Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

By Vaishnavi Krishna Mohan
Publisher: Global Views 360
Publication Date: January 13, 2021

SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a highly reputed customer list that includes multiple U.S. government agencies. The company develops software that helps businesses and agencies manage and monitor their networks, systems and IT infrastructure. Its customers include over 425 of the Fortune 500 companies, the top five U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several global universities and educational institutions, the NSA and the White House.

A group of hackers managed to slip malicious code into a software update for a SolarWinds tool called “Orion”. The hackers had injected malware into the Orion updates released between March and June of 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued an official joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government bodies such as the Pentagon, the National Institutes of Health, the FBI, the DHS, the Department of Energy and the Department of Veterans Affairs were among the significant users of Orion. In fact, in August 2020, the Department of Veterans Affairs renewed its Orion license in a $2.8 million order. The Department of Veterans Affairs has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Over 18,000 customers installed the compromised software, which means those customers were exposed to spying operations throughout 2020. The malware inserted into the updates gave the hackers remote access to an organization’s network. Because the malware went undetected for months, the hackers had ample opportunity to obtain information from their targets; they could also monitor emails and other internal communications. FireEye, the cybersecurity company that first discovered the breach, describes the malware's capabilities: it initially lies dormant for up to two weeks and then hides in plain sight by masquerading its activity as legitimate Orion activity. In 2016, Russian military hackers used a “supply chain” method to infect companies doing business in Ukraine with a hard-drive-wiping virus called NotPetya, an attack considered one of the most damaging cyber-attacks to date. The infiltration tactic used in the current hack has been identified as similar to that “supply chain” method.

The Orion software framework contained a backdoor that communicated over HTTP with third-party servers. The cybersecurity firm FireEye has been tracking the trojanized version of the Orion plug-in as SUNBURST.


FireEye described the use of the SUNBURST backdoor in a blog post published on 13 December 2020, stating:

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

FireEye described the attack through the SUNBURST backdoor as “highly evasive”. Meanwhile, SolarWinds is facing a class action lawsuit filed by a stakeholder in the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit is filed against SolarWinds’ ex-president, Kevin Thompson, and chief financial officer, J. Barton Kalsu, on the grounds of violating federal securities laws under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also mentions that the SolarWinds update server had a weak and easily accessible password, ‘solarwinds123’.

Microsoft’s internal security research team found evidence that the same hackers had accessed some internal source code in the company’s systems. Microsoft noted that the attackers' activity went beyond the mere presence of the malicious SolarWinds code in its environment. Microsoft has “an open source like culture” that allows teams within the company to view source code. The company acknowledges that such access falls within its threat model, but downplays the risk, saying that “just viewing the source code should not cause any elevated risk”.

The Russian hackers have also managed to breach the network of the City of Austin, Texas. The breach dates back to at least mid-October 2020. The hackers appear to have targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye, and SolarWinds. The breach of Austin's network is an apparent win for the Russian hackers. In theory, the compromise could have given them access to sensitive information on city governance, elections and the city police, and by digging deeper the hackers could burrow into the city's energy, water and airport networks.

Berserk Bear, the hacking outfit currently believed to be behind Austin’s breach, appears to have used Austin’s network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure in the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to another Russian group called APT29, popularly known as Cozy Bear. Berserk Bear is allegedly a unit of the Russian Federal Security Service (FSB). Cozy Bear is known to be affiliated with the Russian Foreign Intelligence Service, or SVR. The FSB and SVR are considered successors of the Soviet-era Committee of State Security, widely known as the KGB.

The Austin City Council seems to have been aware of the breach since October 2020. The FBI and CISA published an initial advisory warning of “advanced persistent threat actors” (APTs) on 9 October 2020. The advisory warned the city council of APTs targeting state and local governments. On 22 October, a follow-up advisory was published in which both agencies attributed the breach to Berserk Bear. CISA published a heat map listing the types of organizations breached, scanned or targeted by Berserk Bear. Berserk Bear's reputation for lurking fits its usual pattern of espionage-oriented attacks. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been inside a network for more than a couple of months before someone discovers their presence. Ruohonen also noted that this technique is particularly favoured by APT groups because the longer they go unnoticed, the longer they retain remote access to the network. F-Secure, in a report published in 2019, compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the city of Austin and the U.S. that the Berserk Bear hackers are not involved only in espionage and sabotage: they can gear up at any moment and create havoc in the United States. These Russian hackers could cause city blackouts, disrupt water supplies and even disrupt COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says: “We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it.”

Kevin Thompson, the ex-CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds replaced its former CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike his predecessor Thompson, who is an accountant by training, Ramakrishna comes from a security background, having led Pulse Secure in the recent past. The new CEO publicly stated that the company will be making five critical changes to put security front and centre. The company also hired ex-CISA chief Chris Krebs and Facebook’s former security lead, Alex Stamos. Krebs and Stamos work as independent consultants to help the company coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO mentioned that the company has engaged several cybersecurity experts to assist SolarWinds in its efforts to become more secure. We can hope that, with better expertise, vision and understanding of threat and vulnerability management, the company is now headed towards a better future.

