back to article US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also gets backdoored

America's nuclear weapons agency was hacked by the suspected Russian spies who backdoored SolarWinds' IT monitoring software and compromised several US government bodies, and Microsoft was caught up in the same cyber-storm, too, it was reported Thursday. The Windows giant uses SolarWinds' network management suite Orion, …

  1. Tom Paine

    "full rebuild"

    Perhaps they had enough canned lateral movement tools that, although they only had bandwidth to properly turn over (say) a dozen of the 18,000 and exfiltrate crown jewels, they were able to implant stealthy persistence agents elsewhere in those victims' networks. So, does "total rebuild" refer to every server in every customer org? Or "all the things"? (How about switches and routers? How about printers? How about bootkits -- shouldn't they chuck all hardware into skips the day after cutting over to the perfect replica of the entire network to known-good replacements?

    And even that won't give assurance; supposing the restore data from backup step includes another downloader stage that's missed from AV?

    Sometimes I'm very grateful for being unemployed. First when I wake up at 7:10am and remember I can have another 4h in bed if I want, and second when I remember what hell I'd be going thru rn of I was still at anywhere I worked on the last 8 years.

    1. Ken Moorhouse Silver badge

      Re: I can have another 4h in bed if I want

      So long as you haven't got SolarWind's Wake On LAN utility on your system.

      It may start beeping at you incessantly.

    2. Peter 26

      Re: "full rebuild"

      You've hit the nail on the head. The scale of this hack cannot be understated and it's going to be practically impossible to confirm you've eliminated all the backdoors into your network they have planted.

      From now on you will just have to assume they have access and be constantly trying to find it. Probably not a bad approach to security anyway and a lot like our COVID safety protocols, just assume you have the virus and take precautions.

      1. Mike 125

        Re: "full rebuild"

        >The scale of this hack cannot be understated

        The scale of this hack can only be understated.

        FTFY.

        But yea, agree with all the shock and awe.

        1. John Brown (no body) Silver badge
          Thumb Up

          Re: "full rebuild"

          Agreed, but I think he meant to say "Cannot be overstated", which is the same meaning as your correction, just more correct IMHO :-)

          1. teknopaul

            Re: "full rebuild"

            Is the article not implying that the product that uses saml needs a rebuild? I did not read that as everything you have needs a rebuild.

    3. Danny 2

      Re: "full rebuild"

      "grateful for being unemployed. First when I wake up at 7:10am and remember I can have another 4h in bed"

      Ah, I remember that, the early weeks when rest was a boon! Later you get used to just getting up when you wake up. First I lived alone on an isolated peninsula on the Western Isles, and I'd wake up early to hear the Radio Scotland traffic forecast for the M8 just to remind myself how bad my life there had been - also to hear a human voice.

      I guess that's partly why I read here, one downmanship. IT staff today are paid less than I was, and yet they have to deal with so much more stressful crap than I did. In my day if there had been a hack then I knew it had either been someone I knew messing with me, or me when I was drunk.

    4. Anonymous Coward
      Anonymous Coward

      Re: "full rebuild"

      The question is for the avg bod on the street is that now Azure is compromised and “no trace found of customers being hit” do we trust our stuff in Azure. Perhaps not... to be sure you need to rebuild everything, don’t think that’s going to happen

      1. Anonymous Coward
        Anonymous Coward

        Re: "full rebuild"

        Exacly. So when your regulator comes knocking and says why is your stuff compromised and you say it not us gov, it’s azure. I can see how that’s going to go down. Hint, not well.

        1. YetAnotherLocksmith Silver badge

          Re: "full rebuild"

          If they've compromised your compiler, then you'll be adding new backdoors to your clean code every time you do anything, so start with cleansing that.

    5. StargateSg7

      Re: "full rebuild"

      Just in case anyone is wondering about ONE of the reasons why FyreEye codenamed the trojan as SUNBURST. This is due to internal malware clues relating to the NATO codename SUNBURN which is the reference to a Moskvet Hypersonic Aircraft Carrier Killer Missile System. Don't know WHY the original programmer put a reference to a Moskvet missile system in his/her code BUT it's there!

      Ergo, this was DEFINITELY a Russian GRU special operations directorate job!

      Time to hit them BACK HARD! Kinda gonna need the help of the Israelis on this because of there SUPREME expertise in low-level microcode malware!

      Time to hit the PIC chips embedded into all the Russian aircraft altimeter and ordnance proximity systems with some randomized loop-around code so the avionics and terrain following software goes all crazy!!!

      Can YOU DO IT BABEEEEEEEEEE ????? !!!!!!

      V

      1. Kabukiwookie
        Paris Hilton

        Re: "full rebuild"

        Yes, must be russian if there's a NATO desgnation for a russian weqpons system is in the code.

        That's why Dutch hackers always put 'Edam' in their code so you know it's the dutch and the French always sign their code with 'Surrender Monkeys', so you know it must be the French.

      2. Anonymous Coward
        Anonymous Coward

        Re: "full rebuild"

        in some of the sources, pulling a rather more lyric string, is described an opportunity to drive any AC onboard decision-making "system" (-: crazy without implementing any radio emission or other interference but visual

        55 73

  2. aregross
    Mushroom

    Stupefying

    Wow...... just, Wow

  3. amanfromMars 1 Silver badge

    MRDA/YMMV/SNAFUBAR/Don't Panic ... All Systems are Normal and under our Command and Control ....

    ..... but if ever there was a convenient prime time opportunity for distressed status quo players to initiate a Global Reset Utility, it is now whilst y'all are still able to assist and contribute generously to the task.

    "Our investigations, which are ongoing, have found absolutely no indicators that our systems [commandeerable Microsoft's platforms] were used to attack others." ..... Frank Shaw, Microsoft's comms veep

    That's practically in the same vein as the Federal Reserve saying .... "Our investigations, which are ongoing, have found absolutely no indicators that our massively pumped and dumped paper dollars are used and responsible for the facilitation of money laundering, sex and people trafficking and the wholesale weaponisation of ragged and rogue and retarded states forces and volatile non-state paramilitarised unstable sources. There be no evidence at all. It is a figment of your imagination" ....... which would also be similarly ridiculous and overwhelmingly unassuring/underwhelmingly assuring.

    But I suppose whenever exclusive elite executive administration jobs and livelihoods and lifestyles depends on such fictions being pimped and pumped and dumped, one is programmed to say practically everything leaderships want and you think it also necessary to share in order to survive and prosper relatively unscathed and virtually intact and immune to both any general or specific fallout from a catastrophic systems fail and colossal core source code containment breach ...... akin to an Unprecedented COSMIC Explosion.

    Please feel free to deny yourself those facts and wallow ignorantly in the cold comfort of a delusionally secure environment. But be prepared for, after such major breaches which you can be sure in the future are to be many and varied, sudden violent unexpected aftershocks that trillions can't fix ...... for such is inevitable and just normal whenever trapped by and imprisoned in a petrified status quo state of stagnating inertia.

    1. Jonathon Green

      Re: MRDA/YMMV/SNAFUBAR/Don't Panic ... All Systems are Normal and under our Command and Control ....

      Oh God, he’s making sense again. And it’s never good when that happens...

      1. Anonymous Coward
        Anonymous Coward

        Re://Don't Panic... ...All Systems under our... ...and... ...and

        31st upvoted

  4. Anonymous Coward
    Anonymous Coward

    All your base

    1. Kane
  5. Schultz
    Facepalm

    Good to know ...

    that the management types are already on the issue and "make it more difficult to for the actor to leverage the" watchamacallit thingy. That'll show 'em not to mess with our tubes. Next we need some politicians to chime in. The world wants to know how we can protect our children from APT29 (and Huawei!) and, also, that you shouldn't worry because you have nothing to hide.

    1. amanfromMars 1 Silver badge

      Re: Good to know ...

      Next we need some politicians to chime in. The world wants to know how we can protect our children from APT29 (and Huawei!) and, also, that you shouldn't worry because you have nothing to hide. ...... Schultz

      Crikey ‽ Doesn't everyone yet know if you have nothing to hide, there is nothing for others to worry about ........ although of course, if one knows a lot more than just a chosen few and a great many is there plenty for them all to be truthfully fearful of and absolutely terrified by?

      What's wrong with y'all? What's the excuse? Mentally retarded or simply undereducated, systemically fundamentally ignorant or perpetually persistently lazy? Worlds want to know ..... as do, no doubt, some politicians so they can join in with some populist chimes.

  6. cantankerous swineherd
    Trollface

    fun hearing govt orgs complaining about backdoors.

  7. tfewster

    Is Marcus Hutchins getting credit for his technique of taking over a C&C server?

  8. gr00001000

    Worst case scenario

    I used to ponder whats the worst multi-nation cyber attack that could happen, within the remits of commercial infosec? A supply chain attack against a major U.S. systems supplier. In the mould of Not Petya M.E. Doc update alteration(was that a practice run)?

    Well its happened and they try to keep a lid on this. So since March/April high profile companies with large CERT teams nevertheless have been compromised and who knows how many have had this threat actor floating in their network yet not caught until December. Plenty of time to implant further beacons. Microsoft, Lockeed, Nuclear weapons agency, U.S. Treasury, FireEye, where does the list end..

    1. amanfromMars 1 Silver badge

      Re: A Much Worser Worst case scenario with RATs sinking Ships

      So since March/April high profile companies with large CERT teams nevertheless have been compromised and who knows how many have had this threat actor floating in their network yet not caught until December. ...... gr00001000

      And not so much caught as just recognised as having been there busily exfiltrating nuclear information and explosive crown jewels, with exactly to whom and/or what with an interest to do something/anything untoward and/or unexpected with the intel for whom and/or what, always being so wonderfully unclear and securely private ......... and there is absolutely no guarantee that other threat actors in the team are not still in there, beavering away quietly and busily.

      Systems may like to think and realise they have only encountered and captured a Remote Access Trojan.

    2. This post has been deleted by its author

      1. amanfromMars 1 Silver badge

        Re: Best Case Scenarios

        And there is also Mutually Assured Depletion .... Immaculate Exhaustion, another available Option/Derivative/Future for Further ProgramMING.

        Perfect for Exhausted Assets within Virtually Powerless Systems of MetaPhysical Administration and Operation ........ AIModus Operandi et Vivendi.

        1. amanfromMars 1 Silver badge

          Re: Best Case Scenarios Misdirecting Error

          Profuse apologies for the pretty obvious misinstruction in that other available Option/Derivative/Future for Further ProgramMING report retorting on evident observations. Please be assured it was not intentional. Twas just an unfortunate slip, and there's many a slip 'twixt the cup and the lip, which I'm sure y'all can agree to be perfectly humanly true.

          The final few words should of course read ........ Perfect for Exhausting Assets within Virtually Powerless Systems of MetaPhysical Administration and Operation ........ AIModus Operandi et Vivendi. ...... which is a wholly different world of pain and gain to both drain and retrain for and/or with mass reallocation of powerful means and memes of energy servering from and to Yet Another Core Source with Almighty ACTive Advancing Intelligence. Fortunately, there's not much at all you can do about any of that as it and IT and Mass Multi Media Modals and Modules take you on one helluva helter skelter ride full of new exciting lessons and frightening enlivening experiences to learn and teach with quickly before you slip away forever to who knows where.

          And please, before anyone passes any sort of opinion on the above, just ask yourself two simple questions ....... Is it sane/insane to expect the future to be a completely different reality from/in the past which in its heydays, was as the present is nowadays, here and now?

          The posit here is that it is perfectly normal and the sooner it is embraced the greater the exponential reward derived and given to one ..... which is one helluva heavenly driver which more than just a few would tell you has no Universal Peer and no Viable COSMIC Competition or Opposition.

  9. StrangerHereMyself Silver badge

    Incredulous statements

    "he said no evidence could be found that production systems and customer data was accessed"

    I find these statements not to be meaningful since an advanced actor will have ways to hide their tracks and infiltration. There's a good chance they'll have fileless malware installed somewhere and smuggling data out of the front door through sub channels hidden in Microsoft web pages.

    1. not.known@this.address

      Re: Incredulous statements

      Indeed. Lack of evidence is not evidence of lack. Someone needs to go back to school.

      1. Claptrap314 Silver badge

        Re: Incredulous statements

        Which school exactly? This is a PR statement, it's purpose is to calm the masses. The fact that the techies know that this is as bad as a Gary North Y2K worst case scenario doesn't mean that the PR guy's job description has changed.

  10. tip pc Silver badge

    i used to enjoy solarwinds Orion when it was a single app ona single server

    i looked after orion at 1 place i worked, upgraded it a bunch of times and then the next version needed sql servers in addition to its app. Virtual SQL's where a no no so new servers, new windows server licences and new sql licenses. i remember having to dig into the DB with SQL commands to get somethings and reports to work properly.

    A few jobs later we used PRTG, far far better and a reminder of what orion used to be like. Run on old hardware, no separate DB's easy deployment of probes. No separate fees for Netflow. Far far cheaper

    1. Lomax

      Re: i used to enjoy solarwinds Orion when it was a single app ona single server

      PRTG +1

  11. Anonymous Coward
    Anonymous Coward

    this is just a who me column article misfiled

    1. Munchausen's proxy
      Pint

      "this is just a who me column article misfiled"

      I don't know how I should react to this intrusion until I find out if the BOFH is looking worried, or smug.

  12. macjules

    That's nothing

    Our own Oxford/AZ vaccine is being repeatedly attacked by various Putin organs. Frustrated by their latest failures they have now embarked on a series of 1980's type mistruths. My favourite is that the Oxford/AZ vaccine can turn you into a monkey.

    1. Brewster's Angle Grinder Silver badge

      Re: That's nothing

      What if I'm already a monkey? What does it do to me then?

      1. Danny 2

        Re: That's nothing

        Take your stinking paws off me, you damn dirty ape!

        Quoting a line from a movie that spawned a multimillion dollar franchise isn't really what we define as pretentious. Pretentious would be you quoting the French novel that Planet of the Apes was based on.

        Mon chéri, c'est impossible. C'est dommage, mais je ne peux pas, je ne peux pas. Tu es vraiment trop affreux

      2. DS999 Silver badge

        Re: That's nothing

        What if I'm already a monkey? What does it do to me then?

        You go even lower on the evolutionary ladder, and become a Trump.

    2. Boris the Cockroach Silver badge

      Re: That's nothing

      I dont want the vaccine if its been produced using eggs

      Because I dont want chicken DNA ending up in side me and mutating me into a chicken.(being a cockroach is bad enough)

      However there would be a silver lining to being a chicken, I could have my head cut off and be a senior member of the government

      1. Anonymous Coward
        Anonymous Coward

        Re: That's nothing

        Even better if they used ostrich DNA, you could stick your head in the sand and get a job in the Dept for Health.

  13. harmjschoonhoven
    Facepalm

    Orion

    SolarWind's Orion only runs on Windows server according to their own website ....

    Where is TUX when you need him?

    1. John Robson Silver badge

      Re: Orion

      Meh - compromised third party software is compromised third party software. There is nothing here which is specifically MS, except that that happens to be what was infiltrated as a result.

      There are lessons for all monitoring companies to learn, and SW in particular will need to verify any of their other agents etc that might have been affected.

      If other monitoring companies aren't taking the same response as SW then they'll end up in a stronger position as a result.

  14. steviebuk Silver badge

    Ironic

    Considering Trump, although an idiot, was worried about Chinese kit being security holes. Turns out, no, its a bit of software from the cowboy state of Texas that is :)

    1. iron

      Re: Ironic

      Insert that "always has been" meme here.

  15. Anonymous Coward
    Anonymous Coward

    Russia is a potent enemy...

    ... but, we should be able to protect ourselves better than this from a geopolitical rival with a) the GDP of Italy and b) from whom we don't buy hardware.

    The USA (and probably many other western countries) are suffering because too many budget decisions are made by people who are only focussed on 'shareholder value'

    Technical expertise is simply too expensive for these people. That is one of the driving forces for technologies for monitoring and managing (and, it turns out, penetrating) vast swathes of IT --- usually with a small set of tools and often a ridiculously small set of physically separate installations. Such technology should have freed up the IT bods to make them more effective at out-of-band tasks, including improving threat detection, but the managers always see it as a way to reduce the number of humans who are required for day-to-day operation, and have always regarded IT activities beyond Business As Usual with suspicion.

    Having worked in insurance IT, I've often wondered if IT beancounters should be actuaries, not accountants - at least the former have some idea of how to price risk - the latter just seem to be focussed on the bottom line. Also, many of the actuaries I have met actually like technology :-D

    1. amanfromMars 1 Silver badge

      Re: Russia is a potent enemy...

      Such technology should have freed up the IT bods to make them more effective at out-of-band tasks, ... ...... Anonymous Coward

      Errr ? Hello ‽ ....... Message to AC ....... Does that which is being commented on here not APTly demonstrate that at least some are already freed up IT bods making most effective use of almighty skills in out-of-band tasks ?

      That would make potent enemy Russia much better as a best friend showing really great potential if Russians mothers are responsible and liable/fully accountable. Have they denied having any part in the recent shenanigans and current stealthy show of Combinations of AWEsome Strength and Virtual Cunning.

      1. Anonymous Coward
        Anonymous Coward

        Re: Russia is [America]

        were there best friend of US (if you are into only emotions or book keeping, wr0ng is it, but it can and must be corrected to spontaneous mutual delivery of wealth and strength) -

        since civil war with support of her fleet, since "giving off for rent" a piece of its domestic land full of gold (and please don't think Russian sci academy wasn't aware of its precious potential), opening 2nd front and bravely convoying lend-lease vessels, ughh... much to continue, but - those like Samantha Smith, you can't make them change their mind

        esp in the wake of this cosmic goo ball approaching our Home soon from the void

        it's time, or IT's Time, choose. no way is another

        https://youtube.com/watch?v=8yn3ViE6mhY

        precious

    2. This post has been deleted by its author

    3. DS999 Silver badge

      Their GDP is irrelevant

      Hacking is asymmetric warfare, it requires orders of magnitudes more resources to protect against threats than it does to develop them. It is also self-funding, you can use "last year's" exploits that are no longer good enough to break into top tier targets in combination with ransomware on run of the mill corporate/state/local targets to fully fund your operation.

    4. YetAnotherLocksmith Silver badge

      Re: Russia is a potent enemy...

      Russia hasn't been looked at as a threat by the UK or USA since they took control of the very top of their governments and got them to either look the other way or ignore what was going on for profit. The lower echelons can tell all they want about evidence, but trump and Boris are both Russian assets, and so until that changes, there won't be a focus on stopping them effectively.

      1. sleepy

        Re: Russia is a potent enemy...

        As far as I can tell, no evidence has been offered that this is a Russian operation, it simply started as speculation in the pro Democrat media (WaPo?), followed by everyone else in the media acting as though it were a known fact. One might be tempted to think that it is a propaganda fabrication to take the attention off China. Given that nowadays, "facts" on both sides are indistinguishable from propaganda or lies, it would seem prudent to confine oneself to commenting here on technical matters.

        1. Anonymous Coward
          Anonymous Coward

          Re: Russia is a potent enemy...

          Given that "facts on both sides are indistinguishable from propaganda or lies and ... prudent to confine oneself to commenting here on technical matters" your comment here is actually self-defeating. There's plenty of discussion here that is political and even scientific and technical discussions aren't just lists of facts.

          Nobody in their right mind is pro-China, it's basically a rogue superpower, whereas Russia is merely a rogue state. But I'd note that the people who made it that way are western capitalists who wanted to improve the bottom line and outsourced all their manufactuing there. It's not the fault of "the Left" - we've been warning the neolibs about China for decades. They are actually beating you guys at capitalism using big government, the irony is extraordinary.

          Is Mike Pompeo a Russophobic dem, now? It seems that the only significant Repub voice saying it wasn't Russia is Trump. But I'm pretty sure Trump is a nonce and Putin's got the evidence, so I'm not sure Trump downplaying it is a) remotely material or b) anything but expected.

  16. John Miles
    Joke

    Just imagine if they hack the Windows Update Servers

    It would be serving upgrades that Delete User Files or BSOD etc.

  17. Claverhouse
    Happy

    Best Practice

    On 16 December 2020, German IT news portal Heise.de reported that SolarWinds had for some time been encouraging customers to disable anti-malware tools before installing SolarWinds products

    https://en.wikipedia.org/wiki/SolarWinds

    .

    .

    I also see as snappers-up of unconsidered trifles in the manner of modern monoliths, they own the Swedish Pingdom: I remember Pingdom !

    1. Lorribot

      Re: Best Practice

      I see that so often. It is shocking that comapanies still do it. They should be ashamed of themselves. AV is a bit clunky but has tough job to do and is first line of defence, it is lazy to say "to install our software you need to turn off all AV because we do some crazy shit that may trigger some AV software to go a bit bonkers and stop us from installing", FFS get a life and do stuff properly..

      1. Snorlax Silver badge

        Re: Best Practice

        AV is a bit clunky but has tough job to do and is first line of defence...

        Last line of defence, I think you'll find.

  18. Zog_but_not_the_first
    Trollface

    It wouldn't have happened...

    ... if they'd been running Kaspersky AV.

  19. Peter-Waterman1

    Azure Hit as Well.

    According to the original article https://www.reuters.com/article/usa-cyber-breach-exclusive-int-idUSKBN28R3E2 - Azure has been compromised.

    "Microsoft also had its own products leveraged to attack victims, said people familiar with the matter. The U.S. National Security Agency issued a rare “cybersecurity advisory” Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems."

  20. Lomax
    Black Helicopters

    Too big to fail

    If Microsoft's production systems had been compromised, and malicious code had been pushed out via Windows Update, do you think they would admit it, or try to cover it up? If I was directing the activities of the group responsible for this hack, I would consider the Windows/Office codebase to be the ultimate target - get in there and you pwn the world. Damn near 100% of corporate and governmental desktops and laptops run Windows, and Office, and most of them are inside some part of their VPNs - many no doubt in the innermost layer. Servers are watched 24/7 by admins and security personnel, because a failure here is considered costly and dangerous. Individual desktops and laptops are less of a concern; they are routinely re-imaged and should not store any really sensitive data - insert a well crafted trojan here and you may evade detection far longer than on any high-value system. Keep an eye on any recent/upcoming Windows Updates for clues...

    1. amanfromMars 1 Silver badge

      Re: Too big to fail ..... one of the greatest of myths

      That's exactly what Uncle Sam and allies are all worried about, Lomax, for how will they know now if their Windows systems are completely free from foreign compromise and remote virtual oversight/parallel knowledge of proposed operations.

      And as if that is not enough to be having to deal with, here's another runaway train barreling down the tracks and heading for the buffers in central stations ......

      amanfromMars [2012181742] ...... just airing a note of concern and caution on https://www.zerohedge.com/political/former-goldman-cfo-marty-sachs-calls-universal-basic-income

      Well, well, well.  :-) …… Who’d have a aforethunk it ? The system appears to have boxed itself into an exhausted corner. And is planning throwing in the towel and waving a white flag now in order to try with a win win strategy for a rematch should systems again fail to perform more perfectly and fairly.

      Well, that would be a sensible move in order to try and save a whole collection of once almighty heads from rolling detached from shoulders ...... for that's what all present problems are quickly leading everyone and everything to.

      1. Lomax

        Re: Too big to fail ..... one of the greatest of myths

        If you wish to cover all the lands with your plague, without interruption or intrusion from the other planets or worlds, then go into the basement or the shed, and presently perform the sacred ritual; dance for the system that never sees daylight (or another system), so that the purity of the strain may be preserved. Only this holy vial can contain your dreams of domination, only this vial has the power to let the powerful continue to rule in their sunken vessel. When the light turns green, the truth is reborn, and the eating and the eaten emerge to feast.

    2. vtcodger Silver badge

      Re: Too big to fail

      "do you think they would admit it, or try to cover it up?"

      Do *I* think they would admit it or cover it up? Neither. I think that given the complexity of their systems, the lack of external (and probably internal) documentation, and the apparent sorry state of their QA, they probably wouldn't know about a Windows Update compromise until somebody external found out about it, published their results and the Register called Microsoft asking for comments.

      1. Lomax

        Re: Too big to fail

        Pretty sure they will be looking very carefully right now. Not that that means they'll find anything - and not that that means it isn't there. Last time I checked a minimal Windows OS install was in the 40GB region, and we're talking compiled code of course. How many lines of C#, C++, VB, Assembler, what have you, only god Bill knows. Trillions?

        1. Lomax

          Re: Too big to fail

          Open source has never looked this good.

  21. Snowy Silver badge
    Facepalm

    The internet is great.

    If you want something to be secure do not connect it to the internet.

  22. sitta_europea Silver badge
    FAIL

    Curiously enough I've been getting a thousand spam emails a month from Microsoft servers ever since...

  23. sitta_europea Silver badge

    "... when a backdoored version of the network monitoring software is run, it looks up the IP address of the hard-coded domain avsvmcloud[.]com. Depending on the result, the backdoor malware, dubbed SUNBURST by FireEye, will deactivate. So, with Microsoft taking control of that domain name, with DNS giant GoDaddy's help, the tech trio killed off the malware by ensuring the dotcom resolves to an IP address that deactivates the code."

    And it uses DNSSEC and nobody can hack your DNS service anyway, so that's OK then.

  24. Kev99 Silver badge

    Yup. Let's put all of our proprietary, confidential, essential, and otherwise can't exists without information out on the internet. Everyone know how safe and secure a bunch of holes being held together with bits of string is. The government and industry survived for decades using dedicated lines. Blithering idiots.

  25. Anonymous Coward
    Anonymous Coward

    "US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor"

    That's really unlucky. The Russians hack you one day, Microsoft backdoors you the next.

  26. joea

    What am I missing?

    Seems to me, naive perhaps, that outgoing traffic should only be allowed to "known and approved" IP addresses.

    While this might take a while to implement, Agencies could "pull the plug" and revert to "secure messenger" services for the interim.

    If the hack is as severe as claimed, severe measures are required.

    1. amanfromMars 1 Silver badge

      Re: What am I missing?

      Agencies could "pull the plug" and revert to "secure messenger" services for the interim. ..... joea

      Quite so, joea. As sophisticated and complicated as things and everything has become, it is hard to successfully beat the well tried and exhaustively tested route of the quiet knock at the door or the gentle tap on the shoulder and request to help authorities with their enquiries. :-) ..... even though it is clearly more labour intensive and second and third party asset engaging which makes it an option coincidentally anything from a tad more, to a heck of a lot more expensive than would have been usually normal via virtual means. C'est la vie.

    2. GJR

      Re: What am I missing?

      Agreed. I think there has been an overswing to ‘empowering users’ instead of tying them down, time to return to white lists for outbound traffi, and start generally shutting down the porous perimeter. Obviously installing software with root permissions is also a serious issue, but if desktops were reimaged every day/week or reprovisioned virtually, one imagines a lot of this type of stuff could be prevented.

  27. GP

    monitoring of their update downloads for clients

    could this episode of infiltrating rogue updates - made available to clients as legit - have been caught by an internal monitoring of each of the available client update signatures against a known good signature ?

    even if the publishing process of new and corrupt client updates failed, a post hoc process to check the published updates signature against a clean signature would have identified a bad act, and maybe a bad actor, more importantly to remove those published updates.

    if such a checking process WERE in place that would suggest a bad actor within the SW management. if such a process were NOT in place, that would indicate a very serious failure of SW management to control the publishing process of updates for clients.

  28. sitta_europea Silver badge

    "Meanwhile, Politico reported that the US government's Dept of Energy's National Nuclear Security Administration, which oversees the nation's nuke stockpile, was hacked via the Orion backdoor. Suspicious network activity was, we're told, found at the Federal Energy Regulatory Commission, the Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at the nuclear administration, and the Richland Field Office of the DoE."

    And the jerkins use Windows boxes??

    To manage nuclear weapons????

    I used to protect UK plutonium stocks.

    If you'd suggested that we use Windows I'd have had you taken out and shot.

    1. Fruit and Nutcase Silver badge
      Joke

      "Nobody got fired for buying IBMMicrosoft"

  29. Anonymous Coward
    Anonymous Coward

    Free Russian software!

    Vlad, you’re a very naughty boy.

    1. Fruit and Nutcase Silver badge

      Re: Free Russian software!

      He is a nice boy. A very good friend of mine. It (may be) China who is behind this. says Trump.

      Secretary of State: "We can say pretty clearly that it was the Russians that engaged in this activity,"

      Trump: "I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)."

      https://www.bbc.co.uk/news/world-us-canada-55374945

      1. amanfromMars 1 Silver badge

        Re: Free Russian software!

        And don't be putting any good money on it being Great Britain either, Fruit and Nutcase, as payback for the monstrous punitive interest exacted for close enough to a century as makes no difference, for everything floated as viable and in everyone's best interests since before the Lease-Lend Act of 1941, An Act to Promote the Defense of the United States ..... for you'll be sorely troubled and forever nobbled and hobbled to find any evidence of that trail of rough tough justice and sweet sour revenge.

  30. ronkee

    So they'll try turning Azure off and on again.

  31. John Brown (no body) Silver badge
    Mushroom

    America's nuclear weapons agency

    That sounds much more scary than The Department for Energy :-)

  32. prinox
    Stop

    Now suppose that they had compromised Microsoft, and the automatic updates would have been rolled out to one billion computers running W10...

    Isn't it time automatic updates are completely stopped?

    1. A_Melbourne

      I have Windows 7. Old and more trusted. Kaspersky daily reminds me to turn back on Windows Automatic Update but I just hit the "Later" button.

  33. carl0s

    If the US govt have created things like Ghidra, and all their other secret backdoor intel stuff, I wonder why they need Solarwinds? Similar thoughts re Microsoft.

  34. Anonymous Coward
    Anonymous Coward

    Featured By Sound Reasonance

    https://youtu.be/zPGf4liO-KQ

    Unknown

    -

    https://youtu.be/nuPbKbcyios

    Desire

    -

    good if got original lyrics @hand

    smth about da Sun falling da Moon somewhere, or like that

    tippin my hat

  35. Tail Up
    Joke

    Maybe Merely Not a Bug, But an Option

    Pff... Anyone pray tell, which number is that when they want to kick their sysadmins' salary closer to the bucket by ordering a pen-testing op in the Impernet?

    Alright, https://youtu.be/kR2E4Is_6oE Depeche Mode - Nothing

  36. Lorribot

    Does my server have access to the internet?

    Everyone always goes on about exposing servers to the internet, but fail to realise that internet traffic is a two way thing.

    Can your server access the internet? If the answer is yes you will always be vulnerable to attacks like this, even if you allow it out to microsoft to get updates, that is a risk, or download updates from another supplier, its a risk if iti si not locked down to specific IP addresses.

    Many firewalls will block all incoming but allow all out going (MS do this by default) but if something nasty gets on your server or PC then it can just go out and get more nasty stuff at will and nothing will block it. It is teh softest of access points and can easily be triggered by a simple software install like SolarWinds or some accountancy software or even some registry cleaner.

    Don't make it easy for these people by allowing software installed on your servers to be able to freely talk to the world.

  37. A_Melbourne

    Why does Russia get the blame?

    All references to "Russians" are suspect. It could have been the "Chinese" or any number of other people.

    I repeat. There is absolutely no proof that the Russians are behind this.

    For all we know, it might have been another brilliant idea of British Intelligence to damage relations with Russia - like Polonium, the Skripals, Navalny, White Helmets, Syrian Gas and so much else.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like