Wednesday, January 13, 2021

SolarWinds Attack and its implication for U.S. Security: Sabotage or espionage?

By Vaishnavi Krishna Mohan


Global Views 360


SolarWinds office in Texas | Source: Glassdoor

SolarWinds, a publicly listed Texas-based company valued at more than $6 billion, has a high-profile customer list that includes multiple U.S. government agencies. The company develops software that businesses and agencies use to manage and monitor their networks, systems and IT infrastructure. Its customers include more than 425 of the Fortune 500, the top five U.S. accounting firms, all major U.S. telecom providers, the U.S. Treasury, numerous universities and educational institutions, the NSA and the White House.

Attackers inserted malicious code into software updates for Orion, SolarWinds' network-monitoring platform; the trojanized updates were distributed to customers between March and June 2020. On January 5, 2021, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) issued a joint statement saying that "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks". U.S. government users of Orion included the Pentagon, the National Institutes of Health, the FBI, DHS, the Department of Energy and the Department of Veterans Affairs. In August 2020 the Department of Veterans Affairs, which has been heavily involved in COVID-19 relief, renewed its Orion license in a $2.8 million order.

The Orion compromise began as early as March 2020. More than 18,000 customers installed the trojanized software, leaving them exposed to espionage for much of 2020. The malware planted in the updates gave the attackers remote access to an affected organization's network, and because it went undetected for months they had ample opportunity to collect information from their targets, including email and other internal communications. FireEye, the cybersecurity company that first discovered the breach, described the malware's capabilities: it lies dormant for up to two weeks after installation and then hides in plain sight by disguising its traffic as legitimate Orion activity. The infiltration technique is a supply-chain attack: rather than attacking victims directly, the adversary compromises a trusted vendor's software and lets the vendor's own update channel deliver the malware. Russian military hackers used the same approach in 2017, infecting companies doing business in Ukraine through a compromised software update with the disk-wiping malware NotPetya, which remains one of the most damaging cyber-attacks to date.

The trojanized Orion software contained a backdoor that communicated over HTTP with third-party servers under the attackers' control. FireEye tracks this trojanized Orion plug-in as SUNBURST.


FireEye described the SUNBURST backdoor in a blog post published on December 13, 2020. It stated,

“After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
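The behaviour FireEye describes (a dormancy period, then command traffic dressed up as the vendor's own OIP protocol) is what makes payload-based detection hard, but it also points at a check that does not depend on recognising the payload at all: a monitoring server has a small, stable set of legitimate outbound destinations, and a backdoor must eventually talk to one that nobody provisioned. The following is an added example, not code from the article, FireEye or SolarWinds. It builds a per-host egress baseline from constructed HTTP proxy log lines and flags destinations outside an assumed allowlist; the log format, hostnames, allowlist and sample lines are all illustrative assumptions.

```python
"""Egress audit for a network-monitoring server.

Added example, not code from the article, FireEye or SolarWinds. The log
format, hostnames and allowlist are illustrative assumptions, and the sample
log lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime

# Assumed per-host allowlist of legitimate outbound destinations. In practice this
# comes from the vendor's documented update/telemetry endpoints plus local policy.
ALLOWED_EGRESS = {
    "orion-mgmt-01": {"updates.example-vendor.test", "ntp.corp.test", "mail.corp.test"},
}

# Constructed proxy log: "timestamp host method destination path status".
# The host behaves normally for two weeks, then starts talking to a destination
# nobody provisioned, using paths that imitate a vendor telemetry API.
SAMPLE_LOG = """\
2020-03-26T10:00:01Z orion-mgmt-01 GET  updates.example-vendor.test /update/check 200
2020-03-26T10:05:07Z orion-mgmt-01 POST mail.corp.test /relay 200
2020-04-02T09:30:00Z orion-mgmt-01 GET  updates.example-vendor.test /update/check 200
2020-04-10T03:12:44Z orion-mgmt-01 GET  api.telemetry-relay.test /swip/Upload.ashx 200
2020-04-10T03:12:45Z orion-mgmt-01 PUT  api.telemetry-relay.test /swip/Events 200
2020-04-11T03:13:01Z orion-mgmt-01 GET  api.telemetry-relay.test /swip/Upload.ashx 200
"""


def parse_log(text):
    """Parse the constructed proxy log lines into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, host, method, dest, path, status = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "method": method,
            "dest": dest.lower(),
            "path": path,
            "status": int(status),
        })
    return records


def baseline_destinations(records, cutoff):
    """Destinations each host contacted before `cutoff` (a known-good learning window)."""
    baseline = defaultdict(set)
    for r in records:
        if r["ts"] < cutoff:
            baseline[r["host"]].add(r["dest"])
    return baseline


def audit_egress(records, allowlist, baseline=None):
    """Return one alert per (host, destination) pair that is neither allowlisted
    nor in the learned baseline, with first-seen time, request count and paths."""
    alerts = {}
    for r in records:
        permitted = r["dest"] in allowlist.get(r["host"], set())
        if baseline is not None and r["dest"] in baseline.get(r["host"], set()):
            permitted = True
        if permitted:
            continue
        key = (r["host"], r["dest"])
        alert = alerts.setdefault(key, {
            "host": r["host"],
            "dest": r["dest"],
            "first_seen": r["ts"],
            "count": 0,
            "paths": set(),
        })
        # Logs are not guaranteed to arrive in order; keep the earliest sighting.
        if r["ts"] < alert["first_seen"]:
            alert["first_seen"] = r["ts"]
        alert["count"] += 1
        alert["paths"].add(r["path"])
    return sorted(alerts.values(), key=lambda a: a["first_seen"])


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    # Learn from the first week after deployment, then audit everything that follows.
    learned = baseline_destinations(records, datetime(2020, 4, 1))
    for alert in audit_egress(records, allowlist={}, baseline=learned):
        print(f"{alert['host']} -> {alert['dest']}: first seen "
              f"{alert['first_seen']:%Y-%m-%d %H:%M}, {alert['count']} requests, "
              f"paths {sorted(alert['paths'])}")
```

The check keys on where the traffic goes, not on what it looks like, so a beacon that imitates the vendor's protocol still stands out. The caveat is baseline poisoning: if the learning window overlaps the period after a compromised update was installed, the backdoor's destination gets learned as normal, so the baseline must come from a host known to predate the update, and an explicit allowlist drawn from the vendor's documented endpoints is preferable to learning alone.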

FireEye described the attack through the SUNBURST backdoor as “highly evasive”. Meanwhile, SolarWinds is facing a class action lawsuit, filed by a shareholder in the U.S. District Court for the Western District of Texas on January 4, 2021, against the company, its former president and CEO Kevin Thompson and its chief financial officer J. Barton Kalsu, for alleged violations of federal securities law under the Securities Exchange Act of 1934. The complaint states that SolarWinds failed to disclose that "since mid-2020, Orion monitoring products had a vulnerability that allowed hackers to compromise the server upon which the products ran". It also alleges that a SolarWinds update server was protected by the weak and publicly exposed password ‘solarwinds123’.

Microsoft's internal security research team found evidence that the same attackers had viewed some of the company's internal source code. Microsoft said the activity went beyond the mere presence of the malicious SolarWinds code in its environment. Microsoft has an “open source like culture” internally, in which teams across the company can view source code, and says its threat model already assumes that source code may be viewed; on that basis it has downplayed the risk, stating that “just viewing the source code should not cause any elevated risk”.

The SolarWinds campaign reached the U.S. Treasury, the Departments of Commerce and Homeland Security, the Pentagon, the cybersecurity firm FireEye and SolarWinds itself. In a separate intrusion, Russian hackers also breached the network of the city of Austin, Texas, with activity going back to at least mid-October 2020. The Austin breach is an apparent win for the attackers: in principle it could give them access to information about city governance, elections and the city police, and with deeper lateral movement they could reach the city's energy, water and airport networks.

Berserk Bear, the group currently believed to be behind the Austin breach, appears to have used the city's network as a staging ground for larger attacks. Berserk Bear, also tracked as BROMINE among several other names, is believed to have been responsible for a series of breaches of significant U.S. infrastructure organizations over the past year.

The attacks on SolarWinds, the U.S. government and FireEye have instead been linked to another Russian group, APT29, popularly known as Cozy Bear. Berserk Bear is alleged to be a unit of Russia's Federal Security Service (FSB), while Cozy Bear is associated with the Foreign Intelligence Service (SVR). Both the FSB and the SVR are successors of the Soviet-era Committee for State Security, widely known as the KGB.

Austin's city council appears to have been aware of the breach since October 2020. The FBI and CISA had published an initial advisory on October 9, 2020, warning that “advanced persistent threat actors” (APTs) were targeting state and local governments. On October 22 the agencies published a follow-up advisory attributing that activity to Berserk Bear, and CISA published a heat map of the types of organizations the group had breached, scanned or targeted. Berserk Bear's reputation for lurking quietly fits its pattern of espionage-oriented intrusions. Sami Ruohonen, a researcher at the Finnish cybersecurity firm F-Secure, said that such adversaries have typically been inside a network for several months before anyone discovers them, and that APT groups favour this approach because the longer they go unnoticed, the longer they keep remote access to the network. In a 2019 report, F-Secure compared Berserk Bear and similar groups to the cyber equivalent of sleeper cells.

Cybersecurity experts have warned the city of Austin and the U.S. that Berserk Bear is not limited to espionage: the group also has the access and expertise for sabotage, and could move at any time to cause blackouts, disrupt water supplies or interfere with COVID-19 relief. Vikram Thakur, a technical director at Symantec who has tracked Berserk Bear for years, says: “We should be cognizant of the level of information that they have, turning on valves or closing valves, things of that sort — they have the expertise to do it.”

Kevin Thompson, the former CEO of SolarWinds | Source: SolarWinds Facebook

SolarWinds has replaced CEO Kevin Thompson with Sudhakar Ramakrishna. Unlike Thompson, an accountant by training, Ramakrishna comes from a security background, having most recently led Pulse Secure. The new CEO has publicly stated that the company will make five critical changes to put security front and centre. The company has also hired former CISA director Chris Krebs and former Facebook chief security officer Alex Stamos as independent consultants to help coordinate its crisis response. Krebs told the Financial Times that uncovering the full extent of the hack could take years. On the brighter side, the new CEO says the company has engaged several cybersecurity experts to help it become more secure, and with better expertise, vision and understanding of threat and vulnerability management, SolarWinds may now be headed towards a better future.


Read More

January 17, 2021 12:28 PM

Storming of the Capitol Hill and the Anatomy of Trumpism

On January 6, 2021, thousands of Trump supporters marched towards Capitol Hill and stormed the building after outgoing President Donald Trump allegedly incited the crowd during his speech. It is being called one of the worst security breaches in American history.

One of the most often-cited reasons for the insurrection is the idea of “Trumpism.” This article therefore explores what happened at Capitol Hill in light of that idea.

What happened that led to the storming of the US Capitol?

Prior to the storming, the protesters assembled at the Ellipse, south of the White House, for the 'Save America March', where President Trump, his lawyer and advisor Rudy Giuliani, and others gave speeches. There, Giuliani called the election results “crooked” and Trump, speaking from behind a glass barrier, declared that he would “never concede”, criticised the media as “fake” and “biased”, and wrongly claimed that Vice President Mike Pence had the power to overturn the election results. He also told the crowd to “fight like hell”.

Storming at Capitol Hill | Source: Tyler Merbler via Flickr

After the rally, the crowd marched down Pennsylvania Avenue towards Capitol Hill, breached security and occupied parts of the building for several hours, in an effort to disrupt the counting of electoral college votes during a joint session of Congress and prevent the formalisation of President-elect Joe Biden’s victory. They ransacked and vandalised several parts of the building, including the Senate chamber and Speaker Nancy Pelosi’s office. Some allegedly wanted to “hang” Vice President Mike Pence and chanted “Where is Pence?”; the vice president had been whisked to a secure location in the Capitol complex. Other chants included “stop the steal” and “USA, USA”.

The rioters left the Capitol after hours of looting and rioting. Five people died, one of them a police officer. After the rioting was over, Congress resumed its joint session, rejected the objections to the results and certified Biden as the winner. There have been many arrests since then, and police are still searching for more suspects.

Why do Trump’s supporters believe him?

A supporter of Donald Trump | Source: Lorie Shaull via Flickr

They believe in what is now termed ‘Trumpism'. Trumpism is a term for the political ideology, style of governance, political movement and set of mechanisms for acquiring and keeping power associated with the 45th U.S. president, Donald Trump, and his political base. It is a right-wing to far-right strain of American politics with strong nationalist sentiments, and its ideology has been described as illiberal and close to fascism. Trump himself claimed in 2016 that he could shoot someone on Fifth Avenue and his supporters wouldn’t abandon him.

Trump has established an emotional connection with his supporters, who make up roughly 40% of Americans. An article by Timothy Pytell in Psychology Today argues that a narcissistic identification with Trump leads his supporters to follow him. By openly claiming that he can do whatever he wants, shoot anyone and still retain support, or grab women without their consent, he has tapped into the unconscious desires of millions of Americans. His vulgarity, indecency and law-breaking lead his followers into a narcissistic identification, as if they were Trump. Even though Trump may have to leave the White House, he will keep the spotlight, and Trumpism will not fade from politics. This is why the protesters believed the “stop the steal” slogan.

Whenever Trump says “I’m suffering for you” or presents himself as doing everything for America, his followers see him as a true leader, which consolidates their belief. Trump also casts himself as God-like, so religious groups and others begin to connect him with religion and come to believe even his blatant lies.

Another factor that strengthened the Trump ideology is right-wing TV channels such as Fox News, which turn everything Trump did into something “great”. Such channels support the movement on a deeper level by brainwashing their audience.

The way he speaks, behaves and acts makes such people relate to him so much that they start believing in him. Trumpism is more about feelings, emotions and the “dreampolitik realm” than about economics and policy. The supporters were deeply devoted to Trump, and anyone who did not believe in his dangerous ideas, such as liberals, Democrats and especially the Republicans who went against him, was branded “weak”, a “loser” or, in some cases, a traitor. One example is Eric Trump's tweet in November, during the election: "Where are Republicans! Have some backbone. Fight against this fraud. Our voters will never forget you if your sheep!" The message was clear: those who were not fighting lacked “backbone” and were cowards. Such rhetoric spurred people on in the name of bravery and nationalism.

Many of his supporters come from white supremacist circles, including the Ku Klux Klan, an American white supremacist hate group whose primary targets are African Americans and whose lesser enemies include Jews, immigrants, leftists, homosexuals, Muslims and, until recently, Catholics. Beyond these, his main supporters include people from rural areas and the middle states, white evangelicals, and blue-collar workers or those without college degrees. There is a small non-white following as well.

The riots proved that although the President has been defeated in the elections, Trumpism remains deep-rooted and will outlast him. “The work of undoing the siren call of Trumpism will require, to begin, a deeper understanding of its appeal”, Jeff Goodwin, a New York University professor of sociology and expert on movement politics, told CNN. He added, “A large part of Trumpism's appeal is Trump's personal appeal to a lot of people -- as a celebrity, as a crass speaker of truth, as these people see him, someone who doesn't mince words, someone who really tells it like it is. He's figured things out, he's a billionaire and he knows how the system works. All these elements of Trump's personality and character seem to have a lot of appeal to a big segment of the population. But I don't know if there is Trumpism without Trump.” He describes Trumpism as a “contradictory, unstable amalgam” of five key ideological pieces: social conservatism (anti-abortion and anti-LGBT policies), neoliberal capitalism (tax cuts for the wealthy and deregulation), economic nationalism, nativism (anti-immigration policies), and white nationalism (refusal to condemn the Proud Boys and others).

Aftermath and Reactions on the Capitol Insurrection

People commented on and condemned the incident, not only in America but around the world. “This is what the president has caused today, this insurrection,” Republican Senator Mitt Romney told a reporter. But the President himself did not condemn the rioters. Instead, he released a video message telling his supporters to “go home and go home in peace” and saying, “We love you; you’re very special.” He then repeated his false claim that the election was “stolen”. In fact, in the speech that incited these people, Trump said he would join them and march to the Capitol, which he did not do; instead he went back to the White House, most probably because he did not want the blame. He later tweeted telling the protesters to “stay peaceful”, but did not condemn them or tell them to go home.

Reacting to President Trump’s irresponsible behaviour, Facebook locked Trump's accounts and removed posts related to the incident, Twitter locked his account for 12 hours, and then permanently suspended it.

The police were also criticised for their role. In several videos, police officers can be seen letting protesters in and even taking selfies with them. They were criticised for their bias and for the leniency shown to this riot compared with the comparatively peaceful Black Lives Matter protests. Several leaders, including President-elect Joe Biden, have pointed to this racism, visible in the difference in how the police handled the two movements.

The flags, signs, and other damaged items, including Nancy Pelosi’s broken name plate, will be preserved as historical artefacts in the House and Senate collections and shared with national museums.

It has also been called a coup d’état: an attempt to overturn the result by force, which was certainly undemocratic. Leaders from countries around the world, including France, China, Australia, Germany, India, Israel and the UK, condemned the incident. British Prime Minister Boris Johnson called it “disgraceful”, while Iranian President Hassan Rouhani blamed the system itself, tweeting: “What we saw last night and today in America firstly proved what a failure the Western democracy is and how fragile and weak its foundation is.”

Democrats have introduced an article of impeachment against President Donald Trump for his role in the deadly invasion of the Capitol, accusing him of “incitement of insurrection.” Democratic House Speaker Nancy Pelosi has said: "The president represents an imminent threat to our constitution, our country and the American people, and he must be removed from office immediately." Calls for Mr Trump's resignation, removal from office or impeachment have grown among Democrats and some Republicans in the days following the riot, in which five people died. No U.S. president has ever been impeached twice. However, even if the House impeaches him, a conviction is unlikely because of his broad Republican support in the Senate.

Trump has said he is ready for a transition, and President-elect Joe Biden will be sworn in as the 46th President on January 20, but Trump added that he will not attend the ceremony.

For the last four years, liberals, Democrats, the left and Trump’s other critics were accused of hysteria and hyperbole for calling his movement fascist, authoritarian and lawless. Now the events at the Capitol seem to validate their claims, showing how the Trump movement became a threat to the U.S. and to the idea of democracy itself.
