SolarWinds security adviser Ian Thornton-Trump warned company executives in 2017 of cybersecurity risks
A SolarWinds security adviser had warned of cybersecurity risks three years prior to the suspected Russian hack that infiltrated US government agencies – as it emerged that hackers had also gained access to major tech and accounting companies, the California hospital system and an Ohio university.
The adviser, Ian Thornton-Trump, gave a PowerPoint presentation to three SolarWinds executives back in 2017 urging them to install a cybersecurity senior director because he thought a major breach was inevitable, Bloomberg reports.
Thornton-Trump, who now works at threat intelligence firm Cyjax, said he resigned from SolarWinds a month after his presentation because, he said, the company wasn’t interested in making the changes he had suggested to improve cybersecurity.
‘My belief is that from a security perspective, SolarWinds was an incredibly easy target to hack,’ Thornton-Trump said in an interview published Monday.
‘There was a lack of security at the technical product level, and there was minimal security leadership at the top.’
SolarWinds is now at the center of a major global data breach that has infiltrated US government agencies after suspected Russian hackers gained access to the Texas-based company’s common software product.
Attorney General Bill Barr on Monday became the latest Trump administration official to blame the Russians for the attack. President Trump downplayed Russia’s involvement over the weekend and suggested that China could be to blame.
The hack began as early as March this year when hackers snuck malicious code into recent versions of SolarWinds’ premier software product, Orion.
GOVT AGENCIES KNOWN TO HAVE BEEN TARGETED BY HACKERS SO FAR
Department of State
Department of Homeland Security
National Institutes of Health
Department of Energy
National Nuclear Security Administration
Los Alamos National Laboratory
Federal Energy Regulatory Commission
Office of Secure Transportation
SolarWinds have since revealed they have traced the hackers back to October 2019, which is five months before they executed the main breach. The hackers are believed to have tested their ability to insert malicious code into the company’s network management software on October 10, 2019.
At least 24 organizations across the US installed the software that had been exploited by hackers, a Wall Street Journal analysis of internet records has found.
Those infected include: tech companies Cisco Systems Inc., Intel Corp and Nvidia Corp; accounting firm Deloitte; software company VMware Inc; electronics maker Belkin International Inc; the California Department of State Hospitals; and Kent State University.
This is in addition to the government agencies, including the State, Homeland Security, Commerce and Energy departments that were revealed last week to have been hacked.
The list of victims from the devastating and long-undetected hack continues to grow as security teams scramble to investigate the scope of the sprawling cyber-espionage campaign and contain the damage.
The hack involved a common software product made by Texas-based SolarWinds Corp, which is used by hundreds of thousands of organizations, ranging from government agencies to Microsoft and the majority of Fortune 500 companies.
The 24 organizations identified in the WSJ analysis offer a glimpse at the potential scope of the hack.
As many as 18,000 SolarWinds customers – including the federal agencies and major companies – downloaded the infected software, the company said last week.
It is not yet clear if the hackers even accessed many of the companies or what they did inside the ones they did get inside.
The list of victims from the devastating and long-undetected hack on US government agencies and companies continues to grow ever since the sprawling cyber-espionage campaign was disclosed earlier this week. This heat map of infections created by Microsoft shows that those infiltrated by the hackers are spread out across the US
At least 24 organizations across the US installed the software that had been exploited by hackers, including accounting firm Deloitte
Kent State University in Ohio also downloaded the infected software, according to a Wall Street Journal analysis of online records
Tech company Cisco Systems Inc. and the California Department of State Hospitals were also hacked
SolarWinds timeline: Company stocks and when they discovered attack
March: Updated versions of SolarWinds’ premier product, Orion, are infiltrated by an ‘outside nation state’
SolarWinds customers who installed updates to their Orion software were unknowingly welcoming hidden malicious code that could give intruders the same view of their corporate network that in-house IT crews have
November 18 and 19: Outgoing CEO Kevin Thompson sells $15m in shares
December 7: Leading investors Silver Lake and Thoma Bravo sell $280m of SolarWinds shares
December 7: CEO Kevin Thompson resigns. His transition had already been announced but no set date given
December 8: FireEye announces hackers broke into its servers
December 9: New CEO Sudhakar Ramakrishna announced to take over from Thompson in 2021
December 11: FireEye claims it became aware that SolarWinds updates had been corrupted and contacted the company
December 13: The infiltration of Orion becomes public
The US issues an emergency warning, ordering government users to disconnect SolarWinds software which it said had been compromised by ‘malicious actors’
The Pentagon, the State Department and the National Institutes of Health, as well as the Treasury, Commerce and Homeland Security departments reveal they were targeted
Much remains unknown, including the motive or ultimate target.
Several government officials have told Reuters they are largely in the dark about what information might have been stolen or manipulated – or what it will take to undo the damage.
Secretary of State Mike Pompeo said on Friday that Russia was behind the attack, calling it ‘a grave risk’ to the United States. Russia has denied involvement.
President Donald Trump on Saturday, however, downplayed the hack and Russia’s involvement, maintaining it was ‘under control’ and that China could be responsible.
AG Barr said on Monday: ‘From the information that I have, I agree with Secretary Pompeo’s assessment. It certainly appears to be the Russians, but I’m not going to discuss it beyond that.’
The incoming White House chief of staff said on Sunday that President-elect Joe Biden’s response to the massive hacking campaign uncovered last week would go beyond sanctions.
Ron Klain said Biden was mapping out ways to push back against the suspected Russian hackers who have penetrated half a dozen U.S. government agencies and left thousands of American companies exposed.
‘It’s not just sanctions. It’s steps and things we could do to degrade the capacity of foreign actors to engage in this sort of attack,’ Klain said on CBS’ ‘Face the Nation.’
The hack first came into view last week, when US cybersecurity firm FireEye Inc disclosed that it had itself been a victim of the very kind of cyberattack that clients pay it to prevent.
Publicly, the incident initially seemed mostly like an embarrassment for FireEye but hacks of security firms are especially dangerous because their tools often reach deeply into the computer systems of their clients.
Days before the hack was revealed, FireEye researchers knew something troubling was afoot and contacted Microsoft Corp and the FBI, three people involved in those communications told Reuters.
Microsoft and the FBI declined to comment.
Their message: FireEye has been hit by an extraordinarily sophisticated cyber-espionage campaign carried out by a nation-state, and its own problems were likely just the tip of the iceberg.
About half a dozen researchers from FireEye and Microsoft set about investigating, said two sources familiar with the response effort.
At the root of the problem, they found, was something that strikes dread in cybersecurity professionals: so-called supply-chain compromises, which in this case involved using software updates to install malware that can spy on systems, exfiltrate information and potentially wreak other types of havoc.
This Microsoft graphic shows how the SUNBURST attack unfolded in networks that were compromised
In 2017, Russian operatives used the technique to knock out private and government computer systems across Ukraine, after hiding a piece of malware known as NotPetya in a widely used accountancy program.
The latest U.S. hack employed a similar technique: SolarWinds said its software updates had been compromised and used to surreptitiously install malicious code in nearly 18,000 customer systems. Its Orion network management software is used by hundreds of thousands of organizations.
Once downloaded, the program signaled back to its operators where it had landed. In some cases where access was especially valuable, the hackers used it to deploy more active malicious software to spread across its host.
In some of the attacks, the intruders combined the administrator privileges granted to SolarWinds with Microsoft’s Azure cloud platform – which stores customers’ data online – to forge authentication ‘tokens.’ Those gave them far longer and wider access to emails and documents than many organizations thought was possible.
Hackers could then steal documents through Microsoft’s Office 365, the online version of its most popular business software, the NSA said on Thursday in an unusual technical public advisory. Also on Thursday, Microsoft announced it found malicious code in its systems.
A separate advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency on December 17 said that the SolarWinds software was not the only vehicle being used in the attacks and that the same group had likely used other methods to implant malware.
‘This is powerful tradecraft, and needs to be understood to defend important networks,’ Rob Joyce, a senior NSA cybersecurity adviser, said on Twitter.
It is unknown how or when SolarWinds was first compromised.
According to researchers at Microsoft and other firms that have investigated the hack, intruders first began tampering with SolarWinds’ code as early as October 2019, a few months before they were in a position to launch an attack.
Microsoft discovers SECOND hacking team dubbed ‘Supernova’ installed backdoor in SolarWinds software in March
Microsoft researchers say a second unidentified hacking team installed a backdoor in the same SolarWinds network software that facilitated a massive cyber espionage campaign, as the number of victims in the attack rose to 200.
The second backdoor, dubbed SUPERNOVA by security experts, appears distinct from the SUNBURST attack that has been attributed to Russia, raising the possibility that multiple adversaries were attempting parallel attacks, perhaps unbeknownst to each other.
‘The investigation of the whole SolarWinds compromise led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor,’ Microsoft said in a security blog on Friday.
The second backdoor is a piece of malware that imitates SolarWinds’ Orion product but it is not ‘digitally signed’ like the other attack, suggesting this second group of hackers did not share the same access to the network management company’s internal systems.
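The distinction drawn above, between code signed with the vendor’s own certificate and code that merely imitates the product, is something a defender can check directly on a Windows host. The PowerShell snippet below is an added example, not code from the article, Microsoft or SolarWinds: it walks an update directory and flags every executable or DLL whose Authenticode signature is missing, broken, or issued to a publisher other than the one expected. The directory path and the expected certificate subject are placeholders and must be replaced with the real install location and the vendor’s actual signing certificate subject.

```powershell
# Added example: flag unsigned or unexpectedly signed binaries in a vendor update.
# Both values below are hypothetical placeholders; substitute the real ones.
$updateDir         = 'C:\Path\To\Vendor\Update'                       # placeholder path
$expectedPublisher = 'CN=Example Vendor, O=Example Vendor, C=US'      # placeholder subject

function Get-UntrustedBinaries {
    param(
        [string]$Path,
        [string]$ExpectedSubject
    )
    Get-ChildItem -Path $Path -Recurse -Include *.dll, *.exe -File |
        ForEach-Object {
            # Get-AuthenticodeSignature validates the embedded signature and its chain.
            $sig     = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError, ...
                Signer  = $subject
                Trusted = ($sig.Status -eq 'Valid' -and $subject -eq $ExpectedSubject)
            }
        } |
        Where-Object { -not $_.Trusted }
}

# Anything listed here is either unsigned, tampered after signing, or signed by someone else.
Get-UntrustedBinaries -Path $updateDir -ExpectedSubject $expectedPublisher | Format-Table -AutoSize
```

This check would surface a file like the unsigned SUPERNOVA component the article describes. It would not, on its own, catch the SUNBURST variant, which the article notes was digitally signed through the vendor’s own pipeline: a valid signature proves the file came from the signer’s build process, not that the build process was clean, so it should be paired with the vendor’s published advisories and hashes for the affected versions.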
It is unclear whether SUPERNOVA has been deployed against any targets, such as customers of SolarWinds. The malware appears to have been created in late March, based on a review of the file’s compile times.
The SUNBURST backdoor was first deployed in March, though the same group behind it appears to have tampered with SolarWinds products as early as October 2019.
In past breaches, security researchers have found evidence that more than one suspected Russian hacking group penetrated the same system, duplicating their efforts in a way that suggested each did not know what the other was doing.
One such case was the breach of the Democratic National Committee’s servers in 2016, when CrowdStrike researchers found evidence that Russian hacking groups dubbed Fancy Bear and Cozy Bear had both broken into the system.
It’s also possible that the SUPERNOVA and SUNBURST attacks represent the actions of separate nations attempting to use SolarWinds products to penetrate other high-value U.S. targets.
In a statement, a SolarWinds spokesman did not address SUPERNOVA, but said the company ‘remains focused on collaborating with customers and experts to share information and work to better understand this issue.’
‘It remains early days of the investigation,’ the spokesman said.