
Monday, December 21, 2020

What's The SolarWinds Prognosis?

Probably not great.

I'm still mulling over Jen Dyer's latest on the Trump "Operational Timeline" and some related matters. However, commenter DFinley has written at some length on the SolarWinds situation, and since Dyer devotes a fair amount of space to that issue, I thought it would be useful to republish that comment. I think you'll quickly see that what he has to say is directly relevant. DFinley:
I've seen several cases where people who should know better are saying that, once this infection is cured we're good, our systems are clean again. But CISA's directive to isolate or power down, and in many cases completely reinstall all software, suggests they don't think so. Neither do I.

Any entity going to as much trouble as the attacker did to blend in, hide, and operate in the background would almost certainly have several other hooks into the system. If they didn't install a couple of rootkits, they've been negligent, and properly done rootkits can be almost impossible to find and root out.

All they need is a little of the unmapped space on a hard drive, or the storage on a video card or some other place, and a tweak to the Master Boot Record; all very hard to detect.

They almost certainly infected more of SolarWinds' portfolio than has been reported so far. Again, anyone going to this much trouble, showing this much patience and expertise, would not settle for infecting a single file.

WRT breaking in and taking nothing, it's too soon to make that claim. But even if nothing was taken, that doesn't mean a lot. The intrusion was slow and painstaking to avoid catching the attention of SolarWinds' security team (assuming they have one, as they certainly should). The intruder may be only part way to its ultimate goal, which we cannot know at this time. And that ultimate goal could easily be a “cyber Pearl Harbor.”

SolarWinds has many thousands of customers, including critical government agencies and critical infrastructure. If you wanted to take it all down at once, SolarWinds is the way to do it in a massive instantaneous attack with no apparent outside initiation. The attacker has displayed so much patience thus far that we shouldn't discount an ultimate goal far beyond what we've seen, and exercising patience would mean foregoing any short-term gain in order to avoid jeopardizing the ultimate goal.

And there's still another factor I haven't seen adequately addressed yet. The left has demonstrated that they're perfectly willing to do anything to achieve total control. With NSA and US Cyber Command in one organization under one leader, lefty control of someone at the right level (not necessarily at the top) within Cyber Command (especially) gives them access to NSA's hacking tools (and everyone breathing has access to the CIA hacking tools released by Wikileaks a few years ago) and the ability to do the SolarWinds thing unnoticed by NSA or anyone else. I wouldn't put it past them.

In the cyber world, attribution is a bitch. If you're following the flow of outbound data, or backtracking to find the command and control servers, whatever you find isn't the end of it. There's so much smoke and mirrors, and there are so many ways of faking and disguising, that you can rarely know you've found the culprit that way. Another method is to reverse compile the hack, examine the results, and try to tie it back to some known entity. Compiled code (the binaries, or executables) contains artifacts the compiling system throws in, and those artifacts may offer a clue. Stuxnet, for example, contained a couple of names from the Old Testament, leading many to believe that Israel was involved. Or the code may look like something previously seen from a known entity.

But an attacker as patient and expert as this one knows how attribution works, so you can bet the farm that any artifacts found in the compiled code will point away from the real attacker. If it looks Russian, it's probably from China, Iran, or North Korea. CIA even had a tool to help with this.

I'd bet there's an insider at SolarWinds and maybe one or more in our government.

Friday, December 18, 2020

UPDATED: A Cyber Pearl Harbor?

The last time I posted extensive videos and print material from a purported expert, it was Michael Osterholm. 'Nuff said.

Nevertheless, there's stuff going on with this cyber attack of incredible proportions--if we're to believe half of what we're hearing. I certainly haven't the background to assess what's being said, nor to know to which expert to turn. Presumably the people backing up Lou Dobbs have a handle on who Lou should be having on his show, so I present this interview of Morgan Wright:



I offer no opinion here because I really have no basis for doing so. Information at my usual sources has been scanty at best. Does this play into the election politics--Ratcliffe's delayed report, the shutdown of DoD transition talks? I don't know, and I'm loath to speculate. And yet we should be paying attention.

Insights, assessments, are welcome.

ADDENDUM: I just saw that TGP has a very partial transcript of what Wright had to say, so as a tease to the video above ...


Lou Dobbs said he doesn’t remember the cyber community ever saying an attack was of “grave, grave danger” and that the Department of Homeland Security has no capacity to stop it.

Here are portions of what Wright said in response:

Any time you call a meeting on Saturday in the National Security Council it's serious. This is almost like a prelude to war! ... Not only were the government agencies hit, we got Lockheed Martin, we've got Firerite... this very well could have started after the 2018 election.... this is Russia's way of getting back in the game... they attacked... SolarWinds... the updates were secure but they contained a malicious payload... it could be hundreds, it could be thousands of companies.

The companies in the military-industrial complex were attacked. This looks like what Russia did to Ukraine in 2016.

UPDATE: At the FireEye site there's a fairly lengthy report. I'm pasting in just the executive summary. Note that while this report characterizes the "actor" as "highly skilled", it makes no attempt to identify the actor, nor even to speculate as to whether this is a state-sponsored actor or someone else. Notably, while the compromise is characterized as "global" in its effects, I couldn't find any suggestion as to how access was gained, i.e., whether access was gained by an outside actor or whether the actor could have had some form of internal access:


Executive Summary

  • We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
  • FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
  • The attacker’s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
  • The campaign is widespread, affecting public and private organizations around the world.
  • FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.

Summary

FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds' Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.