quote:

---

Russia's SVR spy agency made off with information about US counterintelligence investigations in the wake of the SolarWinds hack, according to people familiar with the American government cleanup operation. The alarming snippet was reported by financial newswire Reuters. The SVR was named and shamed in April by Britain and the US as the organisation that compromised the build systems of SolarWinds' network monitoring software Orion, used by 18,000 customers across the world. Those customers included the UK and US governments, among many, many others. The attack is said to have led to the Russian foreign intelligence service making off with "information about counterintelligence investigations, policy on sanctioning Russian individuals and the country's response to COVID-19," according to people involved in the US government's investigation who spoke to Reuters. It was also reported that the SVR stole software signing certificates so their software could be run on them. The attackers compromised SolarWinds' build servers, inserting a backdoor into the next version of the software that was distributed through trusted channels as part of a scheduled, routine update. They spent months covering their tracks and lying low to see if they'd been detected; it took even US infosec behemoth FireEye months to realise what had happened on its own networks. Russia attempted to deny involvement in the compromise of SolarWinds' Orion network management 'n' monitoring product, though there was little room for doubt in the emphatic statements issued by the UK and US in April – along with their expulsion of known Russian spies from their territories as a mark of disapproval.

---

quote:

---

SAN FRANCISCO, Oct 7 (Reuters) - The suspected Russian hackers who used SolarWinds and Microsoft software to burrow into U.S. federal agencies emerged with information about counter-intelligence investigations, policy on sanctioning Russian individuals and the country’s response to COVID-19, people involved in the investigation told Reuters. The hacks were widely publicized after their discovery late last year, and American officials have blamed Russia’s SVR foreign intelligence service, which denies the activity. But little has been disclosed about the spies' aims and successes. The reluctance of some publicly traded companies to explain their exposure has prompted a broad Securities and Exchange Commission inquiry. The campaign alarmed officials with its stealth and careful staging. The hackers burrowed into the code production process at SolarWinds (SWI.N), which makes widely used software for managing networks.

---

quote:

---

Autodesk, makers of computer-aided design (CAD) software for manufacturing, has told the US stock market it was targeted as part of the the supply chain attack on SolarWinds' Orion software. In a filing with the American Stock Exchange Commission, Autodesk said it had identified a compromised server in the wake of public reporting of the SolarWinds breach. While Autodesk went on to say that it found no further disruption on its systems, its mention of the breach in its latest quarterly results reminds the world just how far-reaching the SolarWinds supply chain compromise was. Around 18,000 of its customers were affected, though the malware gang only infiltrated the most important users of Orion – including FireEye. In its Form 10-Q for Q2 2021, for the quarter ended 31 July, Autodesk said:

quote:

---

We identified a compromised SolarWinds server and promptly took steps to contain and remediate the incidents. While we believe that no customer operations or Autodesk products were disrupted as a result of this attack, other, similar attacks could have a significant negative impact on our systems and operations.

---

We have asked Autodesk for further comment.

---

quote:

---

SolarWinds is urging a US federal judge to throw out a lawsuit brought against it by aggrieved shareholders who say they were misled about its security posture in advance of the infamous Russian attack on the business. Insisting that it was "the victim of the most sophisticated cyberattack in history" in a court filing, SolarWinds described a lawsuit from some of its smaller shareholders as an attempt to "convert this sophisticated cyber-crime" into an unrelated securities fraud court case. "The Court should dismiss the Complaint because it fails to satisfy the heightened standards for pleading a Section 10(b) claim imposed by the Private Securities Litigation Reform Act," it said [PDF]. Financial newswire Reuters reported that the suit was originally filed over allegations that former SolarWinds chief exec Kevin Thompson cut cybersecurity efforts in the hope of driving greater dividends into the pockets of major investors, Silver Lake and Thoma Bravo, who each reportedly held around 40 per cent of SolarWinds' stocks at the time. In the wake of the attack, SolarWinds' share price crashed from $24.83 to $14.95. It has rallied over the past few months back to $22.64 at the time of writing.

---

quote:

---

The Russian hackers behind the massive SolarWinds cyberespionage campaign broke into the email accounts of some of the most prominent federal prosecutors’ offices around the country last year, the Justice Department said Friday. The department said 80% of Microsoft email accounts used by employees in the four U.S. attorney offices in New York were breached. All told, the Justice Department said 27 U.S. Attorney offices had at least one employee’s email account compromised during the hacking campaign. The Justice Department said in a statement that it believes the accounts were compromised from May 7 to Dec. 27, 2020. Such a timeframe is notable because the SolarWinds campaign, which infiltrated dozens of private-sector companies and think tanks as well as at least nine U.S. government agencies, was first discovered and publicized in mid-December. The Administrative Office of U.S. Courts confirmed in January that it was also breached, giving the SolarWinds hackers another entry point to steal confidential information like trade secrets, espionage targets, whistleblower reports and arrest warrants. The Justice Department did not provide additional detail about what kind of information was taken and what impact such a hack may have on ongoing cases. Members of Congress have expressed frustration with the Biden administration for not sharing more information about the impact of the SolarWinds campaign.

---

quote:

---

US markets watchdog the Securities and Exchanges Commission (SEC) has begun a probe into last year's SolarWinds cyberattack, in a bid to find out who else might have been compromised. Unnamed sources familiar with the investigation have told Reuters the US financial regulator recently sent out letters to businesses seeking clarification, amid concerns that not everyone has come clean. The news agency also said the SEC is keen to know whether "public companies that had been victims had experienced a lapse of internal controls, and related information on insider trading", which could also involve issues around data protection. No one from the SEC was available for comment at the time of writing, although El Reg was interested to read that the market and securities watchdog recently paid out $5.3m to whistleblowers in two separate cases for providing "information and assistance in separate enforcement proceedings."

---

quote:

---

A Russian spymaster has denied that his agency carried out the infamous SolarWinds supply chain attack in a public relations move worthy of the Internet Research Agency. Sergei Naryshkin, head of the SVR spy agency, made his denial in a BBC interview broadcast on Tuesday. "I'd be flattered to hear such an assessment of the work of the Foreign Intelligence service which I run. Such a high evaluation," said the spymaster in remarks translated by the BBC. The SolarWinds supply chain attack saw US and UK government institutions probed by Russian spies, as well as FireEye – itself a major US cybersecurity contractor. "But I don't have the right to claim the creative achievements of others as my own," continued the SVR chief. As for whodunnit, he was less equivocal. When asked who carried out the SolarWinds attack, Naryshkin had an answer: the US and Britain. After all, what proof was there that he and his spy agency were to blame? "There is none at least, none that has been made public. Have you seen proof?" he asked his BBC interviewer, who maintained a poker face. "No, neither have I," said the spymaster. "At the same time we looked into who might be behind all of this." Naryshkin then read aloud from a typed document, prepared with a noticeably large font size, and claimed that the Snowden revelations "proved" the US and UK were to blame because American spies deliberately weakened a default random number generation algorithm used in RSA products about a decade ago. Nonetheless, the SVR chief's move is not without precedent. Before the fall of the Berlin Wall, Soviet Russia was well practised in two disciplines of military thought known as dezinformatsiya and maskirovka. Neither term translates well into English but one was about spreading false information among its enemies for political or socially disruptive gains and the other focused on battlefield deception.

---

quote:

---

CyberUK 21 SolarWinds’ chief exec has described the 18,000 customers who downloaded backdoored versions of its Orion software as a “very small” number while giving a speech to an infosec event. Sudhakar Ramakrishna, who joined the biz in January, made the comparison while giving the opening keynote at the CyberUK conference, organised by Britain’s National Cyber Security Centre (NCSC). He'll also be giving a talk on the topic at this month's RSA Conference in the US, presumably part of an extended apology tour. “Although the number of affected customers is very small, that we eventually discovered, it is still a very important thing to discover, because this is a unique and very novel attack on the supply chain of a company,” said Ramakrishna in his opening remarks – adding that “none of our source code control systems were tampered with.” SolarWinds’ chief exec had been invited to set the tone for the two-day conference, which is being held as a series of YouTube lectures this year. The “very small” number of 18,000 affected customers was disclosed in a company filing with the US Stock Exchange Commission, as previously reported. Of more interest to technically minded readers was the revelation that SolarWinds has rearchitected its build processes, now having “three different environments” running in parallel with their outputs being cross-matched against each other to ensure there are no unexpected differences before being integrated into the final product.

---

quote:

---

Due to the vastly increased patching and reduction in victims, we are standing down the current UCG surge efforts and will be handling further responses through standard incident management procedures. The innovations from the Exchange UCG and the lessons learned from these responses will be used to improve future unified, whole of Government responses to significant cyber incidents, including:

Integrating private sector partners at the executive and tactical levels. The active private sector involvement resulted in an expedited Microsoft one-click tool to simplify and accelerate victims’ patching and clean-up efforts, and direct sharing of relevant information. This type of partnership sets precedent for future engagements on significant cyber incidents.

CISA created and utilized a methodology to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident.

Through industry relationships and leveraging legal authorities, the FBI and DOJ quickly identified the scale of the incidents – in the SolarWinds UCG, for example, scoping from a worst case of 16,800 to fewer than 100 targeted exploited nongovernment entities. This enabled focused victim engagement and improved understanding of what the perpetrators targeted from the larger set of exposed entities.

NSA and CISA released cybersecurity advisories that detailed adversary techniques and provided mitigation for system owners. NSA also provided guidance to other U.S. military and intelligence organizations, as well as contractors in the defense industrial base.

---

quote:

---

The Russian Intelligence Services — specifically the Federal Security Service (FSB), Russia’s Main Intelligence Directorate (GRU), and the Foreign Intelligence Service (SVR) — have executed some of the most dangerous and disruptive cyber attacks in recent history, including the SolarWinds cyber attack. The FSB and GRU were previously sanctioned in 2016, and again in 2018, for malicious cyber activity, and most recently on March 2, 2021 for activities related to the proliferation of weapons of mass destruction (WMD). ... In addition, the Russian Intelligence Services’ third arm, the SVR, is responsible for the 2020 exploit of the SolarWinds Orion platform and other information technology infrastructures. This intrusion compromised thousands of U.S. government and private sector networks. The scope and scale of this compromise combined with Russia’s history of carrying out reckless and disruptive cyber operations makes it a national security concern. The SVR has put at risk the global technology supply chain by allowing malware to be installed on the machines of tens of thousands of SolarWinds’ customers. Victims of the compromise include the financial sector, critical infrastructure, government networks, and many others. Further, this incident will cost businesses and consumers in the United States and worldwide millions of dollars to fully address.

---

quote:

---

Formal attribution of the SolarWind hacks, echoing tentative findings made by Kaspersky Lab, came in a US Treasury Department statement issued this afternoon. The American attribution was echoed by the British government with Foreign Secretary Dominic Raab saying in a statement: “We see what Russia is doing to undermine our democracies. The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action.” The NCSC also said in a public statement that “the overall impact on the UK of the SVR’s exploitation of this software is low.” Government departments have refused to even talk about the impact of the Orion compromise despite it being in widespread use around Whitehall and further afield, lending credibility to the notion that UK.gov was more widely hit by the breach than it wants to admit. Paul Prudhomme, head of Threat Intelligence Advisory at threat intel biz IntSights told The Register: “The attribution of the SolarWinds supply chain attack campaign to a state-sponsored Russian cyber espionage group is credible, as the high levels of sophistication, tradecraft, and stealth in that campaign were consistent with that of such Russian groups. It nonetheless remains unclear what specific data points enabled the attribution to the Russian APT29 in particular with such a high level of confidence."

---

quote:

---

Although the SolarWinds hack has been labelled a cyber ‘attack’, initial analysis indicates that it was intended not to damage, disrupt or destroy networks, but rather to gain intelligence. -- Marcus Willett

---

quote:

---

“The SolarWinds hack was a victory for our foreign adversaries, and a failure for DHS,” said Sen. Rob Portman of Ohio, top Republican on the Senate’s Homeland Security and Governmental Affairs Committee. “We are talking about DHS’s crown jewels.”

---

quote:

---

Email security biz Mimecast has dumped SolarWinds' network monitoring tool in favour of Cisco's Netflow product after falling victim to the infamous December supply chain attack. In an incident report detailing its experiences of the SolarWinds compromise, Mimecast said it had "decommissioned SolarWinds Orion and replaced it with an alternative NetFlow monitoring system". On top of that, the email security firm also junked a number of "compromised" servers, while admitting that the potentially Russian attackers had "accessed a subset of email addresses and other contact information", "customer server connection information", and "encrypted and/or hashed and salted credentials" as well as viewing source code repositories and Mimecast-issued certificates. The incident report laid out how much hassle the SolarWinds attackers caused. In addition, the loss of Mimecast as a customer won't have helped SolarWinds' cause. As the first major enterprise to confirm that it has junked SolarWinds in the wake of the supply chain attack, Mimecast could potentially lead the way for others to migrate from the beleaguered infrastructure monitoring 'n' management company. Among SolarWinds' 18,000 Orion customers were various governments around the world, including the United Kingdom.

---

quote:

---

Executive Summary

In August 2020, a U.S.-based entity uploaded a new backdoor that we have named SUNSHUTTLE to a public malware repository.

SUNSHUTTLE is a second-stage backdoor written in GoLang that features some detection evasion capabilities.

Mandiant observed SUNSHUTTLE at a victim compromised by UNC2452, and have indications that it is linked to UNC2452, but we have not fully verified this connection.

Please see the Technical Annex for relevant MITRE ATT&CK techniques (T1027, T1027.002, T1059.003, T1071.001, T1105, T1140, T1573.001).

The activity discussed in this blog post is also detailed in a Microsoft blog post. We thank the team at Microsoft and other partners for their great collaboration in tracking this actor.

---

quote:

---

Fully recovering from the SolarWinds hack will take the US government from a year to as long as 18 months, according to the head of the agency that is leading Washington’s recovery. The hacking campaign against American government agencies and major companies was first discovered in November 2020. At least nine federal agencies were targeted, including the Department of Homeland Security and the State Department. The attackers, who US officials believe to be Russian, exploited a product made by the US software firm SolarWinds in order to hack government and corporate targets. Brandon Wales, the acting director of CISA, the US Cybersecurity and Infrastructure Agency, says that it will be well into 2022 before officials have fully secured the compromised government networks . Even fully understanding the extent of the damage will take months.

---

I'd love to know which merchant got breached.

quote:

---

The private sector should be legally obliged to disclose any major hacks of their systems, says Microsoft’s president and top lawyer Brad Smith. Speaking at a Senate Intelligence Committee hearing on Tuesday regarding the SolarWinds backdoor, through which suspected Russian agents infiltrated the computers of US government departments and Fortune 500 companies, Smith argued it was “time not only to talk about but to find a way to take action to impose in an appropriate manner some kind of notification obligation on entities in the private sector.” He noted it was “not a typical step” for a company to ask the United States Congress to “place a new law on ourselves and on our customers, but I think it’s the only way we’re going to protect our country and I think it’s the only way we’re going to protect the world.” The invitation was certainly unusual but it was notably not challenged by the other panelists at the hearing: the CEO of SolarWinds, and of security experts FireEye – which first spotted and blew the lid off the tampered-with network monitoring software – and CrowdStrike. All of them agreed that there needed to be more information sharing across business and government, although only Smith proposed an actual legal obligation. The experts were also agreed on a number of other aspects of the hack: that it was carried out by a “very, very sophisticated” team that was undoubtedly state-sponsored. CrowdStrike’s CEO George Kurtz noted the hackers’ “superb tradecraft,” and “very unique” approach. And while only Smith was willing to say categorically that it was Russia, FireEye’s CEO Kevin Mandia noted that following an intensive investigation by his team, which included looking for clues in reams of decompiled code, they had concluded that the hack was “not consistent with China, North Korea or Iran, and was most consistent with Russia.” All of this inevitably led to a discussion about what to do to prevent such future invasions. Everyone agreed that sharing information was essential, and that too much information was currently being held in “silos,” either in government or the private sector. There’s nothing new in this, or in calls for everybody to share more intelligence. But the reason why businesses don’t like that idea was apparent in the form of SolarWinds’ Ramakrishna who read from a script and offered only bland generalizations, almost certainly because his company faces potential ruin from lawsuits heading his way and the lawyers locked down anything he would say in a public hearing. That’s why Smith suggested a compulsory disclosure law.

---

»msrc-blog.microsoft.com/ ··· -update/ -- Microsoft posts final update to Solorigate investigation

quote:

---

We have confirmed that the repositories complied and did not contain any live, production credentials.

---

quote:

---

There was no case where all repositories related to any single product or service was accessed. There was no access to the vast majority of source code. For nearly all of code repositories accessed, only a few individual files were viewed as a result of a repository search.

For a small number of repositories, there was additional access, including in some cases, downloading component source code. These repositories contained code for:

a small subset of Azure components (subsets of service, security, identity)
a small subset of Intune components
a small subset of Exchange components

The search terms used by the actor indicate the expected focus on attempting to find secrets. Our development policy prohibits secrets in code and we run automated tools to verify compliance. Because of the detected activity, we immediately initiated a verification process for current and historical branches of the repositories. We have confirmed that the repositories complied and did not contain any live, production credentials.

---

What hasn't been infiltrated :huh:

quote:

---

ANSSI on Monday revealed it is aware of two backdoors in Centreon the software, and said several French IT services providers have been infiltrated for up to three years. In a detailed report [PDF] that The Register navigated with rusty high school French and online translation services, ANSSI said the attack used the PAS web shell and the Exaramel backdoor trojan. Neither backdoor is new. The PAS web shell has been on security vendors’ radars since 2017 and mentions of Exaramel can be found in 2018. PAS does nasty things including brute force attacks on databases, to gain access to their contents. Exaramel is a remote-control tool. ANSSI said the attack was possible because some Centreon users didn’t keep their systems patched. The agency did not describe the consequences of the attack but said the combination of the two backdoors allowed complete compromise of Centreon, the software, and therefore lateral movement across networks. As the attack targeted service providers, and such organisations are likely to offer multi-tenanted infrastructure, it’s possible many entities have been compromised.

---

I have to say that if the project team was that large then I'm impressed.

quote:

---

(Reuters) — Hackers have spent up to three years breaking into organizations by targeting monitoring software made by the French company Centreon, France’s cybersecurity watchdog said on Monday.

The watchdog, known by its French acronym ANSSI, stopped short of identifying the hackers but said they had a similar modus operandi as the Russian cyberespionage group often nicknamed “Sandworm.”

ANSSI, Centreon, and the Russian embassy in Paris did not immediately return messages seeking comment.

The targeting of Centreon, a Paris-based company which specializes in information technology monitoring, further highlights how attractive such firms are to digital spies.

U.S. cybersecurity officials are still trying to get their hands around an ambitious espionage campaign that hijacked IT monitoring software made by the Austin, Texas-based firm SolarWinds. American officials, who have blamed Moscow for the hacking, have hinted that other firms have also been hit in similar ways.

Earlier this month Reuters reported that suspected Chinese hackers also targeted SolarWinds customers, using a different and less serious bug to help spread it across their victims’ networks.

The initial vector for the campaign of intrusions that targeted Centreon software was not known, ANSSI said in a 40-page report posted on its website. It said it had discovered intrusions dating back to late 2017 and stretching into 2020.

The watchdog did not identify the names or number of victims involved but said they were mainly IT services firms such as internet hosting providers.

Centreon’s website says it has more than 600 enterprise clients across the world, including the French Ministry of Justice

---

I'd like to know what criteria they used to determine 1,000 programmers were involved.

quote:

---

Most US cyber defences look at activity beyond the nation’s borders and assume the private sector in the USA takes care of itself.

---

If anyone understands the havoc 1,000 developers can create, it’s Microsoft.

quote:

---

Microsoft president Brad Smith said the software giant’s analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers. Speaking on US news magazine program 60 Minutes, Smith labelled the attack “the largest and most sophisticated attack the world has ever seen.” If anyone understands the havoc 1,000 developers can create, it’s Microsoft. Smith didn’t say who those 1,000 developers worked for, but compared the SolarWinds hack to attacks on Ukraine that had been widely attributed to Russia (which denies involvement). The 60 Minutes segment also featured FireEye CEO Kevin Mandia. FireEye also fell foul of the SolarWinds attack and Mandia revealed how his firm spotted the attack when an attempt at two-factor authentication raised suspicion. 60 Minutes also dropped a little nugget of insight by revealing that 4,032 lines of code were at the core of the crack. Others featured in the segment opined that it exploited a blind spot in US defences by running on servers hosted in America itself. Most US cyber defences look at activity beyond the nation’s borders and assume the private sector in the USA takes care of itself.

---

quote:

---

Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor.

---

quote:

---

US government formally blames Russia for SolarWinds hack

Joint statement from the FBI, CISA, ODNI, and NSA says SolarWinds hack was "likely Russian in origin."

---

quote:

---

As we previously shared, when Microsoft informed us about the compromise of a Mimecast-issued certificate used to authenticate a subset of Mimecast’s products, we advised affected customers to break and re-establish their connections with newly issued keys. The vast majority of these customers have taken this action, and Microsoft has now disabled use of the former connection keys for all affected Mimecast customers. We also launched an internal investigation, supported by leading third-party forensics experts, and we are coordinating our activities with law enforcement. Our investigation has now confirmed that this incident is related to the SolarWinds Orion software compromise and was perpetrated by the same sophisticated threat actor. Our investigation also showed that the threat actor accessed, and potentially exfiltrated, certain encrypted service account credentials created by customers hosted in the United States and the United Kingdom. These credentials establish connections from Mimecast tenants to on-premise and cloud services, which include LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes. Although we are not aware that any of the encrypted credentials have been decrypted or misused, we are advising customers hosted in the United States and United Kingdom to take precautionary steps to reset their credentials.

---

quote:

---

As if that supply chain attack wasn't bad enough, SolarWinds has had to patch its Orion software again after eagle-eyed researchers discovered fresh vulnerabilities – including one that can be exploited to achieve remote code execution. Ziv Mador, security research veep at Trustwave, the firm that found the flaws, told The Register: "It's very severe, not only because of the ability to run unauthorized code on the Orion platform, but also because anyone on the network, not even someone that has [no] access to that server, can do that." Detailed in a blog post today, Trustwave discovered that SolarWinds' Orion network management product contained a remote code execution (RCE) flaw (CVE-2021-25274) that hinged on SolarWinds' use of the Microsoft Message Queue technology. The vulns are not known to have been abused by miscreants who used Orion to infiltrate FireEye and the US government, among others, last year.

---

quote:

---

SolarWinds said it was aware of a single customer that was compromised by the second set of hackers but that it had “not found anything conclusive” to show who was responsible.

---