New: SolarWinds hackers did test-run of spy operation in Oct 2019, when malicious SolarWinds files were first downloaded by customers. That version didn't have backdoor in it, however. Indicates hackers were in SolarWinds network in 2019, if not earlier. news.yahoo.com/hackers-last-y…
Investigators have so far found no evidence the attackers did anything to infected machines once the malicious Oct 2019 SolarWinds software was installed; suggests this was just a dry-run to test that their malicious files would deliver to customer machines and not be detected.
I also clarify in story how FireEye first discovered breach. It occurred when the hackers, who already had an employee's credentials, used those to register their own device to FireEye's multi-factor authentication system so they could receive the employee's unique access codes.
FireEye's security system sent alert to the employee and to company's security team saying a new device had just been registered to the company's MFA system as if it belonged to the employee. This prompted FireEye to investigate.
As FireEye was trying to determine how the hackers obtained the employee's credentials to register their device, this led them to uncover the SolarWinds breach into their network. The hackers may have obtained the employee's credentials once inside FireEye's network.
Just want to emphasize there's no evidence a FireEye employee was duped into revealing their credentials to the hackers, as has been previously reported. The hackers could have obtained credentials for this and other employees once they got into FireEye via SolarWinds.
“This tells us the actor had access to SolarWinds’ environment much earlier than this yr. We know at minimum they had access Oct. 10, 2019...that intrusion has to originate probably at least a couple of months before that — probably at least mid-2019 [if not earlier].”
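The detection described in the thread is worth seeing as code: FireEye's MFA system alerted both the employee and the security team whenever a new device was registered to an account, and that alert is what surfaced the intrusion. The block below is an added example, not FireEye's system or anything from the thread. It walks a constructed identity-provider audit log (the JSON field names, the corporate IP ranges, the one-hour "new device" window and the alert recipient are all assumptions), emits a notification for every MFA enrollment, and escalates the ones that look like an attacker adding their own factor to a stolen account: enrollment from outside the corporate network, a second device added alongside an existing one, and a device that first appeared only moments before enrolling.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample identity-provider audit log (not real FireEye or
# SolarWinds data). The JSON field names are an assumption; real IdPs
# (Okta, Azure AD, Duo, ...) each use their own schema.
SAMPLE_LOG = """\
{"ts": "2020-11-30T09:12:03Z", "event": "user.login", "user": "alice", "src_ip": "10.20.5.17", "device_id": "dev-A1"}
{"ts": "2020-11-30T09:12:40Z", "event": "mfa.device.enrolled", "user": "alice", "src_ip": "10.20.5.17", "device_id": "dev-A1"}
{"ts": "2020-12-01T08:30:11Z", "event": "user.login", "user": "alice", "src_ip": "10.20.5.17", "device_id": "dev-A1"}
{"ts": "2020-12-02T23:41:10Z", "event": "user.login", "user": "alice", "src_ip": "198.51.100.77", "device_id": "dev-Z9"}
{"ts": "2020-12-02T23:41:55Z", "event": "mfa.device.enrolled", "user": "alice", "src_ip": "198.51.100.77", "device_id": "dev-Z9"}
{"ts": "2020-12-03T08:05:00Z", "event": "user.login", "user": "bob", "src_ip": "10.20.5.30", "device_id": "dev-B2"}
"""

CORPORATE_NETS = [ip_network("10.0.0.0/8")]   # assumption: internal address ranges
NEW_DEVICE_WINDOW = timedelta(hours=1)         # assumption: tuning knob
SECURITY_TEAM = "security-team"                # assumption: alert recipient


def parse_ts(s):
    # fromisoformat() only accepts a trailing "Z" on Python 3.11+; normalise it.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_corporate(ip):
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def review_enrollments(events):
    """Walk events in time order and emit one alert per MFA enrollment.

    Every enrollment notifies the account owner and the security team
    (the behaviour the thread attributes to FireEye's system). Enrollments
    that match two or more risk signals are marked for investigation.
    """
    first_seen = {}                  # (user, device) -> first timestamp seen
    enrolled = defaultdict(set)      # user -> devices already enrolled for MFA
    alerts = []
    for ev in events:
        user, dev, ts = ev["user"], ev["device_id"], parse_ts(ev["ts"])
        first_seen.setdefault((user, dev), ts)
        if ev["event"] != "mfa.device.enrolled":
            continue
        reasons = []
        if not is_corporate(ev["src_ip"]):
            reasons.append(f"enrolled from non-corporate address {ev['src_ip']}")
        if enrolled[user]:
            reasons.append("account already had an enrolled MFA device; "
                           "this adds another one")
        if ts - first_seen[(user, dev)] < NEW_DEVICE_WINDOW:
            reasons.append("device first appeared less than an hour "
                           "before enrolling")
        severity = "investigate" if len(reasons) >= 2 else "notify"
        alerts.append({
            "user": user, "device_id": dev, "ts": ev["ts"],
            "notify": [user, SECURITY_TEAM],
            "severity": severity, "reasons": reasons,
        })
        enrolled[user].add(dev)
    return alerts


if __name__ == "__main__":
    for a in review_enrollments(parse_events(SAMPLE_LOG)):
        print(a["severity"].upper(), a["user"], a["device_id"], "->",
              "; ".join(a["reasons"]))
```

On the constructed log, alice's first enrollment from her usual device only trips the "new device" signal and is a plain notification; the second enrollment, from an external address onto an account that already has a factor, moments after that device first logged in, is escalated. The point is that the low-severity notification still goes to the account owner: an employee who knows they did not register a device is the check that no rule can replace.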

Thread by Kim Zetter
