Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

By Vaishnavi Krishna Mohan | Global Views 360 | January 13, 2021


SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a highly reputed customer list that includes multiple U.S. government agencies. The company develops software that businesses and agencies use to manage and monitor their networks, systems and IT infrastructure. Its customers include more than 425 of the Fortune 500, the top five U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, several universities and educational institutions around the world, the NSA and the White House.

A set of hackers managed to slip malicious code into a software update for a SolarWinds tool called "Orion". The malware was injected into Orion updates released between March and June 2020. On 5 January 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued a joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government bodies such as the Pentagon, the National Institutes of Health, the FBI, the DHS, the Department of Energy and the Department of Veterans Affairs were significant users of Orion. In August 2020, the Department of Veterans Affairs renewed its Orion licence in a $2.8 million order; the department has been heavily involved in COVID-19 relief.

The Orion hack began as early as March 2020. Up to 18,000 customers installed the compromised software, which means those customers were exposed to espionage throughout 2020. The malware inserted into the updates gave the hackers remote access to an organisation's network. Because it went undetected for months, the hackers had ample opportunity to collect information from their targets, including monitoring email and other internal communications. FireEye, the cybersecurity company that first discovered the breach, describes the malware as lying dormant for up to two weeks after installation and then hiding in plain sight by disguising its network traffic as legitimate Orion activity. In 2017, Russian military hackers used a "supply chain" attack to infect companies doing business in Ukraine with a hard-drive-wiping malware called NotPetya, still considered one of the most damaging cyber-attacks to date: rather than attacking each victim directly, the attacker compromises a trusted software vendor and lets the vendor's own update mechanism deliver the malware to every customer. The infiltration tactic used in the Orion hack follows the same supply-chain pattern.
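The reason a supply-chain compromise of this kind is so effective is that the trojanized update is built and signed by the vendor's own pipeline, so the customer's signature check passes. The following Python model, added here as an illustration and not code from SolarWinds, FireEye or the original article, shows that failure mode and the check that does catch it: rebuilding the artifact from the published source on an independent machine and comparing hashes. Everything in it is a hypothetical stand-in: HMAC-SHA256 stands in for Authenticode code signing, the "compiler" is a trivial deterministic transform, and the source text, implant and signing key are constructed sample data.

```python
# Added example (not SolarWinds/FireEye code): toy model of a build-pipeline
# compromise that survives code-signing checks, and an independent
# reproducible-build check that detects it. All names/keys are hypothetical.
import hashlib
import hmac

VENDOR_KEY = b"hypothetical-vendor-signing-key"  # assumption: the vendor's legitimate key

# Constructed sample "source" of an update and an attacker's implant.
SOURCE = b"class OrionPlugin { void Run() { CollectMetrics(); } }"
IMPLANT = b" class Backdoor { void Beacon() { /* sleep, then poll C2 */ } }"


def build(source: bytes, implant: bytes = b"") -> bytes:
    """Deterministic stand-in for a compiler. If the build server is
    compromised (implant != b""), the implant is spliced into the source
    *before* compilation, so the output is a genuinely built artifact."""
    return b"COMPILED|" + source + implant


def sign(key: bytes, artifact: bytes) -> dict:
    """The vendor signs whatever the build server produced. A signature
    proves origin, not that the build input was clean."""
    return {"artifact": artifact,
            "signature": hmac.new(key, artifact, hashlib.sha256).hexdigest()}


def verify_signature(key: bytes, pkg: dict) -> bool:
    """Customer-side signature check (constant-time comparison)."""
    expected = hmac.new(key, pkg["artifact"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["signature"])


def release(source: bytes, implant: bytes = b"") -> dict:
    """Vendor pipeline: build (possibly on a compromised server), then sign."""
    return sign(VENDOR_KEY, build(source, implant))


def audit(pkg: dict, published_source: bytes) -> dict:
    """Customer-side checks. Signature verification alone accepts a
    pipeline-injected implant; an independent rebuild from the published
    source, compared by hash, does not."""
    sig_ok = verify_signature(VENDOR_KEY, pkg)
    shipped = hashlib.sha256(pkg["artifact"]).hexdigest()
    rebuilt = hashlib.sha256(build(published_source)).hexdigest()
    reproducible = hmac.compare_digest(shipped, rebuilt)
    return {"signature_ok": sig_ok,
            "reproducible": reproducible,
            "accept": sig_ok and reproducible}


if __name__ == "__main__":
    clean = release(SOURCE)
    trojanized = release(SOURCE, IMPLANT)
    print("clean      :", audit(clean, SOURCE))
    print("trojanized :", audit(trojanized, SOURCE))
```

The trojanized release verifies with the vendor key exactly as the clean one does; only the rebuild comparison flags it. In practice this check depends on the vendor offering reproducible builds and on the customer (or a third party) having an independent build environment, which is the caveat that makes it rare outside a few open-source ecosystems.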

The trojanized component of the Orion software framework contained a backdoor that communicated over HTTP with third-party servers. The cybersecurity firm FireEye tracks this trojanized version of the Orion plug-in as SUNBURST.


FireEye described the SUNBURST backdoor in a blog post published on 13 December 2020. It stated,

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”

FireEye described the attack through the SUNBURST backdoor as "highly evasive". Meanwhile, SolarWinds faces a class action lawsuit filed by a shareholder of the IT infrastructure management software company in the U.S. District Court for the Western District of Texas on 4 January 2021. The lawsuit names SolarWinds' former CEO, Kevin Thompson, and its chief financial officer, J. Barton Kalsu, and alleges violations of federal securities laws under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". The complaint also says that a SolarWinds update server was protected by a weak and easily guessed password, 'solarwinds123'.

Microsoft's internal security team found evidence that the same hackers had viewed some source code in the company's internal systems, and Microsoft said the activity went beyond the mere presence of the malicious SolarWinds code in its environment. Microsoft describes an "open source-like culture" in which teams across the company can view source code. The company says its threat models already assume that attackers have knowledge of the source code, and on that basis it plays down the risk, arguing that just viewing the source code should not cause any elevated risk.

Russian hackers also breached the network of the City of Austin, Texas, at least as early as mid-October 2020. The wider campaign targeted the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye and SolarWinds itself. The breach of Austin's network is an apparent win for the hackers: in theory, the compromise could have given them access to sensitive information about city governance, elections and the city police, and by digging deeper they could burrow into the city's energy, water and airport networks.

Berserk Bear, the hacking group currently believed to be behind the Austin breach, appears to have used the city's network as a staging ground for larger attacks. Berserk Bear, also known as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure over the past year.

The attacks on SolarWinds, the U.S. government and FireEye have been linked to a different Russian group, APT29, popularly known as Cozy Bear. Berserk Bear is alleged to be a unit of Russia's Federal Security Service (FSB), while Cozy Bear is associated with the Foreign Intelligence Service (SVR). Both the FSB and the SVR are successors of the Soviet-era Committee for State Security, widely known as the KGB.

Austin's city council appears to have been aware of the breach since October 2020. The FBI and CISA published an initial advisory on 9 October 2020 warning of "advanced persistent threat actors" (APTs) targeting state and local governments. On 22 October a follow-up advisory attributed the activity to Berserk Bear, and CISA published a heat map of the types of organisations the group had breached, scanned or targeted. Berserk Bear's reputation for lurking fits its usual pattern of espionage-oriented operations. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been inside a network for more than a couple of months before anyone discovers them, and that APT groups favour this approach because the longer they go unnoticed, the longer they retain remote access to the network. In a 2019 report, F-Secure compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned Austin and the U.S. that Berserk Bear is not limited to espionage: the group is also positioned for sabotage and could gear up at any moment to cause havoc in the United States. Such hackers could cause city blackouts, disrupt water supplies and even interfere with COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says: "We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it."

Kevin Thompson, the former CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds has replaced its former CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike Thompson, an accountant by training, Ramakrishna comes from a security background, having recently led Pulse Secure. The new CEO has publicly stated that the company will make five critical changes to put security front and centre. The company has also hired former CISA director Chris Krebs and Facebook's former security chief Alex Stamos as independent consultants to help coordinate its crisis response. Krebs told the Financial Times that it could take years to uncover the full extent of the hack. On the brighter side, the new CEO said the company has engaged several cybersecurity experts to help SolarWinds become more secure. With better expertise, vision and an understanding of threat and vulnerability management, one can hope the company is now headed towards a better future.


Read More

February 28, 2021 11:13 AM

Internet Shutdowns in India: From Kashmir to Haryana

India has one of the world's largest internet user bases and also the highest number of internet shutdowns. In 2018, India recorded 134 shutdowns, the most the country has seen yet. This article delineates the implications of internet shutdowns, looking at the specific cases of Kashmir, the CAA-NRC protests and the farm bill protests, and the legal procedures associated with them.

The internet shutdown imposed in Kashmir on 4 August 2019, as the Parliament of India moved to abrogate Article 370 of the Constitution, became the longest shutdown in India. In the initial days, landline and mobile services were restricted as well. While the ban on landlines and mobiles was lifted soon after, 2G services were restored only for "verified users" on 25 January 2020; only whitelisted websites could be accessed and social media remained prohibited. A new order passed by the J&K administration on 4 March 2020 removed the whitelist, but the internet could still be accessed only over 2G on verified SIMs. As Kashmir still languishes without high-speed internet, at least 7 million people have been affected by the shutdown.

Anti CAA-NRC Protests in Lucknow | Source: Youtube

In December 2019, during the major protests against the Citizenship Amendment Act, the authorities in the states of Assam, Meghalaya and Tripura cut internet connections, citing a threat of violence and false rumours. Parts of West Bengal and Uttar Pradesh were also put under a digital lockdown. Internet shutdowns come at a great cost: every time the central or a state government cuts the internet, large numbers of students, businesses, travellers, online journalists and influencers are affected, resulting in heavy monetary losses. According to a report by Top10VPN, India lost nearly $2.7 billion to the 83 internet shutdowns in 2020 alone, more than the combined loss of the next ten countries on the list. The report also found that India stayed offline for longer than any other country, 8,927 hours last year, with the 213-day shutdown in Kashmir the largest contributor to that figure.

The Kashmir Chamber of Commerce reported that the cumulative loss from the internet shutdown and restrictions in the region was $5.3 billion. The authorities say these shutdowns are meant simply to stop the spread of dangerous misinformation, which they believe travels faster on social media such as Facebook and messaging apps such as WhatsApp. However, shutdowns are usually enforced only after a piece of misinformation has already spread widely. In 2018, 33 of the shutdowns were justified by the government as attempts to curb disinformation or misinformation. The problem is that when people are cut off from information, the only thing they have access to is the misinformation that already reached them. Cutting off the internet can turn a previously predictable situation into a highly volatile one. A Stanford study suggested that mass mobilisation in India can occur even in the absence of social media and digital platforms. Another Stanford report stated, "Rumours and disinformation continue to spread with or without access to digital communication networks, whose primary role is that of accelerators of information diffusion." The study also found that internet shutdowns push protesters to substitute violent tactics for non-violent ones, since violence relies less on effective communication and coordination. In April 2019, the Sri Lankan government shut down all social media platforms after the Easter suicide bombings; the International Fact-Checking Network (IFCN) reported that fake news was rampant despite the shutdown and noted an increase in false reports on Facebook from the area. None of this has stopped India from once again disregarding the negative implications of internet shutdowns. India continues to be indifferent.

Protesting farmers at Singhu Border | Source: Harvinder Chandigarh via Wikimedia

The ongoing farmers' protest in India against the three farm bills (now acts) passed by Parliament turned violent on 26 January. A group of protesting farmers on a tractor rally deviated from their route and entered the Red Fort. The Union Ministry of Home Affairs temporarily suspended internet services at the Singhu border, Ghazipur border, Tikri border, Mukarba Chowk and Nangloi for 24 hours. On 29 January, the state government of Haryana ordered telecom operators to shut down all mobile internet, SMS and dongle services in 17 of the state's 22 districts until 5 pm on 30 January 2021.

The shutdown was justified on the grounds of preventing protesters from mobilising through social media and of containing the spread of disinformation arising from clashes at the farmer camps between unidentified miscreants, farmers and, later, the police. Yet media coverage of the police violence was scant while the protesters' response to it was highlighted, which itself disseminated the kind of biased disinformation the shutdown was 'intended' to curb.

The Indian Telegraph Act, 1885 permits the government to block internet access in a public emergency. Since 2017, internet shutdowns have been carried out under the Temporary Suspension of Telecom Services (Public Emergency or Public Safety) Rules. Rule 2(1) sets out the procedure and the powers of the 'competent authority' to direct the suspension of internet services; the competent authority is the Home Secretary of the Union government or of the state government. Where obtaining prior directions from either authority is not feasible, the order may be issued by an officer not below the rank of Joint Secretary to the Government of India who has been duly authorised by the competent authority, and the order must be confirmed by the competent authority within 24 hours of issue. In January 2020, the Supreme Court directed that, in addition to the telecom suspension rules, all internet shutdown orders must be made public and a review committee must examine every shutdown order at least once every seven working days to ensure it complies with the rules. In November 2020, a new rule was introduced under which a single order cannot authorise a shutdown exceeding 15 days. Despite these regulations, the Internet Freedom Foundation found low compliance by state governments: even in 2019, in multiple cities including the national capital, suspension orders were issued by the state police. The New York Times reported instances where local authorities in India ordered a shutdown with just a few phone calls to the local service providers.

In addition to repressing dissent, telecom shutdowns also affect healthcare services, doctors and ambulances, especially during outbreaks of violence, when communicating with people on the ground becomes harder and an information vacuum is created.

Arbitrarily shutting down the internet is a violation of fundamental rights, and the frequency of internet shutdowns in India is alarming. It is also ironic that in 2020 the government announced a plan to bring high-speed fibre-optic broadband to all Indian villages within three years. While that would certainly benefit villagers (and, no doubt, those wanting to spread propaganda), the effort would count for little if the nation continues to shut down the internet at this rate.
