Here’s a simple explanation of how the massive SolarWinds hack happened and why it’s such a big deal

SolarWinds Corp. banner hangs at the New York Stock Exchange (NYSE) on the IPO day of the company in New York.

  • SolarWinds is a major IT firm that provides software for entities ranging from Fortune 500 companies to the US government. 
  • Reuters first reported that SolarWinds was the subject of a massive cybersecurity attack that spread to the company’s clients. 
  • The breach went undetected for months, and could have exposed data in the highest reaches of government, including the US military and the White House.
  • Here’s a simple explanation of what happened and why it’s important. 

SolarWinds, a major US information technology firm, was the subject of a cyberattack that spread to its clients and went undetected for months, Reuters first reported last week. Foreign hackers, who some top US officials believe are from Russia, were able to use the hack to spy on private companies like the elite cybersecurity firm FireEye and the upper echelons of the US Government, including the Department of Homeland Security and Treasury Department. 

Here’s a simple explanation of how the massive breach happened, and why it matters. 

An unusual hack

Earlier this year, hackers secretly broke into Texas-based SolarWinds’ systems and added malicious code to the company’s software. The affected product, called “Orion,” is widely used by companies to manage IT resources. SolarWinds has 33,000 customers that use Orion, according to SEC documents.

Most software providers regularly send out updates to their systems, whether it’s fixing a bug or adding new features. SolarWinds is no exception. Beginning as early as March, SolarWinds unwittingly sent out software updates to its customers that included the hacked code. 

The code created a backdoor into customers’ information technology systems, which the hackers then used to install additional malware that let them spy on companies and organizations.


The victims

SolarWinds told the SEC that up to 18,000 of its customers installed updates that left them vulnerable to hackers. Since SolarWinds has many high profile clients, including Fortune 500 companies and multiple agencies in the US government, the breach could be massive.

US agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were attacked. So were private companies, like Microsoft, Cisco, Intel, and Deloitte, and other organizations like the California Department of State Hospitals and Kent State University, the Wall Street Journal reported.

And since the hack was carried out so stealthily, and went undetected for months, security experts say that some victims may never know whether they were hacked, the Wall Street Journal reported.

At the Treasury Department, hackers broke into dozens of email accounts and networks in the Departmental Offices of the Treasury, “home to the department’s highest-ranking officials,” Senator Ron Wyden said. The IRS hasn’t found any evidence of being compromised, he added. Treasury Secretary Steven Mnuchin said on CNBC that the hackers have only accessed unclassified information, but the department is still investigating the extent of the breach.


Who did it?

Federal investigators and cybersecurity experts say that Russia’s Foreign Intelligence Service, known as the SVR, is probably responsible for the attack. Russian intelligence was also credited with breaking into the email servers of the White House, the State Department, and the Joint Chiefs of Staff in 2014 and 2015. Later, the same group attacked the Democratic National Committee and members of the Hillary Clinton presidential campaign.

Russia has denied any involvement with the breach and President Trump has suggested, without evidence, that Chinese hackers may be the culprits.

Why it matters

Now that multiple networks have been penetrated, securing the affected systems is expensive and very difficult. Tom Bossert, President Trump’s former homeland security officer, said that it could be years before the networks are secure again. With access to government networks, hackers could “destroy or alter data, and impersonate legitimate people,” Bossert wrote in an op-ed for the New York Times.

Not only is the breach one of the largest in recent memory, but it also comes as a wake-up call for federal cybersecurity efforts. The US Cyber Command, which receives billions of dollars in funding and is tasked with protecting American networks, was “blindsided” by the attack, the New York Times reported. Instead, a private cybersecurity firm called FireEye was the first to notice the breach, when it discovered that its own systems had been hacked.

Finally, the hack could accelerate broad changes in the cybersecurity industry. Companies are turning to a new approach of assuming that breaches have already occurred, rather than merely reacting to attacks after they are found, Business Insider previously reported. And the US government may reorganize its cybersecurity efforts by making the Cyber Command independent from the National Security Agency, the Associated Press reported.


Read the original article on Business Insider

Dozens of Al Jazeera journalists’ iPhones were hacked using spyware from Israeli security company NSO Group, report claims

  • Sophisticated spyware was used to hack the phones of 36 Al Jazeera journalists, Citizen Lab said in a new report.
  • Citizen Lab said the hack, which it dubbed “Kismet,” could be traced back to software made by Israeli security company NSO Group.
  • NSO Group denied any involvement.
  • Citizen Lab said it believed the hack was ineffective against iPhones with the iOS 14 update, but that the scale of the hack prior to that update could be worryingly large.

Journalists at news organization Al Jazeera were targeted by an iPhone hack that sent iMessages loaded with malware, the University of Toronto’s Citizen Lab reports.

The hacking tool, dubbed “Kismet,” was a zero-click, zero-day hack, meaning Apple had no idea the exploit existed, and the malware didn’t need targets to click on anything for it to take effect.

Citizen Lab said the attack used the “Pegasus” software made by well-known Israeli security company NSO Group. 

Citizen Lab said it had identified four separate entities using Pegasus in the attack. It said it could, with “medium confidence,” link one of the four to Saudi Arabia, and another to the United Arab Emirates.

In a statement to Business Insider, NSO Group denied involvement, saying Citizen Lab’s report was based on “speculation.”

“NSO provides products that enable governmental law enforcement agencies to tackle serious organized crime and counterterrorism only, and as stated in the past we do not operate them,” a spokesperson for NSO Group said.

“However, when we receive credible evidence of misuse with enough information which can enable us to assess such credibility, we take all necessary steps in accordance with our investigation procedure in order to review the allegations,” they added.

This isn’t the first time NSO Group’s Pegasus software has been linked with hacking journalists’ phones.

In June of this year, Amnesty International said Pegasus had been used by the Moroccan government to hack a Moroccan journalist’s phone. NSO Group did not confirm nor deny the claims, and promised to investigate.

In October last year, Facebook filed a lawsuit against the company claiming its software was used to perpetrate a large-scale hack of WhatsApp users, including journalists and human rights activists. NSO is fighting the lawsuit. 

Citizen Lab said it believed the hack was ineffective against iPhones with the iOS 14 update, but that the scale of the hack prior to that update rolling out could be worryingly large.

“Given the global reach of NSO Group’s customer base and the apparent vulnerability of almost all iPhone devices prior to the iOS 14 update, we suspect that the infections that we observed were a minuscule fraction of the total attacks leveraging this exploit,” Citizen Lab said in its report.

While Citizen Lab first detected Kismet in July 2020, it said device logs suggest the hack was being used as far back as October 2019.

An Apple spokesperson told Business Insider that iOS 14, which was launched in September of this year, was more robust.

“At Apple, our teams work tirelessly to strengthen the security of our users’ data and devices. iOS 14 is a major leap forward in security and delivered new protections against these kinds of attacks. The attack described in the research was highly targeted by nation states against specific individuals. We always urge customers to download the latest version of the software to protect themselves and their data,” the spokesperson said.


Former US cybersecurity chief Chris Krebs warned not to ‘conflate’ voting system security with SolarWinds hack despite Trump’s claim

Christopher Krebs, former director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, during a Senate Judiciary Committee hearing on May 14, 2019.

  • Former top US cybersecurity official Chris Krebs warned on Twitter Saturday not to “conflate” the security of the US voting system with the massive SolarWinds cyberattack.
  • “The proof is in the paper,” Krebs tweeted, later adding that you “can’t hack paper.”
  • Krebs’ warning came shortly after President Donald Trump tweeted there could also have been “a hit on our ridiculous voting machines during the election.”
  • Trump also suggested that China could be behind the cyber attack and not Russia, which experts and Secretary of State Mike Pompeo have said is likely the culprit.
  • News surfaced earlier this month that the IT firm SolarWinds suffered a hack when bad actors launched malware in the company’s software, which was later distributed to some of its 300,000 clients. Microsoft and AT&T are among its customer base.

Ousted US cybersecurity official Chris Krebs warned on Twitter Saturday not to confuse voting system security with the massive SolarWinds hack.

“Do not conflate voting system security and SolarWinds,” tweeted Krebs, who served as US Cybersecurity and Infrastructure Security Agency Director until late November. “The proof is in the paper. You can audit or recount again to confirm the outcome. Like they did in Georgia. And Michigan. And Wisconsin. And Arizona. Can’t hack paper.” 

The tweet was posted shortly after Trump posted on Twitter suggesting that the cyber attack could be behind what he and other Republicans are peddling as election fraud and faulty voting systems.

“There could also have been a hit on our ridiculous voting machines during the election, which is now obvious that I won big, making it an even more corrupted embarrassment for the USA,” Trump tweeted. Twitter placed a warning label on the tweet, which read: “Election officials have certified Joe Biden as the winner of the U.S. Presidential Election.”

Presidential electors in all 50 states confirmed on Monday that Joe Biden indeed earned over 270 Electoral College votes, confirming that he won the 2020 election and will be the next president of the United States.


In his tweet, Trump also accused the media of overblowing the cybersecurity hack and questioned if it was China that was behind it instead of Russia. Experts have said the hackers likely were located in Russia, and Secretary of State Mike Pompeo said Friday that officials can “say pretty clearly” that Russians were involved.

Trump fired Krebs in late November after the cybersecurity official said there was “no manipulation of the vote on the machine-count side,” even after states like Georgia recounted votes by hand.

“The proof is in the ballots,” Krebs said on a “60 Minutes” segment. “The recounts are consistent with the initial count.”

News surfaced in early December that IT company SolarWinds suffered an attack that has been confirmed to have infiltrated US government agencies. The hackers were able to spy on companies and federal agencies since March, when they secretly launched malware in software that was handed out to some of the firm’s 300,000 clients. It’s unclear which of the firm’s clients were affected, but its customer base includes big industry names like Microsoft and AT&T.

The Trump administration acknowledged that the hackers gained access to official networks, and the Department of Homeland Security and the State Department are also victims of the attack.

Security researchers are now working to identify weak points in SolarWinds’ security system that could have enabled the hack. One researcher told Reuters that he warned the company in 2019 that its “solarwinds123” password for its server could be accessed by anyone.

“This could have been done by any attacker, easily,” researcher Vinoth Kumar told the outlet.


Members of Congress ‘left with more questions than answers’ after classified briefing about SolarWinds, saying administration ‘unwilling to share the full scope of the breach’

SolarWinds Corp banner hangs at the New York Stock Exchange (NYSE) on the IPO day of the company in New York, U.S., October 19, 2018

  • Lawmakers heard from the Department of Homeland Security, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence in a classified meeting today regarding the SolarWinds hack.
  • A statement issued afterwards said that, “Administration officials were unwilling to share the full scope of the breach and identities of the victims.”
  • President Trump has largely stayed silent in what is being analyzed as one of the most sophisticated hacks targeting the US government in history.

In a classified meeting on Friday, lawmakers from the House Homeland Security and Oversight Committees received a briefing on the known extent of the mass hacking campaign against the US government.

Lawmakers heard from the Department of Homeland Security, the Federal Bureau of Investigation, and the Office of the Director of National Intelligence.

In a statement issued afterward, the committees’ chairs said that after hearing from the Trump Administration, “we are left with more questions than answers.” The statement added that “Even in the midst of an unprecedented cyberattack with far-reaching implications for our national security, Administration officials were unwilling to share the full scope of the breach and identities of the victims.”

The committees stressed the severity of the hack and called for the administration to give Congress a fuller picture. The statement said that the US government’s network defenses “do not match the constantly evolving capabilities of our adversaries,” adding that the committees need “the Administration to tell Congress what resources and authorities they need to ensure this does not happen again.” 

The committees’ chairs called on the agencies to deliver an in-person briefing on Capitol Hill as soon as possible. 

After leaving the briefing, the House Subcommittee on National Security Chairman Stephen Lynch, told reporters, “this hack was so big in scope that even our cybersecurity experts don’t have a real sense yet in terms of the breadth of the inclusion itself.” Lynch added that “there are as many as 18,000 individual entities, both private and government, that have been compromised,” and that vetting would take time.

A Republican member of the House Oversight and Reform Committee, Rep. Bob Gibbs, told reporters, “I’m not too impressed with the confidence of our cybersecurity people.”

House Committee on Oversight and Reform member Rep. Jamie Raskin, a Democrat, said, “There’s a lot more that we don’t know than what we do know. I’m hopeful the government will learn exactly how this was perpetrated on us and what is the full scope of the damage.”

Others shared their disappointment and mounting concern.

House Homeland Security Committee Chairman Bennie Thompson said, “It was telephonic and it just didn’t give us what we wanted. They offered to come next week. We said next week? Are you serious? We’ll invite them back tomorrow.”

House Oversight Committee Chairwoman Carolyn Maloney told reporters, “I am shocked. National security is the number one challenge and responsibility to protect our people. Every agency is compromised…It is serious. It is deep.” 

The hack took place over the course of months via SolarWinds’ IT management software, which monitors servers in order to prevent outages. Hackers reportedly entered the system via patch updates released by SolarWinds in March and June. Over the last few weeks, virtually every US agency, including Defense, Treasury, Commerce, State, Energy, and the National Institutes of Health, was found to have been targeted in the supply chain attack.

President Donald Trump has largely stayed silent in what is being analyzed as one of the most sophisticated hacks targeting the US government in history.


These big firms and US agencies all use software from the company breached in a massive hack being blamed on Russia

  • Many companies and government agencies are clients of SolarWinds, the software company that suffered a massive, months-long hack made public on Sunday.
  • SolarWinds says it has more than 300,000 clients, including US government agencies and the vast majority of Fortune 500 companies.
  • It is unclear how many of them are using the software that was attacked. SolarWinds did not immediately respond to Business Insider’s request for comment.
  • Scroll down for a list of the most significant SolarWinds clients.

Thousands of international companies and numerous US government agencies, from the Department of Homeland Security to the State Department, are clients of the company whose software was breached in a massive hack.

SolarWinds announced a “highly sophisticated” attack on its Orion software on Sunday. Cybersecurity company FireEye said Sunday it was tracking the attack, saying that it began earlier in 2020 and may have left some systems compromised for months.

The Trump administration admitted that hackers had gained access to a number of key government networks including the Treasury and the Commerce Department, The New York Times reported.

By Monday evening, the State Department, the National Institutes of Health, and the Department of Homeland Security were also confirmed as victims of the hack, according to The Washington Post.

DHS’s Cybersecurity and Infrastructure Security Agency, whose director was recently fired by outgoing President Donald Trump for confirming the integrity of the 2020 election, issued an emergency directive calling on “all federal civilian agencies to review their networks for indicators of compromise.”

“The compromise of SolarWinds’ Orion Network Management Protocols poses unacceptable risks to the security of federal networks,” CISA Acting Director Brandon Wales said.

According to FireEye – which was itself hacked – the attackers gained access via the update server of a monitoring and management software made by SolarWinds called Orion IT.

The attack was “likely conducted by an outside nation state,” SolarWinds said. People familiar with the matter told Reuters that they believe the hack is Russian in origin.

The Russian Embassy in Washington, DC, denied responsibility.

It is unclear which companies and agencies are using the specific software that was affected and, if so, whether they have been targeted. SolarWinds did not immediately respond to Business Insider’s queries.

FireEye said Sunday that the hack was “widespread, affecting public and private organizations around the world.”

Here is a list of the biggest agencies and companies that SolarWinds lists on its site as clients:

US agencies

  • The Office of the President of the United States
  • The Secret Service
  • The Department of Defense
  • The US Army, Marine Corps, Navy, Air Force, and Coast Guard
  • The State Department
  • The Federal Reserve
  • NASA
  • The NSA
  • The CDC
  • The Department of Justice
  • The National Institutes of Health
  • The Department of Homeland Security

Major companies

  • Microsoft
  • Credit Suisse
  • Ford
  • Visa
  • Mastercard
  • AT&T
  • Procter & Gamble
  • PwC
  • Best Western
  • Lockheed Martin
  • Boston Consulting Group
  • CBS
  • Time Warner
  • Cisco
  • McDonald’s
  • Comcast
  • Ernst & Young
  • The Gates Foundation
  • Gillette
  • Blue Cross Blue Shield
  • Harvard
  • Sprint
  • Hertz
  • Volvo
  • Kodak
  • Nestlé
  • The New York Times
  • San Francisco Intl. Airport
  • Yahoo!

(Note: The full list of SolarWinds clients is larger)
