Russia Breached Update Server Used by 300,000 Organizations, Including the NSA (seattletimes.com)
Sunday Reuters reported that "a sophisticated hacking group" backed by "a foreign government" has stolen information from America's Treasury Department, and also from "a U.S. agency responsible for deciding policy around the internet and telecommunications."
The Washington Post has since attributed the breach to "Russian government hackers," and discovered it's "part of a global espionage campaign that stretches back months, according to people familiar with the matter." Officials were scrambling over the weekend to assess the extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said. The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation's foreign intelligence service and breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration... [The Washington Post has also reported this is the group responsible for the FireEye breach. -Ed]
All of the organizations were breached through the update server of a network management system called SolarWinds, according to four people familiar with the matter. The company said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a "highly-sophisticated, targeted...attack by a nation state." The scale of the Russian espionage operation is potentially vast and appears to be large, said several individuals familiar with the matter. "This is looking very, very bad," said one person. SolarWinds products are used by more than 300,000 organizations across the world. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world's top electronic spy agency, according to the firm's website. SolarWinds is also used by the top 10 U.S. telecommunications companies...
APT29 compromised the SolarWinds server that sends updates so that any time a customer checks in to request an update, the Russians could hitch a ride on that update to get into a victim's system, according to a person familiar with the matter. "Monday may be a bad day for lots of security teams," tweeted Dmitri Alperovitch, a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.
Reuters described the breach as "so serious it led to a National Security Council meeting at the White House."
Cry me a river (Score:4, Interesting)
They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency
That's called poetic justice.
Re: (Score:1)
They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency
That's called poetic justice.
We have 6 branches now. Space Force will save us all.
Re:Cry me a river (Score:5, Funny)
Solar Winds primary line of products has always been the Windows equivalent of Unix/Linux built-ins: TFTP, DHCP, BOOTP, FTP, etc.
So the primary victims here are people who were too incompetent and dumb to use a proper OS and used "an extra software package" for a Typewriter with Solitaire feature pretending to be an OS. Totally f*cking deserved.
Re: (Score:2)
Solar Winds primary line of products has always been the Windows equivalent of Unix/Linux built-ins: TFTP, DHCP, BOOTP, FTP, etc.
So the primary victims here are people who were too incompetent and dumb to use a proper OS and used "an extra software package" for a Typewriter with Solitaire feature pretending to be an OS. Totally f*cking deserved.
Even worse, some of that functionality comes with the server version of Windows, so they're not just using a toy OS, they're using a toy version of a toy OS in most cases. You didn't get tftp or bootp with windows last I checked, but you did get DHCP and FTP.
Re: (Score:2)
Does WSUS have an easy way to add 3rd-party software updates? And not just updates but self-service installs?
SolarWinds and others do stuff that WSUS is not really built for.
Cry me some security. (Score:2, Interesting)
So the primary victims here are people who were too incompetent and dumb to use a proper OS and used "an extra software package" for a Typewriter with Solitaire feature pretending to be an OS. Totally f*cking deserved.
What a short memory this forum has. Very short.
https://news.slashdot.org/stor... [slashdot.org]
Re: (Score:2)
If the point is that people don't want to do security because it's not "cool" then no I haven't missed the point. Saying it can be "audited" when no one wants to do the work is a meaningless point of pride. The OP wants to claim the problem is that people aren't running a "proper OS" and I'm saying it's a position of arrogance.
Governments want free, easy and lazy options. (Score:2)
Governments can benefit greatly from FOSS by investing in it instead of leeching, but leeching is free, easy and lazy.
Imagine what a trifling billion dollar investment in secure Linux development could produce then make available to the world.
Re: (Score:2)
TBF; my previous employer used Solarwinds, and the product we used had nothing to do with TFTP, DHCP etc. we used it for database monitoring and performance analytics. And it wasn't really about incompetence, it was about being a small operation, and not wanting to hire the expertise (part of the reason I left), and frankly, living in a job market where that kind of expertise is fairly difficult to find (at any price - but I'll be first to admit they were just cheap).
The BIG picture was and still is, missed. (Score:2)
Re: (Score:2)
'savings' over security???
Like it's more secure to manually patch software on 20K workstations. WSUS needs a lot of care and feeding, and it's shirty MS software that does not work too well with most non-MS software.
How many of you use SolarWinds? (Score:1, Insightful)
We looked at it but took a pass. Not because we ever considered it security risk but because it was too expensive for what it does as we already had similar tools in place just not as slick.
This should make everyone think about all the other public and third party servers and repos and updaters, etc they pull data from....
Re: How many of you use SolarWinds? (Score:4, Informative)
I used it extensively, when I worked for a company that provided support to insurance agencies. Like you said, it provides the same features as many competing products. I wonder if they still use it. We had access to a lot of file servers and workstations with policy info for all kinds of companies and individuals. Obviously not as crucial as government agencies, but still. That update evidently went undetected at SolarWinds for a while. It makes you wonder what else they missed.
Re: (Score:2)
What did you decide on to deploy third-party patches across your environment? How large of an environment?
auto-update? (Score:1)
Re:auto-update? (Score:4, Informative)
So the targets were both systems that are critical - used in network infrastructure and run by dumbf*cks who were too mindbogglingly dumb to use a proper OS where a proper OS was needed. As far as damage footprint, you could not have made a bigger hit.
Some of Solarwinds code is also used in "Windows for Warships" and other similar military abominations for similar reasons - idiot using idiotic OS choice in the first place and then using software packages to deliver what is "built-in" in a proper OS. Those thankfully do not auto-update. That, however, does not mean that particular code versions did not get compromised. Now here is where the real fun begins - everything from the F35 mission control system to the entire new British aircraft carrier software starting from the rudder and thrust control and ending up with the radar and AA.
Popcorn, where is that f*cking BeLaz full of popcorn I ordered!?!
Re: auto-update? (Score:1)
Complete write up at FireEye from vector through monitoring and patch.
Re: (Score:3, Insightful)
They have been embedded (literally) in stupidities like Windows for Warships since the early 2000s. While I can sort of understand the idea of using Winhoze on a civilian network, using it for military purposes is mindboggling. In the military, Solitaire is not a requirement. Every system is supposed to d
Re: (Score:1)
... security council that Trump didn't attend meetings with for months?
Hard to say. There may be more than one kind of security council, and I suspect his attendance is the same across all of them.
"America's Treasury Department"? (Score:4, Insightful)
If you've ever filed taxes, I wouldn't be surprised if these guys now have your Social Security number and tax records, direct deposit information, etc. -- as if the union of all the Blue Shield, Experian, etc. breaches hasn't already made everyone's SSN available to anyone who wants it.
If they actually did get tax records and could coordinate it with data from breaches of individual companies, I bet they could *really* extort businesses by threatening to release their actual profit/loss information to the IRS if it doesn't match their tax returns.
I've been wondering if the IRS shouldn't allow *everyone* to get an individual taxpayer identification number, and keep that separate from their social security number.
Re:"America's Treasury Department"? (Score:4, Insightful)
I've considered my SSN to be public information since the Equifax breach. That one hit basically every adult US citizen. It's large DBs of "corroborating" details leaking that I worry about now. For example, my state DPS recently leaked their database of driver's license numbers and corresponding address/name/DOB information (and more I'm sure). Cross-checking all this leaked data together would seem to let you create a fake photo ID under a real DL#, with all the other information people use to identify, matching.
The only reason I'm not completely flipping shit and hiring lawyers is that I haven't had a tax return in years, won't for 2020, and my credit sucks anyway. There are probably other ways to take advantage of this data, but I figure I'm in the bottom quarter of targets. Physical assets close to me have their own protection plan.
Re: (Score:3)
I thought all that shit and then I got nailed by identity theft anyway. A whole car showed up on my credit report — someone had written my SSN on a check cashing card (in pen) and then used that to prove their identity to a crooked car dealer, who then got an injunction against me in a crooked court (Nevada City, CA) on that basis...
Re: "America's Treasury Department"? (Score:1)
I locked my accounts at the credit agencies and figured if someone wanted to use it to pay into my social security they could have at it.
Re: (Score:2)
SSN? That number that everyone asks for when filling out paperwork. That secret number?
IRS PIN (Score:2)
I've been wondering if the IRS shouldn't allow *everyone* to get an individual taxpayer identification number, and keep that separate from their social security number.
They at least allow everyone to get a PIN [irs.gov], which is a step in the right direction.
Which admins will be sacrificed? (Score:5, Insightful)
"Gentlemen do not read each other's mail" was naive when SecState Henry Stimson said it and it's bullshit today. It's a matter of national survival to spy on everyone be they friend, foe and neutral. No government dare neglect it and the US certainly doesn't. Security requires complete distrust, comprehensive monitoring, and perpetual expansion to keep up with opponents and competitors. The world is a very, very bad place and will only get worse as dystopias become necessary to compete with enemy dystopias.
The guilty are the lazy bureaucretins who chose convenience over security. Unfortunately the admins they hired will probably take the fall because non-techy PHBs run the show.
Re: (Score:2)
Gentlemen do not read each other's mail. They have underlings for that.
solarwinds for the lose (Score:3)
Re:solarwinds for the lose (Score:4, Insightful)
Those guys are value-added crap. They wanted an insane amount of money for their netflow product. I put together an open source alternative and all it cost was the price of a ten-core server. Their product would have needed two servers on top of their crazy price. Solarwinds exists because companies don't want to pay someone to do it in house.
A LEM/SIEM is expensive because companies cannot hire enough humans to process that amount of information. And companies don't often hire or pay people to build one from scratch. (Your company might also find legal challenges with a "homemade" solution if a situation arises where you are forced to prove the integrity of your product.)
Yeah, I get your point here, but if you think the price tag is unjustified, then compare it. Hire the dozen admins who will go insane within a month processing that amount of data manually and let me know what the actual cost is.
No, I'm not some shill for Solarwinds. Don't care what people use for a LEM/SIEM. I only care that companies find value in them, no matter the cost.
Re: solarwinds for the lose (Score:5, Insightful)
I can prove to you the Solarwind solution wasn't secure.
Re: (Score:2)
I can prove to you the Solarwind solution wasn't secure.
Right now it appears there is evidence that a product within a catalog of offerings from Solarwinds wasn't secure.
Again, I'm not some shill for Solarwinds, but if we're going to speak on this, then speak accurately. If we find a vulnerability in MS Excel, that doesn't mean the entirety of Microsoft "wasn't secure". It means a product has a problem that needs to be addressed.
Re: (Score:2)
But WinDoze Bad! Linux Good!
Re:solarwinds for the lose (Score:4, Interesting)
If your system is good, you should put together a repo and some documentation. Got anything we can see?
Well actually even if your system sucks, you should have a repo and some documentation for the poor person who has to maintain it when you leave.
I'd be curious to see what you came up with.
Re: solarwinds for the lose (Score:2)
Not every company wants to be in the business of software development, nor do they have the managerial experience required to efficiently lead a team of developers. They also probably have immediate needs for fully developed solutions, and starting one from scratch, in addition to training the users (as opposed to hiring those already trained) on something entirely new, isn't going to be anything near "immediate".
Re: (Score:1)
You forgot to mention the con artist fired the very people who were in charge of protecting our secrets and replaced them with pillow salesmen and other stooges. Because they say yes to whatever he wants.
Anyone who believes the con artist is a good (not great) businessman should be barred from voting due to mental incompetency. It's quite clear they have no grasp on reality.
Re: Trump is responsible. (Score:2)
Of course he is responsible. He even created Covid. He's also the secret leader of antifa and BLM as well as the KKK, Aryan Nation and the like.
So it's russia again, no surprise but ... (Score:1)
... when is the usa going to strike back at them in cyberspace? Because it seems they aren't capable of that at all. Only failing in the defense.
SOlarWinds is run by finance people (Score:4, Informative)
Re:SOlarWinds is run by finance people (Score:4, Interesting)
So like most other technology businesses, these are just cash machines, run by MBAs looking to work the subscription model and price increases for whatever length of time is left for on-premise IT environments which are chronically short-staffed and underfunded.
Shouldn't their customers have been doing this anyhow? (Score:2, Informative)
Shouldn't their customers have been doing security too? (Score:2)
Update servers have always been a chain worth exploring. We've certainly had some for open-source. And now it's proprietary's turn.
Re: (Score:1)
The R's have been actively screwing up the government ever since Reagan. After a natural disaster, they then turn around and accuse the government of being incompetent for not being able to deal with it effectively.
Safe encryption back-doors ? (Score:5, Insightful)
Government has been telling us that it is safe for them to have hidden keys, etc, into the encryption systems that they want us to use. These very same organisations have been compromised, who knows what data stolen by who knows who. Are we to believe that hidden keys and similar back-doors are magically immune to exfiltration ?
Next time we are told that the back-doors are necessary to protect our kids from paedophiles they will promise us that they will keep them safe.
No worries (Score:1)
The con artist picked up the phone, called his Russian handler and asked if they were behind this. He was told no and ended the call. Looking to everyone in the room he said, "Putin told they were not behind this, and I believe him. End of discussion. It must have been Antifa."
I read it the other way around: (Score:2)
'An update server of Russia was breached, and then used by 300,000 organizations, including the NSA.' :D
It just felt closer to what you usually expect, statistically.
Dear English: Fix your ambiguities. We Germans invented compound words for a reason. ;)
But now I wonder what, probably weekly, news of CIA hackings of their stuff Russians, Chinese, etc get.
And what we in the EU would get, it the media wasn't deliberately twisting things. (The most recent is from last week, two Swiss firms that sold security sol
Re: (Score:2)
Pffft... get back to us when you finally get around to stop using gendered nouns. At least you could work on some consistency in them.
Re: I read it the other way around: (Score:3)
Incentives are not symmetrical (Score:5, Interesting)
The US three-letter agencies started out with an advantage in computer and network penetration because the fundamental research was being done in Western countries and most of the design and, initially, manufacturing of the hardware as well. And then the core of the Internet backbone was routed through the US and the Five Eyes nations so they also had a major advantage there.
But besides the historic advantage of the attack over the defense, the Western world in general and the US specifically is now facing a possibly insurmountable disadvantage pointed out by the fictional Soviet chess champion Borgorov in _The Queen's Gambit_: "She's an orphan. A survivor. She's like us - losing is not an option for her". People in the Western nations are using their wealth and resources to live comfortable lives, which was the point of building that wealth. Even the most dedicated NSA cracker or counter-cracker is going to knock off at 9 or 10 PM and go home to his nice townhouse in Northern Virginia. However, the attackers are coming from much less wealthy, much tougher, much less forgiving environments where there are huge incentives to work as long and as hard as it takes to break the opponent's system - because the alternative is starvation in the streets (or just plain accidentally falling out a window, or perhaps watching your child fall out a window). That is a force multiplier for the attackers that the West's defense systems are not going to be able to overcome.
Re: (Score:2)
You're describing the soviet cyber threat's strength as being brute force in nature and claiming it is indefensible. Well-conceived and audited security architecture always defeats brute force regardless of scale.
At this point, any platform software company needs to assume at least one engineer with access to source code is compromised whether by blackmail or a straight-up spy who applied fo
Re: (Score:2)
Losing was not an option for Russians during the Cold War because if they won, they got bonuses, nicer housing for their families, use of vacation resorts, right to keep boom boxes and jeans bought abroad, while failure meant movement in the opposite direction.
Ironically, they aped the rewards of capitalism to make dear leader and communism look good on the world stage, to help convert useful idiots in the west.
Looks like FireEye got done (Score:2)
I'm no big city security analyst, but hacking a FireEye service is a noteworthy achievement!
https://www.fireeye.com/blog/t... [fireeye.com]
Also, FireEye looks to sell hacking tools
Analysis of the hack (Score:4, Informative)
Apologies if this is a duplicate, but here's some links to info on how the hack worked.
If you trust FireEye:
https://www.fireeye.com/blog/t... [fireeye.com]
If you want a higher level description with adverts from The Register or ZDNet:
https://www.theregister.com/20... [theregister.com]
https://www.zdnet.com/article/... [zdnet.com]
Re: (Score:2)
Somebody mod this up, good info, on topic.
Re: (Score:1)
Microsoft's security researchers have also weighed in:
https://msrc-blog.microsoft.co... [microsoft.com]
spam filtering (Score:2)
I use SolarWinds for spam filtering, they bought some other outfit I used previously. Russia can have my spam, heck they already send a lot of it.
Trump's Allies Strike Again (Score:2)
Re: Trump's Allies Strike Again (Score:1)
Dominion was using it. So if we find out that is how the vote numbers were changed that would mean they are not that tight. More than likely it was the Chinese and our dumbass bureaucrats are still stuck on the Anti Trump blame Russians for everything message.
When do we start? (Score:3)
Re: (Score:1, Flamebait)
"Gee, Bullwinkle, I think Boris and Natasha got into our food and put extra beans in it."
"Yup, Rocky, sure seems like it. We'd better keep the ventilation going until it all passes through."
Re: (Score:2)
If it's a nation state that attacked, people will say, "oh, that must have been so hard to defend against."
It's much better than the alternative of having to announce to the world that you forgot to change the default password. Hey, but I'll bet their security audit reports were up to date.
Re: (Score:2, Insightful)
If it's a nation state that attacked, people will say, "oh, that must have been so hard to defend against."
It's much better than the alternative of having to announce to the world that you forgot to change the default password. Hey, but I'll bet their security audit reports were up to date.
Be realistic here. They don't call National Security Councils together because an individual or even a handful of idiots didn't change the default password.
Re: (Score:3)
Be realistic here. They don't call National Security Councils together because an individual or even a handful of idiots didn't change the default password.
They do if it gives the attacker access to 300,000 military computers.
Re: stop crying about the Russian Wolf ffs (Score:2)
Why are they using an insecure OS (Score:2, Flamebait)
Re: (Score:3)
Probably extensive lobbying by Microsoft for the contract to provide the servers to the government.
Re:stop crying about the Russian Wolf ffs (Score:5, Insightful)
Well let's take a look at this.
In general, what can we determine about attackers even from the outside, without knowing more than what's in a Slashdot summary? Can we tell the difference between a ransomware gang, Russia (Cozy Bear) and a teenager having some lulz, based on just what's in the popular press, without any details?
Consider the first days of the Russian invasion of Crimea. A couple thousand troops in debadged uniforms, with full military gear, took over important positions in Crimea. They cut off Crimea from the rest of Ukraine and occupied key buildings. The Russians denied that the military troops in unmarked uniforms were Russian troops.
At that point, you couldn't prove they were Russian troops; you could plainly see they were an army. Whose army was a question at first; the fact that it was an army was not in question.
It's similar for this kind of long-lived attack by a number of highly trained and well-equipped professionals. When the attacking group includes expertise to compromise many different kinds of systems and establish broad persistence without being detected, that's not a 16yo doing it for lulz. That's a team of professionals.
Once you recognize a team of professionals, then you look at what they did and who they targeted to figure out more about who they are. Is it a sophisticated criminal gang, maybe DoppelPaymer or REvil? Nope, those groups attack companies through fairly unsophisticated methods, unleash ransomware and do all of their damage within a few hours at most. They don't hang around for months, and they aren't trying to stay undetected beyond those few hours.
Here the attackers stayed a long time. Why? What were they doing for a long time? Were they deploying ransomware? No. Were they sending spam from the compromised computers for months? No. They were doing surveillance, espionage.
So the question is:
Which group of well-trained and well-equipped professionals spends months on espionage of the US government? That's a short list.
From the short list, the professionals then want to figure out exactly who it is. There are, of course, individuals whose job it is to watch Cozy Bear, to figure out what Cozy Bear is up to this week. They know the difference between Cozy Bear and APT 41 (a group from China).
Re: (Score:3, Insightful)
a number of highly trained and well-equipped professionals.
You don't know that there was "a number" greater than one. Nor do you know that they were "highly trained" or "well-equipped" or "professional". That is all just conjecture.
expertise to compromise many different kinds of systems
According to the summary, all the penetrations came through a single portal.
that's not a 16yo doing it for lulz. That's a team of professionals.
A "16 yo" and "a team of professionals" are not the only possibilities. Fallacy of the excluded middle [wikipedia.org].
This was a big penetration and is a huge embarrassment to many people that now have an incentive to make it look like the perps were organized and sophisticat
Re:stop crying about the Russian Wolf ffs (Score:5, Insightful)
The description is that Solar Winds Patch Manager was compromised. It was either a zero-day in the tool, or the tool build chain itself at SW was compromised.
The compromise allowed control over PM, which is a tool that can package patches for third-party applications and deploy them. The compromise sounds like it allowed malicious actors to corrupt that process and bundle malware with the signed deployment package -- and push it out widely in an organization.
This isn't a Windows (or Adobe or Oracle) flaw or default password. It is something that would require specific knowledge and access, especially if it impacts only the SW suite that was released between March and June of this year, as the SW advisory states. That means someone found it quickly and moved right away at a very high level target.
Uncommon software, fast moving, very high value targets, persistence. That all points to "highly trained" and "well equipped". "Professional" just means doing it for money, so that's a meaningless term. We're also talking skills to zero-day SWPM plus then bundle in malware that isn't immediately picked up by local agency and gov't-wide monitoring systems (Einstein -- glorified Snort/SourceFire/whatever Cisco calls it now).
The likelihood of this being some random kid doing it for the lulz is vanishingly small.
The summary may imply the penetrations came thru a single portal, but that's sloppy writing. Treasury and Commerce NTIA do NOT use the same update systems. Software, yes. Systems? That's laughable. They aren't even on the same network.
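The summary at the top of the page describes the attacker riding the update check-in, and the comment just above describes malware bundled into the signed deployment package. The practical question for anyone running an update client is where the tampering sits relative to the vendor's signing step, because that decides which checks can catch it. The Go program below is an added example written for this page, not code from SolarWinds, FireEye or any poster here. An Ed25519 key stands in for the vendor's code-signing key; the package bytes, the injected payload, and the product name and version are constructed placeholders. It runs two checks, the ordinary signature check and a comparison against the digest of an independent rebuild, over three deliveries: a clean release, a release trojaned inside the build chain before signing, and a release swapped out after signing (on the update server or in transit). The rebuild check assumes the vendor's software can be rebuilt byte-for-byte from tagged source, which is an assumption of this example, not something the page states about SolarWinds.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what the update client pulls from the vendor's update server:
// the package bytes plus the vendor's signature over them.
type Release struct {
	Name      string
	Version   string
	Package   []byte
	Signature []byte
}

// signRelease models the final step of the vendor's build pipeline. Whatever
// bytes reach this step get a valid signature, so tampering that happens
// upstream of it (inside the build chain) is invisible to signature checks.
func signRelease(priv ed25519.PrivateKey, name, version string, pkg []byte) Release {
	return Release{Name: name, Version: version, Package: pkg, Signature: ed25519.Sign(priv, pkg)}
}

// VerifySignature is the check most update clients stop at: is this package
// signed by the vendor's key? It catches tampering after signing (on the
// update server or in transit) and nothing before it.
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Package, r.Signature)
}

// Digest returns hex(SHA-256(pkg)).
func Digest(pkg []byte) string {
	sum := sha256.Sum256(pkg)
	return hex.EncodeToString(sum[:])
}

// VerifyAgainstRebuild compares the delivered package with the digest of an
// independent rebuild of the same tagged source (the reproducible-build
// check). A payload injected inside the vendor's pipeline is signed with the
// real key but does not match a build made outside that pipeline.
func VerifyAgainstRebuild(r Release, rebuiltDigest string) bool {
	return Digest(r.Package) == rebuiltDigest
}

// injectBackdoor stands in for the tampering: a payload appended to the
// build output. Constructed for this example; it is not the real implant.
func injectBackdoor(clean []byte) []byte {
	out := append([]byte(nil), clean...)
	return append(out, []byte("\n;; beacon to attacker-controlled host on each update check-in\n")...)
}

// Outcome records what each check says about each delivery path.
type Outcome struct {
	CleanSigOK, CleanRebuildOK     bool // untampered release
	TrojanSigOK, TrojanRebuildOK   bool // tampered before signing (build chain)
	TransitSigOK, TransitRebuildOK bool // tampered after signing (update server / transit)
}

// RunScenario exercises the three delivery paths against both checks.
func RunScenario() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	// Constructed sample build output standing in for the real package.
	source := []byte("monitoring-agent 2020.x: collect metrics, report to console\n")
	// Reproducible-build assumption: a second, independent build of the
	// same tagged source yields byte-identical output.
	rebuiltDigest := Digest(append([]byte(nil), source...))

	clean := signRelease(priv, "monitoring-agent", "2020.x", source)
	trojaned := signRelease(priv, "monitoring-agent", "2020.x", injectBackdoor(source))
	// Post-signing tamper: same payload, applied to an already signed
	// release, e.g. by swapping the file on the update server.
	transit := clean
	transit.Package = injectBackdoor(clean.Package)

	return Outcome{
		CleanSigOK:       VerifySignature(pub, clean),
		CleanRebuildOK:   VerifyAgainstRebuild(clean, rebuiltDigest),
		TrojanSigOK:      VerifySignature(pub, trojaned),
		TrojanRebuildOK:  VerifyAgainstRebuild(trojaned, rebuiltDigest),
		TransitSigOK:     VerifySignature(pub, transit),
		TransitRebuildOK: VerifyAgainstRebuild(transit, rebuiltDigest),
	}, nil
}

func main() {
	o, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean release:           signature=%v rebuild=%v\n", o.CleanSigOK, o.CleanRebuildOK)
	fmt.Printf("tampered before signing: signature=%v rebuild=%v\n", o.TrojanSigOK, o.TrojanRebuildOK)
	fmt.Printf("tampered after signing:  signature=%v rebuild=%v\n", o.TransitSigOK, o.TransitRebuildOK)
}
```

Run it with `go run`. The signature check accepts the pre-signing trojan because the vendor's own key signed it; only the comparison against a build made outside the vendor's pipeline rejects it. The post-signing swap fails the signature check, which is the case a code-signing key actually protects against. Whether the rebuild digest is available in practice depends on the vendor publishing reproducible builds or a third party rebuilding and publishing digests, and that is the gap a compromised build chain exploits.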
Re:stop crying about the Russian Wolf ffs (Score:4, Interesting)
Any APT advanced enough to pull off an effort on this scale. By the way, as someone who works at a company that does red teams, there is no way one kid in the basement pulled off an attack of this scale. It's too big a research effort, and I don't mean the hacking tools, I mean identifying the target personnel and systems once you are in. This was the work of a disciplined, funded team, and I can say that with confidence even with so little information being out.
I am also super skeptical whenever anyone says "Russia"; they seem to be a handy bogeyman and frankly I don't see them as having the motive. I know Putin wants to be a big deal on the world stage, I know he'd like to bring back the old USSR if he could, but it's unclear to me how attacking the US at home furthers those goals.
The US is not a paper tiger. We spend a lot of money on the spear and use it all over the world quite a bit. We are probably unique in both our absolute capability and proclivity for attacking Russian interests. So short of some grand scale attack that actually would be crippling for us, why would Putin risk a provocation likely to trigger a direct response? Does not make sense.
He can more easily mess with our "missions" nearer to his back yard. He still scores domestic strong man points for fouling up US military operations, but runs little risk we'd target Moscow in response for something he did in Syria or even Ukraine for that matter. There is much more economic and strategic benefit to his deploying limited resources to secure his interests in the former second world and middle east, so he can hold Western Europe hostage to whatever he wants to charge for fossil hydrocarbons among other things. It really does not make a ton of sense for him to lob bombs literal or cyber at us over oceans, beyond maintaining some capability in terms of readiness. We don't even have the trade relations for him to extract much economic advantage.
Which leaves us with CHINA most obviously but plenty of others even 'friends' who might have motive. They all have much clearer economic interest in getting into the Washington apparatus beyond the pentagon. Anyone advanced enough to do this is also advanced enough to make it look Russian if they wanted to. Why, they could even quite easily go as far as hiring a bunch of native Russian speakers to make tooling and build CC plumbing to make it look all the more authentic in terms of cultural tells etc.
The US can, but doesn't (Score:2)
You may be 100% correct in your assessment of what the ideal strategy for Putin would be. It's true that the US *could* respond to cyber attacks as if ... well, as if they were attacks. In fact, the US doesn't.
I think that in Putin's mind, he wants Russia to be a superpower again. In his mind, if not in reality, what stands in the way of Russian dominance is China and the United States. So anything he can do to erode US power, especially if it also directly benefits Russia, is something he wants to do. He has
Re: (Score:1)
Re: (Score:1)
Which leaves us with CHINA most obviously but plenty of others even 'friends' who might have motive. They all have much clearer economic interest in getting into the Washington apparatus beyond the pentagon. Anyone advanced enough to do this is also advanced enough to make it look Russian if they wanted to.
I'm also suspicious of the attribution.
I think it's at least as likely that our media are working with China to execute a false flag operation as the main goal here, with exfiltration being the secondary goal, as it is that the story can be read straight. The media may be infiltrated and bought off by China, as so many companies are, or they may just have aligned interests with China (covering the ruling class's connection to China with Russian misdirection) without conspiracy or direct compromise.
I would expect an air-tig
Re: (Score:3)
I am also super skeptical whenever anyone says "Russia" they seem to be a handy bogeyman
True
and frankly I don't see them as having the motive.
False
Re: (Score:2)
Alright, the Russians have motive but not as clear or urgent a motive as some others.
The trouble is our intelligence people spent 60 years fighting a cold war. Most of the higher ups are people who spent their early careers dealing with the cold war. The younger folks went to university and the professorial staff was again a bunch of ex-cold war intelligence and state department folks.
These people can't look at a floor length drapery and not imagine a Russian agent standing behind it. I don't for a moment
Re: (Score:2)
Interesting story on the day of John Le Carre's passing [slashdot.org]. So, being a bit of a Le Carre fan, let's just consider one possibility:
Could it be, could it just be, an inside job to increase spending on, oh I don't know, a three letter agency wh
Re: (Score:3)
Um, no. 300,000 organizations, not 300,000 servers? Nope. That requires a large team and a *lot* of resources.
Plus, a lot of the US gov't still runs on WinDoze, and most desktops have it.
I just retired last year after 10 years for a federal contractor at one large agency (civilian). In those 10 years, there was, count them, 1 major incursion. It came in, of course, through Windows. Our division heavily ran on Linux (sr. Linux sysadmin here), and we had, count them, one website affected, and nothing else (an
Re: (Score:1)
> At that point, you couldn't prove they were Russian troops; you could plainly see they are an army.
Google and Apple knew. The wifi access points they installed, and the cell phones, were formerly at Russian military installations. Do you *really* think that data is anonymized before it goes to Apple or Google? When the NSA and agencies like them can log the web requests identifying the devices and their locally detected MAC addresses or cell phone towers directly from man-in-the-middle tracking the req
Re: (Score:2)
The minute they took off their identifying patches, they became a criminal gang.
And that's what the Russian government, their military, and APT 29 are. A huge, organized crime gang, with the resources, and none of the legitimacy of a nation state.
Re: (Score:2)
Russia annexed Crimea in 2014, by masked Russian troops without uniform insignia taking over government centers. Russia was condemned by the UN for it, and has been sanctioned for it.
Re: (Score:3)
Re: (Score:1)
Re: (Score:2)