Companies and the US government hacked: attackers cracked tens of thousands of networks


By attacking a software company, hackers created a back door into up to 18,000 computer networks worldwide. Those who may be affected include the US military and NATO. The possible damage is not yet foreseeable.

The Solarwinds company was hardly known outside of specialist circles. But the IT company from Austin, Texas, claims to have more than 300,000 customers worldwide who use its software, among other things, to manage large computer networks, including all branches of the US military, the Secret Service, the central bank, NATO and the majority of all large corporations. In Germany, Solarwinds lists Siemens as a customer in its reference list. According to a mandatory notification to the stock exchange regulator, hackers could have used the Solarwinds software to gain access to 18,000 of these institutions for months.

According to US media reports, the hackers broke into the servers of the US Department of Commerce, the Treasury and Homeland Security. It is still unknown which data was spied on there and which of the other Solarwinds customers are affected. As reported by the "Washington Post" among others, the hacker group APT 29, also known as "Cozy Bear", which is associated with the Russian foreign intelligence service, is said to be behind the attack. Moscow rejected the allegation; the Russian government announced that no cyber attacks had been carried out.

It is now clear how the hackers succeeded in what was possibly the most comprehensive cyber attack in recent years, and how they were discovered months later. In a complex operation, they first infiltrated the Solarwinds development team and smuggled spy code into a software update. This update has been downloaded and installed thousands of times since May 2020. Because the update was certified by Solarwinds itself, the malware it carried was not automatically recognized as such, even when the hackers began reading out some of the highly sensitive data.

In some cases, they apparently did so for months. The Solarwinds announcement states that the attackers' capabilities included "running additional programs, transferring files, restarting the computer and switching off services such as virus scanners". Given that numerous military and security authorities, arms companies and critical infrastructure facilities in many countries are among Solarwinds' customers, the possible damage from the attack can hardly be imagined.

In at least one case, it is known what the hackers stole: they captured attack software from the IT security company FireEye, which the company uses to test its own cyber defense. This theft was discovered more than half a year after the start of the large-scale attack. While searching for the security hole in their own network, FireEye's experts finally discovered the malware in the Solarwinds update. Solarwinds has since provided a new update for the affected "Orion" software and urgently recommends that customers install it.
