Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

By Vaishnavi Krishna Mohan | Global Views 360 | January 13, 2021

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a highly reputed customer list that includes multiple U.S. government agencies. The company develops software that helps businesses and agencies manage and monitor their networks, systems and IT infrastructure. It is a service provider to over 425 of the Fortune 500 companies, the top 5 U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several global universities and educational institutions, the NSA and the White House.

A group of hackers managed to sneak malicious code into a software update for SolarWinds' network-monitoring tool "Orion". The hackers had injected malware into the Orion updates released between March and June of 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued an official joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government agencies such as the Pentagon, the National Institutes of Health, the FBI, DHS, the Department of Energy and the Department of Veterans Affairs were among the significant users of Orion. In fact, in August 2020 the Department of Veterans Affairs renewed its Orion license in a 2.8-million-dollar order. The Department of Veterans Affairs has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Over 18,000 customers had installed the compromised software, which means these customers were exposed to spy operations throughout 2020. The malware inserted into the updates gave the hackers remote access to an organization's network. Because the malware went undetected for months, it gave the hackers ample opportunity to extract information from their targets; they could also monitor emails and other internal communications. FireEye, the cybersecurity company that first discovered the breach, describes the malware's capabilities, from initially lying dormant for up to two weeks to hiding in plain sight by masquerading its own network activity as legitimate Orion activity. In 2016, Russian military hackers used a "supply chain" method to infect companies doing business in Ukraine with a hard-drive-wiping virus called NotPetya. That attack is considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the current hack has likewise been identified as a "supply chain" attack.

The Orion software framework contained a backdoor that communicated via HTTP to third-party servers. FireEye tracks the trojanized version of the Orion plug-in as SUNBURST.


FireEye described the SUNBURST backdoor in a blog post published on 13 December 2020. It stated:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

FireEye described the attack through the SUNBURST backdoor as "highly evasive". Meanwhile, SolarWinds is facing a class action lawsuit, filed by a shareholder of the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit names SolarWinds' former president, Kevin Thompson, and its chief financial officer, J. Barton Kalsu, and alleges violations of federal securities laws under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also notes that the SolarWinds update server had a weak and easily guessable password, 'solarwinds123'.

Microsoft's internal security research team found evidence that the same hackers had accessed some internal source code in the company's systems. Microsoft noted that the attackers' activity went beyond the mere presence of the malicious SolarWinds code in its environment. Microsoft has "an open source-like culture" that allows teams within the company to view source code. The company acknowledges that such access is part of its threat model but downplays the risk, saying that "just viewing the source code should not cause any elevated risk".

The Russian hackers have also managed to breach the network of the city of Austin, Texas. The breach dates back to at least mid-October 2020. The hackers appear to have targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye, and SolarWinds. The breach of Austin's network is an apparent win for the Russian hackers. In theory, the compromise could have given them access to sensitive information relating to city governance, elections and the city police, and by digging deeper the hackers could burrow into the city's energy, water and airport networks.

Berserk Bear, the hacking group currently believed to be behind the Austin breach, appears to have used Austin's network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure in the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to another Russian group, APT29, popularly known as Cozy Bear. Berserk Bear is allegedly a unit of the Russian Federal Security Service (FSB), while Cozy Bear is known to be affiliated with the Russian Foreign Intelligence Service, or SVR. The FSB and SVR are considered successors of the Soviet-era Committee for State Security, widely known as the KGB.

The Austin city council seems to have been aware of the breach since October 2020. The FBI and CISA had published an initial advisory warning of "advanced persistent threat actors" (APTs) on October 9th, 2020. The advisory warned that APTs were targeting state and local governments. On October 22nd, a follow-up advisory was published in which both agencies attributed the breach to Berserk Bear. CISA published a heat map listing the types of organizations that had been breached, scanned or targeted by Berserk Bear. Berserk Bear's reputation for lurking fits its usual pattern of espionage-oriented attacks. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically already been in a network for more than a couple of months before someone discovers their presence. Ruohonen also noted that this approach is especially favored by APT groups because the longer they go unnoticed, the longer they retain remote access to the network. F-Secure, in a report published in 2019, compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the city of Austin and the U.S. that Berserk Bear's hackers are not limited to espionage; they can gear up at any moment and create havoc in the United States. These Russian hackers could cause city blackouts, disrupt water supplies and even disrupt COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says: "We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it."

Kevin Thompson, the ex-CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds replaced its CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike his predecessor Thompson, who is an accountant by training, Ramakrishna comes from a security background, having recently led Pulse Secure. The new CEO publicly stated that the company will make 5 critical changes to put security front and center. The company also hired former CISA director Chris Krebs and Facebook's former security lead, Alex Stamos. Krebs and Stamos work as independent consultants helping the company coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO said that the company has engaged several cybersecurity experts to assist SolarWinds in its efforts to become more secure. We can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.
