The SolarWinds hack by Russia can’t be overstated

While Americans have been reading news articles about tweets, our adversaries have been busy.

Busy since at least March 2020, when the trojanized Orion updates started shipping.

This is not my first rodeo, and given that hackers are incredibly patient and typically play the “long game”, in my experience reported breach dates are frequently off by two years or more. So I’d guess 2018-ish for the initial entry point.

Regardless, SUNBURST gave APT operators deep access to places that shouldn’t even be reachable. Like the power grid.

https://theintercept.com/2020/12/24/solarwinds-hack-power-infrastructure/

“…to gain access into the 15 electric, oil, gas, and manufacturing entities that were infected with the software. But Lee notes that it may not be possible to uncover such activity if the attackers did access them and burrow further into the industrial control networks, because critical infrastructure entities generally don’t do extensive logging and monitoring of their control system networks.”

and

“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach,” says Lee. “So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”

In other words, we don’t know.
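The point Lee makes is that “follow-on activity” is only visible if you have network logs to compare against a baseline. As an added illustration (not part of the original post, and not code from any of the organizations mentioned), here is the kind of check a control-network defender would run: a constructed allow-list of the conversations an engineering segment expects, compared against constructed Zeek-style conn.log records. Every address, port and log line below is invented for the example.

```python
"""Baseline-vs-observed conversation check for a control-network segment.

Added example, not part of the original post. Assumes Zeek-style conn.log
fields in tab-separated form: ts, id.orig_h, id.orig_p, id.resp_h,
id.resp_p, proto. The allow-list and the sample log lines are constructed.
"""
from collections import defaultdict
from typing import Iterable, Iterator, NamedTuple


class Flow(NamedTuple):
    ts: float
    orig_h: str
    resp_h: str
    resp_p: int
    proto: str


# Constructed baseline: (source, destination, destination port) triples an
# engineering network is expected to carry. HMI and historian poll the PLC
# over Modbus/TCP (502); the engineering workstation programs it over S7comm (102).
BASELINE = {
    ("10.10.1.20", "10.10.2.5", 502),   # HMI -> PLC
    ("10.10.1.30", "10.10.2.5", 502),   # historian -> PLC
    ("10.10.1.40", "10.10.2.5", 102),   # engineering workstation -> PLC
}

# Constructed conn.log excerpt. The last three lines show a host that is not
# in the baseline at all touching several controllers in quick succession.
SAMPLE_CONN_LOG = """\
1608300000.10\t10.10.1.20\t49152\t10.10.2.5\t502\ttcp
1608300001.20\t10.10.1.30\t49153\t10.10.2.5\t502\ttcp
1608300002.30\t10.10.1.40\t49154\t10.10.2.5\t102\ttcp
1608300003.40\t10.10.1.55\t49155\t10.10.2.5\t102\ttcp
1608300004.50\t10.10.1.55\t49156\t10.10.2.6\t44818\ttcp
1608300005.60\t10.10.1.55\t49157\t10.10.2.7\t502\ttcp
"""


def parse_conn_log(lines: Iterable[str]) -> Iterator[Flow]:
    """Yield Flow records, skipping Zeek header/comment lines and short rows."""
    for line in lines:
        line = line.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 6:
            continue
        ts, orig_h, _orig_p, resp_h, resp_p, proto = fields[:6]
        yield Flow(float(ts), orig_h, resp_h, int(resp_p), proto)


def unexpected_flows(flows: Iterable[Flow], baseline=BASELINE) -> list:
    """Flows whose (src, dst, dst_port) triple is not on the allow-list."""
    return [f for f in flows if (f.orig_h, f.resp_h, f.resp_p) not in baseline]


def new_talkers(flows: Iterable[Flow], baseline=BASELINE, min_targets: int = 2) -> dict:
    """Sources absent from the baseline that reach at least min_targets
    distinct (host, port) endpoints. In a static control network this pattern
    is what lateral movement or discovery looks like; one new flow may be a
    misconfiguration, several from one host rarely are."""
    known_sources = {src for src, _dst, _port in baseline}
    targets = defaultdict(set)
    for f in unexpected_flows(flows, baseline):
        if f.orig_h not in known_sources:
            targets[f.orig_h].add((f.resp_h, f.resp_p))
    return {src: sorted(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = list(parse_conn_log(SAMPLE_CONN_LOG.splitlines()))
    for f in unexpected_flows(flows):
        print(f"unexpected: {f.orig_h} -> {f.resp_h}:{f.resp_p}/{f.proto} at {f.ts}")
    for src, endpoints in new_talkers(flows).items():
        print(f"new talker {src} reached {len(endpoints)} controllers: {endpoints}")
```

The check is deliberately dumb: no signatures, just “who normally talks to whom”. That is exactly what is impossible when a site keeps no conn.log or flow records from its control segments, which is Lee’s point.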

The SolarWinds hack is so bad that, in response, the United States will do nothing.

Why?

Because when the Department of Homeland Security and the Treasury, among the roughly 18,000 organizations that installed the backdoored update, are compromised, you have been epically pwned.

It means your adversaries totally own you. They have surely added backdoors on top of backdoors on top of backdoors into the systems, as well as “sleepers” such as some subcontractor’s laptop that is used once a year to service a particular piece of hardware.

Meanwhile, we are using AI/ML bots to automate trading on the stock markets. They all have triggers, “if this, then that”: if bond yields move x percent up or down, if company Y changes its guidance up or down by y percent, sell everything. Crash.

In other words, those of us in the DevOps and infosec world know that if an adversary has infiltrated even half this far, it’s game over. Yank and replace. “Game over, dude.”

We have one option in the short term: capitulate. Concede. Because you can’t “rip and replace” everything across an unknown number of compromised networks simultaneously when you can’t even identify which networks they are. And with APTs in place, possibly down to the silicon level, just lying in wait, even rip and replace will just get reinfected.

Stuxnet was the greatest piece of malware ever written, and it is widely attributed to the US. We created Pandora’s box. We reimagined hell. Then we left the lid open. The NSA got hacked and our own code has been “reflected” back at us. Since somewhere between 2012 and 2014 initially, by my estimation.

Stuxnet samples, and far more than that, are now freely available to download. You could do it today: fire up VMware Fusion, Kali Linux, Metasploit and an external Wi-Fi adapter and you are good to go. Or just use a Raspberry Pi. (The tooling was never the hard part. What Stuxnet’s authors actually had to earn was detailed knowledge of the target’s Siemens PLC environment and a foothold in the right network, and SUNBURST shows that the foothold is no longer hard to come by either.)

Officially, I think NotPetya is still “the most expensive hack in history.” (Get it? “think not”? But I digress....)

Unofficially? The SolarWinds hack is the anvil dropped on the camel’s back that has broken it and brought it to its knees.

SolarWinds will shatter the geopolitical and monetary policy of the United States and the world.

Get your COVID vaccine. Get some popcorn. Watch your 401k and pension funds, knowing that one or two edits could send them to zero. And try to wrap your brain around the fact that our military power is second only to our financial power, and we are losing the latter. Any monetary power we have left is because they allow it.

Maybe buy some Bitcoin?

Take some anti-anxiety meds. And pull out your Boy Scout handbook and practice setting up that old tent. (Just be careful where you put it, in case the upstream dam and levee gates suddenly open up.)

And if there is a “deep state”, maybe look externally instead of internally.

Happy 2020.

UPDATE: Further publicly released details are available in CISA alert AA20-352a:
https://us-cert.cisa.gov/ncas/alerts/aa20-352a