Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

Article Contributor(s): Vaishnavi Krishna Mohan

Publisher: Global Views 360

Publication Date: January 13, 2021

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a highly reputable customer list that includes multiple U.S. government agencies. The company develops software that helps businesses and agencies manage and monitor their networks, systems and IT infrastructure. The company is a service provider to over 425 of the Fortune 500 companies, the top 5 U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several global universities and educational institutions, the NSA and the White House.

A group of hackers managed to sneak malicious code into a SolarWinds software update for a tool called “Orion”. Earlier in 2020, the hackers had injected malware into Orion updates released between March and June 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued an official joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government agencies such as the Pentagon, the National Institutes of Health, the FBI, the DHS, the Department of Energy and the Department of Veterans Affairs were some of the significant users of Orion. In fact, in August 2020, the Department of Veterans Affairs renewed its Orion license in a 2.8-million-dollar order. The Department of Veterans Affairs has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Over 18,000 customers had installed the compromised software, which means those customers were exposed to spying operations throughout 2020. The malware inserted into the updates gave the hackers remote access to an organization’s network. Since the malware went undetected for months, the hackers had ample opportunity to obtain information from their targets; they could also monitor emails and other internal communications. FireEye, the cybersecurity company that was the first to discover the breach, describes the malware’s capabilities, from initially lying dormant for up to two weeks to hiding in plain sight by masquerading its activity as “Orion Activity”. In 2016, Russian military hackers used a method called a “supply chain” attack to infect companies doing business in Ukraine with a hard-drive-wiping virus called NotPetya. That attack is considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the current hack has been identified as similar to the “supply chain” method.

The Orion software framework contained a backdoor that communicated via HTTP with third-party servers. The cybersecurity firm FireEye has been tracking the trojanized version of the Orion plug-in as SUNBURST.


FireEye described the use of the SUNBURST backdoor in a blog post published on 13 December 2020. It stated:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

FireEye described the attack through the SUNBURST backdoor as “highly evasive”. Meanwhile, SolarWinds is facing a class action lawsuit, filed by a stakeholder of the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit is filed against SolarWinds’ ex-president, Kevin Thompson, and chief financial officer, J. Barton Kalsu, on the grounds of violating federal securities laws under the Securities Exchange Act of 1934. The complaint states that the company failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also mentions that SolarWinds’ update server had a fairly weak and easily guessable password, ‘solarwinds123’.

Microsoft’s internal security research team found evidence that the same hackers had accessed some internal source code on the company’s systems. Microsoft said the attempted activity went beyond the mere presence of the malicious SolarWinds code in its environment. Microsoft has “an open source like culture” that allows teams within Microsoft to view source code. The company acknowledges that this is part of its threat model, but downplays the risk by saying that “just viewing the source code should not cause any elevated risk”.

The Russian hackers also managed to breach the network of the City of Austin, Texas. The breach dates back to at least mid-October 2020. The hackers appear to have targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye, and SolarWinds. The breach of the city of Austin’s network is an apparent win for the Russian hackers. In theory, the compromise could have given them access to sensitive information relating to city governance, elections and the city police, and by digging deeper the hackers could burrow into the city’s energy, water and airport networks.

Berserk Bear, the hacking outfit currently believed to be behind Austin’s breach, appears to have used Austin’s network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure in the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to another Russian group called APT29, popularly known as Cozy Bear. Berserk Bear is allegedly a unit of the Russian Federal Security Service (FSB). Cozy Bear is known to be affiliated with the Russian Foreign Intelligence Service, or SVR. The FSB and SVR are considered successors of the Soviet-era Committee of State Security, widely known as the KGB.

The Austin City Council appears to have been aware of the breach since October 2020. The FBI and CISA had published an initial advisory warning of “advanced persistent threat actors” (APTs) on October 9th, 2020. The advisory warned the city council of APTs targeting state and local governments. On October 22nd, a follow-up advisory was published in which both agencies attributed the breach to Berserk Bear. CISA published a heat map listing the types of organizations that were breached, scanned or targeted by Berserk Bear. Berserk Bear’s reputation for lurking fits its usual pattern of espionage-oriented attacks. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been in a network for more than a couple of months before someone discovers their presence. Ruohonen also mentioned that this technique is especially favoured by APT groups because the longer they go unnoticed, the longer they retain remote access to the network. F-Secure, in a report published in 2019, compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the city of Austin and the U.S. that Berserk Bear hackers are not involved in espionage and sabotage alone. They can gear up at any moment and create havoc in the United States. These Russian hackers could cause city blackouts, disrupt water supplies and even disrupt COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says, “We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it.”

Kevin Thompson, the ex-CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds replaced its ex-CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike his predecessor Thompson, who is an accountant by training, Ramakrishna comes from a security background, having led Pulse Secure in the recent past. The new CEO publicly stated that the company will be making five critical changes to put security front and center. The company also hired former CISA chief Chris Krebs and Facebook’s former security lead, Alex Stamos. Krebs and Stamos work as independent consultants helping the company coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO mentioned that the company has engaged several cybersecurity experts to assist SolarWinds in its efforts to become more secure. We can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.


Read More

July 17, 2021 6:39 PM

How Facebook helps the Authoritarian Regime in Vietnam

The ability to coerce American tech giants like Facebook into compliance is certainly a bragging point for Vietnamese leaders. In October 2019, Facebook’s CEO Mark Zuckerberg stated that “Facebook stands for free expression. In a democracy, a private company shouldn’t have the power to censor politicians or the news.” However, Facebook’s double standard is nothing new. In August 2019, the Minister of Information and Communications, Nguyen Manh Hung, took the parliamentary floor and stated that Facebook was restricting access to “increasing amounts” of content in Vietnam. Further, Hung stated that Facebook was complying with 70-75% of the Vietnamese government’s requests for post restrictions. By October 2020, this number had gone up to 95%. Facebook acknowledged that the amount of content on which restrictions were imposed jumped by over 500% in the second half of 2018 alone.

Unlike China, Vietnam has adopted a relatively open attitude to western social media. Vietnamese politicians consider social media beneficial, perhaps because it helps promote their missions, personal agendas and even propaganda. In fact, Vietnam has a military unit—called Force 47—whose purpose is to correct “wrong views” on the internet. While there is no set definition of the “wrong views,” people, if found guilty, can be jailed for up to 20 years.

Furthermore, blocking western social media might not be in Vietnam’s self-interest, as doing so could hamper relations with the U.S., with which Vietnam wants to strengthen ties. For decades, the top communist strata of Vietnam have been single-minded about what they identify as “toxic information”. The definition of “toxic information” has only broadened over the years and has enabled the authorities to bend the term to their whims. Vietnamese leaders have misused the threat of “toxic information” by branding content unfavorable to their regime with the term.

Facebook removed over 620 supposed fake accounts, over 2,200 links and several thousand posts deemed to be ‘anti-state’ from Vietnam in 2020. In a country without independent media, Vietnamese people rely on platforms like Facebook to read about and discuss vital and controversial issues such as the dispute in Dong Tam. Dong Tam is a village outside Vietnam’s capital, Hanoi, where residents were fighting the authorities’ plans to seize their farmland in order to build a factory. 40-year-old Bui Van Thuan, a chemistry teacher and blogger, showed his solidarity with the fight and condemned the country’s leaders in one of his Facebook posts, which stated: “Your crimes will be engraved on my mind. I know you, the land robbers, will do everything, however cruel it is, to grab the people’s land.” At the government’s insistence, Facebook blocked his account the very next day, preventing over 60 million Vietnamese users from seeing his posts. A day later, Dong Tam village was stormed by police with grenades and tear gas. A village leader and three officers were killed, just as Thuan had anticipated. Thuan’s account remained suspended for three months, after which Facebook informed him that the ban would be permanent. “We have confirmed that you are not eligible to use Facebook,” the message read in Vietnamese. Towards the end of the murder trial held over the clash, a Facebook spokesperson said Thuan’s account had been blocked due to an error and that the timing of the lifting of the restrictions was coincidental. The spokesperson denied censoring profiles at the government’s demand. Thuan’s blacklisting illustrates how willingly Facebook submits to the authoritarian government’s censorship demands.

In April 2018, 16 activist groups and media organizations and 34 well-known Facebook users wrote an open letter to CEO Mark Zuckerberg, accusing Facebook of helping Vietnam suppress dissenting voices. Force 47, or E47, a 10,000-member cyber unit, was singled out in the letter, which called the unit “state-sponsored trolls” that spread misinformation about Vietnamese pro-democracy activists.

Force 47 was deployed in 2016 by the state to maintain a “healthy” internet environment. The cyber unit took advantage of a very apparent loophole in the enforcement of Facebook’s community guidelines, which automatically removes content if enough people lodge a complaint or report the post or account. The letter alleged that the government used Force 47 to get targeted accounts or content suspended.

According to a report by The Intercept, the modus operandi of E47 is that a member shares a target, who is often a pro-democracy political dissident, writer or activist. The information on the target nominated for censorship is accompanied by an image of the target with a red “X” marked over it. Anyone interested in victimizing the target need only report the account or post for violating Facebook’s pliant community standards, regardless of whether the rules were actually broken. E47 users are asked to rate the targeted page one out of five stars, falsely flag the post and report the page itself.

Do Nguyen Mai Khoi, a singer and pro-democracy activist popularly known as “the Lady Gaga of Vietnam”, has been trying tirelessly for over two years to get Facebook to care about censorship in Vietnam. She has tried to draw Facebook’s attention to the fact that groups like Force 47, a pro-government Facebook group of police, military and other Communist Party loyalists, have actively collaborated to suppress the voices of dissidents both offline and online. Her evidence has been substantial and her arguments carry ample clarity. Despite several interactions with Alex Warofka, a Facebook product policy manager for human rights, Mai Khoi’s efforts have not been sincerely addressed. Instead, what Facebook claimed was more infuriating: “We were not able to identify a sufficient level of community standards violations in order to remove that particular group (E47) or those particular actors.” Since E47 actors operate under real names, photos and authentic identities, Facebook dismissed Mai Khoi’s evidence. “At a high level, we require both widespread coordination, as well as the use of inauthentic accounts and identity,” Warofka told Khoi.

Dipayan Ghosh, a former public policy advisor at Facebook and the co-director of the Digital Platforms & Democracy Project at Harvard’s Kennedy School stated:

“I think for Zuckerberg the calculus with Vietnam is clear: It’s to maintain service in a country that has a huge population and in which Facebook dominates the consumer internet market, or else a competitor may step in. The thought process for the company is not about maintaining service for free speech. It’s about maintaining service for the revenue.”

It is not surprising that the inconsistency of Facebook’s ostensible community guidelines and policies extends beyond Vietnam. In 2016, during the political unrest in Turkey, access to Facebook and other social media was repeatedly restricted, and Facebook further complied with the Turkish government’s request to restrict 1,823 pieces of content which the government deemed unlawful. In 2018, Facebook-owned Instagram complied with the Russian government’s demands to remove content related to opposition activist Alexei Navalny’s anti-corruption investigation, making it inaccessible to the over 5 million users who watched and followed Navalny’s investigation. Facebook also routinely restricts posts that governments deem sensitive or off-limits in countries including Cuba, India, Israel, Morocco and Pakistan.

While Facebook’s CEO, Mark Zuckerberg, claims that the platform protects free expression, Facebook has been an active facilitator and flag-bearer of autocratic regimes. The social media giant’s apparent indifference and ignorance have failed its users terribly.
