Homeland Security, thousands of businesses scramble after suspected Russian hack". Reuters. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
- ^ a b c Fung, Brian. "Why the US government hack is literally keeping security experts awake at night". CNN. Archived from the original on December 17, 2020. Retrieved December 18, 2020.
- ^ a b Goodin, Dan (January 7, 2021). "DoJ says SolarWinds hackers breached its Office 365 system and read email". Ars Technica. Archived from the original on February 7, 2021. Retrieved January 11, 2021.
- ^ a b c d e Kovacs, Eduard (December 18, 2020). "SolarWinds Likely Hacked at Least One Year Before Breach Discovery". SecurityWeek.com. Archived from the original on February 18, 2021. Retrieved December 18, 2020.
- ^ a b c d e f g h i j k l m Bing, Christopher (December 14, 2020). "Suspected Russian hackers spied on U.S. Treasury emails – sources". Reuters. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ a b c d O'Brien, Matt; Bajak, Frank (December 15, 2020). "EXPLAINER: How bad is the hack that targeted US agencies?". Houston Chronicle. Archived from the original on December 14, 2020. Retrieved December 15, 2020.
- ^ "SolarWinds Orion: More US government agencies hacked". BBC. December 15, 2020. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ a b c d e Timberg, Craig; Nakashima, Ellen (December 14, 2020). "Russian hack was 'classic espionage' with stealthy, targeted tactics". The Washington Post. Archived from the original on December 14, 2020. Retrieved December 18, 2020.
- ^ Cook, James (December 18, 2020). "Microsoft warns UK companies were targeted by SolarWinds hackers". The Telegraph. Archived from the original on April 19, 2021. Retrieved December 21, 2020.
- ^ a b c d e f g h i j Kovacs, Eduard (December 15, 2020). "Group Behind SolarWinds Hack Bypassed MFA to Access Emails at US Think Tank". SecurityWeek.com. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ a b c d e Goodin, Dan (December 15, 2020). "SolarWinds hackers have a clever way to bypass multi-factor authentication". Ars Technica. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ a b c Nakashima, Ellen (December 24, 2020). "Russian hackers compromised Microsoft cloud customers through third party, putting emails and other data at risk". The Washington Post. Archived from the original on December 8, 2022. Retrieved March 24, 2023.
- ^ a b c Menn, Joseph; Satter, Raphael (December 24, 2020). "Suspected Russian hackers used Microsoft vendors to breach customers". Reuters. Archived from the original on March 24, 2021. Retrieved December 25, 2020.
- ^ a b c d Perlroth, Nicole (December 25, 2020). "Russians Are Believed to Have Used Microsoft Resellers in Cyberattacks". The New York Times. Archived from the original on May 31, 2021. Retrieved December 25, 2020.
- ^ a b Cimpanu, Catalin (December 14, 2020). "Microsoft, FireEye confirm SolarWinds supply chain attack". ZDNet. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ a b c Block, Bar (December 16, 2020). "Sunburst Trojan – What You Need to Know". Deep Instinct. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ a b c d e f g h i "VMware Flaw a Vector in SolarWinds Breach?". Krebs on Security. December 7, 2020. Archived from the original on March 11, 2021. Retrieved December 18, 2020.
- ^ a b c Bass, Dina; Wittenstein, Jeran (December 18, 2020). "VMware Falls on Report Its Software Led to SolarWinds Breach". Bloomberg.com. Archived from the original on March 26, 2021. Retrieved December 18, 2020.
- ^ a b c d e f g h i j k l m Hvistendahl, Mara; Lee, Micah; Smith, Jordan (December 17, 2020). "Russian Hackers Have Been Inside Austin City Network for Months". The Intercept. Archived from the original on December 17, 2020. Retrieved December 18, 2020.
- ^ a b c d e Lyngaas, Sean (September 21, 2020). "CISA orders agencies to quickly patch critical Netlogon bug". CyberScoop. Archived from the original on October 30, 2020. Retrieved December 18, 2020.
- ^ a b c d Bing, Christopher (December 13, 2020). "REFILE-EXCLUSIVE-U.S. Treasury breached by hackers backed by foreign government – sources". Reuters. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ a b c d e f Nakashima, Ellen (December 13, 2020). "Russian government spies are behind a broad hacking campaign that has breached U.S. agencies and a top cyber firm". The Washington Post. Archived from the original on December 13, 2020. Retrieved December 14, 2020.
- ^ a b c d e f "Federal government breached by Russian hackers who targeted FireEye". NBC News. December 14, 2020. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ "US cyber-attack: Russia 'clearly' behind SolarWinds operation, says Pompeo". BBC. December 19, 2020. Archived from the original on May 27, 2021. Retrieved December 19, 2020.
- ^ Kantchev, Georgi; Strobel, Warren P. (January 2, 2021). "How Russia's 'Info Warrior' Hackers Let Kremlin Play Geopolitics on the Cheap". Wall Street Journal. ISSN 0099-9660. ProQuest 2474544289. Archived from the original on January 8, 2021. Retrieved January 5, 2021.
- ^ a b Bossert, Thomas P. (December 17, 2020). "Opinion | I Was the Homeland Security Adviser to Trump. We're Being Hacked". The New York Times. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ Sebenius, Alyza; Mehrotra, Kartikay; Riley, Michael (December 14, 2020). "U.S. Agencies Exposed in Attack by Suspected Russian Hackers". Bloomberg.com. Bloomberg L.P. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ Fox, Ben (December 17, 2020). "Cyber attack may be 'worst hacking case in the history of America'". Las Vegas Review-Journal. Associated Press. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ Riotta, Chris (December 17, 2020). "US under major active cyberattack from Russia, Trump's former security adviser warns". The Independent. New York. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ Paul, Kari; Beckett, Lois (December 18, 2020). "What we know – and still don't – about the worst-ever US government cyber-attack". The Guardian. Archived from the original on December 20, 2020. Retrieved December 20, 2020.
- ^ [30][31][32][33][34]
- ^ a b c d e Gallagher, Ryan; Donaldson, Kitty (December 14, 2020). "U.K. Government, NATO Join U.S. in Monitoring Risk From Hack". Bloomberg.com. Bloomberg L.P. Archived from the original on December 15, 2020. Retrieved December 16, 2020.
- ^ a b Turton, William (December 19, 2020). "At Least 200 Victims Identified in Suspected Russian Hacking". Bloomberg. Archived from the original on April 6, 2021. Retrieved December 20, 2020.
- ^ Macias, Amanda (December 13, 2020). "White House acknowledges reports of cyberattack on U.S. Treasury by foreign government". CNBC. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ a b c Sanger, David E. (December 13, 2020). "Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect". The New York Times. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ Rosenberg, Adam (December 13, 2020). "Russian government-backed hackers breached the U.S. Treasury, Commerce departments". Mashable. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ Wade, Peter (December 13, 2020). "Treasury, Commerce, Other Agencies Hacked by Russian Government Spies, Report Says". Rolling Stone. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ [26][38][39][40][41]
- ^ a b c Menn, Joseph (December 18, 2020). "Microsoft says it found malicious software in its systems". Reuters. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ a b Wolff, Josephine (December 16, 2020). "What We Do and Don't Know About the Massive Federal Government Hack". Slate. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ Cimpanu, Catalin (December 18, 2020). "NSA warns of federated login abuse for local-to-cloud attacks". Zero Day. Ziff-Davis. Archived from the original on February 9, 2021. Retrieved December 19, 2020.
- ^ a b c d e Satter, Raphael (December 22, 2020). "'Dozens of email accounts' were hacked at U.S. Treasury -Senator Wyden". Reuters. Archived from the original on July 25, 2022. Retrieved March 25, 2023.
- ^ a b c Porter, Tom (December 17, 2020). "It could take years to evict Russia from the US networks it hacked, leaving it free to destroy or tamper with data, ex-White House official warns". Business Insider. Archived from the original on August 8, 2022. Retrieved March 24, 2023.
- ^ a b Barth, Bradley (December 15, 2020). "Here are the critical responses required of all businesses after SolarWinds supply-chain hack". SC Media. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ a b Gould, Joe (December 17, 2020). "No. 2 Senate Democrat decries alleged Russian hack as 'virtual invasion'". Defense News. Archived from the original on January 31, 2021. Retrieved December 21, 2020.
- ^ a b c Axelrod, Tal (December 19, 2020). "Trump downplays impact of hack, questions whether Russia involved". The Hill. Archived from the original on April 26, 2021. Retrieved December 19, 2020.
"The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)," Trump tweeted.
- ^ a b c Colvin, Jill; Lee, Matthew (December 19, 2020). "Trump downplays Russia in first comments on hacking campaign". Associated Press. Archived from the original on February 23, 2021. Retrieved December 20, 2020.
- ^ a b Stracqualursi, Veronica; Liptak, Kevin; Hansler, Jennifer (December 19, 2020). "Trump downplays massive cyber hack on government after Pompeo links attack to Russia". CNN. Archived from the original on May 13, 2021. Retrieved December 19, 2020.
- ^ a b c d e f Seals, Tara (December 16, 2020). "The SolarWinds Perfect Storm: Default Password, Access Sales and More". Threat Post. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ a b c Satter, Raphael; Bing, Christopher; Menn, Joseph (December 16, 2020). "Hackers used SolarWinds' dominance against it in sprawling spy campaign". Reuters. Archived from the original on December 17, 2020. Retrieved December 16, 2020.
- ^ Gallagher, Ryan (December 21, 2020). "SolarWinds Adviser Warned of Lax Security Years Before Hack". Bloomberg.com. Archived from the original on May 16, 2021. Retrieved December 22, 2020.
- ^ a b c d "SolarWinds Hack Could Affect 18K Customers". Krebs on Security. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ Varghese, Sam (December 15, 2020). "SolarWinds FTP credentials were leaking on GitHub in November 2019". itwire.com. Archived from the original on December 15, 2020. Retrieved December 17, 2020.
- ^ a b c d McCarthy, Kieren (December 15, 2020). "SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks". The Register. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ a b Claburn, Thomas (December 16, 2020). "We're not saying this is how SolarWinds was backdoored, but its FTP password 'leaked on GitHub in plaintext'". The Register. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ a b c Novet, Jordan (December 16, 2020). "SolarWinds hack has shaved 23% from software company's stock this week". CNBC. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ McCarthy, Kieren (December 16, 2020). "SolarWinds' shares drop 22 per cent. But what's this? $286m in stock sales just before hack announced?". The Register. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ "SolarWinds falls under scrutiny after hack, stock sales". MarketWatch. Associated Press. December 16, 2020. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ a b c d Menn, Joseph (December 18, 2020). "Microsoft says it found malicious software in its systems". Reuters. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ a b Sanger, David E.; Perlroth, Nicole (December 17, 2020). "More Hacking Attacks Found as Officials Warn of 'Grave Risk' to U.S. Government". The New York Times. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ a b Schneier, Bruce (December 15, 2020). "How the SolarWinds Hackers Bypassed Duo's Multi-Factor Authentication". Schneier on Security. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ Massie, Graeme (December 13, 2020). "Russian government hackers behind breach at US treasury and commerce departments". The Independent. Los Angeles. Archived from the original on December 13, 2020. Retrieved December 14, 2020.
- ^ a b "US treasury hacked by foreign government group – report". The Guardian. Reuters. December 13, 2020. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ "Foreign government hacked into US Treasury Department's emails – reports". Sky News. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ a b c d Newman, Lily Hay (December 14, 2020). "No One Knows How Deep Russia's Hacking Rampage Goes". Wired. Archived from the original on December 17, 2020. Retrieved December 16, 2020.
- ^ a b c d e Goodin, Dan (December 14, 2020). "~18,000 organizations downloaded backdoor planted by Cozy Bear hackers". Ars Technica. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ a b Cimpanu, Catalin (January 12, 2021). "Third malware strain discovered in SolarWinds supply chain attack". ZDNet. Archived from the original on March 18, 2021. Retrieved January 13, 2021.
- ^ Sebastian, Dave (January 12, 2021). "SolarWinds Discloses Earlier Evidence of Hack". WSJ. Archived from the original on June 7, 2021. Retrieved January 13, 2021.
- ^ a b Sharwood, Simon (December 20, 2020). "Trump administration says Russia behind SolarWinds hack. Trump himself begs to differ". The Register. Archived from the original on February 1, 2021. Retrieved December 21, 2020.
- ^ a b Corfield, Gareth (January 12, 2021). "SolarWinds malware was sneaked out of the firm's Orion build environment 6 months before anyone realised it was there – report". The Register. Archived from the original on March 2, 2021. Retrieved January 13, 2021.
- ^ a b c d e f g h i Cimpanu, Catalin (December 15, 2020). "Microsoft to quarantine SolarWinds apps linked to recent hack". ZDNet. Archived from the original on December 17, 2020. Retrieved March 25, 2023.
- ^ Lyons, Kim (December 13, 2020). "Hackers backed by Russian government reportedly breached US government agencies". The Verge. Archived from the original on December 14, 2020. Retrieved December 15, 2020.
- ^ "CISA Issues Emergency Directive to Mitigate the Compromise of Solarwinds Orion Network Management Products" (Press release). CISA. December 13, 2020. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
- ^ Sebbenius, Alyza; Mehrotra, Kartikay; Riley, Michael. "U.S. Government Agencies Hit by Hackers During Software Update". MSN. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ a b Cimpanu, Catalin (December 15, 2020). "Microsoft and industry partners seize key domain used in SolarWinds hack". ZDNet. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ a b c d e f Seals, Tara (December 14, 2020). "DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries – Report". Threat Post. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ a b Timberg, Craig; Nakashima, Ellen (December 16, 2020). "Russians outsmart US government hacker detection system — but Moscow denies involvement". The Independent. Archived from the original on December 18, 2020. Retrieved December 16, 2016.
- ^ a b c d e f g Tidy, Joe (December 16, 2020). "SolarWinds: Why the Sunburst hack is so serious". BBC. Archived from the original on December 16, 2020. Retrieved December 18, 2020.
- ^ a b Gilberti, Nick (December 14, 2020). "SolarWinds Orion and UNC2452 – Summary and Recommendations". TrustedSec. Archived from the original on December 15, 2020. Retrieved December 17, 2020.
- ^ Abrams, Lawrence (December 16, 2020). "FireEye, Microsoft create kill switch for SolarWinds backdoor". BleepingComputer. Archived from the original on December 17, 2020. Retrieved December 18, 2020.
- ^ TTadeusz, Malavika Balachandran; Kipp, Jesse (December 16, 2020). "Trend data on the SolarWinds Orion compromise". The Cloudflare Blog. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ a b Uchill, Joe (December 14, 2020). "After high profile hacks hit federal agencies, CISA demands drastic SolarWinds mitigation". SC Media. Archived from the original on December 15, 2020. Retrieved December 17, 2020.
- ^ a b Hines, Matt (December 17, 2020). "Mitigating Cloud Supply-chain Risk: Office 365 and Azure Exploited in Massive U.S Government Hack". CipherCloud. Archived from the original on August 28, 2021. Retrieved March 24, 2023.
- ^ a b Cohen, Zachary; Marquardt, Alex; Fung, Brian (December 16, 2020). "Massive hack of US government launches search for answers as Russia named top suspect". CNN. Archived from the original on December 5, 2021. Retrieved March 24, 2023.
- ^ Dorfman, Zach (December 15, 2020). "What we know about Russia's sprawling hack into federal agencies". Axios. Archived from the original on December 15, 2020. Retrieved December 16, 2020.
- ^ a b Miller, Maggie (December 16, 2020). "Schiff calls for 'urgent' work to defend nation in the wake of massive cyberattack". The Hill. Archived from the original on January 16, 2023. Retrieved March 24, 2023.
- ^ "Unraveling Network Infrastructure Linked to the SolarWinds Hack". DomainTools. December 14, 2020. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ Timberg, Craig; Nakashima, Ellen. "The U.S. government spent billions on a system for detecting hacks. The Russians outsmarted it". The Washington Post. Archived from the original on December 29, 2022. Retrieved March 24, 2023.
- ^ a b c d Menn, Christopher Bing, Jack Stubbs, Raphael Satter, Joseph (February 3, 2021). "Exclusive: Suspected Chinese hackers used SolarWinds bug to spy on U.S. payroll agency – sources". Reuters. Archived from the original on May 5, 2021. Retrieved February 8, 2021.
{{cite news}}
: CS1 maint: multiple names: authors list (link) - ^ Cash, Damien; Meltzer, Matthew; Koessel, Sean; Adair, Steven; Lancaster, Thomas (December 14, 2020). "Dark Halo Leverages SolarWinds Compromise to Breach Organizations". Volexity. Archived from the original on May 31, 2021. Retrieved December 18, 2020.
- ^ a b c Tarabay, Jamie (December 15, 2020). "Hacking Spree by Suspected Russians Included U.S. Think Tank". Bloomberg L.P. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ a b Vavra, Shannon (December 24, 2020). "Microsoft alerts CrowdStrike of hackers' attempted break-in". CyberScoop. Archived from the original on January 4, 2021. Retrieved December 25, 2020.
- ^ "Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets". CISA. December 1, 2020. Archived from the original on May 20, 2021. Retrieved December 18, 2020.
- ^ Fireeye. "Unauthorized Access of FireEye Red Team Tools". Mandiant Blog. Fireeye (Mandiant). Retrieved September 18, 2023.
- ^ "Hackers backed by foreign government reportedly steal info from US Treasury". The Times of Israel. December 13, 2020. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ Sanger, David E.; Perlroth, Nicole (December 8, 2020). "FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State". The New York Times. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
- ^ "US cybersecurity firm FireEye says it was hacked by foreign government". The Guardian. December 9, 2020. Archived from the original on December 16, 2020. Retrieved December 15, 2020.
- ^ a b Newman, Lily Hay (December 8, 2020). "Russia's FireEye Hack Is a Statement—but Not a Catastrophe". Wired. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ Murdock, Jason (December 15, 2020). "Suspected Russia SolarWinds hack exposed after FireEye cybersecurity firm found "backdoor"". Newsweek. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor". FireEye. December 13, 2020. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
- ^ Paul, Kari (December 15, 2020). "What you need to know about the biggest hack of the US government in years". The Guardian. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ a b Gatlan, Sergiu (January 12, 2021). "New Sunspot malware found while investigating SolarWinds hack". BleepingComputer. Archived from the original on May 29, 2021. Retrieved January 13, 2021.
- ^ Goodin, Dan (July 14, 2021). "iOS zero-day let SolarWinds hackers compromise fully updated iPhones". Ars Technica. Archived from the original on July 15, 2021. Retrieved July 15, 2021.
- ^ Goodin, Dan (December 7, 2020). "NSA says Russian state hackers are using a VMware flaw to ransack networks". Ars Technica. Archived from the original on April 21, 2021. Retrieved December 19, 2020.
- ^ Bing, Christopher (December 14, 2020). "Russian-sponsored hackers behind broad security breach of U.S. agencies: sources". The Japan Times. Archived from the original on December 14, 2020. Retrieved December 14, 2020.
- ^ a b Katz, Justin (December 23, 2020). "50 orgs 'genuinely impacted' by SolarWinds hack, FireEye chief says". Defense Systems. Archived from the original on March 9, 2021. Retrieved December 23, 2020.
- ^ Slowik, Joe (December 14, 2020). "Unraveling Network Infrastructure Linked to the SolarWinds Hack". DomainTools. Archived from the original on December 6, 2022. Retrieved March 24, 2023.
- ^ Goodin, Dan (January 11, 2021). "SolarWinds malware has "curious" ties to Russian-speaking hackers". Ars Technica. Archived from the original on April 6, 2021. Retrieved January 13, 2021.
- ^ Corfield, Gareth (January 12, 2021). "Kaspersky Lab autopsies evidence on SolarWinds hack". The Register. Archived from the original on May 18, 2021. Retrieved January 13, 2021.
- ^ Greenberg, Andy (January 11, 2021). "SolarWinds Hackers Shared Tricks With Known Russian Cyberspies". Wired. Archived from the original on March 5, 2021. Retrieved January 13, 2021.
- ^ Roth, Andrew (January 11, 2021). "Global cyber-espionage campaign linked to Russian spying tools". The Guardian. Archived from the original on April 13, 2021. Retrieved January 13, 2021.
- ^ Castronuovo, Celine (February 2, 2021). "US payroll agency targeted by Chinese hackers: report". TheHill. Archived from the original on February 12, 2021. Retrieved February 10, 2021.
- ^ a b Pengelly, Martin (December 19, 2020). "Trump downplays government hack after Pompeo blames it on Russia". The Guardian. New York. Archived from the original on March 8, 2021. Retrieved December 19, 2020.
- ^ Byrnes, Jesse (December 19, 2020). "Pompeo: Russia 'pretty clearly' behind massive cyberattack". The Hill. Archived from the original on March 2, 2021. Retrieved December 19, 2020.
- ^ a b c "Trump downplays massive US cyberattack, points to China". Deutsche Welle. December 19, 2020. Archived from the original on March 3, 2021. Retrieved December 19, 2020.
- ^ "US cyber-attack: Around 50 firms 'genuinely impacted' by massive breach". BBC News. December 20, 2020. Archived from the original on March 11, 2021. Retrieved December 21, 2020.
- ^ King, Laura; Wilber, Del Quentin (December 20, 2020). "Trump finds himself isolated in refusal to blame Russia for big cyberattack". Los Angeles Times. Archived from the original on February 22, 2021. Retrieved December 21, 2020.
- ^ Janfaza, Rachel (December 21, 2020). "Barr contradicts Trump by saying it 'certainly appears' Russia behind cyberattack". cnn.com. CNN. Archived from the original on January 2, 2021. Retrieved December 26, 2020.
- ^ Wilkie, Christina (December 21, 2020). "Attorney General Barr breaks with Trump, says SolarWinds hack 'certainly appears to be the Russians'". CNBC. NBCUniversal News Group. Archived from the original on April 12, 2021. Retrieved December 22, 2020.
- ^ a b c d Sanger, David E.; Rappeport, Alan (December 22, 2020). "Treasury Department's Senior Leaders Were Targeted by Hacking". New York Times. Archived from the original on March 28, 2021. Retrieved December 23, 2020.
- ^ "US: Hack of Federal Agencies 'Likely Russian in Origin'". SecurityWeek. Associated Press. January 5, 2021. Archived from the original on February 11, 2021. Retrieved January 13, 2021.
- ^ Goodin, Dan (January 6, 2021). "Bucking Trump, NSA and FBI say Russia was "likely" behind SolarWinds hack". Ars Technica. Archived from the original on February 7, 2021. Retrieved January 11, 2021.
- ^ a b "Russians are 'likely' perpetrators of US government hack, official report says". The Guardian. Reuters. January 5, 2021. Archived from the original on April 13, 2021. Retrieved January 13, 2021.
- ^ "Oversight of the Federal Bureau of Investigation". fbi.gov. Federal Bureau of Investigation. Archived from the original on June 10, 2021. Retrieved June 11, 2021.
- ^ a b Fox, Ben; Bajak, Frank (December 15, 2020). "U.S. Agencies and Companies Secure Networks After Huge Hack". Time. Associated Press. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ Cimpanu, Catalin (December 14, 2020). "SEC filings: SolarWinds says 18,000 customers were impacted by recent hack". ZDNet. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
- ^ Richards, Zoë (December 15, 2020). "Report: Massive Russian Hack Effort Breached DHS, State Department And NIH". Talking Points Memo. Archived from the original on December 15, 2020. Retrieved December 17, 2020.
- ^ Jankowicz, Mia; Davis, Charles (December 14, 2020). "These big firms and US agencies all use software from the company breached in a massive hack being blamed on Russia". Business Insider. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ a b "SolarWinds: The Hunt to Figure Out Who Was Breached". bankinfosecurity.com. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ a b c "Hack may have exposed deep US secrets; damage yet unknown". The Independent. Associated Press. December 15, 2020. Archived from the original on December 18, 2020. Retrieved December 16, 2020.
- ^ Fox, Ben; Bajak, Frank (December 14, 2020). "US agencies, companies secure networks after huge hack". AP NEWS. Archived from the original on December 18, 2020. Retrieved December 16, 2020.
- ^ "Deep US institutional secrets may have been exposed in hack blamed on Russia". The Guardian. December 16, 2020. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ a b "Emergency Directive 21-01". cyber.dhs.gov. December 13, 2020. Archived from the original on December 15, 2020. Retrieved December 15, 2020.
- ^ O'Neill, Patrick Howell (December 15, 2020). "How Russian hackers infiltrated the US government for months without being spotted". MIT Technology Review. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ "SolarWinds advanced cyberattack: What happened and what to do now". Malwarebytes Labs. December 14, 2020. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ "Overview of Recent Sunburst Targeted Attacks". Trend Micro. December 15, 2020. Archived from the original on December 15, 2020. Retrieved December 18, 2020.
- ^ Robertson, Jordan; Mehrotra, Kartikay; Turton, William (December 18, 2020). "Hackers' Monthslong Head Start Hamstrings Probe of U.S. Breach". Bloomberg. Archived from the original on April 19, 2021. Retrieved December 18, 2020.
- ^ "Hacked networks will need to be burned 'down to the ground'". The Independent. Associated Press. December 18, 2020. Archived from the original on December 19, 2020.
- ^ Satter, Raphael (December 24, 2020). "Experts who wrestled with SolarWinds hackers say cleanup could take months - or longer". Reuters. Archived from the original on July 15, 2021. Retrieved March 25, 2023.
- ^ a b Suderman, Alan; Tucker, Eric (July 31, 2021). "Justice Department says Russians hacked federal prosecutors". AP NEWS. Archived from the original on July 31, 2021. Retrieved July 31, 2021.
- ^ Rashbaum, William K.; Protess, Ben; Vogel, Kenneth P.; Hong, Nicole (May 27, 2021). "Prosecutors Investigating Whether Ukrainians Meddled in 2020 Election". The New York Times. Archived from the original on June 12, 2021. Retrieved July 31, 2021.
- ^ "Biden taps trusted figures to lead US climate fight; FDA says Moderna vaccine is highly protective; SolarWinds hack fallout spreads". The World from PRX. December 16, 2020. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ a b c d e Wolf, Zachary B. (December 16, 2020). "The suspected Russian hack of the US government, explained". CNN. Archived from the original on August 11, 2022. Retrieved March 24, 2023.
- ^ a b c d e f g Geller, Eric; Rayasam, Renuka; Ward, Myah (December 17, 2020). "The Big Hack: What we know, what we don't". Politico. Archived from the original on January 26, 2021. Retrieved December 19, 2020.
- ^ a b Bing, Christopher (December 13, 2020). "EXCLUSIVE-U.S. Treasury breached by hackers backed by foreign government – sources". Reuters. Archived from the original on December 15, 2020. Retrieved December 18, 2020.
- ^ a b c Nakashima, Ellen; Timberg, Craig (December 14, 2020). "DHS, State and NIH join list of federal agencies — now five — hacked in major Russian cyberespionage campaign". The Washington Post. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ a b c d e Cohen, Zachary; Salama, Vivian; Fung, Brian (December 14, 2020). "US officials scramble to deal with suspected Russian hack of government agencies". CNN. Archived from the original on December 16, 2020. Retrieved December 18, 2020.
- ^ a b c Haynes, Deborah (December 18, 2020). "US nuclear agency a target in 'massive' cyber attack on federal government by suspected Russian hackers". Sky News. Archived from the original on February 18, 2021. Retrieved December 18, 2020.
- ^ a b c d e f g h Abrams, Lawrence (December 19, 2020). "The SolarWinds cyberattack: The hack, the victims, and what we know". BleepingComputer. Archived from the original on May 29, 2021. Retrieved December 19, 2020.
- ^ a b c d Dozier, Kimberly (December 18, 2020). "U.S. Cyber Experts Scramble to Assess the Scope of the 'Hack of a Decade'". Time. Archived from the original on May 15, 2021. Retrieved December 19, 2020.
- ^ a b c d e f Sanger, David E.; Perlroth, Nicole; Barnes, Julian E. (January 2, 2021). "As Understanding of Russian Hacking Grows, So Does Alarm". The New York Times. Archived from the original on June 6, 2021. Retrieved March 24, 2023.
- ^ a b c d e f Stubbs, Jack; Satter, Raphael; Menn, Joseph (December 15, 2020). "U.S. Homeland Security, thousands of businesses scramble after suspected Russian hack". Reuters. Archived from the original on December 15, 2020. Retrieved December 18, 2020.
- ^ a b Newman, Lily Hay (February 27, 2021). "The SolarWinds Body Count Now Includes NASA and the FAA". Wired. Archived from the original on March 10, 2021. Retrieved March 16, 2021.
- ^ Jowitt, Tom (February 21, 2020). "US DoD Department Hacked And Data Compromised | Silicon UK Tech News". Silicon UK. Archived from the original on January 18, 2021. Retrieved June 4, 2021.
- ^ a b Bertrand, Natasha; Wolff, Eric (December 17, 2020). "Nuclear weapons agency breached amid massive cyber onslaught". Politico. Archived from the original on December 17, 2020. Retrieved December 17, 2020.
- ^ a b "Nuclear Weapons Agency Hacked in Widening Cyberattack – Report". threatpost.com. December 17, 2020. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ a b Goodin, Dan (December 17, 2020). "Microsoft is reportedly added to the growing list of victims in SolarWinds hack". Ars Technica. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ "Department of Energy says it was hacked in suspected Russian campaign". NBC News. December 18, 2020. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ Zurier, Steve (December 21, 2020). "Security experts warn of long-term risk tied to Energy Department breach". SC Media. Archived from the original on January 26, 2021. Retrieved December 23, 2020.
- ^ a b Perlroth, Nicole (December 31, 2020). "Microsoft Says Russian Hackers Viewed Some of Its Source Code". The New York Times. Archived from the original on June 7, 2021. Retrieved January 13, 2021.
- ^ Suderman, Alan (March 28, 2021). "AP sources: SolarWinds hack got emails of top DHS officials". Associated Press. Archived from the original on March 17, 2023. Retrieved March 25, 2023.
- ^ Paul, Kari (January 6, 2021). "DoJ confirms email accounts breached by SolarWinds hackers". The Guardian. Archived from the original on April 17, 2021. Retrieved January 13, 2021.
- ^ "Justice Department Says It's Been Affected by Russian Hack". SecurityWeek. Associated Press. January 6, 2021. Archived from the original on January 22, 2021. Retrieved January 11, 2021.
- ^ Claburn, Thomas (January 7, 2021). "JetBrains' build automation software eyed as possible enabler of SolarWinds hack". The Register. Archived from the original on February 2, 2021. Retrieved January 12, 2021.
- ^ Perlroth, Nicole; Sanger, David E.; Barnes, Julian E. (January 6, 2021). "Widely Used Software Company May Be Entry Point for Huge U.S. Hacking". The New York Times. Archived from the original on May 31, 2021. Retrieved January 12, 2021.
- ^ Gatlan, Sergiu (January 6, 2021). "SolarWinds hackers had access to over 3,000 US DOJ email accounts". BleepingComputer. Archived from the original on April 16, 2021. Retrieved January 13, 2021.
- ^ a b Volz, Dustin; McMillan, Robert (January 7, 2021). "Federal Judiciary's Systems Likely Breached in SolarWinds Hack". WSJ. Archived from the original on June 7, 2021. Retrieved January 12, 2021.
- ^ Alder, Madison (January 6, 2021). "SolarWinds Hack Compromises U.S. Courts Electronic Filings (1)". Bloomberg Law. Archived from the original on February 1, 2021. Retrieved January 12, 2021.
- ^ a b Miller, Maggie (January 7, 2021). "Federal judiciary likely compromised as part of SolarWinds hack". TheHill. Archived from the original on May 3, 2021. Retrieved January 12, 2021.
- ^ a b Krebs, Brian (January 7, 2021). "Sealed U.S. Court Records Exposed in SolarWinds Breach". Krebs on Security. Archived from the original on March 13, 2021. Retrieved January 12, 2021.
- ^ a b Starks, Tim (January 7, 2021). "Federal courts are latest apparent victim of SolarWinds hack". CyberScoop. Archived from the original on March 25, 2021. Retrieved January 12, 2021.
- ^ Clark, Mitchell (January 7, 2021). "Federal courts go low-tech for sensitive documents following SolarWinds hack". The Verge. Archived from the original on January 28, 2021. Retrieved January 12, 2021.
- ^ Kovacs, Eduard (January 8, 2021). "Probe Launched Into Impact of SolarWinds Breach on Federal Courts". SecurityWeek. Archived from the original on February 1, 2021. Retrieved January 12, 2021.
- ^ a b Gatlan, Sergiu (January 7, 2021). "US Judiciary adds safeguards after potential breach in SolarWinds hack". BleepingComputer. Archived from the original on April 16, 2021. Retrieved January 13, 2021.
- ^ Corfield, Gareth (January 8, 2021). "US courts system fears SolarWinds snafu could have let state hackers poke about in sealed case documents". The Register. Archived from the original on February 2, 2021. Retrieved January 13, 2021.
- ^ a b Stubbs, Jack; McNeill, Ryan (December 18, 2020). "SolarWinds hackers broke into U.S. cable firm and Arizona county, web records show". Reuters. Archived from the original on December 22, 2020. Retrieved December 18, 2020.
- ^ a b c Stubbs, Jack (December 19, 2020). "Hackers' broad attack sets cyber experts worldwide scrambling to defend networks". Reuters. Archived from the original on February 15, 2021. Retrieved December 19, 2020.
- ^ a b c d e Volz, Kevin Poulsen, Robert McMillan and Dustin (December 21, 2020). "WSJ News Exclusive | SolarWinds Hack Victims: From Tech Companies to a Hospital and University". Wall Street Journal. Archived from the original on June 7, 2021. Retrieved January 12, 2021 – via www.wsj.com.
{{cite news}}
: CS1 maint: multiple names: authors list (link) - ^ King, Ian; Mehrotra, Kartikay (December 18, 2020). "Cisco Latest Victim of Russian Cyber-Attack Using SolarWinds". Bloomberg. Archived from the original on December 21, 2020. Retrieved December 19, 2020.
- ^ Asokan, Akshaya; Schwartz, Mathew J. (December 17, 2020). "SolarWinds Supply Chain Hit: Victims Include Cisco, Intel". Bank Info Security. Archived from the original on January 18, 2021. Retrieved December 19, 2020.
- ^ a b c Brewster, Thomas (December 19, 2020). "SolarWinds Hack: Cisco And Equifax Amongst Corporate Giants Finding Malware... But No Sign Of Russian Spies". Forbes. Archived from the original on February 18, 2021. Retrieved December 19, 2020.
- ^ Schmaltz, Trey (December 18, 2020). "La. retirement system warned it may have been target of Russian hack; Cox also investigating". WBRZ. Archived from the original on February 3, 2021. Retrieved December 18, 2020.
- ^ a b c Cimpanu, Catalin (January 26, 2021). "Four security vendors disclose SolarWinds-related incidents". ZDNet. Archived from the original on March 4, 2021. Retrieved February 1, 2021.
This week, four new cyber-security vendors -- Mimecast, Qualys, Palo Alto Networks, and Fidelis -- have added their names to the list of companies that have installed trojanized versions of the SolarWinds Orion app.
- ^ Dailey, Natasha (January 19, 2021). "Cybersecurity firm Malwarebytes was hacked by 'Dark Halo,' the same group that breached SolarWinds last year". Business Insider. Archived from the original on January 30, 2021. Retrieved March 16, 2021.
- ^ Sebenius, Alyza (January 19, 2021). "Suspected Russian Hackers Targeted Cyber Firm Malwarebytes". Bloomberg. Archived from the original on February 2, 2021. Retrieved March 16, 2021.
- ^ Satter, Raphael (January 19, 2021). "Malwarebytes says some of its emails were breached by SolarWinds hackers". Reuters. Archived from the original on February 19, 2021. Retrieved March 16, 2021.
- ^ Menn, Joseph (December 18, 2020). "Exclusive: Microsoft breached in suspected Russian hack using SolarWinds – sources". Reuters. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ Cimpanu, Catalin (December 17, 2020). "Microsoft confirms it was also breached in recent SolarWinds supply chain hack". ZDNet. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ Bass, Dina (December 18, 2020). "Microsoft Says Its Systems Were Exposed to SolarWinds Hack". Bloomberg L.P. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ Novet, Jordan (December 17, 2020). "Microsoft was reportedly swept up in SolarWinds hack". CNBC. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ Thomson, Iain (December 18, 2020). "US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor". The Register. Archived from the original on April 8, 2022. Retrieved December 18, 2020.
- ^ a b Torres, JC (December 18, 2020). "Microsoft acknowledges it was hacked via SolarWinds exploit". SlashGear. Archived from the original on February 18, 2021. Retrieved December 18, 2020.
- ^ a b Robles, C. J. (December 17, 2020). "Microsoft, SolarWinds Hacking Can Be a National Security Issue?". Tech Times. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ Satter, Raphael; Menn, Joseph (January 1, 2021). "SolarWinds hackers accessed Microsoft source code, the company says". Reuters. Archived from the original on November 20, 2022. Retrieved March 25, 2023.
Modifying source code — which Microsoft said the hackers did not do — could have potentially disastrous consequences given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. But experts said that even just being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.
- ^ Smith, Chris (January 1, 2021). "Here's why it's so dangerous that SolarWinds hackers accessed Microsoft's source code". BGR. Archived from the original on February 26, 2021. Retrieved January 13, 2021.
More than two weeks after the hacks, Microsoft disclosed that the attackers were able to access a critical piece of software, the source code from one or more undisclosed products. Microsoft explained in a blog post that the hackers were not able to modify the source code. But even just a glance at a source code from a company like Microsoft might be enough for hackers to develop new attacks that compromise other Microsoft products. ... Microsoft's blog post is meant to reassure governments and customers, but the fact remains that hackers might be in possession of the kind of secrets they shouldn't have access to. Time will tell if gaining access to Microsoft's source code will allow the same team of attackers to create even more sophisticated hacks.
- ^ Hope, Alicia (January 7, 2021). "Software Giant Admits That SolarWinds Hackers Viewed Microsoft Source Code". CPO Magazine. Archived from the original on January 26, 2021. Retrieved January 13, 2021.
Microsoft disclosed [that] the hacking group behind the SolarWinds attack also viewed Microsoft source code for unnamed products. ... Microsoft, however, downplayed the breach, saying that the security of its products does not depend on the secrecy of its source code. Contrarily, Microsoft source code for most high-profile products remains to be among the most jealously guarded corporate secrets, shared only with a few trusted customers and governments.
- ^ Stanley, Alyse (December 31, 2020). "Microsoft Says SolarWinds Hackers Also Broke Into Company's Source Code". Gizmodo. Archived from the original on January 27, 2021. Retrieved January 13, 2021.
While hackers may not have been able to change Microsoft's source code, even just sneaking a peek at the company's secret sauce could have disastrous consequences. Bad actors could use that kind of insight into the inner workings of Microsoft's services to help them circumvent its security measures in future attacks. The hackers essentially scored blueprints on how to potentially hack Microsoft products.
- ^ Bradley, Susan (January 4, 2021). "SolarWinds, Solorigate, and what it means for Windows updates". Computerworld. Archived from the original on March 22, 2021. Retrieved January 13, 2021.
Microsoft investigated further and found that while the attackers were not able to inject themselves into Microsoft's ADFS/SAML infrastructure, 'one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made.' This is not the first time Microsoft's source code has been attacked or leaked to the web. In 2004, 30,000 files from Windows NT to Windows 2000 leaked onto the web via a third party. Windows XP reportedly leaked online last year.
- ^ Satter, Raphael (December 31, 2020). "Microsoft says SolarWinds hackers were able to view its source code but didn't have the ability to modify it". Business Insider. Archived from the original on January 14, 2021. Retrieved January 13, 2021.
Ronen Slavin, [chief technology officer at source code protection company Cycode], said a key unanswered question was which source code repositories were accessed. ... Slavin said he was also worried by the possibility that the SolarWinds hackers were poring over Microsoft's source code as prelude for something more ambitious. 'To me the biggest question is, "Was this recon for the next big operation?"' he said.
- ^ Spring, Tom (January 12, 2021). "Critical Microsoft Defender Bug Actively Exploited; Patch Tuesday Offers 83 Fixes". Threatpost. Archived from the original on April 1, 2021. Retrieved January 13, 2021.
Last month, Microsoft said state-sponsored hackers had compromised its internal network and leveraged additional Microsoft products to conduct further attacks.
- ^ "Email security firm Mimecast says hackers hijacked its products to spy on customers". Reuters. January 12, 2021. Archived from the original on January 12, 2021. Retrieved January 13, 2021.
Three cybersecurity investigators, who spoke on condition of anonymity to discuss details of an ongoing probe, told Reuters they suspected the hackers who compromised Mimecast were the same group that broke into U.S. software maker SolarWinds and a host of sensitive U.S. government agencies.
- ^ Kovacs, Eduard (January 13, 2021). "Mimecast Discloses Certificate Incident Possibly Related to SolarWinds Hack". SecurityWeek.Com. Archived from the original on March 17, 2021. Retrieved January 13, 2021.
According to Mimecast, it learned from Microsoft that hackers had compromised a certificate used to authenticate Mimecast Continuity Monitor, Internal Email Protect (IEP), and Sync and Recover products with Microsoft 365 Exchange Web Services. ... The company has not shared any details about the attacks abusing the compromised certificate, but some experts have speculated that the certificate may have allowed the hackers to intercept Mimecast customers' communications. ... According to Reuters, people with knowledge of the situation believe this incident may be related to the recently disclosed supply chain attack involving Texas-based IT management solutions provider SolarWinds.
- ^ Seals, Tara (January 12, 2021). "Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack". Threatpost. Archived from the original on March 17, 2021. Retrieved January 13, 2021.
Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast's servers... A compromise means that cyberattackers could take over the connection, though which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to infiltrate customers' Microsoft 365 Exchange Web Services and steal information. 'The attack against Mimecast and their secure connection to Microsoft's Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies,' Saryu Nayyar, CEO at Gurucul, said via email.
- ^ "SolarWinds attackers suspected in Microsoft authentication compromise". SC Media. January 12, 2021. Archived from the original on February 27, 2021. Retrieved January 13, 2021.
- ^ Spadafora, Anthony (January 12, 2021). "Mimecast may also have been a victim of the SolarWinds hack campaign". TechRadar. Archived from the original on January 13, 2021. Retrieved January 13, 2021.
The reason that Mimecast may have been attacked by the same threat actor behind the SolarWinds hack is due to the fact that these hackers often add authentication tokens and credentials to Microsoft Active Directory domain accounts in order to maintain persistence on a network and to achieve privilege escalation.
- ^ McMillan, Robert (January 13, 2021). "SolarWinds Hackers' Attack on Email Security Company Raises New Red Flags". WSJ. Archived from the original on June 7, 2021. Retrieved January 13, 2021.
The Mimecast hackers used tools and techniques that link them to the hackers who broke into Austin, Texas-based SolarWinds Corp., according to people familiar with the investigation. The link to the SolarWinds hackers was reported earlier by Reuters.
- ^ "fireeye/red_team_tool_countermeasures". GitHub. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ Abrams, Lawrence (December 15, 2020). "Microsoft to quarantine compromised SolarWinds binaries tomorrow". BleepingComputer. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
- ^ Lyngaas, Sean (December 23, 2020). "Grid regulator warns utilities of risk of SolarWinds backdoor, asks how exposed they are". CyberScoop. Archived from the original on February 16, 2021. Retrieved December 24, 2020.
- ^ Brandom, Russell (December 15, 2020). "SolarWinds hides list of high-profile customers after devastating hack". The Verge. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ Varghese, Sam (December 15, 2020). "iTWire - Backdoored Orion binary still available on SolarWinds website". iTWire. Archived from the original on December 14, 2020. Retrieved December 25, 2020.
- ^ Kovacs, Eduard (January 6, 2021). "Class Action Lawsuit Filed Against SolarWinds Over Hack". SecurityWeek.Com. Archived from the original on February 1, 2021. Retrieved January 13, 2021.
- ^ McCarthy, Kieren (January 5, 2021). "Ah, right on time: Hacker-slammed SolarWinds sued by angry shareholders". The Register. Archived from the original on March 17, 2021. Retrieved January 13, 2021.
- ^ Kovacs, Eduard (January 8, 2021). "SolarWinds Taps Firm Started by Ex-CISA Chief Chris Krebs, Former Facebook CSO Alex Stamos". SecurityWeek.Com. Archived from the original on February 19, 2021. Retrieved January 13, 2021.
- ^ Vaughan-Nichols, Steven J. (January 14, 2021). "SolarWinds defense: How to stop similar attacks". ZDNet. Archived from the original on March 10, 2021. Retrieved January 15, 2021.
- ^ "Potentially major hack of government agencies disclosed". CBS News. December 14, 2020. Archived from the original on December 15, 2020. Retrieved December 16, 2020.
- ^ Tucker, Eric; Krisher, Tom; Bajak, Frank (December 14, 2020). "US government agencies, including Treasury, hacked; Russia possible culprit". WTVD. Associated Press. Archived from the original on December 14, 2020. Retrieved December 15, 2020.
- ^ Geller, Eric (December 14, 2020). "'Massively disruptive' cyber crisis engulfs multiple agencies". Politico. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ Kaplan, Fred (December 15, 2020). "Trump Has Been Whining About Fake Fraud—and Ignoring a Real Cybersecurity Crisis". Slate. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ O'Connor, Tom; Jamali, Naveed (December 14, 2020). "US vows 'swift action' if defense networks hit by alleged Russia hack". Newsweek. Archived from the original on December 16, 2020. Retrieved December 16, 2020.
- ^ Kovacs, Eduard (December 17, 2020). "FBI, CISA, ODNI Describe Response to SolarWinds Attack". SecurityWeek.com. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
- ^ Satter, Raphael (December 24, 2020). "U.S. cyber agency says SolarWinds hackers are 'impacting' state, local governments". Reuters. Archived from the original on January 1, 2021. Retrieved December 25, 2020 – via uk.reuters.com.
- ^ Silverman, Craig (July 8, 2024). "The President Ordered a Board to Probe a Massive Russian Cyberattack. It Never Did". ProPublica. Retrieved July 9, 2024.
- ^ Daugherty, Alex (December 18, 2020). "Intel chairman Rubio says 'America must retaliate' after massive cyber hack". Miami Herald. Archived from the original on December 27, 2020. Retrieved December 19, 2020.
- ^ Dwyer, Colin (December 19, 2020). "Pompeo Says Russia 'Pretty Clearly' Behind Cyberattack, Prompting Pushback From Trump". NPR. Archived from the original on June 3, 2021. Retrieved December 20, 2020.
- ^ Vavra, Shannon (December 23, 2020). "Lawmakers want more transparency on SolarWinds breach from State, VA". CyberScoop. Archived from the original on January 26, 2021. Retrieved December 24, 2020.
- ^ Cameron, Dell (December 24, 2020). "Veterans Affairs Officials Inexplicably Blow Off Briefing on SolarWinds Hack". Gizmodo. Archived from the original on January 21, 2021. Retrieved December 25, 2020.
- ^ Paul, Kari (December 17, 2020). "Hacking campaign targeted US energy, treasury and commerce agencies". The Guardian. Archived from the original on December 17, 2020. Retrieved December 18, 2020.
- ^ a b c Sink, Justin (December 19, 2020). "Trump Downplays Huge Hack Tied to Russia, Suggests China". Bloomberg. Archived from the original on January 5, 2021. Retrieved March 25, 2023.
- ^ Canales, Katie (December 19, 2020). "Former US cybersecurity chief Chris Krebs warned not to 'conflate' voting system security with SolarWinds hack despite Trump's claim". Business Insider. Archived from the original on December 20, 2020. Retrieved December 20, 2020.
- ^ Bing, Christopher; Landay, Jonathan (December 19, 2020). "Trump downplays impact of massive hacking, questions Russia involvement". Reuters. Archived from the original on January 4, 2021. Retrieved December 19, 2020.
- ^ Murdock, Jason (December 17, 2020). "Russia Could Fake Government Emails After SolarWinds Hack: Ex-Trump Adviser". Newsweek. Archived from the original on August 8, 2022. Retrieved March 25, 2023.
- ^ Satter, Raphael (December 20, 2020). "Biden chief of staff says hack response will go beyond 'just sanctions'". Reuters. Archived from the original on April 7, 2021. Retrieved December 20, 2020.
- ^ Fabian, Jordan; Epstein, Jennifer (December 22, 2020). "Biden Says Hack of U.S. Shows Trump Failed at Cybersecurity". Bloomberg. Archived from the original on April 7, 2022. Retrieved December 23, 2020.
- ^ Lewis, Simon (December 23, 2020). "Trump must blame Russia for cyber attack on U.S., Biden says". Reuters. Archived from the original on January 21, 2021. Retrieved December 23, 2020.
- ^ Sanger, David E. (January 13, 2021). "Biden to Restore Homeland Security and Cybersecurity Aides to Senior White House Posts". The New York Times. Archived from the original on March 29, 2021. Retrieved January 13, 2021.
President-elect Joseph R. Biden Jr., facing the rise of domestic terrorism and a crippling cyberattack from Russia, is elevating two White House posts that all but disappeared in the Trump administration: a homeland security adviser to manage matters as varied as extremism, pandemics and natural disasters, and the first deputy national security adviser for cyber and emerging technology. ... Mr. Trump dismantled the National Security Council's pandemic preparedness office, and while he had an active cyberteam at the beginning of his term, it languished. 'It's disturbing to be in a transition moment when there really aren't counterparts for that transition to be handed off,' Ms. Sherwood-Randall said. ... The SolarWinds hacking, named after the maker of network management software that Russian intelligence agents are suspected of having breached to gain access to the email systems of government agencies and private companies, was a huge intelligence failure.
- ^ "Microsoft hack: White House warns of 'active threat' of email attack". BBC News. March 6, 2021. Archived from the original on March 7, 2021. Retrieved March 6, 2021.
- ^ Sanger, David E.; Barnes, Julian E.; Perlroth, Nicole (March 7, 2021). "Preparing for Retaliation Against Russia, U.S. Confronts Hacking by China". The New York Times. Archived from the original on March 11, 2021. Retrieved March 15, 2021.
- ^ Tucker, Eric; Madhani, Aamer (April 15, 2021). "US retaliates against Russian hacking by expelling diplomats, imposing new sanctions". FOX 10 Phoenix. Associated Press. Archived from the original on December 18, 2022. Retrieved April 15, 2021.
- ^ Jain, Akshita; Spocchia, Gino (April 15, 2021). "Biden expels Russian diplomats and announces new sanctions in retaliation for hacking". The Independent. Archived from the original on April 15, 2021. Retrieved April 15, 2021.
- ^ "US expels Russian diplomats, issues sanctions". DW. April 15, 2021. Archived from the original on January 7, 2023. Retrieved March 25, 2023.
- ^ Corera, Gordon (December 18, 2020). "SolarWinds: UK assessing impact of hacking campaign". BBC News. Archived from the original on March 11, 2021. Retrieved December 18, 2020.
- ^ "UK organisations using SolarWinds Orion platform should check whether personal data has been affected". ico.org.uk. December 23, 2020. Archived from the original on January 27, 2021. Retrieved December 23, 2020.
- ^ Paas-Lang, Christian (December 19, 2020). "CSE warns companies to check IT systems following SolarWinds hack". CBC. Archived from the original on March 30, 2021. Retrieved December 25, 2020.
- ^ "Canadian Centre for Cyber Security". Canadian Centre for Cyber Security. August 15, 2018. Archived from the original on May 24, 2021. Retrieved December 25, 2020.
- ^ Wolfe, Jan; Pierson, Brendan (December 19, 2020). "Explainer-U.S. government hack: espionage or act of war?". Reuters. Archived from the original on March 25, 2023. Retrieved December 19, 2020.
- ^ a b Dilanian, Ken (December 18, 2020). "Suspected Russian hack: Was it an epic cyber attack or spy operation?". NBC News. Archived from the original on March 11, 2021. Retrieved December 19, 2020.
- ^ a b Erica Borghard; Jacquelyn Schneider (December 17, 2020). "Russia's Hack Wasn't Cyberwar. That Complicates US Strategy". Wired. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
- ^ a b Goldsmith, Jack (December 18, 2020). "Self-Delusion on the Russia Hack". thedispatch.com. Archived from the original on May 16, 2021. Retrieved December 18, 2020.
- ^ Schmitt, Michael (December 21, 2020). "Russia's SolarWinds Operation and International Law". Just Security. Archived from the original on May 29, 2021. Retrieved December 23, 2020.
- ^ Goodin, Dan (December 18, 2020). "Microsoft president calls SolarWinds hack an 'act of recklessness'". Ars Technica. Archived from the original on May 7, 2021. Retrieved December 18, 2020.
- ^ "US cyber-attack: US energy department confirms it was hit by Sunburst hack". BBC News. December 18, 2020. Archived from the original on June 6, 2021. Retrieved December 18, 2020.
- ^ Schneier, Bruce (December 23, 2020). "The US has suffered a massive cyberbreach. It's hard to overstate how bad it is". The Guardian. Archived from the original on May 7, 2021. Retrieved December 23, 2020.
- ^ Kolbe, Paul R. (December 24, 2020). "With Hacking, the United States Needs to Stop Playing the Victim". The New York Times. ProQuest 2473435248. Archived from the original on May 19, 2021. Retrieved December 24, 2020.
External links
[edit]- SolarWinds Security Advisory
- FireEye Research Report
- GuidePoint Security Analysis
- Russian SVR Targets U.S. and Allied Networks (pdf file)
- A 'Worst Nightmare' Cyberattack: The Untold Story Of The SolarWinds Hack by Dina Temple-Raston, Friday, April 16, 2021 (NPR text only version)