US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor

America's nuclear weapons agency was hacked by the suspected Russian spies who backdoored SolarWinds' IT monitoring software and compromised several US government bodies, and Microsoft was caught up in the same cyber-storm, too, it was reported Thursday. The Windows giant uses SolarWinds' network management suite Orion, …

  1. Tom Paine

    "full rebuild"

    Perhaps they had enough canned lateral movement tools that, although they only had bandwidth to properly turn over (say) a dozen of the 18,000 and exfiltrate crown jewels, they were able to implant stealthy persistence agents elsewhere in those victims' networks. So, does "total rebuild" refer to every server in every customer org? Or "all the things"? (How about switches and routers? How about printers? How about bootkits -- shouldn't they chuck all hardware into skips the day after cutting over to the perfect replica of the entire network on known-good replacements?)

    And even that won't give assurance; supposing the restore data from backup step includes another downloader stage that's missed from AV?

    Sometimes I'm very grateful for being unemployed. First when I wake up at 7:10am and remember I can have another 4h in bed if I want, and second when I remember what hell I'd be going through right now if I was still at anywhere I worked in the last 8 years.

    1. Ken Moorhouse Silver badge

      Re: I can have another 4h in bed if I want

      So long as you haven't got SolarWinds' Wake On LAN utility on your system.

      It may start beeping at you incessantly.

    2. Peter 26

      Re: "full rebuild"

      You've hit the nail on the head. The scale of this hack cannot be understated and it's going to be practically impossible to confirm you've eliminated all the backdoors into your network they have planted.

      From now on you will just have to assume they have access and be constantly trying to find it. Probably not a bad approach to security anyway and a lot like our COVID safety protocols, just assume you have the virus and take precautions.

      1. Mike 125

        Re: "full rebuild"

        >The scale of this hack cannot be understated

        The scale of this hack can only be understated.

        FTFY.

        But yea, agree with all the shock and awe.

        1. John Brown (no body) Silver badge

          Re: "full rebuild"

          Agreed, but I think he meant to say "Cannot be overstated", which is the same meaning as your correction, just more correct IMHO :-)

          1. teknopaul Silver badge

            Re: "full rebuild"

            Is the article not implying that the product that uses SAML needs a rebuild? I did not read that as everything you have needs a rebuild.

    3. Danny 2 Silver badge

      Re: "full rebuild"

      "grateful for being unemployed. First when I wake up at 7:10am and remember I can have another 4h in bed"

      Ah, I remember that, the early weeks when rest was a boon! Later you get used to just getting up when you wake up. First I lived alone on an isolated peninsula on the Western Isles, and I'd wake up early to hear the Radio Scotland traffic forecast for the M8 just to remind myself how bad my life there had been - also to hear a human voice.

      I guess that's partly why I read here, one-downmanship. IT staff today are paid less than I was, and yet they have to deal with so much more stressful crap than I did. In my day if there had been a hack then I knew it had either been someone I knew messing with me, or me when I was drunk.

    4. Anonymous Coward

      Re: "full rebuild"

      The question for the avg bod on the street is: now that Azure is compromised and “no trace found of customers being hit”, do we trust our stuff in Azure? Perhaps not... to be sure you need to rebuild everything, don’t think that’s going to happen

      1. Anonymous Coward

        Re: "full rebuild"

        Exactly. So when your regulator comes knocking and says why is your stuff compromised and you say it's not us, gov, it’s Azure. I can see how that’s going to go down. Hint, not well.

        1. YetAnotherLocksmith

          Re: "full rebuild"

          If they've compromised your compiler, then you'll be adding new backdoors to your clean code every time you do anything, so start with cleansing that.

    5. StargateSg7

      Re: "full rebuild"

      Just in case anyone is wondering about ONE of the reasons why FireEye codenamed the trojan SUNBURST. This is due to internal malware clues relating to the NATO codename SUNBURN which is the reference to a Moskit Hypersonic Aircraft Carrier Killer Missile System. Don't know WHY the original programmer put a reference to a Moskit missile system in his/her code BUT it's there!

      Ergo, this was DEFINITELY a Russian GRU special operations directorate job!

      Time to hit them BACK HARD! Kinda gonna need the help of the Israelis on this because of their SUPREME expertise in low-level microcode malware!

      Time to hit the PIC chips embedded into all the Russian aircraft altimeter and ordnance proximity systems with some randomized loop-around code so the avionics and terrain following software goes all crazy!!!

      Can YOU DO IT BABEEEEEEEEEE ????? !!!!!!

      V

      1. Kabukiwookie

        Re: "full rebuild"

        Yes, must be Russian if there's a NATO designation for a Russian weapons system in the code.

        That's why Dutch hackers always put 'Edam' in their code so you know it's the Dutch, and the French always sign their code with 'Surrender Monkeys', so you know it must be the French.

      2. Anonymous Coward

        Re: "full rebuild"

        In some of the sources, pulling a rather more lyric string, an opportunity is described to drive any AC onboard decision-making "system" (-: crazy without implementing any radio emission or other interference but visual.

  2. aregross

    Stupefying

    Wow...... just, Wow

  3. amanfromMars 1 Silver badge

    MRDA/YMMV/SNAFUBAR/Don't Panic ... All Systems are Normal and under our Command and Control ....

    ..... but if ever there was a convenient prime time opportunity for distressed status quo players to initiate a Global Reset Utility, it is now whilst y'all are still able to assist and contribute generously to the task.

    "Our investigations, which are ongoing, have found absolutely no indicators that our systems [commandeerable Microsoft's platforms] were used to attack others." ..... Frank Shaw, Microsoft's comms veep

    That's practically in the same vein as the Federal Reserve saying .... "Our investigations, which are ongoing, have found absolutely no indicators that our massively pumped and dumped paper dollars are used and responsible for the facilitation of money laundering, sex and people trafficking and the wholesale weaponisation of ragged and rogue and retarded states forces and volatile non-state paramilitarised unstable sources. There be no evidence at all. It is a figment of your imagination" ....... which would also be similarly ridiculous and overwhelmingly unassuring/underwhelmingly assuring.

    But I suppose whenever exclusive elite executive administration jobs and livelihoods and lifestyles depends on such fictions being pimped and pumped and dumped, one is programmed to say practically everything leaderships want and you think it also necessary to share in order to survive and prosper relatively unscathed and virtually intact and immune to both any general or specific fallout from a catastrophic systems fail and colossal core source code containment breach ...... akin to an Unprecedented COSMIC Explosion.

    Please feel free to deny yourself those facts and wallow ignorantly in the cold comfort of a delusionally secure environment. But be prepared for, after such major breaches which you can be sure in the future are to be many and varied, sudden violent unexpected aftershocks that trillions can't fix ...... for such is inevitable and just normal whenever trapped by and imprisoned in a petrified status quo state of stagnating inertia.

    1. Jonathon Green

      Re: MRDA/YMMV/SNAFUBAR/Don't Panic ... All Systems are Normal and under our Command and Control ....

      Oh God, he’s making sense again. And it’s never good when that happens...

      1. Anonymous Coward

        Re://Don't Panic... ...All Systems under our... ...and... ...and

        31st upvoted

  4. Anonymous Coward

    All your base

    1. Kane Silver badge
  5. Schultz

    Good to know ...

    that the management types are already on the issue and "make it more difficult to for the actor to leverage the" whatchamacallit thingy. That'll show 'em not to mess with our tubes. Next we need some politicians to chime in. The world wants to know how we can protect our children from APT29 (and Huawei!) and, also, that you shouldn't worry because you have nothing to hide.

    1. amanfromMars 1 Silver badge

      Re: Good to know ...

      Next we need some politicians to chime in. The world wants to know how we can protect our children from APT29 (and Huawei!) and, also, that you shouldn't worry because you have nothing to hide. ...... Schultz

      Crikey ‽ Doesn't everyone yet know if you have nothing to hide, there is nothing for others to worry about ........ although of course, if one knows a lot more than just a chosen few and a great many is there plenty for them all to be truthfully fearful of and absolutely terrified by?

      What's wrong with y'all? What's the excuse? Mentally retarded or simply undereducated, systemically fundamentally ignorant or perpetually persistently lazy? Worlds want to know ..... as do, no doubt, some politicians so they can join in with some populist chimes.

  6. cantankerous swineherd Silver badge

    Fun hearing govt orgs complaining about backdoors.

  7. tfewster Silver badge

    Is Marcus Hutchins getting credit for his technique of taking over a C&C server?

  8. gr00001000

    Worst case scenario

    I used to ponder what's the worst multi-nation cyber attack that could happen, within the remits of commercial infosec? A supply chain attack against a major U.S. systems supplier. In the mould of the NotPetya M.E.Doc update alteration (was that a practice run)?

    Well, it's happened and they try to keep a lid on this. So since March/April high profile companies with large CERT teams have nevertheless been compromised, and who knows how many have had this threat actor floating in their network yet not caught until December. Plenty of time to implant further beacons. Microsoft, Lockheed, the nuclear weapons agency, U.S. Treasury, FireEye, where does the list end...

    1. amanfromMars 1 Silver badge

      Re: A Much Worser Worst case scenario with RATs sinking Ships

      So since March/April high profile companies with large CERT teams nevertheless have been compromised and who knows how many have had this threat actor floating in their network yet not caught until December. ...... gr00001000

      And not so much caught as just recognised as having been there busily exfiltrating nuclear information and explosive crown jewels, with exactly to whom and/or what with an interest to do something/anything untoward and/or unexpected with the intel for whom and/or what, always being so wonderfully unclear and securely private ......... and there is absolutely no guarantee that other threat actors in the team are not still in there, beavering away quietly and busily.

      Systems may like to think and realise they have only encountered and captured a Remote Access Trojan.

    2. This post has been deleted by its author

      1. amanfromMars 1 Silver badge

        Re: Best Case Scenarios

        And there is also Mutually Assured Depletion .... Immaculate Exhaustion, another available Option/Derivative/Future for Further ProgramMING.

        Perfect for Exhausted Assets within Virtually Powerless Systems of MetaPhysical Administration and Operation ........ AIModus Operandi et Vivendi.

        1. amanfromMars 1 Silver badge

          Re: Best Case Scenarios Misdirecting Error

          Profuse apologies for the pretty obvious misinstruction in that other available Option/Derivative/Future for Further ProgramMING report retorting on evident observations. Please be assured it was not intentional. Twas just an unfortunate slip, and there's many a slip 'twixt the cup and the lip, which I'm sure y'all can agree to be perfectly humanly true.

          The final few words should of course read ........ Perfect for Exhausting Assets within Virtually Powerless Systems of MetaPhysical Administration and Operation ........ AIModus Operandi et Vivendi. ...... which is a wholly different world of pain and gain to both drain and retrain for and/or with mass reallocation of powerful means and memes of energy servering from and to Yet Another Core Source with Almighty ACTive Advancing Intelligence. Fortunately, there's not much at all you can do about any of that as it and IT and Mass Multi Media Modals and Modules take you on one helluva helter skelter ride full of new exciting lessons and frightening enlivening experiences to learn and teach with quickly before you slip away forever to who knows where.

          And please, before anyone passes any sort of opinion on the above, just ask yourself two simple questions ....... Is it sane/insane to expect the future to be a completely different reality from/in the past which in its heydays, was as the present is nowadays, here and now?

          The posit here is that it is perfectly normal and the sooner it is embraced the greater the exponential reward derived and given to one ..... which is one helluva heavenly driver which more than just a few would tell you has no Universal Peer and no Viable COSMIC Competition or Opposition.

  9. StrangerHereMyself Bronze badge

    Incredulous statements

    "he said no evidence could be found that production systems and customer data was accessed"

    I find these statements not to be meaningful since an advanced actor will have ways to hide their tracks and infiltration. There's a good chance they'll have fileless malware installed somewhere and smuggling data out of the front door through sub channels hidden in Microsoft web pages.

    1. not.known@this.address Silver badge

      Re: Incredulous statements

      Indeed. Lack of evidence is not evidence of lack. Someone needs to go back to school.

      1. Claptrap314 Silver badge

        Re: Incredulous statements

        Which school exactly? This is a PR statement, its purpose is to calm the masses. The fact that the techies know that this is as bad as a Gary North Y2K worst case scenario doesn't mean that the PR guy's job description has changed.

  10. tip pc Silver badge

    I used to enjoy SolarWinds Orion when it was a single app on a single server

    I looked after Orion at one place I worked, upgraded it a bunch of times and then the next version needed SQL servers in addition to its app. Virtual SQL servers were a no-no, so new servers, new Windows Server licences and new SQL licences. I remember having to dig into the DB with SQL commands to get some things and reports to work properly.

    A few jobs later we used PRTG, far far better and a reminder of what Orion used to be like. Runs on old hardware, no separate DBs, easy deployment of probes. No separate fees for NetFlow. Far far cheaper.

    1. Lomax

      Re: I used to enjoy SolarWinds Orion when it was a single app on a single server

      PRTG +1

  11. Anonymous Coward

    this is just a who me column article misfiled

    1. Munchausen's proxy

      "this is just a who me column article misfiled"

      I don't know how I should react to this intrusion until I find out if the BOFH is looking worried, or smug.

  12. macjules Silver badge

    That's nothing

    Our own Oxford/AZ vaccine is being repeatedly attacked by various Putin organs. Frustrated by their latest failures they have now embarked on a series of 1980's type mistruths. My favourite is that the Oxford/AZ vaccine can turn you into a monkey.

    1. Brewster's Angle Grinder Silver badge

      Re: That's nothing

      What if I'm already a monkey? What does it do to me then?

      1. Danny 2 Silver badge

        Re: That's nothing

        Take your stinking paws off me, you damn dirty ape!

        Quoting a line from a movie that spawned a multimillion dollar franchise isn't really what we define as pretentious. Pretentious would be you quoting the French novel that Planet of the Apes was based on.

        Mon chéri, c'est impossible. C'est dommage, mais je ne peux pas, je ne peux pas. Tu es vraiment trop affreux

      2. DS999 Silver badge

        Re: That's nothing

        What if I'm already a monkey? What does it do to me then?

        You go even lower on the evolutionary ladder, and become a Trump.

    2. Boris the Cockroach Silver badge

      Re: That's nothing

      I don't want the vaccine if it's been produced using eggs.

      Because I don't want chicken DNA ending up inside me and mutating me into a chicken. (Being a cockroach is bad enough.)

      However, there would be a silver lining to being a chicken: I could have my head cut off and be a senior member of the government.

      1. Anonymous Coward

        Re: That's nothing

        Even better if they used ostrich DNA, you could stick your head in the sand and get a job in the Dept for Health.

  13. harmjschoonhoven

    Orion

    SolarWinds' Orion only runs on Windows Server according to their own website ....

    Where is TUX when you need him?

    1. John Robson Silver badge

      Re: Orion

      Meh - compromised third party software is compromised third party software. There is nothing here which is specifically MS, except that that happens to be what was infiltrated as a result.

      There are lessons for all monitoring companies to learn, and SW in particular will need to verify any of their other agents etc that might have been affected.

      If other monitoring companies aren't taking the same response as SW then they'll end up in a stronger position as a result.

  14. steviebuk Silver badge

    Ironic

    Considering Trump, although an idiot, was worried about Chinese kit being security holes. Turns out, no, it's a bit of software from the cowboy state of Texas that is :)

    1. iron Silver badge

      Re: Ironic

      Insert that "always has been" meme here.

  15. Anonymous Coward

    Russia is a potent enemy...

    ... but, we should be able to protect ourselves better than this from a geopolitical rival with a) the GDP of Italy and b) from whom we don't buy hardware.

    The USA (and probably many other western countries) are suffering because too many budget decisions are made by people who are only focussed on 'shareholder value'

    Technical expertise is simply too expensive for these people. That is one of the driving forces for technologies for monitoring and managing (and, it turns out, penetrating) vast swathes of IT --- usually with a small set of tools and often a ridiculously small set of physically separate installations. Such technology should have freed up the IT bods to make them more effective at out-of-band tasks, including improving threat detection, but the managers always see it as a way to reduce the number of humans who are required for day-to-day operation, and have always regarded IT activities beyond Business As Usual with suspicion.

    Having worked in insurance IT, I've often wondered if IT beancounters should be actuaries, not accountants - at least the former have some idea of how to price risk - the latter just seem to be focussed on the bottom line. Also, many of the actuaries I have met actually like technology :-D

    1. amanfromMars 1 Silver badge

      Re: Russia is a potent enemy...

      Such technology should have freed up the IT bods to make them more effective at out-of-band tasks, ... ...... Anonymous Coward

      Errr ? Hello ‽ ....... Message to AC ....... Does that which is being commented on here not APTly demonstrate that at least some are already freed up IT bods making most effective use of almighty skills in out-of-band tasks ?

      That would make potent enemy Russia much better as a best friend showing really great potential if Russians mothers are responsible and liable/fully accountable. Have they denied having any part in the recent shenanigans and current stealthy show of Combinations of AWEsome Strength and Virtual Cunning.

      1. Anonymous Coward

        Re: Russia is [America]

        were their best friend of US (if you are into only emotions or book keeping, wr0ng is it, but it can and must be corrected to spontaneous mutual delivery of wealth and strength) -

        since civil war with support of her fleet, since "giving off for rent" a piece of its domestic land full of gold (and please don't think Russian sci academy wasn't aware of its precious potential), opening 2nd front and bravely convoying lend-lease vessels, ughh... much to continue, but - those like Samantha Smith, you can't make them change their mind

        esp in the wake of this cosmic goo ball approaching our Home soon from the void

        it's time, or IT's Time, choose. no way is another

        https://youtube.com/watch?v=8yn3ViE6mhY

        precious

    2. This post has been deleted by its author

    3. DS999 Silver badge

      Their GDP is irrelevant

      Hacking is asymmetric warfare, it requires orders of magnitude more resources to protect against threats than it does to develop them. It is also self-funding, you can use "last year's" exploits that are no longer good enough to break into top tier targets in combination with ransomware on run of the mill corporate/state/local targets to fully fund your operation.

Biting the hand that feeds IT © 1998–2021