artee
15th Dec 2020, 01:12
https://www.theregister.com/2020/12/14/solarwinds_public_sector/
Concern is gathering over the effects of the backdoor inserted into SolarWinds' network monitoring software on Britain's public sector – as tight-lipped government departments refuse to say whether UK institutions were accessed by Russian spies.
As reported (https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear/) in the small hours of this morning by The Register, it appears the downloads page for SolarWinds' Orion Windows monitoring platform was altered by Kremlin hackers – known as APT29, aka Cozy Bear – so that victims fetched and installed a tampered-with version that included a remote-control backdoor.
This malicious code was detailed (https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) by FireEye, which itself said it was earlier hacked (https://www.theregister.com/2020/12/09/fireeye_tools_hacked/) by state-level miscreants. Said victims of the Orion job are said to include the Treasury and the Dept of Commerce at the US government. It's not clear at this stage whether FireEye was also hacked via a dodgy Orion install.
Research by The Register has shown that SolarWinds' Orion is used widely across the British public sector, ranging from the Home Office and Ministry of Defence through NHS hospitals and trusts, right down to local city councils.
A job advert for the MoD's Corsham tech bunker lists (https://contracts.contractspy.co.uk/job/50136/level-3-wintel-engineer-dv-ceared-at-ministry-of-defence-corsham-12-months-contract-rate/) SolarWinds as one of the tools used by a third-line software support engineer; similarly, a network design engineer job (https://www.digitalmarketplace.service.gov.uk/digital-outcomes-and-specialists/opportunities/12341) with the MoD's Defence Equipment and Support agency posted in May also listed SolarWinds proficiency as a "nice-to-have" skill.
SolarWinds' products are in regular use in the Royal Navy and Royal Air Force, with the agency also counting GCHQ, the Cabinet Office, and the Ministry of Justice among its customers. Most concerningly, a company brochure (https://www.solarwinds.com/-/media/solarwinds/swdcv2/landing-pages/uk-nhs/sw-federal-nhs-one-pager-0818.ashx?la=en&rev=b40ec51a2a404f93b47176676b10823f&hash=2A947F10D8478271AC64610E435DB96BE822CFDA) [PDF] also stated that the MoD's Defence Equipment and Support agency was a SolarWinds customer. DE&S is the agency that maintains Britain's high-tech fighter jets, submarines, and warships.
Analysis:
https://www.theregister.com/2020/12/15/solar_winds_update/As the debris from the explosive SolarWinds hack continues to fly, it has been a busy 48 hours as everyone scrambles to find out if, like various US government bodies, they're been caught in the blast. So, where are we at?
In terms of the news flow, it started in the middle of last week with FireEye. The specialist IT security firm brought in by multinationals when they suffer high-profile hacks found itself admitting (https://www.theregister.com/2020/12/09/fireeye_tools_hacked/) last week it had itself been hacked.
Not only that but miscreants, strongly suspected to be Kremlin-backed Russian hackers, had penetrated FireEye's servers and made off with its crown jewels: the tools it uses to test other companies’ defenses. Armed with those penetration tools, hackers could potentially identify which of their methods will pass FireEye's gaze undetected.
Anticipating the stolen tools leaking into the wrong hands, FireEye put out a range of materials to help others detect if its testing software is being used in the wild. It then investigated how its network defenses were breached.
Fast forward to the weekend, and various US government organizations discovered (https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear_us_government/) they too had been hacked, with Russia's APT29 aka Cozy Bear team suspected. The Department of Commerce, Treasury, and Homeland Security said their systems, including email, have been compromised in what may well be the most massive and consequential publicly known hack of American government data networks in history...
Concern is gathering over the effects of the backdoor inserted into SolarWinds' network monitoring software on Britain's public sector – as tight-lipped government departments refuse to say whether UK institutions were accessed by Russian spies.
As reported (https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear/) in the small hours of this morning by The Register, it appears the downloads page for SolarWinds' Orion Windows monitoring platform was altered by Kremlin hackers – known as APT29, aka Cozy Bear – so that victims fetched and installed a tampered-with version that included a remote-control backdoor.
This malicious code was detailed (https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html) by FireEye, which itself said it was earlier hacked (https://www.theregister.com/2020/12/09/fireeye_tools_hacked/) by state-level miscreants. Said victims of the Orion job are said to include the Treasury and the Dept of Commerce at the US government. It's not clear at this stage whether FireEye was also hacked via a dodgy Orion install.
Research by The Register has shown that SolarWinds' Orion is used widely across the British public sector, ranging from the Home Office and Ministry of Defence through NHS hospitals and trusts, right down to local city councils.
A job advert for the MoD's Corsham tech bunker lists (https://contracts.contractspy.co.uk/job/50136/level-3-wintel-engineer-dv-ceared-at-ministry-of-defence-corsham-12-months-contract-rate/) SolarWinds as one of the tools used by a third-line software support engineer; similarly, a network design engineer job (https://www.digitalmarketplace.service.gov.uk/digital-outcomes-and-specialists/opportunities/12341) with the MoD's Defence Equipment and Support agency posted in May also listed SolarWinds proficiency as a "nice-to-have" skill.
SolarWinds' products are in regular use in the Royal Navy and Royal Air Force, with the agency also counting GCHQ, the Cabinet Office, and the Ministry of Justice among its customers. Most concerningly, a company brochure (https://www.solarwinds.com/-/media/solarwinds/swdcv2/landing-pages/uk-nhs/sw-federal-nhs-one-pager-0818.ashx?la=en&rev=b40ec51a2a404f93b47176676b10823f&hash=2A947F10D8478271AC64610E435DB96BE822CFDA) [PDF] also stated that the MoD's Defence Equipment and Support agency was a SolarWinds customer. DE&S is the agency that maintains Britain's high-tech fighter jets, submarines, and warships.
Analysis:
https://www.theregister.com/2020/12/15/solar_winds_update/As the debris from the explosive SolarWinds hack continues to fly, it has been a busy 48 hours as everyone scrambles to find out if, like various US government bodies, they're been caught in the blast. So, where are we at?
In terms of the news flow, it started in the middle of last week with FireEye. The specialist IT security firm brought in by multinationals when they suffer high-profile hacks found itself admitting (https://www.theregister.com/2020/12/09/fireeye_tools_hacked/) last week it had itself been hacked.
Not only that but miscreants, strongly suspected to be Kremlin-backed Russian hackers, had penetrated FireEye's servers and made off with its crown jewels: the tools it uses to test other companies’ defenses. Armed with those penetration tools, hackers could potentially identify which of their methods will pass FireEye's gaze undetected.
Anticipating the stolen tools leaking into the wrong hands, FireEye put out a range of materials to help others detect if its testing software is being used in the wild. It then investigated how its network defenses were breached.
Fast forward to the weekend, and various US government organizations discovered (https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear_us_government/) they too had been hacked, with Russia's APT29 aka Cozy Bear team suspected. The Department of Commerce, Treasury, and Homeland Security said their systems, including email, have been compromised in what may well be the most massive and consequential publicly known hack of American government data networks in history...