Russia Breached Update Server Used by 300,000 Organizations, Including the NSA (seattletimes.com)

Sunday Reuters reported that "a sophisticated hacking group" backed by "a foreign government" has stolen information from America's Treasury Department, and also from "a U.S. agency responsible for deciding policy around the internet and telecommunications."

The Washington Post has since attributed the breach to "Russian government hackers," and discovered it's "part of a global espionage campaign that stretches back months, according to people familiar with the matter." Officials were scrambling over the weekend to assess the extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said. The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation's foreign intelligence service and breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration... [The Washington Post has also reported this is the group responsible for the FireEye breach. -Ed]

All of the organizations were breached through the update server of a network management system called SolarWinds, according to four people familiar with the matter. The company said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized within a "highly-sophisticated, targeted...attack by a nation state." The scale of the Russian espionage operation is potentially vast and appears to be large, said several individuals familiar with the matter. "This is looking very, very bad," said one person. SolarWinds products are used by more than 300,000 organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world's top electronic spy agency, according to the firm's website. SolarWinds is also used by the top 10 U.S. telecommunications companies...

APT29 compromised the SolarWinds server that sends updates so that any time a customer checks in to request an update, the Russians could hitch a ride on that update to get into a victim's system, according to a person familiar with the matter. "Monday may be a bad day for lots of security teams," tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.

Reuters described the breach as "so serious it led to a National Security Council meeting at the White House."
  • Cry me a river (Score:4, Interesting)

    by Rosco P. Coltrane ( 209368 ) on Monday December 14, 2020 @12:14AM (#60828044)

    They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency

    That's called poetic justice.

    • They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency

      That's called poetic justice.

      We have 6 branches now. Space Force will save us all.

    • by kot-begemot-uk ( 6104030 ) on Monday December 14, 2020 @02:45AM (#60828274) Homepage
      It is poetic justice on more than one level.

      Solar Winds primary line of products has always been the Windows equivalent of Unix/Linux built-ins: TFTP, DHCP, BOOTP, FTP, etc.

      So the primary victims here are people who were too incompetent and dumb to use a proper OS and used "an extra software package" for a Typewriter with Solitaire feature pretending to be an OS. Totally f*cking deserved.

      • Solar Winds primary line of products has always been the Windows equivalent of Unix/Linux built-ins: TFTP, DHCP, BOOTP, FTP, etc.

        So the primary victims here are people who were too incompetent and dumb to use a proper OS and used "an extra software package" for a Typewriter with Solitaire feature pretending to be an OS. Totally f*cking deserved.

        Even worse, some of that functionality comes with the server version of Windows, so they're not just using a toy OS, they're using a toy version of a toy OS in most cases. You didn't get tftp or bootp with windows last I checked, but you did get DHCP and FTP.

        • Does WSUS have an easy way to add 3rd party software updates?? And not just updates but self-service installs?
          SolarWinds and others do stuff that WSUS is not really built for.

      • So the primary victims here are people who were too incompetent and dumb to use a proper OS and used "an extra software package" for a Typewriter with Solitaire feature pretending to be an OS. Totally f*cking deserved.

        What a short memory this forum has. Very short.

        https://news.slashdot.org/stor... [slashdot.org]

        • You're completely missing the point here. It's not that open-source SW is more secure, it's that it can be audited. Hell, if I'm using a piece of SW in a critical place, I'll audit the compiler that builds it. And even then... http://cm.bell-labs.com/who/ke... [bell-labs.com]
          • If the point is that people don't want to do security because it's not "cool" then no I haven't missed the point. Saying it can be "audited" when no one wants to do the work is a meaningless point of pride. The OP wants to claim the problem is that people aren't running a "proper OS" and I'm saying it's a position of arrogance.

        • Governments can benefit greatly from FOSS by investing in it instead of leeching, but leeching is free, easy and lazy.

          Imagine what a trifling billion dollar investment in secure Linux development could produce then make available to the world.

      • by jafac ( 1449 )

        TBF; my previous employer used Solarwinds, and the product we used had nothing to do with TFTP, DHCP etc. we used it for database monitoring and performance analytics. And it wasn't really about incompetence, it was about being a small operation, and not wanting to hire the expertise (part of the reason I left), and frankly, living in a job market where that kind of expertise is fairly difficult to find (at any price - but I'll be first to admit they were just cheap).

    • Third party software that has 1) Admin ++ access 2) Backdoor (obscured or otherwise 3) High untraceable behavior 4) Deployed because of 'savings' over security. 5) Weakest link with admin was found - and slow cooked The big picture is this software surely has no EAL security rating. Or if it did , done by a conflicted interest. Dimwit bosses bought the spiel hook line and sinker, and if anyone did have a IDS, they were not looking at a competent level AND/OR tell others. Basically downsizing has gone too f
      • 'savings' over security???

        Like it's more secure to manually patch software on 20K workstations. WSUS needs a lot of care and feeding and it's shitty MS software that does not work too well with most non-MS software.

    • by k6mfw ( 1182893 )
      Add to that a POTUS that has high respect for Putin while slamming our NATO allies, and probably some high level officials in these departments with business connections in Russia so they look the other way when mischief occurs. I'm sure there are those dedicated to safeguarding govt data, but must be frustrating working for the current hostile upper management.
  • We looked at it but took a pass. Not because we ever considered it security risk but because it was too expensive for what it does as we already had similar tools in place just not as slick.

    This should make everyone think about all the other public and third party servers and repos and updaters, etc they pull data from....

    • by t4eXanadu ( 143668 ) on Monday December 14, 2020 @03:29AM (#60828342)

      I used it extensively, when I worked for a company that provided support to insurance agencies. Like you said, it provides the same features as many competing products. I wonder if they still use it. We had access to a lot of file servers and workstations with policy info for all kinds of companies and individuals. Obviously not as crucial as government agencies, but still. That update evidently went undetected at SolarWinds for a while. It makes you wonder what else they missed.

    • by chill ( 34294 )

      What did you decide on to deploy third-party patches across your environment? How large of an environment?

  • I have my Pixel set to auto-update all my installed apps - I don't have time to review them all every day. If one of them is compromised, I'm screwed, I understand. So I limit the number of apps installed. But is the NSA doing the same thing? I mean, are the updates from SolarWinds simply applied sight-unseen? Or was this malware package difficult to identify?
    • Re:auto-update? (Score:4, Informative)

      by kot-begemot-uk ( 6104030 ) on Monday December 14, 2020 @02:53AM (#60828284) Homepage
      Solar Winds primary line of products has always been the Windows equivalent of Unix/Linux built-ins: TFTP, DHCP, BOOTP, FTP, etc.

      So the targets were both systems that are critical - used in network infrastructure and run by dumbf*cks which were too mindbogglingly dumb to use a proper OS where a proper OS was needed. As far as damage footprint, you could not have made a bigger hit.

      Some of Solarwinds code is also used in "Windows for Warships" and other similar military abominations for similar reasons - idiot using idiotic OS choice in the first place and then using software packages to deliver what is "built-in" in a proper OS. Those thankfully do not auto-update. That, however, does not mean that particular code versions did not get compromised. Now here is where the real fun begins - everything from the F35 mission control system to the entire new British aircraft carrier software starting from the rudder and thrust control and ending up with the radar and AA.

      Popcorn, where is that f*cking BeLaz full of popcorn I ordered!?!

      • by EvilSS ( 557649 )
        Your knowledge of Solar Winds products feels like it's a little out of date. Their main product these days, Orion, is a management and monitoring platform. It goes way beyond TFTP, DHCP, BootP, etc. It covers network monitoring, server monitoring, configuration monitoring, hypervisor monitoring, VOIP and call quality monitoring, DB performance monitoring, patch management, endpoint monitoring and configuration, log analysis, etc. It ties into basically every major vendor out there, and it's not just for
    • Complete write up at FireEye from vector through monitoring and patch.

  • by Krishnoid ( 984597 ) on Monday December 14, 2020 @12:53AM (#60828138) Journal

    If you've ever filed taxes, I wouldn't be surprised if these guys now have your Social Security number and tax records, direct deposit information, etc. -- as if the union of all the Blue Shield, Experian, etc. breaches hasn't already made everyone's SSN available to anyone who wants it.

    If they actually did get tax records and could coordinate it with data from breaches of individual companies, I bet they could *really* extort businesses by threatening to release their actual profit/loss information to the IRS if it doesn't match their tax returns.

    I've been wondering if the IRS shouldn't allow *everyone* to get an individual taxpayer identification number, and keep that separate from their social security number.

    • by sound+vision ( 884283 ) on Monday December 14, 2020 @02:51AM (#60828280) Journal

      I've considered my SSN to be public information since the Equifax breach. That one hit basically every adult US citizen. It's large DBs of "corroborating" details leaking that I worry about now. For example, my state DPS recently leaked their database of driver's license numbers and corresponding address/name/DOB information (and more I'm sure). Cross-checking all this leaked data together would seem to let you create a fake photo ID under a real DL#, with all the other information people use to identify, matching.
      The only reason I'm not completely flipping shit and hiring lawyers is that I haven't had a tax return in years, won't for 2020, and my credit sucks anyway. There are probably other ways to take advantage of this data, but I figure I'm in the bottom quarter of targets. Physical assets close to me have their own protection plan.

      • I thought all that shit and then I got nailed by identity theft anyway. A whole car showed up on my credit report — someone had written my SSN on a check cashing card (in pen) and then used that to prove their identity to a crooked car dealer, who then got an injunction against me in a crooked court (Nevada City, CA) on that basis...

      • I locked my accounts at the credit agencies and figured if someone wanted to use it to pay into my social security they could have at it.

    • SSN? That number that everyone asks for when filling out paperwork. That secret number?

    • I've been wondering if the IRS shouldn't allow *everyone* to get an individual taxpayer identification number, and keep that separate from their social security number.

      They at least allow everyone to get a PIN [irs.gov], which is a step in the right direction.

  • by couchslug ( 175151 ) on Monday December 14, 2020 @12:56AM (#60828140)

    "Gentlemen do not read each other's mail" was naive when SecState Henry Stimson said it and it's bullshit today. It's a matter of national survival to spy on everyone, be they friend, foe or neutral. No government dare neglect it and the US certainly doesn't. Security requires complete distrust, comprehensive monitoring, and perpetual expansion to keep up with opponents and competitors. The world is a very, very bad place and will only get worse as dystopias become necessary to compete with enemy dystopias.

    The guilty are the lazy bureaucretins who chose convenience over security. Unfortunately the admins they hired will probably take the fall because non-techy PHBs run the show.

  • by Revek ( 133289 ) on Monday December 14, 2020 @01:12AM (#60828162)
    Those guys are value added crap. They wanted an insane amount of money for their netflow product. I put together an open source alternative and all it cost was the price of a ten core server. Their product would have needed two servers on top of their crazy price. Solarwinds exists because companies don't want to pay someone to do it in house.
    • by geekmux ( 1040042 ) on Monday December 14, 2020 @01:30AM (#60828192)

      Those guys are value added crap. They wanted an insane amount of money for their netflow product. I put together an open source alternative and all it cost was the price of a ten core server. Their product would have needed two servers on top of their crazy price. Solarwinds exists because companies don't want to pay someone to do it in house.

      A LEM/SIEM is expensive because companies cannot hire enough humans to process that amount of information. And companies don't often hire or pay people to build one from scratch. (Your company might also find legal challenges with a "homemade" solution if a situation arises where you are forced to prove the integrity of your product.)

      Yeah, I get your point here, but if you think the price tag is unjustified, then compare it. Hire the dozen admins who will go insane within a month processing that amount of data manually and let me know what the actual cost is.

      No, I'm not some shill for Solarwinds. Don't care what people use for a LEM/SIEM. I only care that companies find value in them, no matter the cost.

      • by Pinky's Brain ( 1158667 ) on Monday December 14, 2020 @03:28AM (#60828340)

        I can prove to you the Solarwind solution wasn't secure.

        • I can prove to you the Solarwind solution wasn't secure.

          Right now it appears there is evidence that a product within a catalog of offerings from Solarwinds wasn't secure.

          Again, I'm not some shill for Solarwinds, but if we're going to speak on this, then speak accurately. If we find a vulnerability in MS Excel, that doesn't mean the entirety of Microsoft "wasn't secure". It means a product has a problem that needs to be addressed.

    • by raymorris ( 2726007 ) on Monday December 14, 2020 @01:35AM (#60828198) Journal

      If your system is good, you should put together a repo and some documentation. Got anything we can see?

      Well actually even if your system sucks, you should have a repo and some documentation for the poor person who has to maintain it when you leave.

      I'd be curious to see what you came up with.

    • Not every company wants to be in the business of software development, nor do they have the managerial experience required to efficiently lead a team of developers. They also probably have immediate needs for fully developed solutions, and starting one from scratch, in addition to training the users (as opposed to hiring those already trained) on something entirely new, isn't going to be anything near "immediate".

  • ... when is the USA going to strike back at them in cyberspace? Because it seems they aren't capable of that at all. Only failing in the defense.

    • The context for this is that the USA has engineered the collapse of the oil market. OPEC + Russia are on a timeline to oblivion because on present trends the oil price will never go back to levels that cover their costs. The gas fields in the USA have a lot of technical disadvantages, they only briefly became viable because interest rates were so low post 2007, and the fuel quality of the gas they produce is very low, which is why no one ever bothered with it for the last 120 years. However they have a huge
    • You don't hear about it. You wouldn't have heard about stuxnet except some dumbass US general leaked it. In fact, not hearing about it is a measure of the success of US cyber warfare effectiveness.
  • by Anonymous Coward on Monday December 14, 2020 @02:23AM (#60828254)
    Kevin B. Thompson is our President and Chief Executive Officer. He has served as our President since January 2009 and our Chief Executive Officer since March 2010. He previously served as our Chief Financial Officer and Treasurer from July 2006 to March 2010 and our Chief Operating Officer from July 2007 to March 2010. Prior to joining the Company, Mr. Thompson was Chief Financial Officer of Surgient, Inc., a privately held software company, from November 2005 until March 2006 and was Senior Vice President and Chief Financial Officer at SAS Institute, a privately held business intelligence software company, from August 2004 until November 2005. From October 2000 until August 2004, Mr. Thompson served as Executive Vice President and Chief Financial Officer of Red Hat, Inc. (NYSE: RHT), an enterprise software company. Mr. Thompson holds a B.B.A. from the University of Oklahoma. Mr. Thompson has served on the board of directors of BlackLine, Inc. (Nasdaq: BL) since September 2017. He previously served on the board of directors of Instructure, Inc. (NYSE: INST) prior to its take private transaction, the board of directors of NetSuite, Inc. (NYSE: N) prior to its acquisition by Oracle Corporation and the board of directors of Barracuda Networks, Inc. (NYSE: CUDA). https://investors.solarwinds.c... [solarwinds.com]
  • by Anonymous Coward
    "If you cannot upgrade immediately, please follow the guidelines available here for securing your Orion Platform instance. The primary mitigation steps include having your Orion Platform installed behind firewalls, disabling internet access for the Orion Platform, and limiting the ports and connections to only what is necessary." https://www.solarwinds.com/sec... [solarwinds.com]
  • by Alain Williams ( 2972 ) <addw@phcomp.co.uk> on Monday December 14, 2020 @04:16AM (#60828426) Homepage

    Government has been telling us that it is safe for them to have hidden keys, etc, into the encryption systems that they want us to use. These very same organisations have been compromised, who knows what data stolen by who knows who. Are we to believe that hidden keys and similar back-doors are magically immune to exfiltration ?

    Next time we are told that the back-doors are necessary to protect our kids from paedophiles they will promise us that they will keep them safe.

  • The con artist picked up the phone, called his Russian handler and asked if they were behind this. He was told no and ended the call. Looking to everyone in the room he said, "Putin told me they were not behind this, and I believe him. End of discussion. It must have been Antifa."

  • 'A update server of Russia was breached, and then used by 300,000 organizations, including the NSA.' :D

    It just felt closer to what you usually expect, statistically.

    Dear English: Fix your ambiguities. We Germans invented compound words for a reason. ;)

    But now I wonder what, probably weekly, news of CIA hackings of their stuff Russians, Chinese, etc get.
    And what we in the EU would get, if the media wasn't deliberately twisting things. (The most recent is from last week, two Swiss firms that sold security sol

  • by sphealey ( 2855 ) on Monday December 14, 2020 @07:29AM (#60828718)

    The US three-letter agencies started out with an advantage in computer and network penetration because the fundamental research was being done in Western countries and most of the design and, initially, manufacturing of the hardware as well. And then the core of the Internet backbone was routed through the US and the Five Eyes nations so they also had a major advantage there.

    But besides the historic advantage of the attack over the defense, the Western world in general and the US specifically is now facing a possibly insurmountable disadvantage pointed out by the fictional Soviet chess champion Borgorov in _The Queen's Gambit_: "She's an orphan. A survivor. She's like us - losing is not an option for her". People in the Western nations are using their wealth and resources to live comfortable lives, which was the point of building that wealth. Even the most dedicated NSA cracker or counter-cracker is going to knock off at 9 or 10 PM and go home to his nice townhouse in Northern Virginia. However the attackers are coming from much less wealthy, much tougher, much less forgiving environments where there are huge incentives to work as long and as hard as it takes to break the opponent's system - because the alternative is starvation in the streets (or just plain accidentally falling out a window, or perhaps watching your child fall out a window). That is a force multiplier for the attackers that the West's defense systems are not going to be able to overcome.

    • That is a force multiplier for the attackers that the West's defense systems are not going to be able to overcome.

      You're describing the Soviet cyber threat's strength as being brute force in nature and claiming it is indefensible. Well-conceived and audited security architecture always defeats brute force regardless of scale.

      At this point, any platform software company needs to assume at least one engineer with access to source code is compromised whether by blackmail or a straight-up spy who applied fo

    • Losing was not an option for Russians during the Cold War because if they won, they got bonuses, nicer housing for their families, use of vacation resorts, right to keep boom boxes and jeans bought abroad, while failure meant movement in the opposite direction.

      Ironically, they aped the rewards of capitalism to make dear leader and communism look good on the world stage, to help convert useful idiots in the west.

  • I'm no big city security analyst, but hacking a FireEye service is a noteworthy achievement!

    https://www.fireeye.com/blog/t... [fireeye.com]

    Also, FireEye looks to sell hacking tools

  • Analysis of the hack (Score:4, Informative)

    by vagaries of naptime ( 4831051 ) on Monday December 14, 2020 @08:24AM (#60828840)

    Apologies if this is a duplicate, but here's some links to info on how the hack worked.

    If you trust FireEye:
    https://www.fireeye.com/blog/t... [fireeye.com]

    If you want a higher level description with adverts from The Register or ZDNet:

    https://www.theregister.com/20... [theregister.com]

    https://www.zdnet.com/article/... [zdnet.com]

  • I use SolarWinds for spam filtering, they bought some other outfit I used previously. Russia can have my spam, heck they already send a lot of it.

  • Trump says his friend Putin is a very powerful man.
    • Dominion was using it. So if we find out that is how the vote numbers were changed that would mean they are not that tight. More than likely it was the Chinese and our dumbass bureaucrats are still stuck on the Anti Trump blame Russians for everything message.

  • by AndyKron ( 937105 ) on Monday December 14, 2020 @12:45PM (#60829866)
    These are all acts of war. When do we start?
