Biggest Cyber attack ever

Can someone explain what happened here, and its implications, like I'm 12?
Everything in this thread is going right over my head.
A foreign intelligence agency was able to break into secured US Government sites and databases. Multiple agencies were impacted, as well as a lot of private organizations. The intrusion has been going on since at least March and it's likely that the attacker has had access to huge amounts of sensitive information. This is likely much bigger than that time the Soviets had a spy high up in the US Navy that passed them everything for years because of how wide-scope it is.

Multiple sources/agencies have said with fairly high confidence that Russia was behind the hack. The hack was also so deep and widespread that it's still ongoing as it will take weeks or months to extricate all of the intrusions.

This is likely the largest security failing since WWII, if not of all time.

The hackers got in due to crappy passwords (password123 was one used to protect some sensitive stuff) and probably other vectors. It seems to me that the attack was mostly based on human failings like bad passwords rather than taking advantage of software flaws (things like zero-day vulnerabilities which are previously unknown bugs that allow intrusions).
 
The hackers got in due to crappy passwords (password123 was one used to protect some sensitive stuff) and probably other vectors. It seems to me that the attack was mostly based on human failings like bad passwords rather than taking advantage of software flaws (things like zero-day vulnerabilities which are previously unknown bugs that allow intrusions).

No, not bad passwords, that's an excuse. The hackers got in due to software security not being taken seriously, neither on the side of the corporation that did this software nor on the user side. And remained undetected for months due to network isolation and management not being taken seriously. Ironically, taking advantage of using a network monitoring "security" software.
 
Hackers got in because they were at least as smart as those who wrote that software up.
 
It's interesting, also, that I don't have any idea on what an appropriate response is. Like, personally or even geo-politically.

The appropriate response is to stop writing down and sharing things you don’t want the whole world to know. Stop keeping sensitive information online. I also don’t think the most sensitive strategic info ever was kept online and as such isn’t compromised. DoD stopped using 5 and 8 inch floppy disks just last year. https://www.nytimes.com/2019/10/24/us/nuclear-weapons-floppy-disks.html

If anything worthwhile was stolen, it’s not the fault of Microsoft, it’s the unprofessional behaviour of officials who were using technology in a wholly unacceptable way.
 
And that is because I hate email. I prefer errand boys to issue orders to my soldati subordinates.
 
Oh-kay, time for r16 silliness. From the illustrious illustration I understand the old wanna help the young with transferring their hard won experience and the like, but face indifference and mocking and a notion that the past does not count, like because everything is new, Pentagon supposedly calling its space types Guardians!!! and more!!!, you know soldiers, sailors and marines and aviators and what not. It would have been much better to be angry right from the start.

The early famous Microsoft backdoor is supposedly the one they installed into the specific DOS version that was ordered by Texas Instruments.
 
Seriously? How hard is it to make a proper password? The hackers weren't simply "good". They used the most simple hacking technique to get in by bruteforcing their way through, all because someone didn't bother to make a more complex password.
 
And it's not really existential. The most critical stuff is still isolated. No one is going to launch the nukes this way. Electric grids are unlikely to be easily crashed. Though that, as well as plants in several industries, etc, is getting sloppy. Smart meters for what really? Convenience, robustness, profit: choose one.

They'll still be able to do something with the gathered data. Probably not obvious to us, but you can't hack a bunch of government agencies and other critical things, siphon a lot of data, and get nothing out of it. They had a goal. They probably reached a good part.
 
Seriously? How hard is it to make a proper password? The hackers weren't simply "good". They used the most simple hacking technique to get in by bruteforcing their way through, all because someone didn't bother to make a more complex password.

No, the "good" part was with how they were able to leverage Fireeye's tools and then Solarwinds' patches to establish access into all these other networks.

https://www.fireeye.com/blog/threat...chain-compromises-with-sunburst-backdoor.html
 
The release is doctored, there would be no password of 123 calibre, it was obviously an ever ongoing, ever careful, ever detailed recording type of thing and there must be something happened as the hackers let America know stuff about it. WW III by the end of the year should be really good. Accordingly, the hacking might probably have not involved the companies or the tools named ...
 
Nothing much. A supposed security software for network monitoring that gets installed with elevated privileges and of which government services in many countries were particularly fond, as well as large corporations, was compromised by some group of attackers. The company that produced it was distributing the compromised version and took months to even notice. The supposed "security experts" who were deploying and using this network monitoring software failed to notice the suspicious data in their network borders and in the systems where the software was installed that would flag the fact that it was establishing connections to some foreign command & control server. Probably because software is currently so rotten through with calling home, calling advertisement servers, calling all kinds of extra resources from the internet. The whole "ecosystem" is rotten.

No one who really was serious about security got compromised in this one. The people who did security as a performance act are very shocked, so very shocked and offended that they were exposed as incapable.

At most corporations, actual security is given a lower priority than “cover your ass” security where nobody has to take responsibility for neglecting to do whatever was on the “cover your ass” checklist.
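The failure the post above describes, a privileged monitoring host quietly talking to a server it has no business contacting, is exactly what a plain egress check on that host class catches. The script below is an added example, not code from this thread or from any vendor: it reads a constructed egress log, keeps only connections from hosts running the monitoring agent to destinations outside the vendor's documented endpoints, and flags those that recur at a regular interval. Host names, domains and the log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Hosts where the privileged monitoring agent runs (assumed names).
MONITORING_HOSTS = {"nms01.corp.example", "nms02.corp.example"}
# Endpoints the vendor is documented to contact (assumed allowlist).
EXPECTED_DESTINATIONS = {"updates.vendor.example", "licensing.vendor.example"}

# Constructed egress log: timestamp, source host, destination, bytes sent.
SAMPLE_LOG = """\
2020-06-01T02:00:03Z nms01.corp.example updates.vendor.example 512
2020-06-01T02:15:11Z nms01.corp.example unknown-host.example 1400
2020-06-01T02:30:09Z nms01.corp.example unknown-host.example 1380
2020-06-01T02:45:14Z nms01.corp.example unknown-host.example 1420
2020-06-01T03:00:12Z nms01.corp.example unknown-host.example 1390
2020-06-01T03:10:00Z ws17.corp.example news.example 9000
2020-06-01T04:00:05Z nms02.corp.example licensing.vendor.example 300
"""

def parse_log(text):
    """Return (timestamp, src_host, dst_host) tuples from the constructed log."""
    records = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, _nbytes = line.split()
            records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst))
    return records

def is_periodic(timestamps, max_jitter=0.1):
    """True when three or more connections recur at a near-constant interval:
    the check-in rhythm of an implant polling its controller."""
    if len(timestamps) < 3:
        return False
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean > 0 and max(abs(g - mean) for g in gaps) / mean <= max_jitter

def find_suspicious(log_text):
    """List (src, dst, count, periodic) for every monitoring host that talks
    to a destination outside the vendor allowlist."""
    seen = defaultdict(list)
    for ts, src, dst in parse_log(log_text):
        if src in MONITORING_HOSTS and dst not in EXPECTED_DESTINATIONS:
            seen[(src, dst)].append(ts)
    return sorted((s, d, len(t), is_periodic(t)) for (s, d), t in seen.items())

if __name__ == "__main__":
    for src, dst, n, periodic in find_suspicious(SAMPLE_LOG):
        print(f"{src} -> {dst}: {n} connections, periodic={periodic}")
```

The workstation's traffic is ignored because only the host class that runs with elevated privileges is in scope; the allowlist is what makes the check cheap to keep current.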
 
I'm actually happy with this. The whole edifice tends to crumble as complexity increases and maintenance becomes harder and harder. It's our built-in defense against tech dystopias :D
 
:rotfl: The Russians are the universal excuse in Oceania. And if it wasn't them it would be Dr Evil or some other designated villain.
Wondered if this would be your go-to retort, surprised at how unsurprised I am that it was :D
 
And as part of Trump's response he has stopped the PDBs to Biden.

I've searched for other evidence of this and not found any. Linky? I have seen that DoD has pushed off further turnover briefings etc to after Christmas/New Year's holidays, though.
 
Wondered if this would be your go-to retort, surprised at how unsurprised I am that it was :D

Consider this:
In one previously unreported issue, multiple criminals have offered to sell access to SolarWinds’ computers through underground forums, according to two researchers who separately had access to those forums.
One of those offering claimed access over the Exploit forum in 2017 was known as “fxmsp” and is wanted by the FBI “for involvement in several high-profile incidents,” said Mark Arena, chief executive of cybercrime intelligence firm Intel471. Arena informed his company’s clients, which include U.S. law enforcement agencies.
Security researcher Vinoth Kumar told Reuters that, last year, he alerted the company that anyone could access SolarWinds’ update server by using the password “solarwinds123”
“This could have been done by any attacker, easily,” Kumar said.

To then claim that this isn't believed to be the way the company was compromised is a daring statement. It doesn't take a Dr Evil to pull this off. It doesn't take a state.

Where some Dr Evil or Axis of Evil comes in handy is as an excuse for the incompetent: it was a really really big hack you see, a big state attacking us, not really our fault, we're victims! (sarcasm alert)

The origin for the stories that "it was the Russians" were "anonymous sources" quoted by The Washington Post and the New York Times. The usual water carriers for the "intelligence community" industrial complex of which this corporation is part.
Pompeo then carried it officially. And then Trump claimed it was the other bête noire, China. And then a new piece of news claimed that there were two attackers hacking the same product. So I guess tomorrow it can officially be both Russia and China!
And perhaps a third trojan will be found in this "security product". Apparently someone from the company also exposed the password in a public GitHub repository. Perhaps there is room to claim it was an Iranian and add that one to the list?

It's getting very hard not to be skeptical of official pronouncements.
 
Consider this:
It's getting very hard not to be skeptical of official pronouncements.

Funny how the very NEXT sentence that you should have included states that the current breach isn't the result of the stolen password. Why didn't you include that?

Neither the password nor the stolen access is considered the most likely source of the current intrusion, researchers said.
Others - including Kyle Hanslovan, the cofounder of Maryland-based cybersecurity company Huntress - noticed that, days after SolarWinds realized their software had been compromised, the malicious updates were still available for download.
 
The origin for the stories that "it was the Russians" were "anonymous sources" quoted by The Washington Post and the New York Times. The usual water carriers for the "intelligence community" industrial complex of which this corporation is part.

If Solarwinds is part of the "intelligence community industrial complex", then that description fits so many companies (including the one I work for) as to make it a useless label. No, Solarwinds is a software company that has no real connection to the intelligence community. Their monitoring software isn't even directly security-related.
 
I am not seeing any reason why China, which has (iirc) almost an order of magnitude larger GDP than Russia, wouldn't have better hackers.
Russia is another major power à la France, not a real superpower, of which imo there are only two (nukes keep the balance for the time being, though).
 
I am not seeing any reason why China, which has (iirc) almost an order of magnitude larger GDP than Russia, wouldn't have better hackers.
Russia is another major power à la France, not a real superpower, of which imo there are only two (nukes keep the balance for the time being, though).

This is overly simplistic at best. Replace "hackers" with any state-driven element, like navy, space program, espionage capabilities, nuclear weapon program, etc etc, and it becomes more obvious, and "having better hackers" is less reliant on heavy GDP spending than any of those.

This may be of some help to you: https://www.zdnet.com/article/hacki...oing-to-emerge-as-major-threats-in-the-2020s/

"Over the last five years there have been tactical evolutions along with new malware and new techniques, but they haven't taken a jump up to compete with the volume of Chinese attacks or the sophistication of the Russian groups," says Benjamin Read, senior manager of cyber-espionage analysis at FireEye.
 
If Solarwinds is part of the "intelligence community industrial complex", then that description fits so many companies (including the one I work for) as to make it a useless label. No, Solarwinds is a software company that has no real connection to the intelligence community. Their monitoring software isn't even directly security-related.

My impression is that there isn't much distinction between what is contracted to companies and what is done in house. It's a big world but at the same time a small one.

Going back to the leaks Snowden (himself working for a contractor) released, there's a lot of cooperation going on.