Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

Article Contributor(s)

Vaishnavi Krishna Mohan

Publisher

Global Views 360

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a prominent customer list that includes multiple U.S. government agencies. The company develops software that businesses and agencies use to manage and monitor their networks, systems and IT infrastructure. It counts among its customers more than 425 of the Fortune 500 companies, the top 5 U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several universities and educational institutions, the NSA and the White House.

Hackers managed to slip malicious code into the software updates for a SolarWinds network-monitoring product called Orion. The tampered Orion updates were released between March and June 2020. On January 5, 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued a joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government bodies such as the Pentagon, the National Institutes of Health, the FBI, DHS, the Department of Energy and the Department of Veterans Affairs were significant users of Orion. In August 2020 the Department of Veterans Affairs, which has been heavily involved in COVID-19 relief, renewed its Orion license in a $2.8 million order.

The Orion compromise began as early as March 2020. More than 18,000 customers installed the trojanized updates, leaving them exposed to espionage for much of 2020; the attackers then selected a much smaller subset of those organizations for hands-on follow-up. The malware planted in the updates gave the intruders remote access to an organization's network, and because it went undetected for months they had ample time to collect information, including emails and other internal communications. FireEye, the cybersecurity company that first discovered the breach, described the malware's capabilities: it lies dormant for up to two weeks after installation and then hides in plain sight by disguising its command-and-control traffic as legitimate Orion activity. The method of entry is known as a supply-chain attack. In 2017, Russian military hackers used the same technique, trojanizing the update mechanism of the M.E.Doc accounting software, to infect companies doing business in Ukraine with hard-drive-wiping malware called NotPetya, which is considered one of the most damaging cyber-attacks to date.

The trojanized Orion plug-in, a digitally signed SolarWinds library (SolarWinds.Orion.Core.BusinessLayer.dll), contained a backdoor that communicated over HTTP with attacker-controlled servers. Because the tampered file carried a valid SolarWinds signature, ordinary code-signing checks did not flag it. FireEye tracks this trojanized component as SUNBURST.

FireEye described the SUNBURST backdoor in a blog post published on December 13, 2020. It stated,

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
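The behaviour FireEye describes has an observable footprint on the network: the backdoor beacons to its command-and-control infrastructure using hostnames whose first label encodes a victim identifier, so a host that repeatedly resolves long, high-entropy subdomains under a single apex domain, at regular intervals, is one thing a defender can hunt for in DNS logs. The following is an added example written for this page, not code from the article, FireEye or SolarWinds, and it deliberately reproduces no real SUNBURST indicator: the log lines are constructed, the apex domain updates-cdn.example is a placeholder, and the length, entropy and count thresholds are assumptions to be tuned per environment.

```python
"""Heuristic detector for DGA-style DNS beaconing over Zeek-like dns.log lines.

Added example for this page; not code from the article, FireEye or SolarWinds.
The log lines are constructed, and "updates-cdn.example" is a placeholder apex
domain, not a real indicator. Thresholds are assumptions, not published values.
"""
import math
import statistics
from collections import defaultdict

# Constructed sample log: epoch timestamp, source host, queried name (one query per line).
SAMPLE_LOG = """\
1607840001.1 10.0.0.21 www.solarwinds.com
1607840062.5 10.0.0.21 k3x9p2q7w8z4m1n6b5v0.appsync-api.eu-west-1.updates-cdn.example
1607840125.0 10.0.0.21 h2j8r5t1y7u3i9o4p6a0.appsync-api.us-east-2.updates-cdn.example
1607840190.3 10.0.0.21 c4f8d2g6e1s9a3l7q5w0.appsync-api.us-west-2.updates-cdn.example
1607840255.7 10.0.0.21 n7b3m9v1x5z2k8j4h6l0.appsync-api.us-east-1.updates-cdn.example
1607840301.2 10.0.0.22 mail.google.com
1607840310.9 10.0.0.22 q9w8e7r6t5y4u3i2o1p0.updates-cdn.example
1607840400.0 10.0.0.23 statistics.updates-cdn.example
malformed line that is ignored
"""

MIN_LABEL_LEN = 16   # assumed: an encoded victim id makes the first label unusually long
MIN_ENTROPY = 3.5    # assumed: bits per character; dictionary words sit well below this
MIN_QUERIES = 3      # assumed: distinct suspicious names one host must query under one apex


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Return (timestamp, host, qname) or None for a line that is not three fields."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        return float(parts[0]), parts[1], parts[2].rstrip(".").lower()
    except ValueError:
        return None


def apex_domain(qname: str, labels: int = 2) -> str:
    """Registrable-domain approximation: the last `labels` DNS labels."""
    return ".".join(qname.split(".")[-labels:])


def is_suspicious_label(label: str) -> bool:
    """Long and high-entropy first label: the shape of an encoded beacon hostname."""
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def find_beaconing_hosts(log_text: str, min_queries: int = MIN_QUERIES):
    """Group suspicious queries by (host, apex) and report groups at or above min_queries.

    Each finding carries the count of distinct suspicious labels and the mean gap in
    seconds between successive suspicious queries; regular gaps suggest a timer-driven beacon.
    """
    groups = defaultdict(list)  # (host, apex) -> [(timestamp, first_label)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, qname = rec
        first = qname.split(".")[0]
        if is_suspicious_label(first):
            groups[(host, apex_domain(qname))].append((ts, first))

    findings = []
    for (host, apex), hits in sorted(groups.items()):
        labels = {lbl for _, lbl in hits}
        if len(labels) < min_queries:
            continue
        times = sorted(ts for ts, _ in hits)
        gaps = [b - a for a, b in zip(times, times[1:])]
        findings.append({
            "host": host,
            "apex": apex,
            "distinct_labels": len(labels),
            "mean_gap_s": statistics.mean(gaps) if gaps else 0.0,
        })
    return findings


if __name__ == "__main__":
    for finding in find_beaconing_hosts(SAMPLE_LOG):
        print(finding)
```

Run as a script it reports only 10.0.0.21, which resolved four distinct high-entropy names under the placeholder apex roughly every 64 seconds; 10.0.0.22 queried one such name and stays under the count threshold. In practice feed it dns.log exported from Zeek or a resolver and treat a hit as a lead for host-side triage rather than a verdict, since CDNs, telemetry agents and security products also generate long random-looking labels.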

FireEye described the SUNBURST backdoor as "highly evasive". Meanwhile, SolarWinds faces a class action lawsuit filed by a shareholder in the U.S. District Court for the Western District of Texas on January 4, 2021. The suit names SolarWinds, its then-CEO Kevin Thompson and its chief financial officer J. Barton Kalsu, and alleges violations of federal securities laws under the Securities Exchange Act of 1934. The complaint states that the company failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also notes that a SolarWinds update server had used the weak, easily guessable password 'solarwinds123'; whether that password played any part in the Orion compromise has not been established.

Microsoft's internal security team found evidence that the same actors had accessed some of the company's internal source code. Microsoft said the attackers' activity went beyond the mere presence of the malicious SolarWinds code in its environment: one internal account had been used to view source code in a number of repositories. Microsoft describes its engineering culture as "inner source", an open-source-like model in which teams across the company can read source code. It says its threat model already assumes that attackers know the source code, so, in the company's view, viewing it does not by itself raise the level of risk.

Russian state hackers also breached the network of the City of Austin, Texas, an intrusion that reportedly dates back to at least mid-October 2020. This is distinct from the SolarWinds operation, which targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye and SolarWinds itself. The Austin breach is a notable win for the intruders: in principle it could give them access to sensitive information about city governance, elections and the police, and by digging deeper they could reach the city's energy, water and airport networks.

Berserk Bear, the hacking group currently believed to be behind the Austin breach, appears to have used the city's network as a staging ground for larger attacks. Berserk Bear, also tracked under names including BROMINE, Energetic Bear and Dragonfly, is believed to be responsible for a series of breaches of significant U.S. infrastructure over the past year.

The attacks on SolarWinds, the U.S. government and FireEye have instead been linked to another Russian group, APT29, popularly known as Cozy Bear. Berserk Bear is alleged to be a unit of Russia's Federal Security Service (FSB), while Cozy Bear is associated with the Foreign Intelligence Service (SVR). Both the FSB and the SVR are successors to the Soviet-era Committee for State Security, widely known as the KGB.

Austin's city administration appears to have been aware of the breach since October 2020. The FBI and CISA published an initial advisory on October 9, 2020 warning that advanced persistent threat (APT) actors were targeting state and local governments. A follow-up advisory on October 22 attributed that activity to Berserk Bear, and CISA published a heat map of the types of organizations the group had breached, scanned or targeted. Berserk Bear's habit of lurking quietly fits its usual pattern of espionage-oriented operations. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been inside a network for several months before anyone discovers them, and that APT groups favour this approach because the longer they go unnoticed, the longer they keep remote access. In a 2019 report, F-Secure compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the City of Austin and the U.S. that Berserk Bear is capable of more than espionage. The group could move to sabotage at any moment: access of this kind could be used to cause city blackouts, disrupt the water supply or even interfere with COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, said, "We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it."

Kevin Thompson, the former CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds has replaced CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike Thompson, an accountant by training, Ramakrishna comes from a security background, having most recently led Pulse Secure. The new CEO has publicly stated that the company will make five critical changes to put security front and center. The company has also hired former CISA director Chris Krebs and Facebook's former security chief Alex Stamos as independent consultants to help coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, Ramakrishna said the company has engaged several cybersecurity experts to help SolarWinds become more secure. We can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.


Read More

February 28, 2021 11:13 AM

Parler Shutdown, Big Tech, and Liberal Politics

The controversial social media site Parler has faced problems with the spread of misinformation and the influence of several far-right groups. The platform became the most-downloaded free app in the Apple App Store on the weekend of November 8, the day major media outlets called the election for Joe Biden. It was deplatformed by the Silicon Valley giants Apple, Google and Amazon after the storming of the Capitol. This article explains what Parler is, how it influences people and what the controversy is about.

What is Parler?

Parler is a social media website founded by Rebekah Mercer, John Matze and Jared Thomson. The platform refers to itself as an “unbiased social media” where people can “speak freely and express yourself openly without fear of being 'deplatformed' for your views," according to its website and App Store description.

The app mainly attracts conservative users—some of the Parler’s active users among public figures include Fox News host Sean Hannity, far-right activist Laura Loomer, radio personality Mark Levin, Senator Ted Cruz, and Congressman Devin Nunes. Eric Trump and Donald Trump's presidential campaign also have accounts on the platform.

With big tech companies like Twitter, Facebook and Instagram taking strict action against former President Donald Trump and flagging misinformation, Parler became a free-for-all space for conservatives.

Problems and influences

According to some reports, members of the Proud Boys, adherents of conspiracy theory QAnon, anti-government extremists, and white supremacists all openly promote their views on Parler. Holocaust denial, anti-Semitism, racism and other forms of bigotry can also be found among their ideas.

The co-founder of the website, Rebekah Mercer and her family came into national politics in 2016 elections when they donated more than $23 million to groups backing conservative candidates.

Rebekah Mercer is widely reported to have persuaded then-candidate Trump to reshuffle his campaign organization and hire Steve Bannon and Kellyanne Conway to help run his presidential bid in the final stretch of the 2016 election.

The shutdown: opinions on Parler and the monopoly of tech giants

The social networking site went dark when Amazon stopped providing it cloud hosting services after it was revealed the platform was used to help organize the Capitol Hill attack on January 6—which left five people dead. Amazon's actions were followed by Apple and Google that banned the Parler mobile app from their respective stores.

After going offline, the site made a comeback several days later with Epik registered as its provider. Epik, however, denied in an official statement that the company had had any "contact or discussions with Parler in any form regarding our becoming their registrar or hosting provider."

A Reuters report, citing an infrastructure expert, pointed to a Russian tech firm as supporting Parler's return online. It said that the IP address Epik used is owned by DDoS-Guard, which is "controlled by two Russian men and provides services including protection from distributed denial of service attacks."

Silicon Valley's united action began on January 8, when Apple emailed Parler and gave it 24 hours to prove it had changed its moderation practices or face removal from the App Store. The letter stated: "We have received numerous complaints regarding objectionable content in your Parler service, accusations that the Parler app was used to plan, coordinate, and facilitate the illegal activities in Washington D.C. on January 6, 2021 that led (among other things) to loss of life, numerous injuries, and the destruction of property."

It ended with this warning: “To ensure there is no interruption of the availability of your app on the App Store, please submit an update and the requested moderation improvement plan within 24 hours of the date of this message. If we do not receive an update compliant with the App Store Review Guidelines and the requested moderation improvement plan in writing within 24 hours, your app will be removed from the App Store.” The next day, Apple removed it from its App Store.

Critics saw the ban as monopolistic behaviour and an alleged misuse of power by the tech giants. Notably, in October the House Judiciary Subcommittee on Antitrust, Commercial, and Administrative Law had issued a 425-page report concluding that Amazon, Apple, Facebook and Google all possess monopoly power and use it anti-competitively. According to the report, iOS and Android form an effective duopoly in mobile operating systems, and Apple has a monopolistic hold over what you can do with an iPhone: apps can only be installed through the Apple App Store, and Apple has total gatekeeper control over that store.

Leading left-wing politicians not only did not object; some of them were the ones who pleaded with Silicon Valley to use its power this way. After the internet-policing site Sleeping Giants flagged several Parler posts that called for violence, Rep. Alexandria Ocasio-Cortez asked: "What are @Apple and @GooglePlay doing about this?" Once Apple responded by removing Parler from its App Store, a move that House Democrats just three months earlier had warned was dangerous antitrust behaviour, she praised Apple and then demanded to know: "Good to see this development from @Apple. @GooglePlay what are you going to do about apps being used to organize violence on your platform?" Google later took the same step.

These actions showed how much power the Silicon Valley giants hold: they can effectively decide another company's fate. The power revealed by these steps is dangerous, yet helpful when used for good. The liberal New York Times columnist Michelle Goldberg called herself "disturbed by just how awesome [tech giants'] power is" and added that "it's dangerous to have a handful of callow young tech titans in charge of who has a megaphone and who does not." She nonetheless praised these "young tech titans" for using their "dangerous" power to ban Trump and destroy Parler. Her opinion suggests that liberals are happy as long as Silicon Valley censorship is used against their adversaries rather than against themselves.

As put by Glenn Greenwald “Liberals like Goldberg are concerned only that Silicon Valley censorship powers might one day be used against people like them, but are perfectly happy as long as it is their adversaries being deplatformed and silenced (Facebook and other platforms have for years banned marginalized people like Palestinians at Israel’s behest, but that is of no concern to U.S. liberals).”

Clearly, the way Parler was misused for spreading propaganda had to be stopped, since it led to one of the worst days in American history, the storming of the Capitol. But the way it was censored and banned from the internet by the virtual unity of the Silicon Valley giants Apple, Google and Amazon has brought forth another dangerous fact for the world: how much power these companies hold. If misused, that power could prove more dangerous than Parler itself. As long as they use it to maintain peace and lawfulness, even liberals have no problem with it, at least for now.
