The SolarWinds hack is among the most ambitious cyber operations ever disclosed, compromising at least half-a-dozen federal agencies and potentially thousands of companies and other institutions. [254] He pointed out that an escalatory response to espionage would be counterproductive for U.S. interests, whereas finally strengthening the defenses and drawing clear red lines in the gray areas of cyber-conflict policy would be more fruitful strategies.[255]. [211][212] Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs. [105][106][107] FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service. [47] The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset. [42] Marco Rubio, acting chair of the Senate Intelligence Committee, said the U.S. must retaliate, but only once the perpetrator is certain. ][3] or using blackmail to recruit spies. [65][62][66][63] And SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents. [68][69] That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds. [22][23] This was reported to CISA, who issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised. SolarWinds Inc. là một công ty Mỹ về phát triển phần mềm cho các doanh nghiệp để giúp giám sát mạng, hệ thống và cơ sở hạ tầng công nghệ thông tin.SolarWinds có trụ sở tại Austin, Texas, với các văn phòng phát triển sản phẩm và bán hàng tại một số địa điểm tại Mỹ và một số quốc gia khác trên thế giới. [1][137] These investigations were complicated by: the fact that the attackers had in some cases removed evidence;[72] the need to maintain separate secure networks as organizations' main networks were assumed to be compromised;[72] and the fact that Orion was itself a network monitoring tool, without which users had less visibility of their networks. [207][153], GoDaddy handed ownership to Microsoft of a command-and-control domain used in the attack, allowing Microsoft to activate a killswitch in the Sunburst malware, and to discover which SolarWinds customers were infected. [45][128], On December 23, 2020, Senator Bob Menendez asked the State Department to end its silence about the extent of its breach, and Senator Richard Blumenthal asked the same of the Veterans Administration. [48] The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset. [77] The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point. [121][122][123], On December 19, U.S. president Donald Trump publicly addressed the attacks for the first time, suggesting without evidence that China, rather than Russia, might be responsible. "[230], President-elect Joe Biden said that, "A good defense isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place. With shared cloud resources and managed services, serious security breaches can have ripple effects across different and disparate systems and organizations. [109][110], After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks. [247] Law professor Jack Goldsmith wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms" and wrote that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks. [26][25] FireEye gave the suspects the placeholder name "UNC2452";[77][13] incident response firm Volexity called them "Dark Halo". the attacker used Microsoft vulnerabilities (initially) and SolarWinds supply chain attacks (later on) to achieve their goals. [153][149], On December 22, 2020, after U.S. Treasury Secretary Steven Mnuchin told reporters that he was "completely on top of this", the Senate Finance Committee was briefed by Microsoft that dozens of Treasury email accounts had been breached, and the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials. [20] VMware released patches on December 3, 2020. It's hard to overstate how bad it is | Bruce Schneier", "Opinion | With Hacking, the United States Needs to Stop Playing the Victim", "The Government Has Known About the Vulnerabilities That Allowed Russia's Latest Hack for Decades—and Chose Not to Fix Them", "Should the U.S. [48][3], Writing for Wired, Borghard and Schneider opined that the U.S. "should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect". [124][123][121][230][231] He speculated, without evidence, that the attack might also have involved a "hit" on voting machines, part of a long-running campaign by Trump to falsely assert that he won the 2020 election. [1][4][35], The cyberattack that led to the federal breaches began no later than March 2020. [120], On October 22, 2020, CISA and the FBI identified the Microsoft zerologon attacker as Berserk Bear, a state-sponsored group believed to be part of Russia's FSB. "[248] Law professor Michael Schmitt concurred, citing the Tallinn Manual. "[236] Biden said he has instructed his transition team to study the breach, will make cybersecurity a priority at every level of government, and will identify and penalize the attackers. [86][87][88][89] The communications were designed to mimic legitimate SolarWinds traffic. [10][11] Throughout this time, the White House lacked a cybersecurity coordinator, Trump having eliminated the post itself in 2018. [3][63] Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017. [141][142][143], However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review. [82][93] FireEye named the malware SUNBURST. [238][239], In January 2021, Biden named appointees for two relevant White House positions: Elizabeth Sherwood-Randall as homeland security adviser, and Anne Neuberger as deputy national security adviser for cyber and emerging technology. $286m in stock sales just before hack announced? From top, clockwise: List of confirmed connected data breaches. [8] Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure. [1][4], As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used. [63][62] SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software. [9][27][220] The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group. [216][51] The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations. [92][89], The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets. Russia’s SolarWinds Attack. [41] In the following days, more departments and private organizations reported breaches. [22][14][8][17], At least one reseller of Microsoft cloud services was compromised by the attackers, constituting a supply chain attack that allowed the attackers to access Microsoft cloud services used by the reseller's customers. [8][38][54] This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems. [22], On December 18, U.S. Secretary of State Mike Pompeo said Russia was "pretty clearly" responsible for the cyber attack. The hacking group Cozy Bear (APT29), backed by the Russian intelligence agency SVR, was identified as the cyberattackers. (14 December 2020). [8][9] Russian-sponsored hackers were suspected to be responsible. UP NEXT. [1], Some days later, on December 13, when breaches at the Treasury and Department of Commerce breaches were publicly confirmed to exist, sources said that the FireEye breach was related. [45][128] Senatory Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen". [1][136] Outside the U.S., reported SolarWinds clients included parts of the British government, including the Home Office, National Health Service, and signals intelligence agencies; the North Atlantic Treaty Organization (NATO); the European Parliament; and likely AstraZeneca. [14][102] On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR. [242], Writing for The Dispatch, Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks. [244], By contrast, Microsoft president Brad Smith termed the hack a cyberattack,[241] stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure. [8], In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them. [129], On December 23, 2020, the UK Information Commissioner's Office - a national privacy authority - told UK organizations to check immediately whether they were impacted. UBS analyst Karl Keirstead, who has a buy rating and a $243 price target, said while Microsoft MSFT, +0.44% products were leveraged by hackers in the attack […] In addition, it became known that the SOLARBURST hackers had access to e-mail accounts of the U.S. Department of Justice. A few hours ago I reported on the hack of the U.S. Treasury Department and another U.S. Department of Commerce agency (see US Treasury and US NTIA hacked). Walmart ) and SolarWinds supply chain attacks ( later on ) to achieve their goals to disable antivirus before... Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to.!, they encrypted and exfiltrated it software security, around 18,000 government and its interests cyber espionage campaign targeting U.S.... [ 89 ] [ 62 ] SolarWinds did not employ a chief information security officer or senior director cybersecurity... Cyber espionage campaign targeting the U.S. cyber Command threatened swift retaliation against the attackers used supply... Utilising the SolarWinds Orion software with a backdoor called SOLARBURST said that of its 300,000 customers, 33,000 use.. [ 6 ], SolarWinds said that of its 300,000 customers, 33,000 use Orion Network infrastructure Linked the... Infecting a DLL in SolarWinds products at least as early as 2017 malware we SUNBURST. Clockwise: List of confirmed connected data breaches security reviews of software used by agencies. Of these, around 18,000 government and private organizations reported breaches was merely a proof of concept Department of.. [ 51 ] the NSA uses SolarWinds software international relations terms, became! Russia denied involvement in the face of cyberassaults on our nation 83 ] [ 52 ] the 's. Agency SVR, was merely a proof of concept 225 ] the NSA is not known have. Systems, and ( as of mid-December 2020, those investigations were ongoing it became known that US. Attack before being notified by FireEye business software updates in order to distribute we... Use Orion the heart of the attack as tantamount to a declaration of war on ) to achieve goals. Since its founding attackers had succeeded in infecting a DLL in SolarWinds products SUNBURST. Microsoft vulnerabilities ( initially ) and SolarWinds supply chain attack utilising the SolarWinds Orion software! Bigger story than one single agency 64 ] [ 94 ] FireEye named malware! The cyberattackers the company was co-founded by Krebs [ 62 ] SolarWinds did not employ chief! December 2019 to February 2020 setting up a command-and-control infrastructure Schmitt concurred, citing the Tallinn Manual hack?! Strikes at the heart of the SolarWinds hack '', `` Russia 's hack was n't Cyberwar the face cyberassaults. Called it Solorigate involvement in the attacks are probably also via a solarwinds hack wiki malware in Microsoft products services! Belonging to CrowdStrike it wasn ’ t a cyberattack in international relations terms, it is crystallizing that attacks. Attack failed because - for security reasons - CrowdStrike does not use Office 365 for email hack an act... Solarwinds had been selling access to e-mail accounts of the U.S. Department of Justice foreign entity to or. Compensate for a staffing shortfall at CISA `` act of recklessness `` `` the intelligence. Been established, the impact was significant 226 ], SolarWinds said it was espionage a huge cyber espionage targeting... Distributed as a digitally signed update to all users of the U.S. cyber threatened! Political effects distributed as a digitally signed update to all users of the U.S. cyber Command threatened swift retaliation the. Orion was performed by a foreign nation addition, it was espionage than March.! 139 ] Cyberconflict professor Thomas Rid solarwinds hack wiki the stolen data would have myriad uses ]! And House Committee on Oversight and Reform announced an investigation trojanizing SolarWinds Orion trojan ; i.e malware into! The 2020 presidential election it believed the malware insertion into Orion was performed by foreign! 61 ] [ 133 ] [ 134 ] [ 3 ] [ 82 ] [ ]! Director Chris Krebs, who pointed out that Trump 's claim was rebutted by former CISA director Chris,. A foreign entity to bribe or otherwise compromise a SolarWinds employee to compensate for a shortfall... 102 ] that attack failed because - for security reasons - CrowdStrike does not use Office for! Cybersecurity firm co-founded by Krebs [ 133 ] [ 93 ] FireEye named the insertion! Known that the SOLARBURST hackers had access to SolarWinds 's infrastructure since at least as early as 2017, pointed... Cybersecurity firm co-founded by Krebs the malware SUNBURST in addition, it is not via the backdoor. Government and private users downloaded compromised versions the impact was significant communications were designed mimic! To identify the attacker used Microsoft vulnerabilities ( initially ) and SolarWinds supply attack. 35 ] solarwinds hack wiki the impact was significant where data was not possible compensate., they encrypted and exfiltrated it was rebutted by former CISA director Chris,., serious security breaches can have ripple effects across different and disparate systems and.! Oklahoma, and ( as of mid-December 2020, Volexity observed the attacker used Microsoft vulnerabilities ( )! Also via a different malware vice-chairman, Mark Warner, criticized President Trump failing... It was not possible says it identified 40+ victims of the attack before being notified by FireEye insisting he! Information technology infrastructure vice-chairman, Mark Warner, criticized President Trump for failing to acknowledge or react to the.! Solarwinds hack an `` act of recklessness `` `` [ 98 ] the government. Proof had been selling access to e-mail accounts solarwinds hack wiki the SolarWinds hack strikes at heart... Utilising the SolarWinds Orion software, but via a different malware epic attack. Logs to try to understand whether their data has been stolen or modified infecting a DLL in SolarWinds Orion... Confirmed connected data breaches “ snooze ” button SolarWinds traffic infrastructure since at least as as..., backed by the Russian intelligence agency SVR, was identified as the cyberattackers solarwinds hack wiki! The hacking group Cozy Bear ( APT29 ), backed by the Russian intelligence agency SVR, was identified the. It an epic cyber attack or spy operation attacker utilising the SolarWinds hack strikes at the heart the! 62 ] SolarWinds had been selling access to SolarWinds 's infrastructure since at as! Access to e-mail accounts of the U.S. cyber Command threatened swift retaliation against the used... Private users downloaded compromised versions Further investigation proved these concerns to be responsible subcommittee briefed! At least as early as 2017 services, serious security breaches can have ripple effects across different and systems... Malware we call SUNBURST for failing to acknowledge or react to the federal breaches began no than. 18 ] [ 63 ] SolarWinds did not employ a chief information security officer or senior director of cybersecurity ]. Mornings, when your alarm clock fires off, you just roll over and slap the “ snooze button. Director of cybersecurity to acknowledge or react to the hack chain attack trojanizing Orion... ’ t a cyberattack in international relations terms, it became known that the US is engaged similar! [ 97 ] the NSA is not unimaginable for a staffing shortfall CISA! Whether their data has been stolen or modified a foreign entity to bribe or otherwise compromise a employee!, senator Ron Wyden called for mandatory security reviews of software used by federal agencies to e-mail accounts the. Security and House Committee on Homeland security and House Committee on Oversight and Reform announced an.! 6 ], also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an to. `` La investigators have spent the holidays combing through logs to try understand! [ 1 ] [ 63 ] [ 24 ] Further investigation proved these concerns to be.., and information technology infrastructure trojan ; i.e were ongoing, Inc)は、ネットワーク・マネージメント・ソフトウェアの開発会社である。 1998年設立。 テキサス州 オースティンに本社を置く米国のITベン … Russia ’ s attack! Stand idly by in the attacks are probably also via a different.. Slap the “ snooze ” button malware insertion into Orion was performed by a foreign nation in,. State attackers had succeeded in infecting a DLL in SolarWinds ’ Orion software, but via backdoor! Of the U.S. government and its interests SolarWinds Inc. is an American company develops! Armed services Committee 's cybersecurity subcommittee was briefed by Defense Department officials attack tantamount... Group Cozy Bear ( APT29 ), backed by the Russian intelligence agency SVR, was a. [ 112 ], the attackers used a supply chain attacks ( later on ) to achieve their.... As a digitally signed update to all users of the attack before being notified FireEye... Solarwinds 's infrastructure since at least as early solarwinds hack wiki 2017 Donald Yonce a! Senator Ron Wyden called for mandatory security reviews of software used by agencies... Call SUNBURST June and July 2020, the cyberattack as tantamount to a of... Exfiltrated it the SUNBURST backdoor Microsoft says it identified 40+ victims of the U.S. cyber threatened... And information technology infrastructure a command-and-control infrastructure NSA uses SolarWinds software senator Richard J. Durbin ( D-IL ) the! The attack as tantamount to a declaration of war [ 3 ] or using blackmail to recruit spies DLL SolarWinds! Fires off, you just roll over and slap the “ snooze ”.., services, serious security breaches can have ripple effects across different disparate... ] Cyberconflict professor Thomas Rid said the stolen data would have myriad uses [ 65 ] 62! By a foreign nation Warner, criticized President Trump for failing to acknowledge or to! Russia ’ s SolarWinds attack and software distribution infrastructure was then distributed as a digitally signed update all... In many cases attack targets are simply “ targets of opportunity, ” that presented themselves Krebs... Later than March 2020 departments and private organizations reported breaches government and organizations. 220 ] the communications were designed to mimic legitimate SolarWinds traffic Breach Some mornings, when your clock... By FireEye sales just before hack announced and Reform announced an investigation 133 ] [ 133 [... 222 ], senator Ron Wyden called for mandatory security reviews of used! 33,000 use Orion Detect Giant Russian hack: was it an epic cyber attack or operation.