The Untold Story of the Boldest Supply-Chain Hack Ever

156 points by SerCe, about 2 years ago

16 comments

revelio, about 2 years ago

Disappointing, the article doesn't say anything new or untold beyond some minor personal details about the people involved and the fact that people repeatedly missed major clues because they weren't talking to each other.

Also, the article repeatedly insinuates that the attack was traced to the Russian government; in fact it says it so often that a casual reader could be forgiven for thinking they had proof. But a careful reading shows that they have absolutely no idea who did the SolarWinds hack. The link to the SVR is simply that Kevin Mandia has a "hunch" based on "pattern recognition" from his work in the 1990s. Not only is no proof presented, they don't even have anything that could be called evidence.

Writeups of hacks are always like this nowadays. It's the Russians. How do we know it's not the Chinese, or the Americans, or the British? We don't, but if we say it's the Russians everyone will be on our side, so let's roll with that.

I really wish journalists would not try to manipulate readers like that. It'd be more honest to say they don't know. Trying to slip a completely made-up SVR connection past the readers like that implies the rest of the article might just be spin too.
ahi, about 2 years ago

It's amusing how these stories always include the breathless account of the genius hackers. It boiled down to a few thousand lines of code in a DLL. There's only so much genius you can get into a few thousand lines of code. In reality, SolarWinds did something stupid, then some of their customers connected it to the internet and didn't even firewall it. Hackers will always have success not because they're brilliant, but because there will always be some marks who didn't cross their i's and dot their t's.
this_steve_j, about 2 years ago

I'm holding out hope for an NTSB-style investigation report by CISA that is a giant website with 1000s of pages of analyst notes and digital forensic evidence and shows exactly how they found out what they did as it happened.

For all the $100mil's that have been spent over the course of this cyber Pearl Harbor event, there should be something monumental added to the public record that every comp sci and cybersecurity student or pro can learn from for the next 50 years.

Data from these big attacks shouldn't be limited to the rarefied few folks who are lucky enough to take a $9000 SANS SEC541 course or work on a CIRT team for a Fortune-100 company whose sausage is among those roasted by the fire.
NoMoreNicksLeft, about 2 years ago

Do I understand correctly that the hackers improved the DLL's code deliberately, so that Orion wouldn't manifest bugs which might invite debugging scrutiny that also revealed the backdoor?
lesuorac, about 2 years ago

> The practice of placing legal teams in charge of breach investigations is a controversial one. It puts cases under attorney-client privilege in a manner that can help companies fend off regulatory inquiries and fight discovery requests in lawsuits.

I wonder if the new DoJ agrees with this approach.
duped, about 2 years ago

This article also misses the part where JetBrains got accused of being a Russian asset by tech media.
fyhfuhfg, about 2 years ago

Why do people call this a supply chain attack???

The simplest abuse of an all-powerful application coded by illiterate criminals who even sold company stock when things were to become public.

The real attack is how they managed to sell this to so many high-profile targets. That is conveniently left out of every report, including this lame one from Wired.

My guess, since they sold to FireEye, is that it's the same circle of people who can get these types of contracts. A shadow elite of former NSA consultants helping each other.
sigio, about 2 years ago

https://archive.ph/X9fqZ
TheJoeMan, about 2 years ago

This story reads as merely attempting to cover for Mandiant's reputation. They are "the ones on speed dial" for customers and seem to be trying to salvage. Definitely a rare glimpse into the deep state; how many other companies have contacts at the NSA?
mike_hearn, about 2 years ago

Here's the sketch of a defense against such attacks. Is there anyone out there who'd buy it, if it existed?

Imagine a tool that, given a simple description of a server (e.g. pointed at your build system or a downloadable artifact like a container image), creates a VM that starts the app on boot, uploads that VM image to the cloud, starts it up and then performs a remote attestation protocol to verify that the remote VM is running what you think it's running, down to the last byte. Remote attestation allows you to "measure" a VM or enclave to determine a cryptographic hash of everything running on the machine in an auditable way. Sometimes the VM has encrypted RAM so you can prove that the cloud provider can't break into that machine.

It could potentially have helped in this case where the attackers compromised a build system. Remote attestations can be chained together and used as signatures, so for example SolarWinds could have come with a proof that it was compiled correctly from a particular git commit hash, and then third party auditors could have been hired to monitor that the code doesn't have backdoors. Customers could then run it and get from this imaginary tool a complete audit chain all the way back to a certificate issued by a third party that says "we reviewed the code at commit <hash> and this program was compiled from that code via a build system audited via remote attestation".

Now, RA isn't a silver bullet. It's still possible to transiently hack a machine such that the hack remains in memory. But if you regularly reboot and re-attest your VMs, you can wipe these hacks out on a regular basis because the entire thing is being booted from a known good image, and that image is created from known good code, etc.

The pieces already exist. AMD SEV, Intel TDX, Amazon Nitro and others support RA protocols for virtual machines, and Linux has support for propagation of attestations through the service stack. But there seems to be a lack of orchestration tools to bring all the parts together. If there's any interest in signing a letter of intent for such a tool please get in touch (email address in profile).
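The audit chain sketched in the comment above (reviewed commit, then attested build output, then attested running VM), as an added Python example that is not part of the thread or of any real attestation tool. The commit hash, keys and artifact bytes are constructed, and HMAC stands in for the signatures a real SEV/TDX/Nitro quote would carry:

```python
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed demo keys; HMAC stands in for each party's signing key / hardware quote (assumption).
KEYS = {"auditor": b"auditor-demo-key", "builder": b"build-vm-demo-key", "vm": b"prod-vm-demo-key"}
COMMIT = "0123abcd" * 5  # constructed placeholder for a git commit hash

def digest(data: bytes) -> str:
    """Measurement of an artifact or VM image: SHA-256 over its bytes."""
    return hashlib.sha256(data).hexdigest()

def sign(role: str, claim: dict) -> dict:
    """Bind a claim to the role that issued it (HMAC as a stand-in for a signature)."""
    body = json.dumps(claim, sort_keys=True).encode()
    return {"claim": claim, "sig": hmac.new(KEYS[role], body, hashlib.sha256).hexdigest()}

def verify_sig(role: str, signed: dict) -> bool:
    body = json.dumps(signed["claim"], sort_keys=True).encode()
    expected = hmac.new(KEYS[role], body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])

def verify_chain(audit: dict, build: dict, runtime: dict, live_quote: str) -> Tuple[bool, str]:
    """Walk the chain from the live VM quote back to the auditor's review of the source."""
    for role, signed in (("auditor", audit), ("builder", build), ("vm", runtime)):
        if not verify_sig(role, signed):
            return False, f"bad signature on {role} claim"
    if live_quote != runtime["claim"]["measurement"]:
        return False, "live quote differs from the VM's reported measurement"
    if runtime["claim"]["measurement"] != build["claim"]["artifact"]:
        return False, "running image is not the attested build output"
    if build["claim"]["source_commit"] != audit["claim"]["commit"]:
        return False, "artifact was built from a commit nobody reviewed"
    return True, "ok"

def demo() -> Dict[str, Tuple[bool, str]]:
    """Honest chain passes; an image whose bytes the attested build never produced fails."""
    clean = b"constructed clean build output"
    audit = sign("auditor", {"commit": COMMIT, "verdict": "no backdoors found"})
    build = sign("builder", {"source_commit": COMMIT, "artifact": digest(clean)})
    good_vm = sign("vm", {"measurement": digest(clean)})
    # Same image with extra bytes the build claim does not vouch for, e.g. a swapped-in DLL.
    tampered = clean + b"\x00extra-bytes"
    bad_vm = sign("vm", {"measurement": digest(tampered)})
    return {
        "clean": verify_chain(audit, build, good_vm, digest(clean)),
        "tampered": verify_chain(audit, build, bad_vm, digest(tampered)),
    }
```

The tampered case fails even though every signature verifies, because the chain check compares measurements link by link rather than trusting any single party's say-so.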
bell-cot, about 2 years ago

I stopped reading in paragraph 9, at:

> When investigators finally cracked it, they were blown away by the hack's complexity and extreme premeditation.

"Extreme premeditation?" Please. The old USSR had quite a few spies who stayed active for decades inside America's Top Secret Tent. A century ago, if a navy wanted a new battleship, it could easily be 7 years between "start spending money" and "battleship is completed and ready to use".
waste_monk, about 2 years ago

I'm not sure I agree with the title... surely Crypto AG would be bigger/more influential?
hnthrowaway0328, about 2 years ago

For the SolarWinds hack, there also remains the question of whether there was any inside job.
robszumski, about 2 years ago

This incident and the Colonial Pipeline attack were the main drivers behind the Biden cybersecurity executive order "Executive Order on Improving the Nation's Cybersecurity" [1], which has driven changes to policy at NIST, FDA, OMB and others [2].

My opinion is that while these policies are fuzzy and lack specifics, it's just the first round of pushing industry in the correct direction without mandating specific tools or methods.

In the EU, the proposed Cyber Resilience Act has maybe cast too wide of a net, snagging any open source contributor as a software "manufacturer".

1: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/
2: https://edgebit.io/regulations/
sakerbos, about 2 years ago

I really enjoyed that article. I do love a good conspiracy theory and I found this piece particularly interesting:

"The US Cybersecurity and Infrastructure Security Agency wanted to know whether any research labs developing Covid vaccines had been hit."

Why were the Covid research labs of most concern to CISA as opposed to something like the presidential office?
column, about 2 years ago

See, that's a long article I would have just skipped a year ago. Now, we get to play with its content and it's fun:

Joe: So, it was late 2019 when we stumbled upon the breach at the think tank.

Donald: And what did you find, Joe?

Joe: Another digital security breach, nothing special. But then we found a second group of hackers, more skilled, going after specific executives, policy wonks, and IT staff.

Donald: Damn, that's some precision targeting right there.

Joe: Yeah, we kicked them out, but they kept coming back. We found out they had planted a backdoor three years earlier, and we never even knew.

Donald: Three years?! They were playing the long game, huh?

Joe: You could say that. And in June 2020, they came back. We spent days trying to figure out how they slipped in.

Donald: And how did they do it?

Joe: They zeroed in on a server running SolarWinds software. And that's when the Department of Justice called us.

Donald: Those hackers were clever.

Joe: You're damn right they were. They had gained access to the firm's multifactor authentication system and were conducting counterintelligence against one of their biggest foes.

Donald: Who was that?

Joe: Mandiant.

Donald: And did Mandiant catch them?

Joe: Yeah, they did. But here's the thing, Don. Mandiant had investigated an intrusion on a server running the same SolarWinds software months earlier.

Donald: No way.

Joe: Yeah, way. And they didn't recognize the similarity between the two cases.

Donald: Why not?

Joe: Internal secrecy, man. And SolarWinds was the source of the hack.

Donald: That's what caused all the anger, huh?

Joe: You got it. And the US government won't say what the hackers did inside its networks. People are saying they don't want to admit their failures.