New: SolarWinds backdoor infected at least 15 entities in critical infrastructure incl electric/oil/gas/manufacture + 3 managed service providers for crit infr. No evidence hackers used backdoor to enter but may be difficult to tell due to lack of logging theintercept.com/2020/12/24/sol…
Managed service providers can have authorized remote access directly into critical infr + privileges that let them alter network, install software, and control critical operations. This means hackers who breach a provider can potentially use that provider’s credentials and access
“If [provider] has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions," @RobertMLee told me. "But just because you have access...doesn’t mean they can then flip off the lights”
“compromising one [provider], depending on where you compromise them, could lead to access to thousands of organizations,” Lee said. “Two of the … [providers] that have been compromised … have access to hundreds of ICS networks around the world.”
It may not be possible to know if attackers accessed the infected networks and burrowed further into industrial control networks, because critical infrastructure entities often don’t do extensive logging and monitoring of their ICS networks.
“In these ICS networks, most organizations don’t have the data and visibility to actually look for the breach. So they might determine if they are compromised, but … almost none of them have network logs to … determine if there is follow-on activity [in their network].”
.@SpauldingSez, former undersecretary for DHS overseeing critical infrastructure security, also cautions that the intentions of the SolarWinds adversary are still unknown, and even if they breached crit infra networks this isn’t the same as having ability to disrupt or damage.
"I don’t think that we can know that their objective here is reconnaissance for being in a position to potentially disrupt critical infrastructure,” @SpauldingSez says. “I do think that we should always, for planning purposes, assume that and take measures to reduce the damage...
that could be done. But we can’t know that [this is their intention]. And there’s a difference between assuming that for planning purposes and for mitigation, and assuming that for a [U.S. government] response to Russia.”

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Kim Zetter

Kim Zetter Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @KimZetter

22 Dec
Per briefing today on SolarWinds hack, @RonWyden says IRS was not compromised or taxpayer data affected. However, hack of Treasury Department "appears to be significant." Treasury breach began in July, "the full depth of which isn’t known."
Microsoft notified Treasury Dept that dozens of email accounts were compromised. Additionally the hackers broke into systems in the Departmental Offices division of Treasury, home to Treasury's highest-ranking officials. Treasury still doesn't know precisely what info was stolen.
.@RonWyden on SW: “[A]fter yrs of gov officials advocating for encryption backdoors and ignoring warnings from [infosec] experts who said...encryption keys [are targets] for hackers, the USG has..suffered a breach that seems to involve...stealing encryption keys from USG servers”
Read 11 tweets
18 Dec
New: SolarWinds hackers did test-run of spy operation in Oct 2019, when malicious SolarWinds files were first downloaded by customers. That version didn't have backdoor in it, however. Indicates hackers were in SolarWinds network in 2019, if not earlier. news.yahoo.com/hackers-last-y…
Investigators have so far found no evidence the attackers did anything to infected machines once the malicious Oct 2019 SolarWinds software was installed; suggests this was just a dry-run to test that their malicious files would deliver to customer machines and not be detected.
I also clarify in story how FireEye first discovered breach. It occurred when the hackers, who already had an employee's credentials, used those to register their own device to FireEye's multi-factor authentication system so they could receive the employee's unique access codes.
Read 7 tweets
18 Dec
Wow, this is bold. Employee of a US telecom, who was based in China, has been charged w/ disrupting video-conference meetings held in May and June this year by parties in the US to commemorate the June 4, 1989 Tiananmen Square massacre in China. justice.gov/opa/pr/china-b…
"No company with significant business interests in China is immune from the coercive power of the Chinese Communist Party. The Chinese Communist Party will use those within its reach to sap the tree of liberty, stifling free speech in China, the United States and elsewhere"
"The allegations in the complaint lay bare the Faustian bargain that the PRC government demands of U.S. technology companies doing business within the PRC’s borders, and the insider threat that those companies face from their own employees in the PRC”
Read 8 tweets
17 Dec
Second supply chain hack in SolarWinds campaign announced. Microsoft was also breached in the SolarWinds hack operation. Once in Microsoft’s network, the company's own "products were then used to further the attacks on others". Story from @josephmenn reuters.com/article/global…
If SolarWinds was used to hack Microsoft, and Microsoft was then used to hack Microsoft customers, this essentially means one supply chain was used to hack another supply chain. That's an impressive kill chain.
How often have we all said this before? "Some major companies have issued carefully worded statements saying that they have 'no evidence' that they were penetrated, but in some cases that may only be because the evidence was removed [by the attackers]" reuters.com/article/us-usa…
Read 6 tweets
14 Dec
Someone asked me to provide a simple description of what this SolarWinds hack is all about. So for anyone who is confused by the technical details, here's a thread with a simplified explanation of what happened and what it means.
The maker of software that is used in the highest echelons of gov, including the White House and NSA, was compromised by attackers who slipped malicious code into the software maker's trusted code without the software maker knowing it. The code got distributed to its customers
That malicious code, once it infected customer systems, opened a backdoor into those systems and contacted the hackers to let them know the door was open for them to surreptitiously enter those systems and begin stealing sensitive data on those networks.
Read 7 tweets
14 Dec
@tcward_ The maker of software that is used in the highest echelons of gov, including the White House and NSA, was compromised by attackers who slipped malicious code into the software maker's trusted code without the software maker knowing it. The code got distributed to its customers
@tcward_ That malicious code, once it infected customer systems, opened a backdoor into those systems and contacted the hackers to let them know the door was open for them to surreptitiously enter those systems and begin stealing sensitive data on those networks.
@tcward_ The hackers did this back in March and their activity was only recently discovered - this means they have been inside gov systems all these months stealing data and spying on gov workers without anyone knowing until now. They also infected telecoms and other company networks.
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!