

The great hack attack: SolarWinds breach exposes big gaps in cyber security



Until this week, SolarWinds was a little known IT software group from Texas. Its deserted lobby has a framed magazine article from a few years ago when it was on a list of America’s “Best Small Companies”.

Now the Austin-based company is at the heart of one of the biggest and most startling cyber hacks in recent history, with ramifications that extend into the fields of geopolitics, espionage and national security.

For nine months, sophisticated state-backed hackers have exploited a ubiquitous SolarWinds software product in order to spy on government and business networks around the world, including in the US, UK, Israel and Canada. Wielding innovative tools and tradecraft, the cyber spies lurked in email services, and posed as legitimate staffers to tap confidential information stored in the cloud.

The bombshell revelations have sent 18,000 exposed SolarWinds customers scrambling to assess whether outsiders did indeed enter their systems, what the damage was and how to fix it.

The sprawling operation targeted some of the US government’s most sensitive data. The commerce and energy departments both admitted they had been compromised although the latter said it has no evidence of intrusions into its nuclear weapons management networks “so far”. Numerous other federal agencies have acknowledged that they are inspecting for fallout.

But the true scale of the ongoing campaign and its motivations are not yet — and may never be — known. There are indicators that it may be part of an even broader campaign that extends beyond the SolarWinds software. Experts have been swift to point a finger at Russia, which has wielded similar tactics in past cyber operations, though officials have refused to confirm a suspected culprit.

The massive hack has shone a light on the vulnerability of US government agencies and many of the world’s biggest companies to cyber intrusions via the long tail of vendors they rely on for IT services. SolarWinds is one of hundreds of relatively unknown companies that provide software to governments and business for their networks.

John Hultquist, director of intelligence analysis at FireEye, says the perpetrators ‘compartmentalised’ their actions to stay hidden © Brooks Kraft/Corbis/Getty
Dmitri Alperovitch, co-founder of security group CrowdStrike, says ‘this is the most consequential cyber espionage campaign to date’ © Stelios Varias/Reuters

“This is the most consequential cyber espionage campaign to date,” says Dmitri Alperovitch, co-founder of security group CrowdStrike who now runs the Silverado Policy Accelerator think-tank.

“It is going to take months to ascertain the full impact and actually be successful at ejecting the adversaries,” he adds. “And there’s going to be phase 2 which is understanding how we have failed to understand that this intelligence operation was taking place . . . but also [to] figure out how we’re gonna rebuild our cyber security in government.”

A ‘silent cold war’

The adversaries first broke through their victims’ defences by injecting malicious code into the patches of SolarWinds’ Orion product between March and June of this year. This meant that as some 18,000 SolarWinds clients updated their software, they unwittingly introduced a hidden backdoor for attackers to come in.
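The mechanism described above is worth making concrete from the defender's side. The trojanised Orion updates were built and signed by the vendor's own pipeline, so a customer who checked only the vendor signature saw nothing wrong; the code had been inserted before signing. The following is an added example (not SolarWinds' code, nor the reporters'): a Python update verifier that accepts a package only when both the vendor signature and an independently pinned SHA-256 digest match. The package names, the build contents and the pinned digest are constructed for the example, and the vendor signature is simulated with an HMAC as a stand-in for a real code-signing check such as Authenticode.

```python
"""Verify a software update against an independently pinned digest.

Added example, not from SolarWinds or any vendor. A backdoored build can
carry a valid vendor signature because the malicious code was inserted
before signing, so the consumer requires a second, independent check:
the artifact's digest must match a value obtained out of band (from a
reproducible rebuild, a second build system, or a manifest fetched over
a separate channel). Both checks must pass for the update to install.
"""
import hashlib
import hmac

# Hypothetical vendor signing key: a stand-in for a real code-signing key.
VENDOR_SIGNING_KEY = b"hypothetical-vendor-code-signing-key"


def vendor_sign(artifact: bytes) -> bytes:
    """Stand-in for the vendor's code-signing step (HMAC, not a real signature)."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()


def vendor_signature_valid(artifact: bytes, signature: bytes) -> bool:
    """What a signature-only consumer checks: does the vendor's signature verify?"""
    return hmac.compare_digest(vendor_sign(artifact), signature)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(name: str, artifact: bytes, signature: bytes, pinned_digests: dict):
    """Return (accept, reason). Signature AND pinned digest must both match."""
    if not vendor_signature_valid(artifact, signature):
        return False, "vendor signature invalid"
    expected = pinned_digests.get(name)
    if expected is None:
        # Fail closed: an unknown package cannot be cross-checked at all.
        return False, "no pinned digest for this package; refuse to install"
    actual = sha256_hex(artifact)
    if not hmac.compare_digest(actual, expected):
        return False, ("vendor signature valid but digest does not match the pinned "
                       "value: possible supply-chain tampering")
    return True, "ok"


# Constructed sample builds: a clean one and the same build with injected code.
CLEAN_BUILD = b"orion-core v1.0 | legitimate code"
TROJANISED_BUILD = b"orion-core v1.0 | legitimate code | injected backdoor"

# Digest pinned from an independent source; here computed from the clean build.
PINNED = {"orion-core": sha256_hex(CLEAN_BUILD)}


def demo() -> dict:
    """Run the verifier over the constructed artifacts and return the decisions."""
    # The attacker inserts the backdoor before signing, so the vendor signs it too.
    clean_sig = vendor_sign(CLEAN_BUILD)
    trojan_sig = vendor_sign(TROJANISED_BUILD)
    return {
        "clean": verify_update("orion-core", CLEAN_BUILD, clean_sig, PINNED),
        "trojanised": verify_update("orion-core", TROJANISED_BUILD, trojan_sig, PINNED),
        "unknown": verify_update("orion-agent", CLEAN_BUILD, clean_sig, PINNED),
    }


if __name__ == "__main__":
    for package, (accepted, reason) in demo().items():
        print(f"{package:11s} accepted={accepted} reason={reason}")
```

The point of the `trojanised` case is that `vendor_signature_valid` returns True for it; only the pinned-digest comparison rejects it. The pinned values have to come from somewhere the vendor's build pipeline cannot write to, otherwise the second check collapses into the first.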

Once inside, the hackers were able to move around at will, undetected, going to great lengths to cover their tracks and identity.

John Hultquist, director of intelligence analysis at FireEye, the cyber security company which was itself a casualty of the attack, says the perpetrators painstakingly “compartmentalised” their actions, making it harder to connect one intrusion to another. The hackers did not want to exploit every opportunity for fear of raising suspicion. “This is about quality over quantity. Every organisation they access endangers their access — which risks the entire operation,” he says.

One western security official says there is already evidence that the hackers conducted detailed reconnaissance on the organisations they had breached, and depending on what they found, would then decide which victims to prioritise. Microsoft, also a victim of the hackers, said on Thursday that it had identified 40 customers that had been “targeted more precisely and compromised through additional and sophisticated measures”, largely IT and security companies as well as government agencies. 

Michael Chertoff, chairman of the Chertoff Group, a security and risk management consultancy, who served as secretary of homeland security in the Bush administration, says that “our adversaries’ hacking skills have also gotten better and they have become more aggressive.” He adds: “There is a bit of a silent cold war in the cyber space domain.”

Theresa Payton, head of security consultancy Fortalice Solutions, said the hackers would have been able to create their ‘own credentials that look like normal employees’ © Steve Zak/FilmMagic/Getty
Communications at the US Treasury were reportedly compromised and numerous other federal agencies are inspecting for fallout © Olivier Douliery/AFP/Getty

The hackers leveraged other novel techniques to impersonate trusted users and access highly sensitive information, according to a rare advisory published by the US National Security Agency on Thursday.

“If you have unfettered access, you can create your own administrator’s [control], user IDs and passwords and credentials that look like normal employees’,” says Theresa Payton, former White House chief information officer and chief executive of cyber security consultancy Fortalice Solutions, who dubs this level of access the “God’s door”.

“You can hijack dormant accounts, you can inject documents, you can change things.”
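Two of the abuses Payton describes, hijacking dormant accounts and minting new privileged identities that look like ordinary staff, leave traces in ordinary authentication logs. The following is an added example, not from the article or any of the people quoted: a small Python detector that replays a constructed log and flags a dormant account that suddenly authenticates, and a freshly created account that is granted admin rights and used shortly afterwards. The log format (ISO timestamp, event type, account, detail, pipe-separated) and every account name in it are invented for the example; the same fields exist in Windows Security events 4720, 4728 and 4624 or in an identity provider's audit log, and the rules apply once those are mapped into the `Event` record.

```python
"""Flag dormant-account reactivation and new-admin-then-used patterns.

Added example, not from the original article. The log lines are
constructed for this example; the thresholds are assumptions a real
deployment would tune to its own account lifecycle.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)    # no logon for this long counts as dormant
NEW_ADMIN_WINDOW = timedelta(days=7)  # created, privileged and used within this window


@dataclass
class Event:
    ts: datetime
    kind: str      # LOGON, ACCOUNT_CREATED or PRIV_ASSIGNED
    account: str
    detail: str


def parse_line(line: str) -> Event:
    """Parse 'timestamp | kind | account | detail' into an Event."""
    ts, kind, account, detail = (f.strip() for f in line.split("|", 3))
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, account, detail)


def detect(lines) -> list:
    """Replay log lines in order; return (timestamp, account, alert) tuples."""
    last_logon = {}      # account -> time of previous successful logon
    created_at = {}      # account -> creation time (removed once alerted)
    privileged_at = {}   # account -> time admin rights were granted
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.kind == "ACCOUNT_CREATED":
            created_at[ev.account] = ev.ts
        elif ev.kind == "PRIV_ASSIGNED":
            privileged_at[ev.account] = ev.ts
        elif ev.kind == "LOGON":
            prev = last_logon.get(ev.account)
            if prev is not None and ev.ts - prev >= DORMANT_AFTER:
                gap = (ev.ts - prev).days
                alerts.append((ev.ts, ev.account,
                               f"dormant account reactivated after {gap} days ({ev.detail})"))
            created = created_at.get(ev.account)
            if created is not None and ev.account in privileged_at \
                    and ev.ts - created <= NEW_ADMIN_WINDOW:
                alerts.append((ev.ts, ev.account,
                               "newly created account granted admin rights and used within window"))
                created_at.pop(ev.account)  # alert once per account
            last_logon[ev.account] = ev.ts
    return alerts


# Constructed sample log, in chronological order.
SAMPLE_LOG = """
2020-03-01T09:00:00Z | LOGON           | svc_backup | workstation=WS01
2020-12-01T08:00:00Z | LOGON           | alice      | workstation=WS07
2020-12-09T23:40:00Z | ACCOUNT_CREATED | jdoe2      | by=helpdesk
2020-12-09T23:41:00Z | PRIV_ASSIGNED   | jdoe2      | group=Domain Admins
2020-12-10T01:05:00Z | LOGON           | jdoe2      | workstation=DC01
2020-12-10T02:13:00Z | LOGON           | svc_backup | workstation=VPN-GW
2020-12-10T08:00:00Z | LOGON           | alice      | workstation=WS07
"""


def run_sample() -> list:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ts, account, alert in run_sample():
        print(f"{ts.isoformat()} {account}: {alert}")
```

Two alerts come out of the sample: `svc_backup` reappearing after roughly nine months, and `jdoe2` created, made a domain admin and logged on within two hours. `alice`, who logs on every few days, is not flagged. The detector is stateful, so in production it has to be seeded with historical last-logon times, otherwise every account's first observed logon looks like a fresh baseline rather than a reactivation.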

The Cybersecurity and Infrastructure Security Agency warned that the hackers also used other undisclosed “vectors” as part of their campaign, and that it will be “highly complex and challenging” for victims to actually eject the perpetrators from their systems.

“Can you imagine if you found out that six months ago somebody was in your house and now you’re trying to figure that out?” says Ms Payton. “The forensic evidence gets damaged and destroyed.”

“If it is [Russian foreign intelligence], they will not run away once detected,” says Suzanne Spaulding, security expert at the Center for Strategic and International Studies. “If you think they’re out of your system, they may have just gone deeper into hiding. They have in the past been combative — we may have a battle on our hands.”

Senator Richard Blumenthal is the only US official to have publicly singled out Russia as the main culprit © Tom Williams/CQ-Roll Call/Getty
The SolarWinds hack is the latest in a series of cyber attacks on Washington over a period of more than a decade © Saul Loeb/AFP/Getty

US officials have been evasive when it comes to attributing the attacks. Only Richard Blumenthal, Democratic senator from Connecticut, has publicly singled out Russia as the main culprit, after he and other members of Congress received a classified briefing from intelligence officials.

“Today’s classified briefing on Russia’s cyber attack left me deeply alarmed, in fact downright scared,” Mr Blumenthal wrote on Twitter on Wednesday.

Many cyber experts believe the attack bears the hallmarks of a Russia-backed campaign.

One person who had been briefed on the investigation says there were clues buried in the hackers’ language and coding that pointed to Russian perpetrators.

Some have pointed specifically at APT29, a prolific hacker group backed by the SVR, Russia’s Foreign Intelligence Service, which was previously linked to an intrusion into the Democratic National Committee’s network ahead of the 2016 US election. One person with knowledge of the hack suggested it could also be a sister unit to APT29.

Supply chain risk

The SolarWinds hack is the latest in a long line of increasingly advanced cyber attacks over a period of more than a decade since China first penetrated Pentagon and White House networks. Washington received a big wake-up call in 2015 after it discovered that China had obtained sensitive data on several million government employees by hacking the Office of Personnel Management.

But the severity of the SolarWinds attack and the wide net of victims have prompted soul-searching among the cyber security community, US government and corporations.

“The main implication for me is to underline the weakness of much of the west’s cyber defences and in that respect it’s a bit discouraging, morale-sapping, it’s frankly a bit embarrassing,” says Ciaran Martin, who stepped down earlier this year as head of the UK’s National Cyber Security Centre, the defensive arm of signals intelligence agency GCHQ, and now a professor at the University of Oxford’s Blavatnik School.

One key lesson from this attack, say cyber experts, is that defences among the majority of western institutions are simply not strong enough. In particular, organisations have not paid enough attention to the security of software suppliers — such as SolarWinds — in their supply chain.

Ciaran Martin, former National Cyber Security Centre head, said the hack underlined ‘the weakness of much of the west’s cyber defences’ © Tolga Akmen/FT
The NCSC is the defensive arm of the UK’s signals intelligence agency GCHQ © David Goddard/Getty

Prof Martin says securing the supply chain is the “hardest nut to crack” because there is neither a globally-recognised set of software security standards, nor any form of enforcement if these are not met.

“If you’re the chief information security officer in a company or US government and you need to buy software how do you know what’s good?” asks Prof Martin. “We have to accelerate on the long hard road to fixing [our supply chain defences] and if this doesn’t prompt us to, I don’t know what will.”

Others place part of the blame on government inaction and on weaknesses in the government’s own systems. “I don’t think the security measures taken after the OPM hack were at all sufficient, or at all helpful,” says Mr Alperovitch. “We had spent literally hundreds of millions of dollars on systems that did nothing to protect us here.”

Thomas Bossert, former homeland security adviser to President Donald Trump and president of Trinity Cyber, a security consultancy, says the government needs better tools to carry out “deep inspection of network traffic” to detect suspicious activity.

Disarmament framework

Many questions remain unanswered. For example, there is no clarity on how SolarWinds, whose shares have fallen by more than 25 per cent since last Friday, was hacked in the first instance.

Dick Durbin, Democratic senator for Illinois, described the hack as “virtually a declaration of war by Russia on the United States” — a suggestion which has been widely shot down by cyber experts, who argue that hacking for espionage purposes is entirely different from an offensive cyber campaign which is intended to cause harm, for instance by targeting critical infrastructure.

US officials and cyber experts also privately admit that American spy agencies — most notably the NSA — are constantly engaged in exactly the same kind of hacking of overseas governments that they publicly rail against back in Washington.

SolarWinds, which listed on the NYSE in 2018, provided software to 18,000 business and government customers for their networks © Brendann McDermid/Reuters
Digital disruption: cyber spies tapped confidential information stored in the cloud © Alessandro Bianchi/Reuters

James Lewis, a cyber security expert at the Center for Strategic and International Studies think-tank, argues that hacks have become inevitable and that it is critical for the US government to think more about how it could change the risk calculation in a way that makes Russia and China less likely to conduct attacks on the US. This should be a priority for the incoming Biden administration, he adds.

“We have to stop thinking of cyber as somehow unique. This is part of a larger conflict with Russia and China. We have two giant espionage campaigns aimed at the US. One [Russia] is looking for political effect, and the other [China] is looking to steal technology.”

He adds: “[But] we have no strategy or leadership. Every president has failed to deal with this.”

Many experts call for international accords around responses to global cyber attacks, as a preventive measure.

Google chief executive Sundar Pichai argues that governments need to draw up a cyber framework that is “the equivalent of internet disarmament”. He adds: “I’m not saying it’s going to be easy, but it has to be on the agenda of the G20, given how important digital infrastructure is becoming.”

Additional reporting by Miles Kruppa in Texas and Richard Waters in San Francisco



Gastronomes look beyond pandemic to a revolution in French fine-dining




Chef Yannick Alléno used to serve a €395 menu featuring langoustines and foie gras at his three-starred Michelin restaurant near the Champs-Elysées.

But as France prepares to allow restaurants to reopen for outdoor service next week after six months of closure, he will instead be serving up burgers at his wine bar for a fraction of the price. 

That a superstar chef such as Alléno, whose stable of high-end restaurants from Courchevel to Marrakesh hold more than a dozen Michelin stars, is changing strategy underscores the difficulties facing France’s grands restaurants as they seek to recover from the ravages of the coronavirus pandemic.

“We have to inspire people to come here by sparking their curiosity,” he said of the Pavillon Ledoyen, the neoclassical building that houses several of his restaurants, including the three-starred Alléno Paris.

Such temples to French gastronomy have long catered to wealthy foreign tourists, who will happily pay more than €1,000 for a meal for two as long as they experience l’art de vivre à la française. But with international travel severely curtailed by the pandemic, such customers are not expected back for some time. 

Yannick Alléno operates high-end restaurants from Paris to Courchevel and Marrakesh that hold a dozen Michelin stars combined © Francois Durand/Getty

Attracting locals is the new challenge, as well as retaining employees, many of whom have left the sector and its notoriously challenging working conditions. Many restaurants are also saddled with large debts after taking state-guaranteed loans to ride out the crisis.

“I have three years of struggle ahead,” said Alléno, adding that half the group’s €4m in cash reserves had been spent. “For three-star restaurants, there will be many casualties.” 

His flagship restaurant used to generate more than three-quarters of revenue from foreign diners, mostly from Asia and the US. As there is little point reopening without them, the doors will remain shut until September. Alléno will for now experiment in the less-formal location as he plots an overhaul that seeks to drag fine-dining into the 21st century.

“Everything must change,” he said, quoting the title of the book he co-wrote during lockdown. In it, he called for a revamp of everything from the style of service (warmer, more personalised) to staffing (more flexible and family-friendly).

French haute gastronomie traces its roots back to visionary 19th-century chefs such as Auguste Escoffier and Marie-Antoine Carême, who created a cuisine based on rich sauces and meticulous — often theatrical — service. For decades it was considered the world’s best and became a key part of French identity.

But its popularity has faded in recent decades thanks to competition first from the flashiness of molecular gastronomy and then the pared-back Nordic style. As French haute cuisine lost ground, it became much more expensive, putting it out of the reach of many.

“The pandemic has exposed that the business model of high-end restaurants in France simply doesn’t function without tourists,” said Joerg Zipprick, co-founder of La Liste group, which ranks the world’s best restaurants.

“This is a relatively new development. It used to be that . . . a local doctor or manager would come to these places to celebrate a special occasion. No longer.”

Zipprick said that for the top chefs, many of whom had spent the past year experimenting with takeouts and meal kits, success depended on their willingness to adapt.

A customer picks up his order from Baieta in Paris
Baieta restaurant in Paris. Many top chefs have experimented with takeouts and meal kits during the past year © Franck Fife/Getty

Diners would not want fussy and experimental dishes on their return, he predicted, but would instead want to eat good food at a nice restaurant in the company of friends and family.

“No more technical stuff or food that requires a long explanation from the waiter about the fermentation process. People don’t want their meal to be a work of art,” Zipprick said.

The last time French cuisine reinvented itself was in the 1970s when chefs such as Paul Bocuse and the Troisgros brothers created nouvelle cuisine. The movement, less opulent and calorific than the fine-dining that preceded it, put fresh and high-quality ingredients to the fore and service became less formal. 

Alléno believes top restaurants must aim to tailor experiences by talking to clients beforehand about the occasion for their dinner, the guests and their tastes.

This “concierge service” approach would allow menus to be better planned, improving the customer experience and the economics for the restaurant.

“If I know I only have three people who’ll eat langoustine on a given night then I don’t need to order six kilos just in case,” he said. “It really changes things for the kitchen.” 

Others are being even more radical. Daniel Humm’s three-starred Eleven Madison Park in New York will no longer serve meat and seafood when it reopens next month, as the Swiss chef seeks to show that sustainable and environmentally conscious eating can be compatible with luxury.

However, Éric Fréchon, the three-Michelin-starred chef behind restaurant Epicure at the five-star Le Bristol Paris hotel, played down expectations of radical change.

“Things will return much as they were before,” Fréchon said, noting that the hotel’s restaurants had a significant local client base. “People have missed the experience of haute gastronomie for so long they’ll be eager to come back.”

Fréchon said he would retain some coronavirus-era innovations, including the €1,390 “gastronomy and to bed” package that is marketed as a one-night staycation for locals that includes dinner in their suite or hotel room.

“For New Year’s Eve we had 60 servers running back and forth to rooms, it was really difficult,” he said. “But it allowed us to reach new clients who perhaps would not have dared to come to a three-star restaurant. Now we have to keep them.”

Additional reporting by Domitille Alain in Paris



Ireland’s healthcare system taken down by cyber attack




Ireland has shut down most of the major IT systems running its national healthcare service, leaving doctors unable to access patient records and people unsure of whether they should show up for appointments, following a “very sophisticated” cyber attack.

Paul Reid, chief executive of Ireland’s Health Service Executive, told a morning radio show that the decision to shut down the systems was a “precautionary” measure after a cyber attack that impacted national and local systems “involved in all of our core services”.

Some elements of the Irish health service remain operational, such as clinical systems and its Covid-19 vaccination programme, which is powered by separate infrastructure. Covid tests already booked are also going ahead.

However, the system for processing test referrals from GPs and referrals of close contacts is down, the HSE tweeted, adding that those in need of testing should go to walk-in centres, which would prioritise symptomatic cases.

“This is having a severe impact on our health and social care services today, but individual services and hospital groups are impacted in different ways. Emergency services continue, as does the @AmbulanceNAS [National Ambulance Service],” health minister Stephen Donnelly wrote on Twitter.

No group has yet claimed responsibility for the attack. Speaking on Friday morning, Reid said the HSE had also not yet been served with a ransom demand. “We are at the very early stages of fully understanding the threat, the impact and trying to contain it,” he said, adding that it was receiving assistance from the Irish police force, defence forces and third-party cyber support teams.

The master of Dublin’s Rotunda Maternity Hospital said it was advising patients who were less than 36 weeks pregnant not to present for appointments on Friday. In a statement, Cork University Hospital said patients should present for outpatient appointments, chemotherapy and surgery “unless you are contacted to cancel”, but that X-ray and radiotherapy appointments for Friday were cancelled.

Professor Donal O’Shea, consultant endocrinologist at St Vincent’s Hospital in Dublin, told RTE radio that there could be implications for patient care. “Clinical systems haven’t been targeted, but if you can’t access your computer, then getting results is impossible . . . so before long, there are going to be clinical implications,” he said. In its statement, Cork University Hospital said “only emergency bloods” would be processed at this time.

Reid said that patients nationally “should still come forward until they hear something different” and that an update should be available later on Friday. A spokeswoman for the HSE was unable to provide a further update on patient care by mid-morning. “We apologise for the inconvenience to the public and will give further information as it becomes available,” she added.

Healthcare workers told the FT they had been instructed to turn off their laptops, leaving staff at home offline and those working in hospitals reverting to pen and paper to manage patients’ information.

In a statement on its website, Ireland’s child and family agency Tusla said that its emails, internal systems and portal for child protection referrals were also offline because they were hosted on the HSE’s network.

The attack comes as actions by cyber criminals to disrupt public services have increased during the pandemic. Earlier this month, hackers believed to be from eastern Europe breached the IT systems of the Colonial Pipeline, a major fuel conduit that supplies much of the eastern US.

“Opportunistic cyber attackers targeting flooded healthcare organisations has been a common theme throughout the course of the pandemic,” said Charlie Smith, consulting solutions engineer at Barracuda Networks. “These scammers are aware of the huge significance of health services’ IT systems at this time, and so will stop at nothing to disrupt said systems or steal valuable data in exchange for ransom.”



Watchdog turns on Polish government over coronavirus election




Poland’s supreme audit office has accused prime minister Mateusz Morawiecki of exceeding his powers, as it unveiled a highly critical report into the government’s attempt to hold last year’s presidential election by post because of the pandemic.

The salvo by the supreme audit office (NIK) is the latest in a series of disputes over last year’s election, which was meant to be held in May, but was eventually postponed until June as coronavirus swept through Europe.

It is also the latest in a series of clashes between the ruling Law and Justice party and Marian Banaś, a former finance minister who was put in charge of the NIK in 2019 thanks to the support of politicians from the ruling camp, but has since become a thorn in the government’s side.

Representatives of NIK, which is responsible for auditing government spending, on Thursday said the attempt to hold the presidential election by post in May — which was ultimately abandoned after disagreements in the ruling camp — had cost at least 76m zloty ($20.2m).

They also said that there had been no legal basis for the prime minister to give any orders to two state-controlled entities, the Polish Post and the Polish Security Printing Works (PWPW), in relation to holding the election, such as the printing of voting cards.

“The only body entitled to organise elections was the State Election Commission,” Banaś said during a press conference. “Organising the elections on the basis of an administrative decision should not have happened and was without legal basis.”

He said the NIK had informed prosecutors of possible crimes committed by the boards of the Polish Post and PWPW, which were involved in the preparations for the postal ballot.

The Polish Post said “categorically” that “all its actions taken to implement the prime minister’s decision of April 16 2020 were founded on legal provisions”. PWPW said it considered NIK’s move “unjustified” and “baseless”.

Banaś added that the NIK was analysing whether to notify prosecutors of concerns relating to the actions of other parties involved in the preparations for the election.

The government said that “all decisions on beginning technical preparations for postal voting in the presidential elections were in accordance with the law”.

“All the actions [of the prime minister and the head of the chancellery of the prime minister] were aimed at holding elections by the constitutional deadline,” the government’s information office said in a statement.

“The prime minister never called for presidential elections or for postal voting. The goal of the actions taken was to allow the participation in the elections of those who were entitled to vote, but whose life and health were at risk as a result of the pandemic.”

Jacek Sasin, minister for state assets, took a similar line, and told Polish state radio that the NIK report was “a certain element in the fight between the government and . . . Marian Banaś”.

Banaś has been under pressure to step down from his post since media reports emerged alleging that a building he owns was used as a brothel. In an interview with Politico, he dismissed the allegations as a “smear campaign” aimed at ousting him.

He concluded his press conference by drawing attention to the fact that the NIK was one of a series of institutions targeted by fake bomb threats earlier this week, and to an email sent to the NIK this morning falsely claiming that Banaś’s son was going to commit suicide.

“I ask you yourselves for a comment on this,” he said to the assembled journalists.
