Monday, December 21, 2020

What's The SolarWind Prognosis?

Probably not great.

I'm still mulling over Jen Dyer's latest on the Trump "Operational Timeline" and some related matters. However, commenter DFinley has written at some length on the SolarWinds situation, and since Dyer devotes a fair amount of space to that issue, I thought it would be useful to republish that comment. I think you'll quickly see that what he has to say is directly relevant. DFinley:

I've seen several cases where people who should know better are saying that, once this infection is cured we're good, our systems are clean again. But CISA's directive to isolate or power down, and in many cases completely reinstall all software, suggests they don't think so. Neither do I.

Any entity going to as much trouble as the attacker did to blend in, hide, and operate in the background would almost certainly have several other hooks into the system. If they didn't install a couple of rootkits, they've been negligent, and properly done rootkits can be almost impossible to find and root out.

All they need is a little of the unmapped space on a hard drive, or the storage on a video card or some other place, and a tweak to the Master Boot Record; all very hard to detect.

They almost certainly infected more of SolarWinds' portfolio than has been reported so far. Again, anyone going to this much trouble, showing this much patience and expertise, would not settle for infecting a single file.

WRT breaking in and taking nothing, it's too soon to make that claim. But even if nothing was taken, that doesn't mean a lot. The intrusion was slow and painstaking to avoid catching the attention of SolarWinds' security team (assuming they have one, as they certainly should). The intruder may be only part way to its ultimate goal, which we cannot know at this time. And that ultimate goal could easily be a “cyber Pearl Harbor.”

SolarWinds has many thousands of customers, including critical government agencies and critical infrastructure. If you wanted to take it all down at once, SolarWinds is the way to do it in a massive instantaneous attack with no apparent outside initiation. The attacker has displayed so much patience thus far that we shouldn't discount an ultimate goal far beyond what we've seen, and exercising patience would mean foregoing any short-term gain in order to avoid jeopardizing the ultimate goal.

And there's still another factor I haven't seen adequately addressed yet. The left has demonstrated that they're perfectly willing to do anything to achieve total control. With NSA and US Cyber Command in one organization under one leader, lefty control of someone at the right level (not necessarily at the top) within Cyber Command (especially) gives them access to NSA's hacking tools (and everyone breathing has access to the CIA hacking tools released by Wikileaks a few years ago) and the ability to do the SolarWinds thing unnoticed by NSA or anyone else. I wouldn't put it past them.

In the cyber world, attribution is a bitch. If you're following the flow of outbound data, or backtracking to find the command and control servers, whatever you find isn't the end of it. There's so much smoke and mirrors, and there are so many ways of faking and disguising, that you can rarely know you've found the culprit that way. Another method is to reverse compile the hack, examine the results, and try to tie it back to some known entity. Compiled code (the binaries, or executables) contains artifacts the compiling system throws in, and those artifacts may offer a clue. Stuxnet, for example, contained a couple of names from the Old Testament, leading many to believe that Israel was involved. Or the code may look like something previously seen from a known entity.

But an attacker as patient and expert as this one knows how attribution works, so you can bet the farm that any artifacts found in the compiled code will point away from the real attacker. If it looks Russian, it's probably from China, Iran, or North Korea. CIA even had a tool to help with this.

I'd bet there's an insider at SolarWinds and maybe one or more in our government.
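DFinley's point that compiled binaries carry artifacts of the build environment, and that a careful attacker controls what those artifacts say, can be seen in the headers of a Windows PE executable. The example below is added here and is not code from the post or from SolarWinds; it assumes the standard PE/COFF header layout and parses a minimal header constructed inline rather than a real binary.

```python
import struct
import datetime

# Offsets and field layouts follow the documented PE/COFF format (an assumption of
# this example, not something stated in the post).
E_LFANEW = 0x3C  # DOS header field holding the offset of the "PE\0\0" signature


def parse_pe_build_artifacts(data: bytes) -> dict:
    """Extract build-environment artifacts from a PE image's COFF/optional headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, E_LFANEW)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp (seconds since epoch)
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, coff)
    opt = coff + 20  # COFF header is 20 bytes; optional header follows
    # Optional header: Magic, MajorLinkerVersion, MinorLinkerVersion
    magic, major_linker, minor_linker = struct.unpack_from("<HBB", data, opt)
    built = datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc)
    return {
        "machine": hex(machine),
        "sections": nsections,
        "timestamp": timestamp,
        "build_time_utc": built.isoformat(),
        "linker_version": f"{major_linker}.{minor_linker}",
        "pe32_plus": magic == 0x20B,
    }


def timestamp_plausible(timestamp: int, not_before: int, not_after: int) -> bool:
    """Flag a build stamp outside the window the rest of the evidence supports.
    The stamp is written by whoever builds the binary, so an implausible value is
    a sign of tampering, and a plausible one is a clue rather than proof."""
    return not_before <= timestamp <= not_after


def build_sample_pe(timestamp: int, linker=(14, 28)) -> bytes:
    """Constructed minimal PE header used only to exercise the parser (not a real binary)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 64)  # PE signature right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 3, timestamp, 0, 0, 240, 0x22)
    opt = struct.pack("<HBB", 0x20B, *linker) + bytes(236)  # pad to 240-byte PE32+ header
    return bytes(dos) + b"PE\0\0" + coff + opt
```

Running `parse_pe_build_artifacts(build_sample_pe(1577836800))` reports a build time of 2020-01-01 and linker 14.28, and the same call with a stamp of 0 reports 1970, which is exactly the kind of value an analyst would treat as attacker-chosen rather than as evidence.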



  1. And who is the guy who is taking “credit” for its having happened on his watch? Krebs. The same guy who was all over the State media “verifying” that the Georgia election was the most secure ever.

    1. @Bebe; check this out...

  2. So in other words we've been compromised, will continue to be compromised, and look forward to further cyber bombs in the near future. Sounds rather menacing.

    I work in I/T in a large Fortune 500 company and I believe we use SolarWinds products as well. Orion may be a part of the products we use I'm just not sure. However, I can say w/in the company I/T community nary a word is being shared about any exposure, risk, or loss of data.

    So the question remains "What are we gonna do now?"... "Do?.. We're going to war... That's what we're gonna do." - (Scarface)

  3. How could this happen to us?! Being under-prepared, complacent, arrogant, and stupid is how.

    China and Russia are not our friends and the sooner we start paying attention to that the better. Not hot enemies (yet), but every time something like this happens the closer to hot it becomes. I'm sure tired of being played for a patsy. Wake up and smell the coffee, USG!!

  4. I like scorched earth plans. Just for the sake of being safe, let's go ahead and close down most of the agencies mentioned.

    I would also be more apt to blame the CIA or NSA before Russia. I've also said we may never know "who", the math on that favors not knowing beyond a "reasonable doubt".

    Still not buying much of the hype though, I'd gamble on a lot of this being over sold. At the same time I do agree with the difficulty those infected are going to have.

  5. You can infect bootstraps. Yep, the firmware starting up your devices can be hacked and has been ... a lot.

    The bootstrap or boot loader, is firmware (software programmed into the computer’s chips) that starts up the computer and loads the operating system.

    A way into a downed computer is to bypass part of the loader. You use the bootstrap/loader to signify where the OS is to come from ... internal or external. That inherently means the bootstrap is not fully corrupted. Thing is, even if it is, you can still access the computer, it just takes even more “magic.”

    Why is this relevant?

    Anything software/computer is vulnerable. Anything connected to the internet or even linked together is vulnerable. Computers like the iPhone I am typing this on are vulnerable. It is what it is. Cliche, I know, but it's the truth.

    This is not to say we should have a Dune-like Butlerian Jihad, but Frank Herbert was prescient on many issues that we are experiencing currently.

    There is a reason why the US Navy teaches navigation by the stars and by the sextant.