It started with the Treasury Department notification of “a sophisticated hacking group backed by a foreign government stole information from the U.S. Treasury Department and a U.S. agency responsible for deciding policy around the internet & telecommunications.”
Within hours the federal Cybersecurity and Infrastructure Security Agency (CISA) identified the origin of that massive data breach and flagged it as a significant risk to government databases and private-sector businesses. The breach was attributed to computer intrusion through SolarWinds Orion:
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales. “Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.” (read more)
The Department of Homeland Security (DHS) also dispatched a warning, and further reporting on the issue pointed out that the intrusion itself took place in May of 2020 and that the malware was constructed to disguise itself within the SolarWinds system.
A cybersecurity firm, FireEye, found the intrusion door, identified the source code and tracked it to SolarWinds. FireEye then notified law enforcement and federal agencies, which then began reviewing the breach:
(Bloomberg) […] While the hack on FireEye was embarrassing for a cybersecurity firm, Carmakal argued that it may prove to be a crucial mistake for the hackers. “If this actor didn’t hit FireEye, there is a chance that this campaign could have gone on for much, much longer,” Carmakal said.
“One silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community and security partners.” Carmakal said there is no evidence FireEye’s stolen hacking tools were used against U.S. government agencies.
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.
FireEye’s investigation revealed that the hack on itself was part of a global campaign by a highly sophisticated hacker that also targeted “government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” the company said in a blog post Sunday night. “We anticipate there are additional victims in other countries and verticals.” (more)
SolarWinds has a massive client list, including all the sensitive government agencies and most of the top Fortune 500 companies. There have been reports that executives at SolarWinds are being reviewed for making stock transactions prior to public notification of the cyber hack.
About that Major SolarWinds CyberSecurity Threat... This is a Must Listen. SOUND ON: https://t.co/70rd3BGxs5
— TheSharpEdge (@TheSharpEdge1) December 14, 2020
All of that said, let’s stand back and take a look at the relationship between the Dominion vote counting issues, and the cyber intrusion into SolarWinds’ Orion.
A backdoor into SolarWinds is essentially a backdoor breach into the U.S. Cybersecurity and Infrastructure Security Agency (CISA). That same agency is in charge of operating all security networks connected to U.S. voting and election security systems, including those of the Department of Homeland Security. In essence, and to put it as plainly as possible, the breach into SolarWinds is a breach into the U.S. election security network.
Considering that the hack itself, meaning the implant of the malware, has so far been tied to no actual extraction of data, nor any quantification of what was extracted, why else would the malware be implanted, except to coordinate some other activity connected to the doorway?
Perhaps this is the apt metaphor:
If you were going to rob a bank (currency = votes), and the robbery was going to include the deployment of electronic lockpicking (Dominion tabulation machines), you would want to see what countermeasures the alarm company (CISA) would/could deploy to identify your effort and/or stop your success.
In that metaphor the hack of SolarWinds is the way into the alarm company.
Is that what this cyber-intrusion was all about?
The Department of Commerce confirmed a breach in one of its bureaus, and Reuters reported that the Department of Homeland Security and the Treasury Department were also attacked. […] the hackers took advanced steps to conceal their actions.
“Their level of operational security is truly exceptional,” he said, adding that the hackers would operate from servers based in the same city as an employee they were pretending to be in order to evade detection.
The hackers were able to breach U.S. government entities by first attacking the SolarWinds IT provider. By compromising the software used by government entities and corporations to monitor their network, hackers were able to gain a foothold into their network and dig deeper all while appearing as legitimate traffic. (link)
Again, notice how no “harm” has been identified. No exfiltration of data has been noted in any report; ergo it is the presence of the bad actors inside the system that has been identified as the compromise, and not necessarily any adverse outcome that has been quantified.
In essence, the bank (election) was presumably robbed, and now the authorities have identified the open backdoor to the bank, but nothing seems to have been removed.
Was the hack itself simply a way of controlling the alarm company in order to conceal the operation within the Dominion election network activity?
There are trillions at stake.
Just a thought….