Brief #31 – Technology
By Charles A. Rubin
Damage Assessment Continues One Month After Massive Cyber Attack
In December 2020 Solarwinds, a major provider of computer network monitoring software, revealed that several of its servers that were used to distribute software updates to customers had been compromised. The servers had been routinely delivering altered code to computer networks throughout the US government and corporations that gave nefarious actors unfettered access to communications and internal systems. The malware created multiple “backdoors” that could be exploited in the future. Further, this compromise had gone undetected for several months. One month later the full extent of the intrusion is still not fully understood and the amount of information that has been exposed has not been completely assessed.
Cybersecurity experts are in general agreement that the perpetrator was likely a state actor and most probably the Russian State security agency, the SVR, and specifically the group known as APT29 or more commonly referred to as Cozy Bear. President Trump has been dismissive of this assessment suggesting, without evidence, that China may be the culprit.
There is an adage among cybersecurity professionals that there are two kinds of organizations; those that have been hacked and those that don’t know that they have been hacked. Because of the nature of this attack; hijacking and compromising the software supply chain, all networks that communicate over the internet should be suspicious and wary. It can only be presumed that any email or file has potentially been exposed. It is a frightening thought and a terrifying lapse in our defenses.
The US Cybersecurity & Infrastructure Security Agency (CISA) has highlighted critical infrastructure as an active target in this attack, the Department of Energy is investigating a breach of the National Nuclear Security Administration, which maintains the US nuclear weapons stockpile, according to a report in Politico. Several major software vendors including Microsoft, Cisco and Alphabet (the parent company of Google) have reported breaches and probable theft of their source code raising concerns that further attacks based on information gleaned from that code could be imminent.
CISA, which performed admirably, in protecting the US election system in the November and January elections, was caught completely off guard by the scope of these violations. We can only hope that the cause of this was the Trump administration insistence that Russia was not a threat. A Biden Administration, we trust, will have a more sober and reality based approach to cyber defense.
- SANS Institute – Established in 1989 as a cooperative research and education organization, SANS is a go-to place for security industry professionals for education and analysis of security threats.
- The Cybersecurity and Infrastructure Agency (CISA) is part of the Department of Homeland Security charged with repelling attacks and informings the public.
- AISP – The Association of Information Security Professionalsthe is a leading organization for security professionals worldwide.
- Information Systems Security Association (ISSA) s a not-for-profit, international organization of information security professionals and practitioners.