Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

By Vaishnavi Krishna Mohan | Global Views 360 | January 13, 2021

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a well-known customer list that includes multiple U.S. government agencies. The company develops software that helps businesses and agencies manage and monitor their networks, systems and IT infrastructure. It is a service provider to over 425 of the Fortune 500 companies, the top five U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several global universities and educational institutions, the NSA and the White House.

A group of hackers managed to slip malicious code into a SolarWinds software update for a tool called “Orion”. The malware was injected into the Orion updates released between March and June of 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued an official joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government agencies such as the Pentagon, the National Institutes of Health, the FBI, DHS, the Department of Energy and the Department of Veterans Affairs were among the significant users of Orion. In fact, in August 2020, the Department of Veterans Affairs renewed its Orion license in a $2.8 million order. The Department of Veterans Affairs has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Over 18,000 customers had installed the compromised software, which means those customers were exposed to spying operations throughout 2020. The malware inserted into the updates gave the hackers remote access to an organization’s network. Because the malware went undetected for months, the hackers had ample opportunity to collect information from their targets; they could also monitor emails and other internal communications. FireEye, the cybersecurity company that first discovered the breach, describes the malware’s capabilities: it initially lies dormant for up to two weeks, then hides in plain sight by disguising its own activity as legitimate “Orion Activity”. In 2016, Russian military hackers used a “supply chain” method to infect companies doing business in Ukraine with a hard-drive-wiping virus called NotPetya, an attack considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the current hack has likewise been identified as a “supply chain” attack.
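The supply-chain attack described above works by handing customers a tampered update through the channel they already trust. The defender-side control that the passage implies is to pin the digests of vetted update artifacts out of band and refuse any bundle that no longer matches. The following is an added example written for this article; it is not SolarWinds, FireEye or the author’s code, and the artifact names, file bytes and manifest are constructed for illustration.

```python
"""Pinned-digest verification of a software update bundle.

Added example for the supply-chain scenario discussed above; not code
from SolarWinds, FireEye or the article author. Artifact names, file
contents and the manifest are all constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Mapping


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Mapping[str, bytes]) -> Dict[str, str]:
    """Record known-good digests when a release is first vetted.

    The result must be stored out of band (not on the update server
    itself); otherwise whoever tampers with the artifacts can simply
    rewrite the manifest to match.
    """
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_update(manifest: Mapping[str, str],
                  delivered: Mapping[str, bytes]) -> List[str]:
    """Compare a delivered update bundle against the pinned manifest.

    Returns a list of findings; an empty list means every pinned artifact
    arrived with the expected digest and nothing extra was shipped.
    """
    findings: List[str] = []
    for name, expected in manifest.items():
        if name not in delivered:
            findings.append(f"missing artifact: {name}")
            continue
        actual = sha256_hex(delivered[name])
        # compare_digest runs in constant time regardless of where the
        # digests differ, so the comparison itself leaks nothing.
        if not hmac.compare_digest(actual, expected):
            findings.append(f"digest mismatch: {name}")
    for name in sorted(delivered):
        if name not in manifest:
            findings.append(f"unexpected artifact: {name}")
    return findings


# Constructed release: a plugin DLL and its config, as vetted by the deployer.
KNOWN_GOOD: Dict[str, bytes] = {
    "Monitoring.Plugin.dll": b"MZ\x90\x00 vetted plugin build 2020.2 (constructed)",
    "plugin.config": b"<configuration><telemetry>on</telemetry></configuration>",
}
PINNED_MANIFEST = build_manifest(KNOWN_GOOD)

# Constructed tampered release: the DLL was rebuilt with extra code appended
# and an additional artifact was slipped into the bundle.
TAMPERED: Dict[str, bytes] = dict(KNOWN_GOOD)
TAMPERED["Monitoring.Plugin.dll"] = (
    KNOWN_GOOD["Monitoring.Plugin.dll"] + b"\x00 injected code (constructed)"
)
TAMPERED["Helper.dll"] = b"MZ\x90\x00 not in manifest (constructed)"


if __name__ == "__main__":
    print("clean bundle:   ", verify_update(PINNED_MANIFEST, KNOWN_GOOD) or "OK")
    print("tampered bundle:", verify_update(PINNED_MANIFEST, TAMPERED))
```

The caveat a practitioner will want: a pin only helps if it was taken from a copy vetted independently of the vendor's release pipeline. If an attacker controls the vendor's build or signing step, the hashes and signatures the vendor publishes cover the tampered file too, so digest pinning has to be paired with egress restrictions on the monitoring server and behavioural monitoring of what the update actually does once installed.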

The Orion software framework contained a backdoor that communicated over HTTP with third-party servers. FireEye, the cybersecurity firm, tracks the trojanized version of the Orion plug-in as SUNBURST.
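A backdoor that talks HTTP to third-party servers from inside a network monitoring platform is detectable on the network side, because a monitoring server has a small, predictable set of legitimate destinations. The following added example, written for this article and not taken from SolarWinds, FireEye or the author, checks constructed proxy log lines against a per-host egress allowlist and summarizes how long each unexpected destination has been in contact. The log format, IP addresses, host names and allowlist are all constructed for the illustration.

```python
"""Flag outbound HTTP from a monitoring server to hosts outside its
egress allowlist, and summarize how long each unexpected channel was open.

Added example for the HTTP backdoor passage above; not SolarWinds or
FireEye code. The log format, addresses, host names and policy are
constructed.
"""
import re
from typing import Dict, List, Mapping, Optional, Set, Tuple

# Constructed proxy log format: ISO timestamp followed by key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+host=(?P<host>\S+)\s+"
    r"method=(?P<method>\S+)\s+path=(?P<path>\S+)\s+status=(?P<status>\d+)$"
)

# Constructed sample lines. 10.20.0.15 plays the role of the network
# monitoring server; 10.20.0.44 is an ordinary workstation.
SAMPLE_LOG = """\
2020-06-01T02:14:07Z src=10.20.0.15 host=updates.vendor.example method=GET path=/update/manifest.xml status=200
2020-06-01T02:14:09Z src=10.20.0.15 host=telemetry.vendor.example method=POST path=/improvement/upload status=200
2020-06-15T03:41:22Z src=10.20.0.15 host=cdn-7f3a.example.net method=GET path=/improvement/config status=200
2020-06-15T03:41:30Z src=10.20.0.15 host=cdn-7f3a.example.net method=POST path=/improvement/events status=200
2020-06-15T09:00:01Z src=10.20.0.44 host=intranet.corp.example method=GET path=/ status=200
this line is malformed and should be skipped
"""

# Egress policy: each high-value server may only talk to the hosts listed.
# Sources absent from the policy are outside the scope of this check.
EGRESS_POLICY: Dict[str, Set[str]] = {
    "10.20.0.15": {"updates.vendor.example", "telemetry.vendor.example"},
}

Finding = Tuple[str, str, str, str]  # (timestamp, src, host, path)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; malformed lines yield None and are skipped."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_egress_violations(log_text: str,
                           policy: Mapping[str, Set[str]]) -> List[Finding]:
    """Return every request from a policed source to a host not allowlisted."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["src"] not in policy:
            continue
        if rec["host"] not in policy[rec["src"]]:
            findings.append((rec["ts"], rec["src"], rec["host"], rec["path"]))
    return findings


def summarize_violations(findings: List[Finding]) -> Dict[str, Tuple[str, str, int]]:
    """Per unexpected host: (first seen, last seen, request count).

    ISO 8601 timestamps in UTC sort lexically, so min/max give the span
    during which the channel was active; that span is what tells an
    incident responder how long the backdoor has been talking.
    """
    summary: Dict[str, Tuple[str, str, int]] = {}
    for ts, _src, host, _path in findings:
        first, last, count = summary.get(host, (ts, ts, 0))
        summary[host] = (min(first, ts), max(last, ts), count + 1)
    return summary


if __name__ == "__main__":
    hits = find_egress_violations(SAMPLE_LOG, EGRESS_POLICY)
    for ts, src, host, path in hits:
        print(f"{ts} {src} -> {host}{path}  NOT IN ALLOWLIST")
    for host, (first, last, n) in summarize_violations(hits).items():
        print(f"{host}: {n} requests between {first} and {last}")
```

The allowlist is deliberately per source rather than global: a workstation legitimately reaches far more places than a monitoring server, and the value of the check comes from how narrow the server's expected destinations are. The malware described in this article disguised its traffic as the product's own improvement-program protocol, which is exactly why matching on destination rather than on request shape is the more robust signal.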


FireEye described the use of the SUNBURST backdoor in a blog post published on 13 December 2020. It stated:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

FireEye described the attack through the SUNBURST backdoor as “highly evasive”. Meanwhile, SolarWinds is facing a class action lawsuit, filed by a stakeholder of the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit names SolarWinds’ former president, Kevin Thompson, and its chief financial officer, J. Barton Kalsu, on the grounds of violating federal securities laws under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also mentions that SolarWinds’ update server was protected by a weak and easily guessable password, ‘solarwinds123’.

Microsoft’s internal security research team found evidence that the same hackers had accessed some internal source code in the company’s systems. Microsoft said the activity went beyond the mere presence of the malicious SolarWinds code in its environment. Microsoft has “an open source like culture” that allows teams within the company to view source code. The company acknowledges that this is part of its threat model but plays down the risk, saying that “just viewing the source code should not cause any elevated risk”.

The Russian hackers also managed to breach the network of the City of Austin, Texas. The breach dates back to at least mid-October 2020. The hackers appear to have targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye, and SolarWinds. The breach of Austin’s network is an apparent win for the Russian hackers: in theory, the compromise could have given them access to sensitive information about city governance, elections and the city police, and by digging deeper they could reach the city’s energy, water and airport networks.

Berserk Bear, the hacking outfit currently believed to be behind Austin’s breach, appears to have used Austin’s network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure in the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to another Russian group, APT29, popularly known as Cozy Bear. Berserk Bear is allegedly a unit of the Russian Federal Security Service (FSB), while Cozy Bear is known to be affiliated with the Russian Foreign Intelligence Service, or SVR. The FSB and SVR are considered successors to the Soviet-era Committee of State Security, widely known as the KGB.

The Austin City Council appears to have been aware of the breach since October 2020. The FBI and CISA had published an initial advisory warning of “advanced persistent threat actors” (APTs) on October 9, 2020; the advisory warned the city council that APTs were targeting state and local governments. On October 22, a follow-up advisory from both agencies attributed the breach to Berserk Bear. CISA published a heat map listing the types of organizations that had been breached, scanned or targeted by Berserk Bear. Berserk Bear’s reputation for lurking fits its usual pattern of espionage-oriented attacks. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been inside a network for more than a couple of months before anyone discovers them. Ruohonen also noted that this technique is particularly favoured by APT groups because the longer they go unnoticed, the longer they retain remote access to the network. In a report published in 2019, F-Secure compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the city of Austin and the U.S. that Berserk Bear’s hackers are not just involved in espionage and sabotage; they can gear up at any moment and create havoc in the United States. These Russian hackers could cause city blackouts, disrupt water supplies and even disrupt COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says: “We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it.”

Kevin Thompson, the former CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds has replaced its former CEO, Kevin Thompson, with Sudhakar Ramakrishna. Unlike his predecessor, who is an accountant by training, Ramakrishna comes from a security background, having led Pulse Secure until recently. The new CEO has publicly stated that the company will make five critical changes to put security front and center. The company has also hired former CISA chief Chris Krebs and Facebook’s former security lead, Alex Stamos, who work as independent consultants to help the company coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO said that the company has engaged several cybersecurity experts to help SolarWinds become more secure. One can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.
