Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

Article contributor: Vaishnavi Krishna Mohan
Publisher: Global Views 360
Publication date: January 13, 2021

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a prominent customer list that includes multiple U.S. government agencies. The company develops software that businesses and agencies use to manage and monitor their networks, systems and IT infrastructure. It has counted among its customers more than 425 of the Fortune 500 companies, the top five U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several universities and educational institutions worldwide, the NSA and the White House.

Attackers managed to insert malicious code into the software updates for a SolarWinds product called "Orion". The trojanized updates were released between March and June 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued a joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government users of Orion included the Pentagon, the National Institutes of Health, the FBI, the Department of Homeland Security, the Department of Energy and the Department of Veterans Affairs. In August 2020 the Department of Veterans Affairs, which has been heavily involved in COVID-19 relief, renewed its Orion license in a $2.8 million order.

The Orion compromise began as early as March 2020. Up to 18,000 customers installed the trojanized software, which means those customers were exposed to espionage throughout 2020. The malware inserted into the updates gave the attackers remote access to an organization's network, and because it went undetected for months it gave them ample opportunity to collect information from their targets, including emails and other internal communications. FireEye, the cybersecurity company that first discovered the breach, describes the malware's capabilities: it initially lies dormant for up to two weeks, then hides in plain sight by disguising its command-and-control traffic as legitimate Orion activity. In 2017, Russian military hackers used the same "supply chain" technique to infect companies doing business in Ukraine with NotPetya, a disk-wiping malware delivered through the compromised update mechanism of the Ukrainian accounting software M.E.Doc; that attack is considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the Orion hack follows the same supply-chain pattern: rather than attacking each target directly, the adversary compromises a trusted vendor's build or update process so that victims install the implant themselves.
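The core of the supply-chain problem is that a customer's updater verifies the vendor's signature or hash, and a build that was trojanized before signing passes that check. The following added example, which is not code from the article or from SolarWinds, demonstrates this with a toy release pipeline; HMAC-SHA256 stands in for the vendor's code-signing key (an assumption), and every source file, artifact and "implant" string is constructed.

```python
"""Added example, not code from the article or from SolarWinds: a toy release
pipeline showing why hash/signature checks on an update do not catch code that
was injected before the vendor signed the build. HMAC-SHA256 stands in for the
vendor's code-signing key (assumption); every artifact here is constructed."""
import hashlib
import hmac
from typing import Tuple

# Assumption: a stand-in secret for the vendor's signing key.
VENDOR_SIGNING_KEY = b"stand-in-for-vendor-code-signing-key"

CLEAN_SOURCE = b"def run():\n    monitor_network()\n"
# Constructed "implant": the same code plus a call to a beacon routine.
IMPLANTED_SOURCE = b"def run():\n    monitor_network()\n    beacon_to_c2()\n"


def build(source: bytes) -> bytes:
    """Toy deterministic build: wraps the source in a plug-in header."""
    return b"ORION-PLUGIN-V1\n" + source


def sign(artifact: bytes) -> bytes:
    """Vendor 'signature' over the built artifact."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, signature: bytes) -> bool:
    """What the customer's updater checks before installing."""
    return hmac.compare_digest(sign(artifact), signature)


def release(source: bytes) -> Tuple[bytes, bytes]:
    """Vendor pipeline: build, then sign whatever came out of the build."""
    artifact = build(source)
    return artifact, sign(artifact)


def tampered_in_transit_passes() -> bool:
    """Attacker alters the artifact after signing (on a mirror, in transit).
    The signature no longer matches, so the updater rejects it."""
    artifact, sig = release(CLEAN_SOURCE)
    return verify(artifact + b"# appended by attacker\n", sig)


def tampered_before_signing_passes() -> bool:
    """Attacker alters the source inside the vendor's build environment.
    The vendor signs the implanted build, so the updater accepts it."""
    artifact, sig = release(IMPLANTED_SOURCE)
    return verify(artifact, sig)


def independent_rebuild_matches(reviewed_source: bytes, shipped_artifact: bytes) -> bool:
    """Mitigation: rebuild from reviewed source and compare byte-for-byte
    (reproducible builds). A build-time implant shows up as a mismatch."""
    return hmac.compare_digest(build(reviewed_source), shipped_artifact)


if __name__ == "__main__":
    shipped, _ = release(IMPLANTED_SOURCE)
    print("post-signing tamper accepted:", tampered_in_transit_passes())      # False
    print("pre-signing implant accepted:", tampered_before_signing_passes())  # True
    print("rebuild from clean source matches shipped build:",
          independent_rebuild_matches(CLEAN_SOURCE, shipped))                 # False
```

The signature protects the artifact in transit, not the build that produced it. The check that does catch a build-time implant is the last function: an independent, reproducible rebuild from reviewed source compared against what was shipped, which is what a customer or auditor would need rather than another signature check.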

The trojanized Orion component (the SolarWinds.Orion.Core.BusinessLayer.dll plug-in) contained a backdoor that communicates over HTTP with third-party servers. FireEye tracks this trojanized version of the Orion plug-in as SUNBURST.


FireEye described the SUNBURST backdoor in a blog post published on 13 December 2020. It stated,

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
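Because the second-stage traffic mimics the Orion Improvement Program protocol, the cheapest place to start a hunt is DNS rather than HTTP content: FireEye's public report gave the structure of SUNBURST's first-stage command-and-control domain, a generated label under appsync-api.<region>.avsvmcloud.com. The following added example, which is not code from FireEye or from the article, scans resolver logs for that pattern. The log line format and every log line in it are constructed.

```python
"""Added example, not code from FireEye or the article: hunt DNS resolver logs
for SUNBURST's first-stage command-and-control domain. The domain structure
(<dga-label>.appsync-api.<region>.avsvmcloud.com) is from FireEye's public
report; the log format and every log line below are constructed."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# SUNBURST's DGA produced subdomains of avsvmcloud.com under one of four
# AWS-style region labels. The leading label encodes the victim's domain.
SUNBURST_BEACON = re.compile(
    r"^(?P<dga>[a-z0-9]+)\.appsync-api\."
    r"(?P<region>eu-west-1|us-west-2|us-east-1|us-east-2)\.avsvmcloud\.com\.?$",
    re.IGNORECASE,
)
# Any contact with the apex domain is worth a look, even without the DGA shape.
C2_APEX = re.compile(r"(^|\.)avsvmcloud\.com\.?$", re.IGNORECASE)

# Assumed (constructed) resolver log format: ts host=<name> query=<fqdn> type=<rrtype>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+query=(?P<fqdn>\S+)\s+type=(?P<rrtype>\S+)\s*$"
)

# Constructed sample log: two DGA beacons from one host, one apex lookup from
# another, benign lookups, a look-alike that must not match, and a junk line.
SAMPLE_LOG = """\
2020-06-12T03:14:07Z host=orion-srv01 query=6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com type=A
2020-06-12T03:14:09Z host=orion-srv01 query=downloads.solarwinds.com type=A
2020-06-12T03:20:41Z host=ws-finance-07 query=login.microsoftonline.com type=A
2020-06-13T03:14:12Z host=orion-srv01 query=7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com type=A
2020-06-13T11:02:55Z host=orion-srv02 query=www.avsvmcloud.com type=A
2020-06-13T11:03:00Z host=orion-srv02 query=api.appsync-api.evil.example type=A
garbage line that does not parse
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_sunburst_beacons(lines: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map host -> [(timestamp, fqdn)] for queries matching the DGA pattern."""
    hits: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and SUNBURST_BEACON.match(rec["fqdn"]):
            hits[rec["host"]].append((rec["ts"], rec["fqdn"]))
    return dict(hits)


def hosts_touching_c2_apex(lines: List[str]) -> Set[str]:
    """Hosts that resolved anything under avsvmcloud.com at all."""
    return {
        rec["host"]
        for rec in map(parse_line, lines)
        if rec and C2_APEX.search(rec["fqdn"])
    }


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for host, beacons in sorted(find_sunburst_beacons(lines).items()):
        print(f"{host}: {len(beacons)} DGA beacon(s), first seen {beacons[0][0]}")
    print("hosts that touched avsvmcloud.com:", sorted(hosts_touching_c2_apex(lines)))
```

Two practical points follow from FireEye's description. The dormant period of up to two weeks means the first beacon can appear a fortnight after the update was installed, so the log window must reach back at least that far past the install date. And the generated leading label encodes the victim's own domain, so a hit in a resolver log that serves several organisations can be tied to the one that was compromised; published decoders exist for that step but are not reproduced here.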

FireEye described the SUNBURST attack as "highly evasive". Meanwhile, SolarWinds is facing a class action lawsuit, filed on 4 January 2021 in the U.S. District Court for the Western District of Texas by a shareholder of the IT infrastructure management software company. The suit names SolarWinds' then-president and CEO, Kevin Thompson, and its chief financial officer, J. Barton Kalsu, and alleges violations of federal securities law under the Securities Exchange Act of 1934. The complaint states that the company failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also notes that a SolarWinds update server had been protected by a weak and easily guessed password, 'solarwinds123'.

Microsoft's internal security research team found evidence that the same attackers had viewed some source code in the company's systems; Microsoft said the activity went beyond the mere presence of malicious SolarWinds code in its environment. Microsoft has "an open source like culture" in which teams across the company can view source code. The company acknowledges that its threat models already assume attackers can read its source, and on that basis it downplayed the risk, saying that "viewing source code isn't tied to elevation of risk".

Russian hackers also breached the network of the City of Austin, Texas, at least as early as mid-October 2020. This is separate from the Orion campaign, which targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye and SolarWinds itself. The breach of the city's network is a significant win for the attackers: in principle, the compromise could give them access to sensitive information about city governance, elections and the city police, and by pivoting deeper they could burrow into the city's energy, water and airport networks.

Berserk Bear, the group currently believed to be behind the Austin breach, appears to have used the city's network as a staging ground for larger attacks. Berserk Bear, also tracked as BROMINE among several other names, is believed to be responsible for a series of intrusions into significant U.S. infrastructure over the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to a different Russian group, APT29, popularly known as Cozy Bear. Berserk Bear is believed to be a unit of the Russian Federal Security Service (FSB), while Cozy Bear is associated with the Russian Foreign Intelligence Service (SVR). Both the FSB and the SVR are successors of the Soviet-era Committee for State Security, widely known as the KGB.

The City of Austin appears to have been aware of the breach since October 2020. On 9 October 2020 the FBI and CISA published an initial advisory warning of "advanced persistent threat actors" (APTs) targeting state and local governments. A follow-up advisory on 22 October attributed the activity to Berserk Bear, and CISA published a heat map of the types of organizations the group had breached, scanned or targeted. Berserk Bear's reputation for lurking quietly in networks fits its usual espionage-oriented pattern. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been inside a network for more than a couple of months before anyone discovers them, and that APT groups favour this approach because the longer they go unnoticed, the longer they retain remote access. In a 2019 report, F-Secure compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the City of Austin and the U.S. that Berserk Bear's capabilities are not limited to espionage: the group could move to sabotage at any moment and cause havoc in the United States. Such access could be used to black out cities, disrupt water supplies and even interfere with COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, said, "We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it."

Kevin Thompson, the ex-CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds replaced its CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike Thompson, who is an accountant by training, Ramakrishna comes from a security background, having most recently led Pulse Secure. The new CEO publicly stated that the company will make five critical changes to put security front and centre. The company also hired former CISA director Chris Krebs and Facebook's former security chief Alex Stamos as independent consultants to help coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO said the company has engaged several cybersecurity experts to help SolarWinds become more secure. With better expertise, vision and an understanding of threat and vulnerability management, the company may now be headed towards a better future.


Read More

July 19, 2021 11:59 AM

3D Printing: The direction to go for the Indian Defense and Aerospace Industries

3D printing is the next big game-changer on the technological front, almost a revolution if you will. 3D printing, also known as additive manufacturing, is a process of creating three-dimensional objects by layering two-dimensional cross sections on top of one another. The two-dimensional cross sections are computer-designed and rendered, which makes the process all the more advanced. From aerospace to defence and from medical to automotive, products manufactured via 3D printing are spreading their reach in the markets quite swiftly. This article looks at how 3D printing is beneficial and how the technology can transform the Indian defence and aerospace sectors once utilized to its full potential.

Additive manufacturing has the power to unlock a wide range of opportunities. It uses a 3D printer to create a layer-by-layer "addition" of material from a digital design. Materials currently in use include metals, ceramics, special plastics and synthetic resins. 3D printing not only reduces the cost of producing various components but also makes it possible to manufacture locally with design flexibility. The technology significantly speeds up the design process, mainly because no tooling is required. Traditional manufacturing usually takes months either to acquire the necessary tooling and then produce parts and components, or to import components from various places. Although 3D printers may be costly in themselves, once acquired they ensure a smoother production process. Hence, through the combination of localized manufacturing and the absence of tooling, tailor-made designs can be produced to match the needs of various industries.

Figure 2: A typical 3D printer. Source: Bre Pettis via Flickr

India is gradually growing in its use of 3D printing technology. In 2014 the 3D printer market was at an early stage, with a combined workforce of just 200-500 engineers, designers and sales representatives. Currently, start-ups are springing up in places like Bangalore, Chennai, Mumbai and Visakhapatnam, producing essential parts for the Indian Navy, the Air Force, ISRO and HAL. India's 3D printing market is projected to reach $79 million by the end of 2021, while the global market stands at around $15.8 billion, which suggests that India has a lot of catching up to do.

Applications in the Aerospace and Defense Industry

The aerospace and defence industries are keen to pursue additive manufacturing, mainly because of benefits such as weight reduction, cost cutting and the ability to meet their highly specific requirements. The additive process uses less material to manufacture components and also ensures minimal waste. Lower overall weight means that aircraft burn less fuel, which improves environmental compatibility. Let's examine a few instances in India where 3D printing start-ups have assisted the defence and aerospace sectors with unique solutions.

In 2020, the Centre-run defence company Hindustan Aeronautics Limited (HAL) signed a memorandum of understanding (MoU) with Wipro 3D, the metal additive manufacturing arm of Wipro Infrastructure Engineering. The initiative focuses primarily on the design, development, testing, manufacturing and repair of aerospace components using metal additive technology. HAL is using 3D printing to manufacture engine components, and it also provides support for helicopter and rotary-wing products. HAL supplies products to the Indian Army, Air Force, Navy and Coast Guard. Speaking about the collaboration, Shekhar Shrivastava, CEO of HAL's Bangalore complex, said, "This initiative between HAL and Wipro 3D will create a unique synergy of capabilities that can accelerate the adoption of metal additive manufacturing in aerospace in India. Qualification of parts for aerospace is challenging as it would require prove out and extensive testing followed by certification by regulatory authorities which may also include flight testing."

Down south, Karnataka, which produces more than 65 percent of India's aerospace-related components and exports, has taken a number of initiatives to promote additive manufacturing by setting up 3D printing clusters and sponsoring 3D printing start-ups. For example, through its flagship programme 'Start Up Karnataka', the state has given grants to 'Deltasys E-Forming', a Belgaum-based start-up, to develop hybrid composite 3D printers. These initiatives are well placed, since two-thirds of India's defence aircraft and helicopter manufacturing takes place in Karnataka, and 3D printing could transform these processes quite rapidly.

On the other coast, the Chennai-based 3D printing start-up Fabheads Automation was established in 2015 by Dhinesh Kanagaraj, an ISRO engineer turned entrepreneur. The deep-tech start-up designs and develops high-end carbon fibre helicopter blades for the Indian Air Force. Traditionally, carbon fibre parts are fabricated by laborious manual processes that consume a lot of time and money, and Dhinesh had observed considerable material wastage while working on carbon fibres at ISRO. Based on this, Fabheads designed an automated 3D printer series to eliminate material waste and improve the efficiency of carbon fibre production. Organizations such as the DRDO are now approaching the company because of these production methods.

3D Printing Saves the Day for the Indian Navy

The Indian Navy has partnered with 'think3D', a Hyderabad-based 3D printing start-up, to produce spare components via additive manufacturing for both onshore and offshore set-ups. Much of the machinery on the Navy's ships is imported and quite old. Whenever a component is damaged, it is hard to replace, either because the part is no longer available or because there is a significant delay before it is received. This often proved costly for the Navy: machines had to sit idle until a spare part arrived, and procuring the part was itself expensive.

This is where think3D stepped in, supplying 3D printed parts to the Indian Navy that were successfully tested and incorporated into its machinery. One such part, which proved to be of crucial help, is a centrifugal pump impeller, a key component for a ship's operation.

Figure 3: An original impeller (left) vs. a 3D printed impeller (right). Image source: think3D

The impeller is a rotating component that transfers energy from the motor to the fluid being pumped by accelerating the fluid outwards from the centre of rotation. On ships, this component is used to draw seawater into various parts of the vessel for the crew's regular use. Impellers must rotate at high speed for long durations and need to be very carefully designed. 3D printing was the best way to replace these parts, given its speed of production and lower cost.

Given all the benefits of 3D printing, it is high time for the Indian market to expand its 3D printing industry and utilize it to its full potential. There are many other cases like the impeller in the aerospace and defence industries that can readily be solved with 3D printing.
