- Spitfire List - https://spitfirelist.com -

Cyber Attribution, the Mega-Hacks of 2021, and the Existential Threat of Blind Faith in Bad-Faith

Move over COVID. 2021 is turning out to be another year of the digital virus. One massive hacking story after another. Unrelated stories in many cases, we are told. In particular:

1. The SolarWinds mega-hack announced in December of 2020, blamed on Russia. Specifically, blamed on the hacking group known as ‘Cozy Bear’/APT29/Pawn Storm. Microsoft dubbed them Nobelium.

2. The Microsoft Exchange mega-hack disclosed in March 2021, blamed on China. Specifically, blamed on a previously unidentified state-backed group Microsoft dubbed Hafnium.

3. The revelations about NSO Group’s oversight (or lack thereof) of its powerful spyware sold to governments around the world.

4. The emerging story of Candiru, one of NSO Group’s fellow “commercial surveillance vendors”, selling toolkits overflowing with zero-day exploits, specializing in targeting Microsoft products.

But how unrelated are these stories? That’s the big question we’re going to explore in this post. A question punctuated by another meta-story we’ve looked at many times before: the meta-story of a cyberattribution paradigm seemingly designed to allow private companies and governments to concoct an attribution scenario for whatever guilty party they want to finger [1]. As long as there was some sort of ‘clue’ found by investigators — like a piece of Cyrillic or Mandarin text or malware previously attributed to a group — these clues were strung together in a “pattern recognition” manner to arrive at a conclusion about the identity of the perpetrators [2]. Attribution conclusions were often arrived at with incredible levels of confidence. Recall how the Japanese cybersecurity firm TrendMicro attributed a 2017 US Senate email phishing campaign to ‘Pawn Storm’/Fancy Bear with 100 percent certainty [3], and they made this highly certain attribution based heavily on how similar the hack was to the 2017 hacks of Emmanuel Macron’s emails via a phishing campaign that TrendMicro attributed at the time with 99 percent certainty to Pawn Storm/Fancy Bear [4]. And yet ANSSI, the French government’s cybersecurity agency, was leaving open the possibility that the hack could be the work of “other high-level” hackers trying to pin the blame on “Pawn Storm” (another name for “Fancy Bear”) [5]. TrendMicro was making 99 percent certain attributions that the French government said could be any range of actors. That was the state of affairs for cyberattributions in 2017 and nothing has changed in the years since. Highly certain attributions continued to be piled on top of highly certain attributions — almost always pointing towards Russia, Iran, China, or North Korea — built on a foundation of what appears to be largely guesswork. Often highly motivated guesswork.

It’s that willingness by cybersecurity firms and governments to make strong ‘100 percent certain’ declarations about who was behind a hack, based on seemingly no compelling evidence, that continues to plague our collective understanding of global digital threats. A lack of understanding that could have grave global implications going forward. Because as we’re going to see, the repeated prevailing narrative encouraging the public to fixate their hacking fears on Russian and Chinese hackers is a narrative that conveniently leaves out the explosion over the last decade of a global industry of powerful legal cutting-edge spyware sold to governments around the world. Dozens of governments that didn’t previously have access to spyware of this caliber. In other words, the default ‘Russia or China did it!’ narrative acts as a cover story to deflect suspicions from all the other countries (or private entities) with access to the kind of spyware previously assumed to be exclusive to a handful of nations with known powerful hacking capabilities.

Also looming large in this discussion is the “ShadowBrokers” story of 2016 and the leak of Vault7, the CIA’s hacking toolkit that included features explicitly designed to confuse this “pattern recognition” approach to cyberattribution. The toolkit literally contained features that injected Cyrillic or Mandarin or other ‘clues’ into the malware code [6]. This was all revealed months before TrendMicro made its ‘100 percent certain’ attribution of the Macron email hacks based on pattern recognition. And yet, other than the acknowledgment by France’s ANSSI that someone could be intentionally leaving false ‘clues’, the story of the ShadowBrokers and the digital ‘clues’ left by Vault7 did not appear to impact the reporting or analysis of the Macron hack in any meaningful way. It’s a big part of the meta-story here: no matter how many reports come out that should raise major questions about the quality of current cyberattributions based on “pattern recognition”, nothing actually changes in terms of how the cybersecurity industry carries out its attributions.

For example, as we’re going to see, when the SolarWinds hack was first uncovered, it was a team led by Adam Meyers, the vice president for threat intelligence at CrowdStrike, who first examined the hack. In an interview [7] describing their early investigation, Meyers claimed to be fully expecting to find some sort of ‘cultural artifact’ like Cyrillic or Mandarin and expressed dismay that nothing was found. They nonetheless attributed the hack to Russia. We’re never given a clear explanation why. The whole episode, and Meyers’s shock at a lack of any ‘clues’, suggests the elite cybersecurity firms like CrowdStrike are not only willing to utilize “pattern recognition” to carry out these attributions but are routinely doing so, raising the question of whether or not hackers these days simply know to leave ‘clues’ in order to satisfy the cybersecurity industry and their clients.

Now, when we learn that it was CrowdStrike who led the SolarWinds hack investigation relying heavily on looking for ‘cultural artifacts’ in the malware, it’s also important to recall how [1] CrowdStrike itself was literally founded in 2011 by Dmitri Alperovitch on the conviction that hacks should be responded to with clear public attributions as a primary means of warding off future attacks. Before CrowdStrike, the idea of publicly naming culprits was anathema in the cybersecurity industry, in large part because it is so difficult to truly know who the culprit is due to this hall-of-mirrors nature of digital evidence [8]. So in that sense, we shouldn’t at all be surprised to learn that CrowdStrike continues to make baseless attributions. It’s CrowdStrike’s business model.

As we’re also going to see, it’s not like the cybersecurity industry always plays dumb about the possibility of actors spoofing the ‘pattern recognition’ methods by intentionally leaving ‘clues’ like Cyrillic. When the SolarWinds mega-hack story broke, it broke in the wake of a disclosure by cybersecurity firm FireEye that its own “Red Team” suite of hacking tools — kits of known exploits used to test clients’ systems for vulnerabilities — was stolen by unknown hackers. Immediately, experts warned how a toolkit like that could be used by governments to cover their tracks. But that’s really the only time we’re going to see this kind of basic insight plainly stated. Right at the start of it with the FireEye attack. For the rest of the time, this obvious problem with our global cyberattribution regime is systematically ignored. Still.

NSO Group: A Quick Review

First, recall how NSO Group first came to the public’s attention in relation to Michael Flynn, who in May of 2016 was appointed to the advisory board of OSY Technologies and consulted for Francisco Partners. Francisco Partners was NSO Group’s owner at the time and OSY happened to be an NSO Group offshoot [9].

Next, recall how Francisco Partners ended up selling NSO Group to a European private equity firm, Novalpina, in early 2019 [10] following the international outrage over the role NSO Group’s malware played in the assassination of Jamal Khashoggi [11]. We’re going to learn more about that sale and why it happened (hint: Saudi Arabia’s access to that spyware was part of a larger diplomatic process).

In May of 2019, we learned that NSO Group was selling its clients the “zero-click” capability of infecting smartphones via WhatsApp, and there was nothing victims could do to prevent it. The exploit worked automatically when the attackers called the victim’s phone via WhatsApp. But we also learned that Israel was treating access to this kind of malware as a diplomatic tool in its negotiations with its regional partners. Beyond that, there was ostensibly a limitation on how this powerful malware could be used by client states: the Israeli government was setting geographical limitations on where the malware could be deployed [10].

So the picture that had already emerged about NSO Group was that of a provider of cutting-edge hacking toolkits to governments around the world, but also a point of leverage in Israel’s own diplomatic toolkit. It was the kind of corporate profile that suggests any scandals involving NSO Group are implicitly government-related scandals. And that picture of a company that distributes powerful hacking tools as part of Israel’s diplomatic efforts gets all the more intriguing when we factor in the chapter of the #TrumpRussia saga involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran) [12]. In other words, there’s no way of separating the NSO Group story from the larger story of the ever-cozier relationship between Israel and its Sunni allies in a regional alliance against Iran and the still-unresolved agenda of Michael Flynn, Erik Prince, and the network of other US conservatives in Donald Trump’s orbit who had major agendas of their own involving the Middle East.

That’s all part of the context we’re going to have to keep in mind when reading about these new revelations that appear to show the widespread use of NSO Group’s powerful malware against a number of journalists, activists, and even government ministers around the world. And the more we’re learning about the history of the NSO Group, the clearer it’s becoming that the NSO Group’s malware has been secretly used by dozens of governments around the world for at least a decade now.

And as we’re going to see with the story of Candiru, it’s important to keep in mind that NSO Group is merely one of a number of secretive firms selling cutting-edge hacking toolkits to governments around the world. This is a global industry.

Finally, it’s important to keep in mind another major dimension of this story: the explosion of government access to these powerful hacking tools over the last decade has presumably coincided with an explosion of actual hacking. Well, that presumed explosion of actual hacking just happened to coincide with the emergence of highly ‘noisy’ and high-profile ‘Russian hacker’ campaigns. As we’ve seen, following the outbreak of conflict in Ukraine, a number of very publicly visible mass phishing attacks were waged against NATO governments and institutions. It was described by cybersecurity experts as a significant shift in the behavior of Russian government-backed hackers, and yet we were nonetheless told that these high-profile hacks must be coming from Russia despite a lack of any solid technical evidence. It was the rise of the “pattern recognition” form of cyberattribution, which consistently found patterns of “Russian hackers” [1]. Recall how the first hack of the DNC, the 2015 hack, took place amidst a giant phishing campaign that hit 50–60,000 email addresses and was described as very different from traditional Russian government hacker phishing campaigns, which would normally involve just 5 to 6 carefully crafted phishing emails [13]. Nothing has done a more effective job of obscuring from the global public the emergence of this global super-hacking capability than the prevailing narrative that all hacks are being done by Russia and China. Hardly anyone even bothers asking if it could be anyone else anymore.

Let’s not forget that the globalization of NSA-level spyware was one of the obvious possible logical conclusions of the Snowden affair. Yes, it was remarkable what a stunning edge the NSA had over almost every other government. A desire for a leveling of the playing field was understandable, and the globalization of super-spyware is one of the obvious ways to achieve that. There are no easy answers on this topic. It’s a ‘lesser evil’ situation.

So we have to ask: what role have these very high-profile public mass hacking campaigns waged over the last decade and blamed on ‘Russian hackers’ (or ‘Chinese hackers’) played in obscuring the reality that dozens of governments around the world suddenly got access to quiet super hacking tools? The timing sure has been convenient. And it’s not hard to imagine that the high-profile ‘noisy’ phishing campaigns of the last decade ran simultaneously with zero-click super-malware like NSO Group’s unstoppable WhatsApp exploit malware. One of the key selling points of this NSO Group malware is how difficult it is to detect. A lot of people and organizations have presumably been hacked without ever discovering the source of the hack. How often have organizations over the past decade, especially governments, discovered they were hacked by a company’s ‘legal’ hacker toolkit like NSO Group’s and just assumed it was ‘Russian hackers’ due to the waves of global high-profile ‘Russian hacker’ campaigns? It’s a question that looms ever larger as the client list of this global legal hacking industry continues to grow in the shadows.

**************************

Let’s Play “What’s Wrong With This Picture?”

Ok, so let’s start off with an overview of the articles we’re going to be reviewing. An overview that screams the question “What’s wrong with this picture?”. Again, it’s four major stories. Unrelated stories, we are told: 1. The SolarWinds mega-hack of December 2020 (blamed on Russia). 2. The Microsoft Exchange mega-hack of March 2021 (blamed on China). 3. Revelations of NSO Group abuses. 4. Revelations that Candiru is selling cutting-edge spyware specialized in targeting Microsoft’s systems. We are told those are four largely unrelated stories. What’s wrong with this picture?

* December 8, 2020 [14]: FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State [15]:

The story that got the ball rolling. At least publicly. Cybersecurity firm FireEye informs the world of a nightmare scenario. FireEye’s “Red Team” code suite was stolen. So whoever managed to hack FireEye obtained a toolkit of virtually all the most powerful known exploits. A digital treasure trove that had suddenly fallen into the hands of whoever already had the wherewithal to pull off this hack. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally hiding their tracks this way, an implicit admission as to how shoddy contemporary cyberattributions truly are today. So who did it? FireEye wasn’t ready to name a culprit. The FBI announced it was confident it was carried out by a nation-state, and while they wouldn’t name a specific nation it was pretty clear Russia was the prime suspect. No reasons for these suspicions are given.

* December 14, 2020 [16]: Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce [17]:

The nightmare explodes. We learn it wasn’t just FireEye after FireEye informs SolarWinds that it was SolarWinds’s own Orion update software that delivered the malware onto FireEye’s systems. It was a rather ominous update given that the same Orion software is on another 18,000 client networks. Oh, and the US was already naming names: it was Russia again. Specifically APT29/Cozy Bear/Pawn Storm, the infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015 [13]. Cozy Bear was also behind this new mega-hack. That was the line from the US a week after FireEye first announced the hack. Russia did it. No reasons for this attribution are given, of course, but it is treated as more of a given since numerous US government agencies were hit. Simultaneously, we are told that the aggressive nature of this hack was unprecedented for Cozy Bear.

We also get an early important clue about how the SolarWinds hack was carried out: SolarWinds informed the world that it suspects Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. In other words, the SolarWinds hack started with the hack of Microsoft’s products.

* December 15, 2020 [18]: FireEye Discovered SolarWinds Breach While Probing Own Hack [19]:

In some additional reporting on the breaking SolarWinds news, we learn that FireEye isn’t actually ready to join the US government in attributing the hack to Russia due to a lack of evidence.

* December 15, 2020 [20]: Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny [21]:

More information is coming out about the role Microsoft product vulnerabilities played in the hack. The hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and creating password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft Exchange mega-hack announced in March was targeting the non-cloud, self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrated an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as that used to execute the Microsoft Exchange mega-hack but awfully close. And yet we will be assured by Microsoft that the Microsoft Exchange hack was carried out by China.

* December 21, 2020 [22]: Treasury Department’s Senior Leaders Were Targeted by Hacking [23]:

The US Treasury Department gives us an update on the scope of the hack. The hackers gained access to agency emails in July 2020, via the manipulation of internal software keys. Specifically, we are told the hackers performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network. This token allowed the hackers to fool the system into thinking they were legitimate users. So spoofing Microsoft credentials appears to be one of the SolarWinds hackers’ specialties.
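The token forgery described in this entry and the previous one is why defenders correlate cloud sign-ins against the on-premises token-issuance log: a token the federation service never issued, or one whose validity window the service would never grant, is the fingerprint of this technique. The following is an added example, not code from the original post or from Microsoft, using a simplified constructed record format and a hypothetical one-hour lifetime policy:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy (hypothetical): the federation server never issues a
# token valid for longer than one hour. A presented token that asserts
# more than that is not one the server produced.
MAX_TOKEN_LIFETIME = timedelta(hours=1)


@dataclass(frozen=True)
class IssuanceRecord:
    """One on-prem token-issuance audit entry (constructed schema)."""
    token_id: str
    user: str
    issued_at: datetime
    not_after: datetime


@dataclass(frozen=True)
class CloudSignIn:
    """One cloud sign-in that presented a federated token (constructed schema)."""
    token_id: str
    user: str
    seen_at: datetime
    not_after: datetime  # validity asserted inside the presented token


# Constructed sample data: two legitimate issuances, one sign-in with a
# token nobody issued, and one reuse of an issued token whose asserted
# validity has been stretched far beyond policy.
ISSUED = [
    IssuanceRecord("t-001", "alice@example.test",
                   datetime(2020, 7, 1, 9, 0), datetime(2020, 7, 1, 10, 0)),
    IssuanceRecord("t-002", "bob@example.test",
                   datetime(2020, 7, 1, 9, 5), datetime(2020, 7, 1, 10, 5)),
]
SIGNINS = [
    CloudSignIn("t-001", "alice@example.test",
                datetime(2020, 7, 1, 9, 1), datetime(2020, 7, 1, 10, 0)),
    CloudSignIn("t-002", "bob@example.test",
                datetime(2020, 7, 1, 9, 6), datetime(2020, 7, 1, 10, 5)),
    # Never issued on-prem: the cloud accepted a token minted elsewhere.
    CloudSignIn("t-999", "cfo@example.test",
                datetime(2020, 7, 1, 3, 14), datetime(2020, 7, 8, 3, 14)),
    # Issued, but the presented copy claims a week of validity and is
    # used a day after the real token expired.
    CloudSignIn("t-002", "bob@example.test",
                datetime(2020, 7, 2, 9, 6), datetime(2020, 7, 8, 10, 5)),
]


def find_suspicious(issued, signins, max_lifetime=MAX_TOKEN_LIFETIME):
    """Return (token_id, reason) pairs for sign-ins the issuance log cannot vouch for."""
    by_id = {rec.token_id: rec for rec in issued}
    findings = []
    for s in signins:
        rec = by_id.get(s.token_id)
        if rec is None:
            # The cloud trusted a token the on-prem service never produced.
            findings.append((s.token_id, "no_issuance_record"))
            continue
        if rec.user != s.user:
            findings.append((s.token_id, "subject_mismatch"))
        if s.not_after != rec.not_after or s.not_after - rec.issued_at > max_lifetime:
            # Validity window rewritten, or longer than the server ever grants.
            findings.append((s.token_id, "validity_tampered"))
        if s.seen_at > rec.not_after:
            findings.append((s.token_id, "used_after_expiry"))
    return findings


if __name__ == "__main__":
    for token_id, reason in find_suspicious(ISSUED, SIGNINS):
        print(f"{token_id}: {reason}")
```

In a real tenant the issuance side would come from the federation server's own audit events and the sign-in side from the cloud sign-in log; the point is that the cloud cannot tell a forged token from a genuine one by itself, so the check has to be done by the party that holds the issuance record.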

* February 4, 2021 [24]: SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack [25]:

It’s confirmed! SolarWinds confirms the hack started via a compromised Microsoft Office 365 email account. The hackers used a previously unknown zero-day vulnerability in Microsoft’s Office 365 email software to gain access to and exploit the development environment for SolarWinds Orion.

But beyond that, we learn that 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds. It’s the kind of revelation that raises the disturbing question of whether or not these hackers had some other yet-to-be-discovered technique for infiltrating networks. Which obviously raises a number of questions about whether or not other Microsoft exploits were being used by these hackers. After all, the hackers managed to infiltrate SolarWinds’s own network via a zero-day Microsoft exploit. Why wouldn’t it work elsewhere? In other words, the SolarWinds mega-hack might actually be part of an even larger Microsoft super-mega-hack. A still unrecognized super-mega-Microsoft-hack.

* February 5, 2021 [26]: Microsoft: No Evidence SolarWinds Was Hacked Via Office 365 [27]:

Not true! None of it! That’s the line from Microsoft a day after SolarWinds’s CEO appears to confirm that the exploitation of a Microsoft Office 365 email vulnerability wasn’t just used in the hack but was used to execute the initial compromise of SolarWinds’s software development environment. Microsoft does admit that Microsoft services were indeed targeted by the SolarWinds hackers, but insists that the hackers gained privileged credentials in another way, implying it was due to software configuration issues on the client end and not due to vulnerabilities in Microsoft’s products. And what about all the reports from SolarWinds and the US government that they found evidence of an Office 365 email exploit? “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.” That was Microsoft’s line. Still.

* February 19, 2021 [28]: SolarWinds Hackers Kept Going After Microsoft Until January [29]:

Microsoft gave us an update on its SolarWinds investigation. The company acknowledged that its own networks were plundered during the attack, and that even some of its source code was stolen. The source code reportedly involved the cloud-based versions of Azure, Intune, and Exchange (email server software). We are also told the hackers were searching Microsoft’s networks for useful secrets like API keys, credentials, and security tokens that may have been embedded in the source code.

* March 5, 2021 [30]: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software [31]:

A new mega-hack is upon us! Back-to-back mega-hacks. This time Microsoft is the main target. The software giant informed the world that hundreds of thousands of Microsoft Exchange Servers were attacked around the world. The attack was first detected by Volexity on January 6, during the Capitol insurrection, with a large download to an illegitimate user, although days later Volexity issued an update that it found evidence of the attack starting on January 3rd [32]. Days later this quiet hack exploded into a loud global ransacking. Virtually every self-hosted Microsoft Exchange email server in the world connected to the internet was hit over the next two months. Or at least is assumed to have been hit. That’s a lot of hacked email. And potentially voicemail [33]. Microsoft was continuing to assure us the hack had nothing to do with the SolarWinds hack, and also that the SolarWinds hack had nothing to do with any Microsoft vulnerabilities. They were seriously touting the ‘don’t worry about Microsoft security’ line during the Exchange mega-hack disclosure.

* March 10, 2021 [34]: Microsoft Exchange Hack Could Be Worse Than SolarWinds [35]:

With more information about the Hafnium hack coming in, this is looking more and more like the worst of worst-case scenarios. Or at least worse than the SolarWinds hack, which would make this the worst yet. Literally the worst hack ever. So far. Give it a few months.

The hack started on Jan 3, with “Hafnium” quietly hacking away at dozens of targets until Microsoft issued a patch in early March. At that point, it was a criminal free-for-all race that included at least a dozen more criminal actors.

A big part of what makes it the worst hack ever is the scale, with potentially hundreds of thousands of Exchange email servers all hit in short order, but this is an attack that can be automated. The hackers just needed scripts and time to let the scripts do their work.

But another part of what arguably makes this the worst hack ever is that the ability to remotely take over the Exchange server software doesn’t just potentially give the hackers the ability to read emails. It also potentially gives hackers the ability to compromise the Microsoft Active Directory system, which is the system used for ID authentication across the Microsoft ecosystem of software. So if you corrupt the Active Directory system on a computer, you can potentially get super-user access to all the Microsoft software running on that computer’s network. And the catch here is that Microsoft Exchange server only runs on Windows. So anyone running it is running it on a Windows Server operating system. So compromising the Active Directory system on the computer running the Microsoft Exchange server software can hand over complete control of the server. This also means the hackers could have burrowed in all sorts of hidden backdoors all over the victim networks. This was a huge, deep hack.

But here’s the big detail we learn from Ed Hunter, CISO at Infoblox, a cybersecurity company, who is commenting to a reporter about the hack: the vulnerability has been present in the Microsoft Exchange codebase for a decade. As Hunter put it, “one has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox.”

And, again, it was just two weeks earlier that Microsoft disclosed that the SolarWinds hackers stole Exchange source code for the cloud-based version of Exchange. But in this case, it was the self-hosted Exchange servers that got hacked. All of them. Hundreds of thousands of email servers around the world. Also keep in mind the SolarWinds hackers had already demonstrated zero-day abilities to manipulate Microsoft’s credential systems. So this hack sure seems closely related to the SolarWinds hackers, and yet Microsoft confidently assured us that this had nothing to do with the SolarWinds hack and was in fact carried out by a state-backed Chinese hacking group Microsoft dubbed “Hafnium”.

* April 16, 2021 [36]: A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack [7]:

Four months after it was first announced, NPR has a big piece on the then-untold story of how the hack unfolded. By that point, the Biden White House was unequivocally stating Russian intelligence was behind it. While the reason Russia is given the attribution is, as always, never given, there was by now enough known about the hack to determine that these really were exceptional hackers. Multiple never-before-seen “zero-day” exploits were utilized. Beyond that, the malware was introduced into the SolarWinds software development pipeline at the very last possible moment, during the compilation process, allowing it to evade the standard security checks for unwanted software. It was a proof-of-concept and could be used against anyone else using the same compilation software (they didn’t name the software). This ability to use this attack against other software developers is particularly acute when we recall that this attack created backdoors on the networks of many of the largest software developers in the world. Including Microsoft. Yikes.

And it’s in this April 2021 NPR piece where we get further confirmation of something that has long been clear but is rarely said out loud so clearly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic characters or Mandarin in the code, and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. And he was leading the team that first investigated it. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers describes the lack of anything that a human might have inadvertently left behind as a clue as “mind-blowing”. He described the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues as “the craziest f***ing thing I’d ever seen.” So this update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” This is a good time to recall the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead [6]. This was confirmed just four years ago. Everyone really is playing dumb here. Double yikes.

* April 23, 2021 [37]: SolarWinds hacking campaign puts Microsoft in the hot seat [38]:

Microsoft’s terrible, horrible, no good, very bad year continues. A week after that big NPR piece on SolarWinds, we learn significant new details on the SolarWinds hack in a new report put out by The Atlantic Council. The kind of details that have Microsoft scrambling for explanations. And culprits. Again. It turns out the delivery of the backdoor malware via the SolarWinds Orion updating software was just the first phase of the mega-hack. Once the hackers used those backdoors to gain access to victims’ networks they continued to exploit more vulnerabilities. In particular, Microsoft vulnerabilities involving how Microsoft products validate user identities. Now, part of the reason Microsoft vulnerabilities were heavily targeted was because, well, these vulnerabilities exist. But the other big reason is that Microsoft has more than 85% of the market share for government and industry. In other words, the juiciest targets — especially government agencies — were almost all running Microsoft tools on their networks. Microsoft continued to deflect blame, suggesting poorly configured software by the clients was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured, with default log settings that won’t capture the information needed to catch attacks while they’re in progress.

* May 28, 2021 [39]: Microsoft says group behind Solar­Winds hack now tar­get­ing gov­ern­ment agen­cies, NGOs [40]:

Cozy Bear/APT29/“Nobelium” is back at it. They’re up to their old tricks, accord­ing to Microsoft. Tar­get­ed phish­ing, with orga­ni­za­tions who signed up to received com­mu­ni­ca­tions from USAID being the tar­gets. 3,000 email accounts at more than 150 dif­fer­ent orga­ni­za­tions. Some­how, the hack­ers man­aged to minick emails from the firm Con­stant Con­tact, the firm that han­dle’s USAID’s email com­mu­ni­ca­tions, to make it look like a USAID com­mu­ni­ca­tion. At least a quar­ter of the tar­get­ed organ­i­sa­tions were involved in inter­na­tion­al devel­op­ment, human­i­tar­i­an issues and human rights work. The US and UK blame Rus­si­a’s SVR (the same agency Cozy Bear/APT is said to work for...long with the FSB).

How did Microsoft deter­mine that this was done by the same hack­ers who pulled off the Solar­Winds hack? That’s nev­er explained. It’s not due to tech­ni­cal sim­i­lar­i­ties. In fact, the Microsoft blog post describ­ing this USAID phish­ing scheme [41] explic­it­ly states that this new attack had few tech­ni­cal sim­i­lar­i­ties to the Solar­Winds hack and sug­gests the hack­ers inten­tion­al­ly changed their tac­tics after the Solar­Winds hack was uncov­ered. Four new zero-day pieces of mal­ware deployed [42] on the com­put­ers of the vic­tims that clicked on the mali­cious link, so keep in mind that if this was the same hack­ing group that is involved with the Solar­Winds hack and/or Microsoft Exchange hack, this crew is sport­ing a sig­nif­i­cant num­ber of zero-day exploits.

* June 25, 2021 [43]: Microsoft says new breach dis­cov­ered in probe of sus­pect­ed Solar­Winds hack­ers [44]:

Cozy Bear/APT29/“Nobelium” is at it again. Again. This time, Microsoft tells is the hack­ers some­how hacked a Microsoft agent who had access to Microsoft cus­tomer sup­port tools with sub­scrip­tion infor­ma­tion. Of course, we’ve already been told about how the Solar­Winds hack­ers stole code involv­ing how Microsoft tools ver­i­fy iden­ti­ties, and the same hack­ers report­ed­ly pulled this hack off. So it’s not hard to imag­ine some of those stolen insights were used to car­ry out this hack. But we aren’t told much else from Microsoft oth­er than that it was def­i­nite­ly the Solar­Winds hack­ers who are def­i­nite­ly work­ing for the Russ­ian state. Of that they are sure. Always and for­ev­er, except when it’s Chi­na.

* July 4, 2021 [45]: Solar­Winds: How Russ­ian spies hacked the Jus­tice, State, Trea­sury, Ener­gy and Com­merce Depart­ments [46]:

Less than two weeks lat­er, CBS has an arti­cle with more inter­views of fig­ures involved with the Solar­Winds hack inves­ti­ga­tion, includ­ing Brad Smith, pres­i­dent of Microsoft. Smith points to the list of US gov­ern­ment agen­cies hit by the hack and insists that means it was a for­eign intel­li­gence col­lec­tion mis­sion (which ignores the oth­er 18,000 large­ly com­mer­cial group of vic­tims also hit). The piece reveals that the Solar­Winds hack­ers were on US fed­er­al net­works read­ing emails and oth­er traf­fic for months.

It ends an inter­view of Jon Miller, who runs a com­pa­ny Bold­end, that sells cut­ting-edge cyber weapons to US intel­li­gence agen­cies. Miller observes that the notable thing about the Solar­Winds hack was­n’t the sophis­ti­ca­tion. He builds things much more sophis­ti­cat­ed (pre­sum­ably for his US intel­li­gence clients). Instead, what makes this attack stand out is how aggres­sive it was. It’s the kind of assess­ment that sug­gests a lot of dif­fer­ent actors could have pulled this attack of for some time and some­one final­ly did it.

Miller also reminds us of anoth­er cru­cial aspect of both the Solar­Winds and Exchange mega-hacks: It would be triv­ial to turn those back­doors into dig­i­tal bombs that destroy vic­tim net­works. In oth­er words, these mega-hacks could have been A LOT more dam­ag­ing had the hack­ers want­ed them to be. And since the hack­ers like embed­ded them­selves in vic­tim net­works in ways not yet detect­ed, they could decide to unleash those dig­i­tal bombs in the future if they choose to in the future.

* July 15, 2021 [47]: Microsoft says Israeli group sold tools to hack Windows [48]:

Citizen Lab put out a report on an Israeli commercial hacking group behind malware discovered targeting Windows. But Candiru’s toolkit doesn’t just hit Microsoft products. It appears to be the same company to which Google had just attributed a set of additional zero-day exploits targeting Google’s products, exploits that Citizen Lab also connected to Candiru. So Microsoft and Google both announced the discovery of Candiru zero-day exploits at roughly the same time.

* July 15, 2021 [49]: Microsoft says it blocked spying on rights activists, others [50]:

In some more reporting on Candiru, we learn that the company goes by several names. We also learn that its spyware “infrastructure” includes websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.

* July 15, 2021 [51]: Safari Zero-Day Used in Malicious LinkedIn Campaign [52]:

More on Google’s Threat Assessment Group (TAG) security announcement. A Russian-language group was exploiting a vulnerability in the Safari browser on iOS systems. Malicious links that exploited the vulnerability were being sent to Western European government officials through LinkedIn’s direct message app. It is noted that the malicious link campaign coincided with “Nobelium’s” USAID phishing campaign in May targeting Windows devices.

In the same report, Google’s TAG announced a new exploit it discovered that was used against Armenian activists in April: a zero-day exploit against Microsoft’s Internet Explorer.

The TAG team also announced three new zero-day exploits attributed to an unnamed “commercial surveillance vendor” (Candiru). Two vulnerabilities in Google’s Chrome and one in Microsoft’s Internet Explorer. These exploits were also used against Armenian targets, but we are told that this was a separate campaign from the other Armenian hack, with one of the Chrome exploits discovered in February and the second in June.

Finally, the article notes that security researchers had identified 33 zero-day vulnerabilities up to that point in 2021, which is 11 more than the 22 total found in 2020. That’s triple the rate of the previous year, which itself was a record year.

* July 17, 2021 [53]: Israeli Companies Aided Saudi Spying Despite Khashoggi Killing [54]:

NSO Group’s recent headache has begun. The New York Times has an update on NSO Group and long-standing questions about the extent to which the license given to countries to buy NSO Group’s super-spyware is used as a tool of Israel’s foreign policy. It’s a question that relates to more than NSO Group, but to the entire Israeli ‘commercial surveillance’ industry that governments around the world turn to. As we should have expected, it turns out the super-spyware suites like NSO Group’s Pegasus software aren’t just super-spyware suites. They’re also diplomatic tools for the Israeli government. And that means sometimes NSO Group might effectively be forced to keep selling to clients like Saudi Arabia even when its relationship with those clients becomes toxic. That’s apparently what happened following the Saudi government’s assassination of Jamal Khashoggi. NSO Group canceled the Saudi contract only to be pressured by the Israeli government to renew it. NSO Group was ultimately sold to new private equity owners and proceeded to renew the Saudi contract.

But the NSO Group reveals a far more legitimate excuse for its apparent negligence in regulating its super-spyware: the Israeli government approves of these sales. If you want a subscription for Pegasus, you better make sure you’re on at least decent terms with the Israeli government. It’s pretty

* July 18, 2021 [55]: Private Israeli spyware used to hack cellphones of journalists, activists worldwide [56]:

The Washington Post follows up with a huge report that confirmed a bunch of other things that have been suspected about NSO Group: people have long accused the company of not having any safeguards to ensure the super-spyware it sells to governments around the world is only used to track ‘terrorists and criminals’. And, yep, there are basically no safeguards. It’s up to the government to promise not to abuse the super-spyware. Although there are geographic limitations. The spyware was configured to not work on US-based smartphones and could be limited to certain countries. But how it was used inside those approved geographic areas was up to the governments. In other words, Pegasus was abused. A lot. At least that’s according to an investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International.

How much abuse of NSO Group’s super-spyware has been taking place? Well, this report was based on thousands of leaked phone numbers that were purportedly the target phone numbers of NSO Group’s feared Pegasus spyware. Almost unstoppable spyware suites that can hit almost any smartphone. And if those thousands of numbers really are an accurate target list, it was rampant abuse, with activists and rival politicians frequently on the target list. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves.

NSO Group’s defense against charges that it was knowingly allowing governments to abuse its super-spyware was to point out that the company doesn’t police how governments use its software. It really is up to the governments to police themselves, as confirmed by this study and the rampant abuse it reveals. It’s not actually a great defense if you think about it, but it gets better when you keep in mind this is all sanctioned and encouraged by the Israeli government (and probably the US government).

* July 19, 2021 [57]: Microsoft Exchange hack caused by China, US and allies say [58]:

The US formally accuses Chinese state-backed hackers of carrying out the Microsoft Exchange mega-hack. At the same time, the US Justice Department announced charges against four Chinese nationals who prosecutors said were working with China’s Ministry of State Security in a different hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. But beyond that, the US accused these state-backed Chinese hackers of carrying out ransomware and other for-profit extortion hacks for their own personal enrichment. In fact, an administration official told reporters that the formal attribution of the Exchange hack to China took this many months (recall Microsoft did it immediately) in part because of the ransomware and for-profit hacking operations. In other words, the hackers the US was accusing of working on behalf of the Chinese state were behaving like regular criminals. But we are nonetheless assured that, no, they were working for China. Dmitri Alperovitch — co-founder of CrowdStrike and the guy who pioneered the modern approach of making loud evidence-free hacking accusations against countries as a means of preventing future attacks [1] — expresses a sense of puzzlement that sanctions against China haven’t been declared yet.

* July 20, 2021 [59]: China says Microsoft hacking accusations fabricated by US and allies [60]:

The US’s allies (the UK, New Zealand, Australia, and the EU) join the US in jointly condemning China for the Microsoft Exchange mega-hack. Anonymous Western security sources tell reporters that they believe Hafnium knew Microsoft was going to plug the Exchange vulnerability and so shared it with other China-based hackers, culminating in the giant global smash-and-grab. It’s another indication that the Microsoft Exchange mega-hack has the appearance of being a criminal smash-and-grab event, and we are now told that this was all how China planned it to play out. And we are also told that Microsoft was about to plug this massive vulnerability but was thwarted by Chinese spies or something. The facts and details may change, but two things always stay the same: China did it and this definitely didn’t involve the SolarWinds hack.

* July 22, 2021 [61]: France’s Macron changes phone in light of Pegasus case [62]:

The NSO Group scandal gets extra awkward when Emmanuel Macron’s administration officially acknowledges that it changed Macron’s mobile phone and phone number after the number showed up on a list of potential targets for surveillance by Morocco in the report by Forbidden Stories and Amnesty International. Israel has formed an inter-ministerial team to look into the export licenses issued by the Defence Export Controls Agency (DECA). NSO Group continues to defend itself by reiterating that it doesn’t know the identities of the people targeted by Pegasus. The company can, however, retroactively acquire the target lists in the event of a complaint and unilaterally shut down the offending government’s subscription following an investigation. So oversight only happens if a complaint is issued over the abuse of the super-secret, difficult-to-find spyware. There presumably aren’t very many complaints.

*******************************

That’s the story we are being asked to buy. Or rather, those are the stories we are being asked to buy. Breaking stories about two record-breaking mega-hacks and revelatory stories about two cutting-edge ‘commercial surveillance vendors’ licensing and selling zero-day exploits around the world. Separate stories, at least that’s what we are told. The SolarWinds hack and the Microsoft Exchange hack are two completely separate hacks, one executed by Russia and the other by China. The fact that the SolarWinds hackers possessed Microsoft zero-day exploits and appeared to initiate the hack using those exploits is just ignored. The fact that no actual evidence indicates it was Russia or China behind the hacks is also just ignored. And the stories about a massive, powerful global “commercial surveillance” industry selling super-exploits to governments around the world are also just ignored. As are other government hacking toolkits like the CIA’s Vault7, which had features specifically designed to spoof the “pattern recognition” approach to cyberattribution. Ignore all that. It’s a faith-based attribution paradigm, ripe for bad-faith attributions.

FireEye Wakes Up to a “Red Team Tools” Nightmare. Which Could Become Everyone’s Nightmare

December 8, 2020, was a dark day for digital security. A worst case scenario was playing out in real-time. Someone hacked the security firm FireEye and stole its “Red Team” code suite. A toolkit of virtually all the most powerful known exploits. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally. FireEye wasn’t ready to name a culprit. But the FBI announced it was confident it was carried out by a nation-state, and while they wouldn’t name a specific nation it was pretty clear Russia was the prime suspect. No reasons for these suspicions are given [15]:

The New York Times

FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State

The Silicon Valley company said hackers — almost certainly Russian — made off with tools that could be used to mount new attacks around the world.

By David E. Sanger and Nicole Perlroth
Published Dec. 8, 2020 Updated Feb. 6, 2021

WASHINGTON — For years, the cybersecurity firm FireEye [63] has been the first call for government agencies and companies around the world who have been hacked by the most sophisticated attackers, or fear they might be.

Now it looks like the hackers [64] — in this case, evidence points to Russia’s intelligence agencies — may be exacting their revenge.

FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers [65] used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.

It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.’s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I.

The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world’s boldest breaches — its clients have included Sony and Equifax — declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls “Red Team tools.”

These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.

The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”

The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system. At a moment that the nation’s public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, it may have been a good time for those Russian agencies, which were involved in the 2016 election breaches, to turn their sights on other targets.

The hack was the biggest known theft of cybersecurity [66] tools since those of the National Security Agency were purloined in 2016 [67] by a still-unidentified group that calls itself the ShadowBrokers [68]. That group dumped the N.S.A.’s hacking tools online over several months, handing nation-states and hackers the “keys to the digital kingdom,” as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates — at a cost of more than $10 billion.

The N.S.A.’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons. FireEye’s Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.

Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.

“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”

A Chinese state-sponsored hacking group was previously caught using the N.S.A.’s hacking tools [69] in attacks around the world, ostensibly after discovering the N.S.A.’s tools on its own systems. “It’s like a no-brainer,” said Mr. Wardle.

The breach is likely to be a black eye for FireEye. Its investigators worked with Sony after the devastating 2014 attack [70] that the firm later attributed to North Korea. It was FireEye that was called in after the State Department and other American government agencies were breached by Russian hackers in 2015. And its major corporate clients include Equifax [71], the credit monitoring service that was hacked three years ago, affecting nearly half of the American population.

In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts.

“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” said Kevin Mandia, FireEye’s chief executive. (He was the founder of Mandiant, a firm that FireEye acquired in 2014 [72].)

But FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details were thin.

Mr. Mandia, a former Air Force intelligence officer, said the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” He said they appeared to be highly trained in “operational security” and exhibited “discipline and focus,” while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.

FireEye also published key elements of its “Red Team” tools so that others around the world would see attacks coming.

American investigators are trying to determine if the attack has any relationship to another sophisticated operation that the N.S.A. said Russia was behind in a warning issued on Monday. That gets into a type of software, called VM for virtual machines, which is used widely by defense companies and manufacturers. The N.S.A. declined to say what the targets of that attack were. It is unclear whether the Russians used their success in that breach to get into FireEye’s systems.

...

On Tuesday, Russia’s National Association for International Information Security held a forum with global security experts where Russian officials again claimed that there was no evidence its hackers were responsible for attacks that have resulted in American sanctions and indictments.

Security firms have been a frequent target for nation-states [73] and hackers, in part because their tools maintain a deep level of access to corporate and government clients all over the world. By hacking into those tools and stealing source code, spies and hackers can gain a foothold to victims’ systems.

McAfee, Symantec and Trend Micro were among the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security firm, was hacked by Israeli hackers in 2017 [74]. And in 2012, Symantec confirmed that a segment of its antivirus source code was stolen by hackers [75].

————

“FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State” by David E. Sanger and Nicole Perlroth; The New York Times; 12/08/2020 [15]

“FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers [65] used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.”

FireEye couldn’t say who penetrated their systems. But they nonetheless confidently state it was the work of “a nation with top-tier offensive capabilities,” an assertion ostensibly rooted in the sophisticated nature of the attack, the discipline of the attackers, and the number of never-before-seen techniques used by these unknown hackers. In other words, a guess made based on pattern recognition, and not an assertion made with real certainty. FireEye didn’t actually know this attack came from a nation with top-tier offensive capabilities when it made that statement. FireEye couldn’t have truly ruled out a private actor when it made that confident statement. Or a nation without top-tier capabilities that purchased those top-tier capabilities from a top-tier commercial malware provider like NSO Group. But making attributions in cyber attacks is a service FireEye provides. It points towards one of the fundamental binds the cybersecurity industry faces: their clients are paying for answers, whether answers are feasible or not.

And when the FBI turned the case over to its Russia specialists, and ‘confirmed’ the hack was the work of a state, it was pretty clear where the blame was ultimately going to go. That ‘confirmation’ was no doubt predicated in part on the sophistication of the hack. And yet the apparent prize of this hack was FireEye’s “Red Team” tool kit that replicated the most sophisticated hacking tools in the world. Or at least the most sophisticated known hacking tools seen in the wild. It’s implicitly obvious in this very hack that the possession of world-class hacking tools isn’t limited to major nation-states like the US, Russia, and China. Beyond that, we are told how the theft of the FireEye Red Team kit was highly useful to nation-states because it would give them plausible deniability by allowing them to carry out risky hacks without using their ‘zero-day’ exploits, using someone else’s tools instead. All of the details about this story point towards the hall-of-mirrors nature of cyberattribution investigations:

...
It was a stun­ning theft, akin to bank rob­bers who, hav­ing cleaned out local vaults, then turned around and stole the F.B.I.’s inves­tiga­tive tools. In fact, Fire­Eye said on Tues­day, moments after the stock mar­ket closed, that it had called in the F.B.I.

The $3.5 bil­lion com­pa­ny, which part­ly makes a liv­ing by iden­ti­fy­ing the cul­prits in some of the world’s bold­est breach­es — its clients have includ­ed Sony and Equifax — declined to say explic­it­ly who was respon­si­ble. But its descrip­tion, and the fact that the F.B.I. has turned the case over to its Rus­sia spe­cial­ists, left lit­tle doubt who the lead sus­pects were and that they were after what the com­pa­ny calls “Red Team tools.”

These are essen­tial­ly dig­i­tal tools that repli­cate the most sophis­ti­cat­ed hack­ing tools in the world. Fire­Eye uses the tools — with the per­mis­sion of a client com­pa­ny or gov­ern­ment agency — to look for vul­ner­a­bil­i­ties in their sys­tems. Most of the tools are based in a dig­i­tal vault that Fire­Eye close­ly guards.

The F.B.I. on Tues­day con­firmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assis­tant direc­tor of the F.B.I. Cyber Divi­sion, said, “The F.B.I. is inves­ti­gat­ing the inci­dent and pre­lim­i­nary indi­ca­tions show an actor with a high lev­el of sophis­ti­ca­tion con­sis­tent with a nation-state.

...

The N.S.A.’s tools were most like­ly more use­ful than FireEye’s since the U.S. gov­ern­ment builds pur­pose-made dig­i­tal weapons. FireEye’s Red Team tools are essen­tial­ly built from mal­ware that the com­pa­ny has seen used in a wide range of attacks.

Still, the advan­tage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.

“Hack­ers could lever­age FireEye’s tools to hack risky, high-pro­file tar­gets with plau­si­ble deni­a­bil­i­ty,” said Patrick War­dle, a for­mer N.S.A. hack­er who is now a prin­ci­pal secu­ri­ty researcher at Jamf, a soft­ware com­pa­ny. “In risky envi­ron­ments, you don’t want to burn your best tools, so this gives advanced adver­saries a way to use some­one else’s tools with­out burn­ing their best capa­bil­i­ties.

A Chi­nese state-spon­sored hack­ing group was pre­vi­ous­ly caught using the N.S.A.’s hack­ing tools [69] in attacks around the world, osten­si­bly after dis­cov­er­ing the N.S.A.’s tools on its own sys­tems. “It’s like a no-brain­er,” said Mr. War­dle.
...

And as the arti­cle reminds us, despite all hype about the ‘Shad­ow Bro­kers’ being a Russ­ian hack­er group, the glob­al com­mu­ni­ty has still nev­er tru­ly deter­mined their iden­i­ty. As is the case with near­ly all major hacks, the iden­ti­ties of the per­pe­tra­tors is ulti­mate­ly unknow­able based on the avail­able evi­dence:

...
The hack was the biggest known theft of cyber­se­cu­ri­ty [66] tools since those of the Nation­al Secu­ri­ty Agency were pur­loined in 2016 [67] by a still-uniden­ti­fied group that calls itself the Shad­ow­Bro­kers [68]. That group dumped the N.S.A.’s hack­ing tools online over sev­er­al months, hand­ing nation-states and hack­ers the “keys to the dig­i­tal king­dom,” as one for­mer N.S.A. oper­a­tor put it. North Korea and Rus­sia ulti­mate­ly used the N.S.A.’s stolen weapon­ry in destruc­tive attacks on gov­ern­ment agen­cies, hos­pi­tals and the world’s biggest con­glom­er­ates — at a cost of more than $10 bil­lion.
...

It’s also worth observ­ing how Fire­Eye was declar­ing that the attack­ers tai­lored their world-class capa­bil­i­ties specif­i­cal­ly to tar­get and attack Fire­Eye.” And yet, as we learn, this was­n’t a spe­cif­ic attack on Fire­Eye at all. It was an attack on Fire­Eye and Solar­Wind­s’s 18,000 oth­er cus­tomers. Fire­Eye was just a very juicy tar­get to pil­fer amongst the thou­sands the hack­ers had to choose from:

...
But Fire­Eye said it was still inves­ti­gat­ing exact­ly how the hack­ers had breached its most pro­tect­ed sys­tems. Details were thin.

Mr. Man­dia, a for­mer Air Force intel­li­gence offi­cer, said the attack­ers “tai­lored their world-class capa­bil­i­ties specif­i­cal­ly to tar­get and attack Fire­Eye.” He said they appeared to be high­ly trained in “oper­a­tional secu­ri­ty” and exhib­it­ed “dis­ci­pline and focus,” while mov­ing clan­des­tine­ly to escape the detec­tion of secu­ri­ty tools and foren­sic exam­i­na­tion. Google, Microsoft and oth­er firms that con­duct cyber­se­cu­ri­ty inves­ti­ga­tions said they had nev­er seen some of these tech­niques.

...

On Tues­day, Russia’s Nation­al Asso­ci­a­tion for Inter­na­tion­al Infor­ma­tion Secu­ri­ty held a forum with glob­al secu­ri­ty experts where Russ­ian offi­cials again claimed that there was no evi­dence its hack­ers were respon­si­ble for attacks that have result­ed in Amer­i­can sanc­tions and indict­ments.

Secu­ri­ty firms have been a fre­quent tar­get for nation-states [73] and hack­ers, in part because their tools main­tain a deep lev­el of access to cor­po­rate and gov­ern­ment clients all over the world. By hack­ing into those tools and steal­ing source code, spies and hack­ers can gain a foothold to vic­tims’ sys­tems.
...

Final­ly, note that Fire­Eye is far from the only cyber­se­cu­ri­ty firm to report hav­ing their code stolen by ‘a Russ­ian-speak­ing hack­er group’ last year. McAfee, Syman­tec, and Trend­Mi­cro all report­ed get­ting hit. Which mean the “Red Team code” kits from all those oth­er firms are also float­ing around out there. And in each case, it was “Russ­ian-speak­ing hack­ers”. Who­ev­er has been hack­ing these oth­er secu­ri­ty firms was been leav­ing Russ­ian lan­guage arti­facts in their mal­ware. It’s a thing:

...
McAfee, Syman­tec and Trend Micro were among the list of major secu­ri­ty com­pa­nies whose code a Russ­ian-speak­ing hack­er group claimed to have stolen last year. Kasper­sky, the Russ­ian secu­ri­ty firm, was hacked by Israeli hack­ers in 2017 [74]. And in 2012, Syman­tec con­firmed that a seg­ment of its antivirus source code was stolen by hack­ers [75].
...

And yet, as we’re going to see, that’s not actually the case with the FireEye hack. No Russian language artifacts, or any other language artifacts, were left in the malware used to attack FireEye. And as we’re also going to see, this lack of language artifacts in the attack — no Cyrillic, Mandarin or Persian — came as an utter shock to the CrowdStrike figures tasked with studying the attack.

FireEye Didn’t Start the Fire. Welcome to the SolarWinds Nightmare. Brought to You by Cozy Bear, According to the FBI, although FireEye isn’t So Sure

The FireEye nightmare explodes into the far larger SolarWinds nightmare. It was determined that SolarWinds’s Orion update software delivered the malware onto FireEye’s systems. It’s the kind of ominous discovery that comes with the implication that the other 18,000 SolarWinds clients running the Orion software got hit too. Which is basically what happened.

We also got an early hint from SolarWinds about how the hack started in the first place: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.

And as we can see, the FBI was ready to name names from the very onset of this investigation. It took basically no time at all: APT29 aka Cozy Bear is at it again. That was the line from the FBI. The infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear), and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015 [13], was also behind the new SolarWinds mega-hack. No reasons for this attribution are given, of course [17]:

The Wash­ing­ton Post

Russ­ian gov­ern­ment hack­ers are behind a broad espi­onage cam­paign that has com­pro­mised U.S. agen­cies, includ­ing Trea­sury and Com­merce

By Ellen Nakashima and Craig Tim­berg
Decem­ber 14, 2020 at 11:30 a.m. EST

Russ­ian gov­ern­ment hack­ers breached the Trea­sury and Com­merce depart­ments, along with oth­er U.S. gov­ern­ment agen­cies, as part of a glob­al espi­onage cam­paign that stretch­es back months, accord­ing to peo­ple famil­iar with the mat­ter.

Offi­cials were scram­bling over the week­end to assess the nature and extent of the intru­sions and imple­ment effec­tive coun­ter­mea­sures, but ini­tial signs sug­gest­ed the breach was long-run­ning and sig­nif­i­cant, the peo­ple famil­iar with the mat­ter said.

The Russ­ian hack­ers, known by the nick­names APT29 or Cozy Bear, are part of that nation’s for­eign intel­li­gence ser­vice, the SVR, and they breached email sys­tems in some cas­es, said the peo­ple famil­iar with the intru­sions, who spoke on the con­di­tion of anonymi­ty because of the sen­si­tiv­i­ty of the mat­ter. The same Russ­ian group hacked the State Depart­ment and the White House email servers dur­ing the Oba­ma admin­is­tra­tion.

The FBI is inves­ti­gat­ing the cam­paign, which may have begun as ear­ly as spring, and had no com­ment Sun­day. The vic­tims have includ­ed gov­ern­ment, con­sult­ing, tech­nol­o­gy, tele­com, and oil and gas com­pa­nies in North Amer­i­ca, Europe, Asia and the Mid­dle East, accord­ing to Fire­Eye, a cyber firm that itself was breached.

The Russ­ian Embassy in Wash­ing­ton on Sun­day called the reports of Russ­ian hack­ing “base­less.” In a state­ment on Face­book it said, “attacks in the infor­ma­tion space con­tra­dict” Russ­ian for­eign pol­i­cy and nation­al inter­ests. “Rus­sia does not con­duct offen­sive oper­a­tions” in the cyber domain.

All of the orga­ni­za­tions were breached through the update serv­er of a net­work man­age­ment sys­tem made by the firm Solar­Winds, Fire­Eye said in a blog post Sun­day.

The fed­er­al Cyber­se­cu­ri­ty and Infra­struc­ture Secu­ri­ty Agency issued an alert Sun­day warn­ing about an “active exploita­tion” of the Solar­Winds Ori­on Plat­form, from ver­sions of the soft­ware released in March and June. “CISA encour­ages affect­ed orga­ni­za­tions to read the Solar­Winds and Fire­Eye advi­sories for more infor­ma­tion and FireEye’s GitHub page for detec­tion coun­ter­mea­sures,” the alert said.

Solar­Winds said Sun­day in a state­ment that mon­i­tor­ing prod­ucts it released in March and June of this year may have been sur­rep­ti­tious­ly weaponized in a “high­ly-sophis­ti­cat­ed, tar­get­ed . . . attack by a nation state.”

The com­pa­ny filed a doc­u­ment Mon­day with the Secu­ri­ties and Exchange Com­mis­sion say­ing that “few­er than 18,000” of its more than 300,000 cus­tomers may have installed a soft­ware patch enabling the Russ­ian attack. It was not clear, the fil­ing said, how many sys­tems were actu­al­ly hacked. The cor­po­rate fil­ing also said that Microsoft’s Office 365 email may have been “an attack vec­tor” used by the hack­ers.

Microsoft said in a blog post Sun­day that it had not iden­ti­fied any Microsoft prod­uct or cloud ser­vice vul­ner­a­bil­i­ties in its inves­ti­ga­tion of the mat­ter.

The scale of the Russ­ian espi­onage oper­a­tion appears to be large, said sev­er­al indi­vid­u­als famil­iar with the mat­ter. “This is look­ing very, very bad,” said one per­son. Solar­Winds prod­ucts are used by orga­ni­za­tions across the world [76]. They include all five branch­es of the U.S. mil­i­tary, the Pen­ta­gon, State Depart­ment, Jus­tice Depart­ment, NASA, the Exec­u­tive Office of the Pres­i­dent and the Nation­al Secu­ri­ty Agency, the world’s top elec­tron­ic spy agency, accord­ing to the firm’s web­site.

Its clients also include the top 10 U.S. telecom­mu­ni­ca­tions com­pa­nies.

“This is a big deal, and giv­en what we now know about where breach­es hap­pened, I’m expect­ing the scope to grow as more logs are reviewed,” said John Scott-Rail­ton, a senior researcher at Cit­i­zen Lab at the Uni­ver­si­ty of Toronto’s Munk School of Glob­al Affairs and Pub­lic Pol­i­cy. “When an aggres­sive group like this gets an open sesame to many desir­able sys­tems, they are going to use it wide­ly.”

Fire­Eye report­ed last week [77] that it was breached and that hack­ing tools it uses to test clients’ com­put­er defens­es were stolen. The Wash­ing­ton Post report­ed that APT29 was the group behind that hack. Fire­Eye and Microsoft, which were inves­ti­gat­ing the breach, dis­cov­ered the hack­ers were gain­ing access to vic­tims through updates to Solar­Winds’ Ori­on net­work mon­i­tor­ing soft­ware, Fire­Eye said in its blog post, [78] with­out pub­licly nam­ing the Rus­sians.

...

At Commerce, the Russians targeted the National Telecommunications and Information Administration, an agency that handles Internet and telecommunications policy, Reuters reported. They have also been linked to attempts to steal coronavirus [79] research.

In 2014 and 2015, the same group car­ried out a wide-rang­ing espi­onage cam­paign that tar­get­ed thou­sands of orga­ni­za­tions, includ­ing gov­ern­ment agen­cies, for­eign embassies, ener­gy com­pa­nies, telecom­mu­ni­ca­tions firms and uni­ver­si­ties.

As part of that oper­a­tion, it hacked the unclas­si­fied email sys­tems of the White House [80], the Pentagon’s Joint Chiefs of Staff and the State Depart­ment.

“That was the first time we saw the Rus­sians become much more aggres­sive, and instead of sim­ply fad­ing away like ghosts when they were detect­ed, they actu­al­ly con­test­ed access to the net­works,” said Michael Daniel, who was White House cyber­se­cu­ri­ty coor­di­na­tor at the time.

One of its vic­tims in 2015 was the Demo­c­ra­t­ic Nation­al Com­mit­tee. But unlike a rival Russ­ian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen mate­r­i­al. In 2016, the GRU mil­i­tary spy agency leaked hacked emails to the online anti-secre­cy orga­ni­za­tion Wik­iLeaks in an oper­a­tion that dis­rupt­ed the Democ­rats’ nation­al con­ven­tion in the midst of the pres­i­den­tial cam­paign.

The SVR, by con­trast, gen­er­al­ly steals infor­ma­tion for tra­di­tion­al espi­onage pur­pos­es, seek­ing secrets that might help the Krem­lin under­stand the plans and motives of politi­cians and pol­i­cy­mak­ers. Its oper­a­tors also have filched indus­tri­al data and hacked for­eign min­istries.

Because the Oba­ma admin­is­tra­tion saw the APT29 oper­a­tion as tra­di­tion­al espi­onage, it did not con­sid­er tak­ing puni­tive mea­sures, said Daniel, who is now pres­i­dent and chief exec­u­tive of the Cyber Threat Alliance, an infor­ma­tion-shar­ing group for ­cyber­se­cu­ri­ty com­pa­nies.

“It was infor­ma­tion col­lec­tion, which is what nation states — includ­ing the Unit­ed States — do,” he said. “From our per­spec­tive, it was more impor­tant to focus on shoring up defens­es.”

But Chris Painter, State Depart­ment cyber coor­di­na­tor in the Oba­ma admin­is­tra­tion, said even if the Russ­ian cam­paign is strict­ly about espi­onage and there’s no norm against spy­ing, if the scope is broad there should be con­se­quences. “We just don’t have to sit still for it and say ‘good job,’ ” he said.

Sanc­tions might be one answer, espe­cial­ly if done in con­cert with allies who were sim­i­lar­ly affect­ed, he said. “The prob­lem is there’s not even been con­dem­na­tion from the top. Pres­i­dent Trump hasn’t want­ed to say any­thing bad to Rus­sia, which only encour­ages them to act irre­spon­si­bly across a wide range of activ­i­ties.”

At the very least, he said, “you’d want to make clear to [Russ­ian Pres­i­dent Vladimir] Putin that this is unac­cept­able — the scope is unac­cept­able.”

So far there is no sign that the cur­rent cam­paign is being waged for pur­pos­es of leak­ing infor­ma­tion or for dis­rup­tion of crit­i­cal infra­struc­ture, such as elec­tric grids.

Solar­Winds’ mon­i­tor­ing tool has extreme­ly deep “admin­is­tra­tive” access to a network’s core func­tions, which means that hack­ing the tool would allow the Rus­sians to freely root around vic­tims’ sys­tems.

APT29 com­pro­mised Solar­Winds so that any time a cus­tomer checked in to request an update, the Rus­sians could hitch a ride on the weaponized update to get into a victim’s sys­tem. Fire­Eye dubbed the mal­ware that the hack­ers used “Sun­burst.”

“Mon­day may be a bad day for lots of secu­ri­ty teams,” tweet­ed Dmitri Alper­ovitch [81], a cyber­se­cu­ri­ty expert and founder of the Sil­ver­a­do Pol­i­cy Accel­er­a­tor think tank.

———–

“Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce” by Ellen Nakashima and Craig Timberg; The Washington Post; 12/14/2020 [17]

“The Russ­ian hack­ers, known by the nick­names APT29 or Cozy Bear, are part of that nation’s for­eign intel­li­gence ser­vice, the SVR, and they breached email sys­tems in some cas­es, said the peo­ple famil­iar with the intru­sions, who spoke on the con­di­tion of anonymi­ty because of the sen­si­tiv­i­ty of the mat­ter. The same Russ­ian group hacked the State Depart­ment and the White House email servers dur­ing the Oba­ma admin­is­tra­tion.”

Less than a week after the FireEye nightmare hack was first announced to the world, we learn it was just one part of a much larger SolarWinds nightmare. A global espionage campaign that seemingly targeted US government agencies. And the US government had already determined the culprit: APT29/Cozy Bear was behind it. That’s the word we were getting from anonymous sources tied to the investigation. It was definitely Russia that had thoroughly hacked the US government’s networks starting in March of 2020 and had been reading all those government emails and routing through US government networks this whole time:

...
The fed­er­al Cyber­se­cu­ri­ty and Infra­struc­ture Secu­ri­ty Agency issued an alert Sun­day warn­ing about an “active exploita­tion” of the Solar­Winds Ori­on Plat­form, from ver­sions of the soft­ware released in March and June. “CISA encour­ages affect­ed orga­ni­za­tions to read the Solar­Winds and Fire­Eye advi­sories for more infor­ma­tion and FireEye’s GitHub page for detec­tion coun­ter­mea­sures,” the alert said.

Solar­Winds said Sun­day in a state­ment that mon­i­tor­ing prod­ucts it released in March and June of this year may have been sur­rep­ti­tious­ly weaponized in a “high­ly-sophis­ti­cat­ed, tar­get­ed . . . attack by a nation state.”

...

Solar­Winds’ mon­i­tor­ing tool has extreme­ly deep “admin­is­tra­tive” access to a network’s core func­tions, which means that hack­ing the tool would allow the Rus­sians to freely root around vic­tims’ sys­tems.
...

And note this ominous early detail: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. Now, it’s important to note that this language is somewhat vague as to whether Microsoft’s Office 365 was used in the initial attack to infect the SolarWinds network or was used after the SolarWinds hack to further exploit the networks of the 18,000 victims. But as we’re going to see, SolarWinds does confirm two months later that, yes, this Microsoft Office 365 email vulnerability was used in the initial hack of the SolarWinds network:

...
The com­pa­ny filed a doc­u­ment Mon­day with the Secu­ri­ties and Exchange Com­mis­sion say­ing that “few­er than 18,000” of its more than 300,000 cus­tomers may have installed a soft­ware patch enabling the Russ­ian attack. It was not clear, the fil­ing said, how many sys­tems were actu­al­ly hacked. The cor­po­rate fil­ing also said that Microsoft’s Office 365 email may have been “an attack vec­tor” used by the hack­ers.

Microsoft said in a blog post Sun­day that it had not iden­ti­fied any Microsoft prod­uct or cloud ser­vice vul­ner­a­bil­i­ties in its inves­ti­ga­tion of the mat­ter.
...

Finally, observe how similar the narrative we’re hearing now is to exactly what we heard from the US government in 2016 following the remarkably ‘aggressive’ and ‘noisy’ second hack of the DNC that we are told was executed by ‘Fancy Bear’ of Russia’s GRU. Recall how, back in late July 2016, US investigators were suggesting Fancy Bear was trying to get caught in the DNC hack. That was the explanation given for the notable apparent lack of sophistication in the hack, which was seen as very different from previous hacks attributed to Fancy Bear [82]. So now we’re more or less hearing the same story in relation to Cozy Bear: this hack was highly uncharacteristic for Cozy Bear in the sense that the hackers actively fought to maintain their grip on the networks even after being caught. But we are nonetheless assured it’s Cozy Bear:

...
As part of that oper­a­tion, it hacked the unclas­si­fied email sys­tems of the White House [80], the Pentagon’s Joint Chiefs of Staff and the State Depart­ment.

“That was the first time we saw the Rus­sians become much more aggres­sive, and instead of sim­ply fad­ing away like ghosts when they were detect­ed, they actu­al­ly con­test­ed access to the net­works,” said Michael Daniel, who was White House cyber­se­cu­ri­ty coor­di­na­tor at the time.

One of its vic­tims in 2015 was the Demo­c­ra­t­ic Nation­al Com­mit­tee. But unlike a rival Russ­ian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen mate­r­i­al. In 2016, the GRU mil­i­tary spy agency leaked hacked emails to the online anti-secre­cy orga­ni­za­tion Wik­iLeaks in an oper­a­tion that dis­rupt­ed the Democ­rats’ nation­al con­ven­tion in the midst of the pres­i­den­tial cam­paign.

The SVR, by con­trast, gen­er­al­ly steals infor­ma­tion for tra­di­tion­al espi­onage pur­pos­es, seek­ing secrets that might help the Krem­lin under­stand the plans and motives of politi­cians and pol­i­cy­mak­ers. Its oper­a­tors also have filched indus­tri­al data and hacked for­eign min­istries.
...

They weren’t behaving like Cozy Bear, which has never been known to behave this aggressively before. But it was definitely Cozy Bear. That’s what the US was confidently stating less than a week after the FireEye hack was disclosed. Yet FireEye wasn’t convinced. It’s one of the many data points pointing in the direction of contemporary cyber attributions being mostly just made-up, convenient narratives [19]:

Bloomberg Quint

Fire­Eye Dis­cov­ered Solar­Winds Breach While Prob­ing Own Hack

Kar­tikay Mehro­tra
Pub­lished Dec 15 2020, 7:32 AM
Updat­ed Dec 16 2020, 7:25 AM

(Bloomberg) — When Fire­Eye Inc. dis­cov­ered that it was hacked this month, the cyber­se­cu­ri­ty firm’s inves­ti­ga­tors imme­di­ate­ly set about try­ing to fig­ure out how attack­ers got past its defens­es.

It wasn’t just Fire­Eye that got attacked, they quick­ly found out. Inves­ti­ga­tors dis­cov­ered a vul­ner­a­bil­i­ty in a prod­uct made by one of its soft­ware providers, Texas-based Solar­Winds Corp.

“We looked through 50,000 lines of source code, which we were able to deter­mine there was a back­door with­in Solar­Winds,” said Charles Car­makal, senior vice pres­i­dent and chief tech­ni­cal offi­cer at Man­di­ant, FireEye’s inci­dent response arm.

After dis­cov­er­ing the back­door, Fire­Eye con­tact­ed Solar­Winds and law enforce­ment, Car­makal said.

...

Nation­al Secu­ri­ty Advi­sor Robert O’Brien cut short a trip [83] to the Mid­dle East and Europe to deal with the hack of U.S. gov­ern­ment agen­cies. And Sen­a­tor Richard Blu­men­thal, Demo­c­rat from Con­necti­cut, said a clas­si­fied brief­ing on “Russia’s cyber-attack left me deeply alarmed, in fact down­right scared.”
The hack­ers who attacked Fire­Eye stole sen­si­tive tools that the com­pa­ny uses to find vul­ner­a­bil­i­ties in clients’ com­put­er net­works. While the hack on Fire­Eye was embar­rass­ing for a cyber­se­cu­ri­ty firm, Car­makal argued that it may prove to be a cru­cial mis­take for the hack­ers.

“If this actor didn’t hit Fire­Eye, there is a chance that this cam­paign could have gone on for much, much longer,” Car­makal said. “One sil­ver lin­ing is that we learned so much about how this threat actor works and shared it with our law enforce­ment, intel­li­gence com­mu­ni­ty and secu­ri­ty part­ners.” Car­makal said there is no evi­dence FireEye’s stolen hack­ing tools were used against U.S. gov­ern­ment agen­cies.

“There will unfor­tu­nate­ly be more vic­tims that have to come for­ward in the com­ing weeks and months,” he said. While some have attrib­uted the attack to a state-spon­sored Russ­ian group known as APT 29, or Cozy Bear, Fire­Eye had not yet seen suf­fi­cient evi­dence to name the actor, he said. A Krem­lin offi­cial denied that Rus­sia had any involve­ment.

...

Car­makal said the hack­ers took advanced steps to con­ceal their actions. “Their lev­el of oper­a­tional secu­ri­ty is tru­ly excep­tion­al,” he said, adding that the hack­ers would oper­ate from servers based in the same city as an employ­ee they were pre­tend­ing to be in order to evade detec­tion.

...

———–

“Fire­Eye Dis­cov­ered Solar­Winds Breach While Prob­ing Own Hack” by Kar­tikay Mehro­tra; Bloomberg Quint; 12/15/2020 [19]

““There will unfor­tu­nate­ly be more vic­tims that have to come for­ward in the com­ing weeks and months,” he said. While some have attrib­uted the attack to a state-spon­sored Russ­ian group known as APT 29, or Cozy Bear, Fire­Eye had not yet seen suf­fi­cient evi­dence to name the actor, he said. A Krem­lin offi­cial denied that Rus­sia had any involve­ment.”

That early hesitancy on FireEye’s part to name a culprit due to a lack of evidence is going to be important to keep in mind. Because as we see in an NPR article from April of 2021, four months after the attack, no new conclusive information about the hackers had emerged [7]. No clue that could positively identify the hackers, and not even the joke ‘clues’ like Cyrillic or Mandarin characters. Nothing. The big shock expressed by Adam Meyers of CrowdStrike — the figure who led the early investigation of the SolarWinds hack — was that there wasn’t any ‘cultural artifact’ like Cyrillic or Mandarin. And yet we’re going to hear assertion after assertion that this was the work of Russian government hackers. Never an explanation why.

Is this the SolarWinds Mega-Hack? Or the Microsoft Mega-hack?

Similarly, note how SolarWinds was pointing a finger at a vulnerability in Microsoft’s Office 365 email as being a vector in the hack, and yet Microsoft was vociferously denying that a vulnerability in its own products played a role at all. As we’ll see [25], there’s never an explanation. Just faith. Faith in Microsoft. Faith that was again tested days after the initial disclosure of the hack when SolarWinds revealed more details on the nature of the Microsoft exploits used by the hackers. Somehow the hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and creating password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft Exchange mega-hack announced in March was targeting the non-cloud, self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrated an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as that used to execute the Microsoft Exchange mega-hack, but awfully close. And yet we will be repeatedly assured by Microsoft that the Microsoft Exchange hack was carried out by China and not at all connected to the SolarWinds hack or “commercial surveillance vendors”. That’s part of what makes these early disclosures by Microsoft itself, that the SolarWinds hackers demonstrated a remarkable ability to manipulate Microsoft system credentials, so significant. These are disclosures Microsoft seems to want to forget as this looks more and more like a Microsoft mega-hack [21]:

CRN

Microsoft’s Role In Solar­Winds Breach Comes Under Scruti­ny

By Michael Novin­son
Decem­ber 15, 2020, 05:18 PM EST

Microsoft has become ensnared in probes sur­round­ing the recent­ly dis­closed colos­sal U.S. gov­ern­ment hack [84], with media reports and com­pa­ny mes­sages focus­ing on Office 365, Azure Active Direc­to­ry and a key domain name.

Two key vic­tims in the mas­sive nation-state hack­ing cam­paign report­ed­ly had their Microsoft Office 365 accounts bro­ken into. The Russ­ian intel­li­gence ser­vice hack­ers for months mon­i­tored staff emails sent via Office 365 at the Com­merce Department’s Nation­al Telecom­mu­ni­ca­tions and Infor­ma­tion Admin­is­tra­tion (NTIA) after break­ing into the NTIA’s office soft­ware, Reuters report­ed Sun­day.

The hack­ers are “high­ly sophis­ti­cat­ed” and were able to trick the Microsoft platform’s authen­ti­ca­tion con­trols [85], accord­ing to Reuters, cit­ing a per­son famil­iar with the inci­dent. The Com­merce Depart­ment said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.

Microsoft didn’t provide an on-the-record response to CRN questions about whether the company itself was breached as part of this campaign, and how significant Microsoft’s technology was in the hackers’ ability to exploit customers. Microsoft said in a blog post Sunday [86] that its investigations haven’t identified any Microsoft product or cloud service vulnerabilities. Once an attacker has compromised a target network, they potentially have access to a range of systems, according to a source familiar with the situation.

On Mon­day, Solar­Winds said it was made aware of an attack vec­tor that was used to com­pro­mise the company’s Microsoft Office 365 emails [87], accord­ing to a fil­ing with the U.S. Secu­ri­ties and Exchange Com­mis­sion (SEC). Hack­ers had gained access to numer­ous pub­lic and pri­vate orga­ni­za­tions through tro­janized updates to Solar­Winds’ Ori­on net­work mon­i­tor­ing soft­ware, Fire­Eye said in a blog Sun­day.

That same attack vec­tor might have pro­vid­ed access to oth­er data con­tained in Solar­Winds’ Office 365 office pro­duc­tiv­i­ty tool, the com­pa­ny said. Solar­Winds said it’s prob­ing with Microsoft if any cus­tomer, per­son­nel or oth­er data was exfil­trat­ed as a result of this com­pro­mise, but hasn’t uncov­ered any evi­dence at this time of exfil­tra­tion.

“Solar­Winds, in col­lab­o­ra­tion with Microsoft, has tak­en reme­di­a­tion steps to address the com­pro­mise and is inves­ti­gat­ing whether fur­ther reme­di­a­tion steps are required, over what peri­od of time this com­pro­mise exist­ed and whether the com­pro­mise is asso­ci­at­ed with the attack on its Ori­on soft­ware build sys­tem,” the com­pa­ny wrote in its SEC fil­ing.

As for Azure, the hack­ers were able to forge a token [88] which claims to rep­re­sent a high­ly priv­i­leged account in Azure Active Direc­to­ry (AD), the Microsoft Secu­ri­ty Research Cen­ter wrote in a blog Sun­day. The hack­ers could also gain admin­is­tra­tive Azure AD priv­i­leges with com­pro­mised cre­den­tials. Microsoft said this was par­tic­u­lar­ly like­ly if the account in ques­tion is not pro­tect­ed by mul­ti-fac­tor authen­ti­ca­tion.

“Hav­ing gained a sig­nif­i­cant foothold in the on-premis­es envi­ron­ment, the actor has made mod­i­fi­ca­tions to Azure Active Direc­to­ry set­tings to facil­i­tate long term access,” the Microsoft Secu­ri­ty Research Cen­ter wrote.

The hack­ers were observed adding new fed­er­a­tion trusts to an exist­ing ten­ant or mod­i­fy­ing the prop­er­ties of an exist­ing fed­er­a­tion trust to accept tokens signed with hack­er-owned cer­tifi­cates, Microsoft said. They could also use their admin­is­tra­tor priv­i­leges to grant addi­tion­al per­mis­sions to the tar­get Appli­ca­tion or Ser­vice Prin­ci­pal, accord­ing to Microsoft.

Microsoft also observed the hack­ers adding pass­word cre­den­tials or x509 cer­tifi­cates to legit­i­mate process­es, grant­i­ng them the abil­i­ty to read mail con­tent from Exchange Online via Microsoft Graph or Out­look REST. Exam­ples of this hap­pen­ing include mail archiv­ing appli­ca­tions, the firm said. Per­mis­sions usu­al­ly, but not always, con­sid­ered only the app iden­ti­ty rather than the cur­rent user’s per­mis­sions.

And from a domain per­spec­tive, Microsoft on Mon­day took con­trol over a key domain name that was used by the Solar­Winds hack­ers to com­mu­ni­cate with sys­tems com­pro­mised by the back­door Ori­on prod­uct updates, Kreb­sOn­Se­cu­ri­ty report­ed Tues­day. Microsoft has a long his­to­ry of seiz­ing con­trol of domains involved with mal­ware, par­tic­u­lar­ly when those sites are being used to attack Win­dows clients.

Armed with that access, Kreb­sOn­Se­cu­ri­ty said Microsoft should soon have some idea which and how many Solar­Winds cus­tomers were affect­ed [89]. That’s because Microsoft now has insight into which orga­ni­za­tions have IT sys­tems that are still try­ing to ping the mali­cious domain, Kreb­sOn­Se­cu­ri­ty said.

“How­ev­er, because many Inter­net ser­vice providers and affect­ed com­pa­nies are already block­ing sys­tems from access­ing that mali­cious con­trol domain or have dis­con­nect­ed the vul­ner­a­ble Ori­on ser­vices, Microsoft’s vis­i­bil­i­ty may be some­what lim­it­ed,” Kreb­sOn­Se­cu­ri­ty cau­tioned.

...

———-

“Microsoft’s Role In Solar­Winds Breach Comes Under Scruti­ny” by Michael Novin­son; CRN; 12/15/2020 [21]

“Two key vic­tims in the mas­sive nation-state hack­ing cam­paign report­ed­ly had their Microsoft Office 365 accounts bro­ken into. The Russ­ian intel­li­gence ser­vice hack­ers for months mon­i­tored staff emails sent via Office 365 at the Com­merce Department’s Nation­al Telecom­mu­ni­ca­tions and Infor­ma­tion Admin­is­tra­tion (NTIA) after break­ing into the NTIA’s office soft­ware, Reuters report­ed Sun­day.

The ‘Russian hackers’ were reading government emails for months. And while we were being assured that it was Russia behind it, it’s worth keeping in mind that the idea of Russia reading these emails is actually far more reassuring than the idea of cybercriminals doing the same, because at least Russia is less inclined to sell or release the data. In other words, these early, aggressively confident attributions towards Russia aren’t just self-serving from the standpoint of aligning with US geopolitical interests. They’re also highly self-serving for Microsoft, SolarWinds, and the US government agencies that got hacked, by downplaying the potential implications of the hack.

Now note these early details of how Microsoft vulnerabilities were used in the attack. The hackers were tricking Microsoft’s authentication controls. They could forge authentication tokens enabling access to Microsoft’s cloud-based Azure services. But critically, they were gaining access to read mail content from Exchange Online, effectively demonstrating the ability to hack Microsoft’s cloud-based Exchange email servers. This is going to be an important detail to keep in mind as we read about the Microsoft Exchange server mega-hack disclosed in March:

...
The hack­ers are “high­ly sophis­ti­cat­ed” and were able to trick the Microsoft platform’s authen­ti­ca­tion con­trols [85], accord­ing to Reuters, cit­ing a per­son famil­iar with the inci­dent. The Com­merce Depart­ment said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.

...

As for Azure, the hack­ers were able to forge a token [88] which claims to rep­re­sent a high­ly priv­i­leged account in Azure Active Direc­to­ry (AD), the Microsoft Secu­ri­ty Research Cen­ter wrote in a blog Sun­day. The hack­ers could also gain admin­is­tra­tive Azure AD priv­i­leges with com­pro­mised cre­den­tials. Microsoft said this was par­tic­u­lar­ly like­ly if the account in ques­tion is not pro­tect­ed by mul­ti-fac­tor authen­ti­ca­tion.

...

Microsoft also observed the hack­ers adding pass­word cre­den­tials or x509 cer­tifi­cates to legit­i­mate process­es, grant­i­ng them the abil­i­ty to read mail con­tent from Exchange Online via Microsoft Graph or Out­look REST. Exam­ples of this hap­pen­ing include mail archiv­ing appli­ca­tions, the firm said. Per­mis­sions usu­al­ly, but not always, con­sid­ered only the app iden­ti­ty rather than the cur­rent user’s per­mis­sions.
...

And note that at this point Microsoft itself is also describing how it observed the hackers adding password credentials or x509 certificates to legitimate processes, enabling them to read emails. Microsoft’s own security researchers were telling us about this. And yet, as we’ll see in the articles below from February [27], Microsoft insists that vulnerabilities in its software played no role at all in the hack and that all such reports are misinformation.
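The three behaviours Microsoft described in the CRN passage quoted above (a federation trust added or altered to accept tokens signed with an attacker-owned certificate, extra permissions granted to an application or service principal, and a password or x509 credential added to a legitimate app identity such as a mail-archiving application) are the same ones the earlier paragraph summarised as "tricking Microsoft's authentication controls". Each of them leaves an entry in the Azure AD audit log, which is where a defender would look for them. What follows is an added detection example, not code from this post, from Microsoft or from any of the firms quoted here: it runs a watch list of those audit operations over a handful of constructed, simplified sample records and then correlates a credential-add with a permission grant on the same app by the same actor shortly afterwards. The operation names are the Azure AD audit activity names as I know them and should be checked against your own tenant's export; the field names (`time`, `operationName`, `initiatedBy`, `target`), the tenant and account names, and every record are constructed for the example and are not the real export schema.

```python
"""Triage Azure AD audit records for the app-identity and federation
persistence pattern described in the text. Added example; sample data
and field layout are constructed, not a real Azure AD export."""
import json
from datetime import datetime, timedelta

# Watch list keyed by the Azure AD audit-log activity name (assumed from
# the audit log as known to the author of this example; verify locally).
SUSPICIOUS_OPERATIONS = {
    "Set federation settings on domain":
        "federation trust changed; token-signing certificate may be attacker-owned",
    "Set domain authentication":
        "domain switched between managed and federated authentication",
    "Add service principal credentials":
        "password or x509 credential added to an application identity",
    "Add app role assignment to service principal":
        "application permission granted (e.g. mail read) to an app identity",
    "Consent to application":
        "admin consent granted to an application",
}

# Constructed sample records (simplified schema). Records 2 and 3 form the
# pattern from the text: a credential is added to a mail-archiving app and
# the same actor then grants it an application permission a minute later.
SAMPLE_AUDIT_LOG = """
{"time": "2020-12-01T09:12:00Z", "operationName": "Update user", "initiatedBy": "helpdesk@example.test", "target": "jdoe@example.test"}
{"time": "2020-12-01T09:40:11Z", "operationName": "Add service principal credentials", "initiatedBy": "globaladmin@example.test", "target": "MailArchiver"}
{"time": "2020-12-01T09:41:37Z", "operationName": "Add app role assignment to service principal", "initiatedBy": "globaladmin@example.test", "target": "MailArchiver"}
{"time": "2020-12-02T14:05:00Z", "operationName": "Set federation settings on domain", "initiatedBy": "globaladmin@example.test", "target": "example.test"}
{"time": "2020-12-03T08:00:00Z", "operationName": "Add member to group", "initiatedBy": "helpdesk@example.test", "target": "Finance"}
"""


def parse_audit_log(text):
    """Parse newline-delimited JSON records, converting the timestamp."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def flag_operations(records):
    """One finding per record whose operation is on the watch list."""
    return [
        {"time": r["time"], "actor": r["initiatedBy"], "target": r["target"],
         "operation": r["operationName"],
         "why": SUSPICIOUS_OPERATIONS[r["operationName"]]}
        for r in records if r["operationName"] in SUSPICIOUS_OPERATIONS
    ]


def find_credential_then_permission(records, window=timedelta(hours=24)):
    """Correlate a credential added to an app identity with a permission
    grant to the same app by the same actor within `window`. That pairing
    is what turns a dormant app registration into a mail-reading identity,
    so it deserves a higher severity than either event alone."""
    cred_adds = [r for r in records
                 if r["operationName"] == "Add service principal credentials"]
    grants = [r for r in records
              if r["operationName"] == "Add app role assignment to service principal"]
    hits = []
    for c in cred_adds:
        for g in grants:
            gap = g["time"] - c["time"]
            if (g["target"] == c["target"] and g["initiatedBy"] == c["initiatedBy"]
                    and timedelta(0) <= gap <= window):
                hits.append({"actor": c["initiatedBy"], "app": c["target"],
                             "credential_added": c["time"],
                             "permission_granted": g["time"]})
    return hits


def triage(text):
    """Run both checks over a raw audit-log export."""
    records = parse_audit_log(text)
    return {"flagged": flag_operations(records),
            "chains": find_credential_then_permission(records)}


if __name__ == "__main__":
    result = triage(SAMPLE_AUDIT_LOG)
    for f in result["flagged"]:
        print(f"{f['time']:%Y-%m-%d %H:%M} {f['actor']} -> {f['target']}: "
              f"{f['operation']} ({f['why']})")
    for c in result["chains"]:
        minutes = (c["permission_granted"] - c["credential_added"]).total_seconds() / 60
        print(f"CHAIN: {c['actor']} armed app '{c['app']}' within {minutes:.0f} min")
```

The watch list on its own is noisy in a tenant where administrators legitimately rotate app secrets, which is why the second check exists: a new credential followed within hours by a new application permission on the same identity, from the same account, is the sequence worth paging someone over, and the federation-settings change should be treated as an incident on its own regardless of what else the actor did.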

A week into the SolarWinds hack disclosure, the US Treasury Department gives an update. We’re told the department’s hack started in July. And in another indication that the hackers had the credentials needed to authenticate and extract data from Microsoft’s Office 365 email software, we’re told that’s exactly what they were doing on the Treasury’s network. So both SolarWinds and the US Treasury were giving us strong hints early on that the story of the SolarWinds mega-hack is the story of a still-unrecognized Microsoft mega-hack [23]:

The New York Times

Treasury Department’s Senior Leaders Were Targeted by Hacking

The disclosure was the first acknowledgment of a specific intrusion in the vast cyberattack. At the White House, national security leaders met to assess how to deal with the situation.

By David E. Sanger and Alan Rappeport
Published Dec. 21, 2020 Updated Jan. 6, 2021

WASHINGTON — The Russian hackers [90] who penetrated United States government agencies broke into the email system used by the Treasury Department’s most senior leadership, a Democratic member of the Senate Finance Committee said on Monday, the first detail of how deeply Moscow burrowed into the Trump administration’s networks.

In a statement after a briefing for committee staff members, Senator Ron Wyden of Oregon, who has often been among the sharpest critics of the National Security Agency and other intelligence agencies, said that the Treasury Department had acknowledged that “the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.”

The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.

The department learned of the breach not from any of the government agencies whose job is to protect against cyberattacks, but from Microsoft, which runs much of Treasury’s communications software, Mr. Wyden said. He said that “dozens of email accounts were compromised,” apparently including in what is called the departmental offices division, where the most senior officials operate.

“Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,” he said.

An aide to Mr. Wyden said the department’s officials indicated that Treasury Secretary Steven Mnuchin’s email account had not been breached.

The newest disclosures underscored the administration’s conflicting messages about the source of the attacks and the extent of the damage as more reports about the targets leak out. A Treasury Department spokeswoman did not immediately respond to a request for comment.

Mr. Mnuchin addressed the hacking earlier on Monday and said the department’s classified systems had not been breached.

“At this point, we do not see any break-in into our classified systems,” he said in an interview with CNBC. “Our unclassified systems did have some access.”

Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry.

“I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.

His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.

“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.

Mr. Mnuchin was among several top officials in the government who met with national security officials for the first time at the White House on Monday to assess the damage and discuss how to deal with it.

The meeting was a principals committee session led by Robert C. O’Brien, the national security adviser. It was held two days after Mr. Trump said the attack on federal networks was “under control,” [91] was being exaggerated by the news media and might have been carried out by China rather than Russia, which has been identified by intelligence agencies, other government officials and cybersecurity firms as the almost certain source of the hacking.

The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.

But on Monday there was no public declaration attributing the hacking to Russia, perhaps reflecting Mr. Trump’s reluctance to confront Moscow over the issue and the doubts he has expressed about the seriousness of the attack.

The meeting, according to one senior administration official, was intended to “take stock of the intelligence, the investigation and the actions being taken to remediate” the attack. Absent from that description was any preparation for imposing a cost on the attacker. Mr. Trump did not attend the meeting.

...

The list of attendees at the meeting was notable because it provided some indication of which parts of the government might have been affected. White House officials said Treasury Secretary Steven Mnuchin, Commerce Secretary Wilbur Ross, the acting homeland security secretary Chad F. Wolf and Energy Secretary Dan Brouillette were present. All of those agencies were previously identified by news organizations as targets of the hacking.

John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.

General Nakasone, an experienced cyberwarrior who is responsible for the defense of national security systems, has been silent since the hacking was revealed. At the N.S.A. and Cyber Command, officials said, there was extraordinary embarrassment that a private company, FireEye, had been the first to alert the government that it had been hacked.

According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network.

That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.

Formally determining who was responsible for a hacking like this one can be time-consuming work, though the administration did so twice in Mr. Trump’s first year in office, pointing to North Korea for the so-called WannaCry attack [92] on the British health care system and Russia for the “NotPetya” attack [93] that cost Maersk, Federal Express and other major corporations hundreds of millions of dollars [94].

In this case, officials say, a formal declaration of who was responsible for the attack — which is needed to start any form of retaliation — may not come until after Mr. Biden is inaugurated. That would leave the Trump administration to focus on damage control but skip the hard questions of how to deter Moscow from future attacks.

Capt. Katrina J. Cheesman, a spokeswoman for Cyber Command, said that so far the military had found “no evidence of compromises” in the Pentagon’s network. She said that parts of the Defense Department’s “software supply chain source have disclosed a vulnerability within their systems, but we have no indication the D.O.D. network has been compromised.”

———–

“Treasury Department’s Senior Leaders Were Targeted by Hacking” by David E. Sanger and Alan Rappeport; The New York Times; 12/21/2020 [23]

“The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.”

It’s the second early indication that the SolarWinds hackers have some advanced Microsoft email exploits: less than two weeks after the initial FireEye disclosure, the Treasury Department informs us that it was the manipulation of internal software keys that enabled access to the agency’s emails after the hackers entered the government networks via the SolarWinds backdoor. Specifically, Microsoft Office 365 identity tokens:

...
According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network.

That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.
...

So claims about Microsoft’s Office 365 email vulnerabilities being exploited as part of the SolarWinds hack were coming not just from SolarWinds itself but also from the US Treasury Department. Claims Microsoft continued to vociferously dispute for months.
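As an added example that is not part of the original post, a defender-side check for the forged-token scenario described in the Treasury reporting: sign-ins that Azure AD accepted on a federated SAML token are correlated with the on-premises AD FS token-issuance audit, and a token the farm never recorded issuing, or one whose validity window is far beyond policy, is flagged. The flattened record layouts, the one-hour lifetime policy, the five-minute correlation window and all names, addresses and timestamps are assumptions constructed for the example.

```python
"""
Correlates cloud sign-ins made with federated SAML tokens against the
on-premises AD FS token-issuance audit. A token that Azure AD accepted but
that AD FS never logged issuing is the signature of a token minted outside the
farm with the federation signing key; such tokens also tend to carry validity
periods far longer than the relying-party policy allows.

All records below are constructed. AD FS events are modeled on security audit
event 1200 ("The Federation Service issued a valid token"); cloud sign-ins on
Azure AD sign-in entries. Both are flattened to the few fields used here.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone

ADFS_TOKEN_ISSUED = 1200                   # AD FS audit event id: token issued
CORRELATION_WINDOW = timedelta(minutes=5)  # assumed clock skew plus log delay
MAX_TOKEN_LIFETIME = timedelta(hours=1)    # assumed relying-party token policy

# Constructed AD FS audit: two tokens issued during working hours.
ADFS_AUDIT = """\
{"time":"2020-07-08T13:02:10Z","eventId":1200,"user":"cfo@treasury.example","assertionId":"_a1"}
{"time":"2020-07-08T13:40:55Z","eventId":1200,"user":"analyst@treasury.example","assertionId":"_a2"}
"""

# Constructed Azure AD sign-ins: the first two match the AD FS audit; the
# third is a night-time token for the same executive that AD FS never issued,
# valid for a week instead of an hour.
CLOUD_SIGNINS = """\
{"time":"2020-07-08T13:02:14Z","user":"cfo@treasury.example","assertionId":"_a1","notBefore":"2020-07-08T13:02:10Z","notOnOrAfter":"2020-07-08T14:02:10Z","sourceIp":"203.0.113.10"}
{"time":"2020-07-08T13:41:00Z","user":"analyst@treasury.example","assertionId":"_a2","notBefore":"2020-07-08T13:40:55Z","notOnOrAfter":"2020-07-08T14:40:55Z","sourceIp":"203.0.113.11"}
{"time":"2020-07-09T02:17:33Z","user":"cfo@treasury.example","assertionId":"_zz9","notBefore":"2020-07-09T02:17:00Z","notOnOrAfter":"2020-07-16T02:17:00Z","sourceIp":"198.51.100.7"}
"""


def parse_time(value: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in both logs."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_jsonl(text: str) -> list[dict]:
    """Parse JSON-lines records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_unissued_tokens(adfs_events: list[dict], signins: list[dict],
                         max_lifetime: timedelta = MAX_TOKEN_LIFETIME) -> list[dict]:
    """Return one finding per federated sign-in that AD FS cannot account for
    or whose token lifetime exceeds policy."""
    issued = [(e["user"], e["assertionId"], parse_time(e["time"]))
              for e in adfs_events if e["eventId"] == ADFS_TOKEN_ISSUED]
    findings: list[dict] = []
    for s in signins:
        reasons = []
        seen_at = parse_time(s["time"])
        # Strongest match: AD FS logged this exact assertion for this user.
        exact = any(u == s["user"] and a == s["assertionId"] for u, a, _ in issued)
        # Weaker fallback for farms that do not log assertion ids: any
        # issuance for the user inside the correlation window.
        nearby = any(u == s["user"] and abs(t - seen_at) <= CORRELATION_WINDOW
                     for u, _, t in issued)
        if not exact and not nearby:
            reasons.append("no AD FS issuance event for this user and assertion")
        lifetime = parse_time(s["notOnOrAfter"]) - parse_time(s["notBefore"])
        if lifetime > max_lifetime:
            reasons.append(f"token lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append({"time": s["time"], "user": s["user"],
                             "assertionId": s["assertionId"],
                             "sourceIp": s["sourceIp"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_unissued_tokens(load_jsonl(ADFS_AUDIT), load_jsonl(CLOUD_SIGNINS)):
        print(f"{f['time']} {f['user']} from {f['sourceIp']}: " + "; ".join(f["reasons"]))
```

Only the third sign-in is reported, on both counts: no issuance event and a seven-day lifetime against a one-hour policy.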

And just note again how soon and how definitive the attributions to Russia were coming from the Trump administration: they couldn’t explain how the hackers evaded detection for months, but everyone was ready to join Mike Pompeo in declaring that Moscow was almost certainly behind it. No reasons are given. None are necessary. It’s just a given: if there’s a major hack that hits Western government agencies, it’s either Russia or China. Because of course it is. Who else could it be? It’s the unquestioned operating paradigm for contemporary cyberattribution:

...
Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry.

“I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.

His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.

“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.

...

The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.

...

John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
...

Keep in mind how disturbing these warnings about Microsoft vulnerabilities were at the time. We already knew by that point that someone had planted backdoors on 18,000 companies and organizations around the world, including numerous government agencies. But we didn’t necessarily know what the hackers could do on all those networks after they walked through the backdoors. Learning about these Microsoft exploits told us at least some of what they could do on those networks. And given how ubiquitous Microsoft’s software is in large organizations, it’s a safe assumption that a large number of those SolarWinds clients were running Microsoft services on those networks.

SolarWinds Update: ‘It Started with a Zero-Day Microsoft Exploit.’ Microsoft Counter-Update: ‘No it Didn’t.’ CISA Update: ‘It’s Not Just SolarWinds.’

It was early February, less than two months after the initial FireEye disclosure, when we got a confirmation of sorts on the question of whether the Microsoft Office 365 email vulnerability characterized as an “attack vector” by SolarWinds in December was actually used to execute the initial hack of SolarWinds. SolarWinds CEO Sudhakar Ramakrishna appeared to confirm that, yes, a Microsoft vulnerability was used in the initial hack of the SolarWinds Orion software developer. A zero-day vulnerability never seen before. Although SolarWinds didn’t identify the specific Office 365 vulnerability.

But we also got another update from Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency: roughly 30 percent of the victim organizations that found the backdoor malware on their network had no connection to SolarWinds. Other methods for creating backdoors were being deployed by these hackers. So we learn that the SolarWinds hack likely started with a Microsoft exploit and also that the hackers are infecting other networks through means other than the infected SolarWinds software. It’s not great news for Microsoft users [25]:

CRN

SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack

SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles.

By Michael Novinson
February 04, 2021, 07:28 AM EST

SolarWinds CEO Sudhakar Ramakrishna verified Wednesday “suspicious activity” in its Office 365 environment allowed hackers to gain access to and exploit the SolarWinds Orion development environment.

Hackers most likely entered SolarWinds’s environment through compromised credentials and/or a third-party application that capitalized on a zero-day vulnerability, Ramakrishna said [95].

“We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles,” he said in the blog post. “By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”

The beleaguered Austin, Texas-based IT infrastructure management vendor said a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.

By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.

SolarWinds’s investigation has not identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, he said Wednesday. A day earlier, Ramakrishna told The Wall Street Journal that one of several theories [96] the company was pursuing is that the hackers used an Office 365 account compromise as the initial point of entry into SolarWinds.

Microsoft declined to comment to CRN. Ramakrishna said SolarWinds has analyzed data from multiple systems and logs, including from our Office 365 and Azure tenants, as part of its investigation. The SolarWinds hack [97] is believed to be the work of the Russian foreign intelligence service.

“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products,” Ramakrishna wrote in a blog post Wednesday.

Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised [98] to infect other firms the way SolarWinds was.

SolarWinds’s investigations will be ongoing for at least several more weeks [99], and possibly months, due to the sophistication of the campaign and actions taken by the hackers to remove evidence of their activity, he said. SolarWinds has not determined the exact date hackers first gained unauthorized access to the company’s environment, though innocuous code changes were first made to Orion in October 2019.

The hackers deleted programs following use to avoid forensic discovery and masqueraded file names and activity to mimic legitimate applications and files, he said. The hackers had automated dormancy periods of two weeks or more prior to activation and utilized servers outside the monitoring authority of U.S. intelligence, he said.

...

———–

“SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack” by Michael Novinson; CRN; 02/02/2021 [25]

“By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.”

It’s more or less confirmed: the SolarWinds hack started with the exploitation of a vulnerability in Microsoft’s Office 365 email. The vulnerability gave the hackers access to the SolarWinds Orion software development environment. That’s where it all started.

Or at least that’s where the SolarWinds hack started. As they note, some 30 percent of the victims of this hack don’t actually have a direct connection to SolarWinds, raising the possibility that the SolarWinds hack is really part of an even larger hack being executed by a group of actors with numerous powerful Microsoft exploits. In other words, we might not be looking at the SolarWinds mega-hack but instead a Microsoft mega-hack that just includes a large SolarWinds component:

...
Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised [98] to infect other firms the way SolarWinds was.
...

So if 30 percent of the victims weren’t running SolarWinds’s Orion software, what was the attack vector in their cases? That’s a mystery, but we have a pretty obvious clue if the SolarWinds hack started with a Microsoft exploit. It’s no wonder Microsoft’s public relations team was in hyper-damage-control mode, denying all reports going back to December that its products played any role at all in the attack. Recall [21] how it was Microsoft’s own security team that was telling us back in December how the hackers were modifying credentials to read emails from Microsoft Exchange Online (the cloud Exchange service). But once it started looking like the SolarWinds mega-hack was really the Microsoft mega-hack, it was a complete denial from Microsoft. The company has nothing to do with any of this, and anyone saying anything to the contrary is misinterpreting or misreading the available data [27]:

CRN

Microsoft: No Evidence SolarWinds Was Hacked Via Office 365

‘The wording of the SolarWinds 8K [regulatory] filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,’ Microsoft said Thursday.

By Michael Novinson
February 05, 2021, 06:52 AM EST

Microsoft said its investigation hasn’t found any evidence that SolarWinds was attacked through Office 365, meaning the hackers gained privileged credentials in some other way.

The Redmond, Wash.-based software giant said a Dec. 14 regulatory filing [100] by SolarWinds gave the impression that SolarWinds was investigating an attack vector related to Microsoft Office 365. In the filing, SolarWinds said it’s aware of an attack vector [21] used to compromise the company’s Office 365 emails that may have provided access to other data contained in the company’s office productivity tools.

“The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,” the Microsoft Security Team wrote in a blog post Thursday.

SolarWinds’s investigation hasn’t identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, CEO Sudhakar Ramakrishna said Wednesday. A day earlier, he told The Wall Street Journal one of several theories the firm was pursuing is hackers used an Office 365 account compromise [96] as the initial point of entry into SolarWinds.

Ramakrishna said Wednesday that SolarWinds has confirmed suspicious activity related to its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles. By compromising the credentials of SolarWinds staff, he said the hackers were able to gain access to and exploit the SolarWinds development environment.

Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers [101], Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29.

In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues [98] to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.

...

Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds [102], with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.

“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday [103]. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”

Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code [104] in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.

The company also responded Thursday to criticism for not disclosing attack details as soon as Microsoft knew about them, saying that the company is restricted from sharing details in cases where Microsoft is providing investigative support to other organizations. In these types of engagements, Microsoft said the victim organizations have control in deciding what details to disclose and when to disclose them.

Investigators can additionally discover early indicators that require further research before they are actionable, Microsoft said. Taking the time to thoroughly investigate incidents is necessary to provide the best possible guidance to customers, partners, and the broader security community, Microsoft said.

...

———–

“Microsoft: No Evidence SolarWinds Was Hacked Via Office 365” by Michael Novinson; CRN; 02/05/2021 [27]

“‘The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,’ the Microsoft Security Team wrote in a blog post Thursday.”

The denials can’t get any stronger. A day after SolarWinds CEO Sudhakar Ramakrishna seemed to more or less publicly confirm that a vulnerability in Microsoft’s Office 365 email played a direct role in the initial attack, Microsoft reiterates that all reports of Microsoft vulnerabilities playing any role in the SolarWinds hack are unsubstantiated and false. That’s the line.

And note how the company acknowledges its products were hacked in many cases on the SolarWinds victims’ networks as part of the second phase of the hack, but Microsoft insists that the hackers gained privileged credentials in another way. Now, in fairness, it’s possible Microsoft systems could be hacked on client networks for reasons that have nothing to do with vulnerabilities in Microsoft’s code and are instead the fault of misconfigured software on the client end. But that’s what Microsoft was insisting at that point in early February, a day after SolarWinds’s CEO seemed to confirm a Microsoft Office 365 email exploit was used to initiate the hack and well after the US government confirmed the SolarWinds hackers used a Microsoft Office 365 email exploit during their plundering of the Treasury Department’s networks. The plausible deniability of Microsoft’s insistence that client configuration issues were the cause of the hacked Microsoft products was rapidly dwindling. Microsoft’s insistence held strong:

...
Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers [101], Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29.

In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues [98] to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.

...

Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds [102], with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.

“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday [103]. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”

Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code [104] in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.
...

“As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.” Have fun interpreting that one. But as a public statement, it sounds definitive. There were no Microsoft software vulnerabilities involved at all with the SolarWinds hack. Period. End of story.

Another Update from Microsoft: We Were Hacked and Our Source Code Was Viewed. Including for Microsoft Exchange. But Don’t Worry, Nothing was Compromised and Everything is Fine on Our End Now.

Two weeks later, the story got another update. From Microsoft: the SolarWinds hackers rooted around in Microsoft’s networks through January and managed to download some source code for its Azure, Exchange and Intune cloud-based products. Again, keep in mind that Microsoft will be forced to disclose the Microsoft Exchange mega-hack in a couple of weeks following this update, and in that new mega-hack it was the self-hosted, non-cloud version of Microsoft Exchange that got hacked. So the hackers stole code pretty closely related to the very system that got mega-hacked. We’re also going to learn that the Microsoft Exchange mega-hack apparently started in January, the same month the SolarWinds hackers were presumably (hopefully) kicked out of Microsoft’s networks. And we’ve already seen that the SolarWinds hackers have impressive never-before-seen abilities to trick Microsoft’s credential systems. That’s all part of what makes this latest update to the SolarWinds story so ominous: it sure seems like it’s related to the Microsoft Exchange mega-hack that Microsoft will disclose in March, even though Microsoft assures us it’s not and that it’s a completely separate hack by different Chinese hackers [29]:

CRN

SolarWinds Hackers Kept Going After Microsoft Until January

The SolarWinds hackers first viewed a file in a Microsoft source repository in November, and were able to download source code for its Azure, Exchange and Intune cloud-based products.

By Michael Novinson
February 19, 2021, 06:34 AM EST

The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised [104].

The likely Russian hackers first viewed a file in a Microsoft source repository in late November, and the Redmond, Wash.-based software giant detected unusual activity in some internal accounts the next month. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.

“A concerning aspect of this attack is that security companies were a clear target,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target.”

Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.

The search terms used by the SolarWinds hackers indicate they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance.

Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.

...

Microsoft said the SolarWinds hackers weren’t able to access its privileged credentials or leverage Security Access Markup Language (SAML) techniques against the company’s corporate domains. But outside of Microsoft, U.S. investigators said one of the principal ways the hacker has collected victim information is by compromising the SAML signing certificate using escalated Active Directory privileges.

Organizations that delegate trust to on-premises components in deployments that connect on-premises infrastructure and the cloud end up with an additional seam they need to secure, the MSRC wrote. As a result, if an on-premises environment is compromised, Microsoft said there’s an opportunity for hackers to target cloud services.

“When you rely on on-premises services, like authentication server, it is up to a customer to protect their identity infrastructure,” Jakkal wrote in her blog post [105]. “With a cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud.”

At the same time, Jakkal said the SolarWinds hackers took advantage of abandoned app accounts with no multi-factor authentication to access cloud administrative settings with high privilege. As organizations transition from implicit trust to explicit verification, Jakkal said they first must focus on protecting identities, especially privileged user accounts.

“Gaps in protecting identities (or user credentials) like weak passwords or lack of multifactor authentication are opportunities for an actor to find their way into a system, elevate their status, and move laterally across the environments targeting email, source code, critical databases and more,” Jakkal said.

The SolarWinds hackers tried and failed to get into CrowdStrike and read their emails via a Microsoft reseller’s Azure account that was responsible for managing CrowdStrike’s Microsoft Office licenses. If a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant, Microsoft said.

But the abuse of administrative access wouldn’t be a compromise of Microsoft’s services themselves, the company told CRN on Dec. 24.

———–

“SolarWinds Hackers Kept Going After Microsoft Until January” by Michael Novinson; CRN; 02/19/2021 [29]

“Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.”

It’s more than a little ominous. In February, weeks before the Microsoft Exchange mega-hack was disclosed, the company gave us an update on its SolarWinds investigation: source code was stolen. The source code involved the cloud-based versions of Azure, Intune, and Exchange. Sure, it sounds like it was only the self-hosted Exchange servers that got hit in the mega-hack, not the cloud-based Exchange systems. But when Microsoft admits the SolarWinds hackers obtained source code for Exchange’s cloud-based service, and then a couple of weeks later we’re told the largest hack on record took place when virtually all of Exchange’s self-hosted servers got hacked via a zero-day exploit, it’s kind of hard to avoid suspicions that the two events are related. And yet Microsoft assures us SolarWinds was the work of ‘Cozy Bear’ and the Exchange hack was from previously unknown Chinese state hackers. It’s all quite convenient for Microsoft. The kind of explanation that avoids a lot of messy questions:

...
The search terms used by the SolarWinds hackers indicate they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance.

Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
...
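The passage quoted above says Microsoft’s defence against the attackers’ repository searches was a policy that forbids secrets in source code, enforced by automated scanning. The following is an added illustration of what such a compliance check looks like; it is not Microsoft’s tooling or the page’s code, and the detector patterns, placeholder list and sample repository contents are all constructed for the example:

```python
"""Secrets-in-source compliance check (added example, constructed data).

Scans the text of repository files for the kinds of values the CRN excerpt
says the attackers were hunting for: API keys, credentials and tokens.
The pattern catalogue is illustrative; production scanners carry hundreds of
detectors and entropy checks on top of these shapes.
"""
import re
from typing import Dict, List, Tuple

# (rule name, regex). Shapes are generic; none of these is a real secret.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("private_key_block",
     re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("bearer_token",
     re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*", re.IGNORECASE)),
    # A secret-looking variable assigned a long quoted literal. Group 1 is the
    # literal so the placeholder filter can inspect it.
    ("hardcoded_secret_assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)"
        r"\s*[:=]\s*['\"]([^'\"]{12,})['\"]")),
]

# Documented placeholders that are allowed to appear in source (assumption).
PLACEHOLDERS = {"changeme", "your_api_key_here", "<redacted>"}


def is_placeholder(match: "re.Match[str]") -> bool:
    literal = (match.group(1) if match.lastindex else match.group(0)).lower()
    return any(p in literal for p in PLACEHOLDERS)


def redact(s: str) -> str:
    """Keep just enough of a match to locate it without re-leaking the value."""
    return s if len(s) <= 8 else s[:4] + "..." + s[-4:]


def scan_text(path: str, text: str) -> List[Dict[str, object]]:
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, rx in PATTERNS:
            for m in rx.finditer(line):
                if is_placeholder(m):
                    continue
                findings.append({"path": path, "line": lineno,
                                 "rule": rule, "snippet": redact(m.group(0))})
    return findings


def scan_repo(files: Dict[str, str]) -> List[Dict[str, object]]:
    """files maps repo-relative path -> file contents."""
    out: List[Dict[str, object]] = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


def policy_passes(files: Dict[str, str]) -> bool:
    """The gate a CI job or pre-commit hook would enforce."""
    return not scan_repo(files)


# Constructed sample repository: one placeholder (allowed), one hardcoded
# password, one access-key-shaped value and one private-key header.
SAMPLE_REPO = {
    "config/settings.py": (
        "API_KEY = 'your_api_key_here'\n"
        "DB_PASSWORD = 'c0nstructed-s3cret-value-42'\n"
    ),
    "deploy/creds.txt": (
        "aws_access_key_id = AKIACONSTRUCTED00001\n"
        "-----BEGIN RSA PRIVATE KEY-----\n"
    ),
    "README.md": "Set TOKEN in the environment; never commit it.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} [{f['rule']}] {f['snippet']}")
    print("policy passes:", policy_passes(SAMPLE_REPO))
```

The point the excerpt makes is that scanning has to cover historical branches as well as the current tree, so a check like this is run over every commit reachable in the repository, not only the working copy, and a hit in history is treated as a credential to rotate rather than a line to delete.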

But, again, keep in mind another major reason Microsoft might want to assure the world that it’s Russian and Chinese state actors who carried out these mega-hacks: state actors are far more likely to hack for espionage purposes. And when you hack for espionage purposes you probably won’t sell the information you stole. Criminal actors, on the other hand, have very different motivations. So for the general public, learning that Russia or China hacked into your organization is far less alarming than learning some elite criminal hacker group did it. Although, as we’ll see, the hackers we’re told are Chinese state hackers actually run their own personal for-profit ransom schemes.
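The CRN excerpt above names two identity-layer techniques: forging cloud access by compromising the on-premises SAML signing certificate with escalated Active Directory privileges, and abusing abandoned, MFA-less app accounts that hold high cloud privileges. As an added example (not from the page, CRN or Microsoft), here is the defender-side correlation a security operations team would run: cloud sign-ins that present a federated token are matched against the identity provider’s own issuance records, and privileged accounts are audited for missing MFA and long dormancy. The log schema, field names, certificate thumbprint and one-hour lifetime policy are all assumptions; real AD FS and Azure AD logs use different field names, and the records below are constructed.

```python
"""Golden-SAML style token correlation and privileged-account audit.

Added example with a constructed log schema. The idea: a federated token the
on-premises IdP never issued, one signed by a certificate other than the
federation trust's, or one with an implausibly long validity window is the
fingerprint of a token minted with a stolen signing certificate.
"""
from datetime import datetime, timedelta
from typing import Dict, List

# Thumbprint of the token-signing certificate configured on the federation
# trust (constructed value, not a real certificate).
EXPECTED_SIGNING_THUMBPRINT = "A1B2C3D4E5F60718293A4B5C6D7E8F9001122334"
MAX_TOKEN_LIFETIME = timedelta(hours=1)   # policy assumption
STALE_AFTER = timedelta(days=90)          # "abandoned" threshold, assumption


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def audit_federated_signins(idp_issued: List[Dict[str, str]],
                            cloud_signins: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag cloud sign-ins whose SAML assertion the IdP cannot vouch for."""
    issued_by_id = {rec["assertion_id"]: rec for rec in idp_issued}
    findings: List[Dict[str, object]] = []
    for s in cloud_signins:
        reasons: List[str] = []
        issued = issued_by_id.get(s["assertion_id"])
        if issued is None:
            reasons.append("no IdP issuance record for assertion")
        elif issued["subject"] != s["subject"]:
            reasons.append("subject differs from IdP issuance record")
        if s["signing_thumbprint"].upper() != EXPECTED_SIGNING_THUMBPRINT:
            reasons.append("token signed by unexpected certificate")
        lifetime = parse_ts(s["not_on_or_after"]) - parse_ts(s["not_before"])
        if lifetime > MAX_TOKEN_LIFETIME:
            reasons.append(f"token lifetime {lifetime} exceeds policy")
        if reasons:
            findings.append({"assertion_id": s["assertion_id"],
                             "subject": s["subject"], "reasons": reasons})
    return findings


def find_risky_privileged_accounts(accounts: List[Dict[str, object]],
                                   now: datetime) -> List[Dict[str, object]]:
    """Privileged accounts with no MFA, or dormant long enough to be forgotten."""
    risky: List[Dict[str, object]] = []
    for a in accounts:
        if not a["privileged"]:
            continue
        reasons: List[str] = []
        if not a["mfa_enforced"]:
            reasons.append("privileged account without MFA")
        if now - parse_ts(str(a["last_sign_in"])) > STALE_AFTER:
            reasons.append("no sign-in for more than 90 days (abandoned?)")
        if reasons:
            risky.append({"name": a["name"], "reasons": reasons})
    return risky


# Constructed records. Two legitimate assertions issued by the IdP, one token
# the IdP never issued (week-long lifetime), and one replay of a real assertion
# id signed with a different certificate.
IDP_ISSUED = [
    {"assertion_id": "_a1", "subject": "alice@corp.example", "issued_at": "2021-01-04T09:00:00Z"},
    {"assertion_id": "_a2", "subject": "bob@corp.example", "issued_at": "2021-01-04T09:05:00Z"},
]
CLOUD_SIGNINS = [
    {"assertion_id": "_a1", "subject": "alice@corp.example",
     "signing_thumbprint": EXPECTED_SIGNING_THUMBPRINT,
     "not_before": "2021-01-04T09:00:00Z", "not_on_or_after": "2021-01-04T10:00:00Z"},
    {"assertion_id": "_a2", "subject": "bob@corp.example",
     "signing_thumbprint": EXPECTED_SIGNING_THUMBPRINT,
     "not_before": "2021-01-04T09:05:00Z", "not_on_or_after": "2021-01-04T10:05:00Z"},
    {"assertion_id": "_zz9", "subject": "svc-admin@corp.example",
     "signing_thumbprint": EXPECTED_SIGNING_THUMBPRINT,
     "not_before": "2021-01-04T11:00:00Z", "not_on_or_after": "2021-01-11T11:00:00Z"},
    {"assertion_id": "_a2", "subject": "bob@corp.example",
     "signing_thumbprint": "DEADBEEF00000000000000000000000000000000",
     "not_before": "2021-01-04T09:05:00Z", "not_on_or_after": "2021-01-04T10:05:00Z"},
]
ACCOUNTS = [
    {"name": "legacy-sync-app", "privileged": True, "mfa_enforced": False,
     "last_sign_in": "2020-06-01T00:00:00Z"},
    {"name": "ga-alice", "privileged": True, "mfa_enforced": True,
     "last_sign_in": "2021-01-03T08:00:00Z"},
    {"name": "reader-bob", "privileged": False, "mfa_enforced": False,
     "last_sign_in": "2019-01-01T00:00:00Z"},
]

if __name__ == "__main__":
    for f in audit_federated_signins(IDP_ISSUED, CLOUD_SIGNINS):
        print(f["assertion_id"], f["subject"], "; ".join(f["reasons"]))
    for r in find_risky_privileged_accounts(ACCOUNTS, parse_ts("2021-01-04T12:00:00Z")):
        print(r["name"], "; ".join(r["reasons"]))
```

The correlation only works if the IdP’s issuance log is shipped somewhere the on-premises administrator cannot quietly edit, which is the “additional seam” the MSRC is talking about: the cloud trusts whatever the on-premises signing key says, so the defender’s evidence has to live outside that key’s reach.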

A New(?) Mega-Hack is Upon Us: The Microsoft Exchange Mega-Hack. Which, Microsoft Promises, is Definitely Totally Unrelated to the SolarWinds Mega-Hack

Do you or your organization own a self-hosted Microsoft Exchange email server that was connected to the internet between January and March of this year? Congrats! It was hacked. Basically all of them got hacked. A global ransacking that was arguably larger than the SolarWinds hack. And much like the SolarWinds hack, these hackers had the potential to seed victim networks with backdoors or worse. So it’s another mega-hack that sets the hackers up for even bigger mega-hacks in the future. Another Microsoft mega-hack [31]:

Krebs on Security

At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software

March 5, 2021

At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.

On March 2, Microsoft released emergency security updates [106] to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.

Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium [107],” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.

In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.

In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.

Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

Microsoft’s initial advisory about the Exchange flaws [108] credited Reston, Va. based Volexity [109] for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021 [32], a day when most of the world was glued to television coverage of the riot at the U.S. Capitol [110].

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.

“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”

Meanwhile, CISA has issued an emergency directive [111] ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.

Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.

White House press secretary Jen Psaki told reporters today [112] the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”

“We’re concerned that there are a large number of victims,” Psaki said.

By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.

Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont [113], is available from Github [114].

KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.

“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”

Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.

“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”

When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.

“It’s a question worth asking, what’s Microsoft’s recommendation going to be?” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”

The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.

“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”

Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks [115], in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.

...

————-

“At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software”; Krebs on Security; 03/05/2021 [31]

“Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium [107],” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”

Somehow Microsoft determined this hack was carried out by a previously unidentified Chinese hacking crew. Again, we have no idea how they know this group was Chinese or how they know it’s not the same group behind the SolarWinds hack or all sorts of other hacks. We just know Microsoft was very confidently declaring that this mega-hack, with its extreme parallels to SolarWinds, wasn’t carried out by the same crew. Instead, we’re confidently assured it’s a Chinese nation-state-backed hacking group that has uncharacteristically decided to carry out what may be the largest hack ever, even larger than SolarWinds. We just have to trust Microsoft:

...
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.

...

The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.

“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
...

It’s also worth noting that Microsoft didn’t catch this vulnerability. It was Volexity, which detected the first major attack coinciding with the January 6 far-right insurrection. We are told that the Chinese hackers quietly first started the hack during the insurrection but transitioned towards an open smash-and-grab a few days later. So that’s some pretty interesting timing, but Volexity had an update. They found signs of cyberoperations with this zero-day exploit on January 3, 2021 [32]. So the timing with the Capitol insurrection isn’t quite as interesting as early reporting indicated.

Also recall how Volexity was the first company to identify the SolarWinds malware on their clients’ networks back in July of 2020. Their warnings were ignored but they were the first to find it, at least on record. Volexity is apparently the one company capable of finding these current mega backdoor hacks:

...
Microsoft’s initial advisory about the Exchange flaws [108] credited Reston, Va. based Volexity [109] for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021 [32], a day when most of the world was glued to television coverage of the riot at the U.S. Capitol [110].

But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
...

And in case the scale of the hack wasn’t clear, note how it appears to be virtually every single self-hosted Outlook Web Access (OWA) server on the planet connected to the internet. Every single one. It’s a global digital nightmare scenario:

...

“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

...

Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.

...

By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.

...

“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
...
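The Krebs passages quoted above make the operational point that patching closes the four entry routes but leaves any web shell already dropped on the server in place, reachable from any browser. An added example of the kind of hunt a defender runs after patching, written here for this page and unrelated to Kevin Beaumont’s script or any vendor tool: parse IIS W3C access logs and triage every request for a `.aspx` page that falls outside the directories where Exchange legitimately serves dynamic pages, or that is not in a baseline taken from a clean install. The directory allowlist, the baseline, the log lines and the page names in them are all constructed assumptions to be tuned to the actual deployment.

```python
"""Post-patch web shell triage over IIS W3C logs (added example, constructed data).

A web shell is just a server-side page an attacker wrote into the web root,
so the hunt is: which .aspx resources were served that a clean Exchange
front end would never serve, and who talked to them?
"""
from collections import defaultdict
from typing import Dict, List, Set

# Directories where Exchange legitimately serves .aspx pages (assumption;
# adjust to the deployment's virtual directories).
EXCHANGE_ASPX_DIRS = ("/owa/", "/ecp/")
# Static-content directories that should never serve dynamic pages (assumption).
NEVER_ASPX_DIRS = ("/aspnet_client/",)


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Minimal W3C extended log parser driven by the #Fields: header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if fields and len(parts) == len(fields):
            rows.append(dict(zip(fields, parts)))
    return rows


def triage_aspx_requests(rows: List[Dict[str, str]],
                         baseline_pages: Set[str]) -> List[Dict[str, object]]:
    """Group suspicious .aspx requests by path with hit count, methods, sources."""
    agg: Dict[str, Dict[str, object]] = defaultdict(
        lambda: {"hits": 0, "methods": set(), "client_ips": set(), "reasons": set()})
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(".aspx"):
            continue
        reasons: List[str] = []
        if stem.startswith(NEVER_ASPX_DIRS):
            reasons.append("dynamic page under a static-content directory")
        elif not stem.startswith(EXCHANGE_ASPX_DIRS):
            reasons.append("outside Exchange virtual directories")
        elif stem not in baseline_pages:
            reasons.append("not in clean-install baseline")
        if not reasons:
            continue
        entry = agg[stem]
        entry["hits"] = int(entry["hits"]) + 1
        entry["methods"].add(r["cs-method"])          # type: ignore[union-attr]
        entry["client_ips"].add(r["c-ip"])            # type: ignore[union-attr]
        entry["reasons"].update(reasons)              # type: ignore[union-attr]
    out = [{"path": p, "hits": e["hits"],
            "methods": sorted(e["methods"]),          # type: ignore[arg-type]
            "client_ips": sorted(e["client_ips"]),    # type: ignore[arg-type]
            "reasons": sorted(e["reasons"])}          # type: ignore[arg-type]
           for p, e in agg.items()]
    return sorted(out, key=lambda x: (-int(x["hits"]), str(x["path"])))


# Baseline of .aspx pages observed on a clean install (constructed, partial).
BASELINE_PAGES = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}

# Constructed log excerpt: normal OWA/ECP traffic, then two scripted POSTs to
# a page under /aspnet_client/ and a GET for an OWA page not in the baseline.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-03 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=/owa/ 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-03 10:00:09 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 302
2021-03-03 10:02:14 10.0.0.5 GET /ecp/default.aspx - 443 alice 203.0.113.9 Mozilla/5.0 200
2021-03-03 10:05:30 10.0.0.5 POST /aspnet_client/system_web/sample_dropped.aspx - 443 - 192.0.2.44 python-requests/2.25 200
2021-03-03 10:05:31 10.0.0.5 POST /aspnet_client/system_web/sample_dropped.aspx - 443 - 192.0.2.44 python-requests/2.25 200
2021-03-03 10:07:02 10.0.0.5 GET /owa/auth/sample_new_page.aspx - 443 - 192.0.2.45 curl/7.68 200
"""

if __name__ == "__main__":
    for s in triage_aspx_requests(parse_iis_w3c(SAMPLE_LOG), BASELINE_PAGES):
        print(s["path"], s["hits"], s["methods"], s["client_ips"], s["reasons"])
```

Two design choices matter here. The baseline has to come from a clean install or a known-good server, not from the suspect host, because a page that has been there since February looks “normal” to the host itself. And as the Data Center Knowledge piece below notes, a careful intruder may trim the logs, so an empty result from this triage is weaker evidence than a positive one; file-system timestamps and the IIS configuration are checked alongside it.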

And finally, it’s hard to avoid marveling at the rather stunning assurances given by Microsoft at this point regarding the SolarWinds hack and the role Microsoft vulnerabilities played in that event: Microsoft tells us, “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.” This was what Microsoft was telling the public in March of 2021. As we saw in the previous article excerpt, which was published about 6 weeks later, the exploitation of Microsoft products was the defining feature of the second phase of the SolarWinds attack. First the SolarWinds Orion software deployed backdoors on all of the SolarWinds customer networks. Then the hackers used those backdoors to roam the network, looking for valuable information to steal. And that meant exploiting Microsoft vulnerabilities, which they apparently did with abandon. To claim there was no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services is just a lie. A lie that conveniently helped Microsoft avoid the uncomfortable questions about whether or not this Microsoft Exchange mega-backdoor and the SolarWinds mega-backdoor hack were part of some sort of joint mega-backdoor hack run by the same group of people:

...
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks [115], in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.

“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.

Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
...

And while Microsoft was aggressively distancing itself and this hack from the SolarWinds hack early on, within a week it was starting to look like SolarWinds was the company that should be doing the distancing. Because this hack was looking like much more than SolarWinds. Like an automatable SolarWinds that was plundered to the full extent available by a variety of criminal actors. It was ‘Hafnium’ who quietly and exclusively used this zero-day exploit starting from January 3 until Microsoft announced the patch on March 2, at which point a criminal free-for-all that involved at least a half dozen other hacking groups ensued to ransack any unpatched servers.

But perhaps the most scandalous aspect of all this is that the zero-day vulnerability that enabled all this has apparently been sitting in Microsoft’s code for at least a decade. How much do you want to bet Jan 3 wasn’t the first time this flaw was exploited? [35]:

Data Center Knowledge

Microsoft Exchange Hack Could Be Worse Than SolarWinds

The massive hack’s scope keeps growing. Unlike the SolarWinds exploit, this one can be automated.

Maria Korolov | Mar 10, 2021

The scope of damage from the newly public Microsoft Exchange vulnerability keeps growing, with some experts saying that it is “worse than SolarWinds.”

As of last count, more than 60,000 organizations have fallen victim to the attack.

“The scale of the attack is the biggest threat at this time,” said Mark Goodwin, managing senior analyst at security consulting firm Bishop Fox.

Government institutions have been attacked, large corporations, and small local businesses, he told DCK. According to the internet scanning tool Shodan, more than 250,000 servers are vulnerable, he added.

Unlike the SolarWinds breach [116], the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.

The problem is so severe that Microsoft has released patches even for older servers that are no longer supported, Goodwin said.

And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers.

The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers.

“Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”

The big problem is that Microsoft Exchange is designed to be accessed by external users, which means servers can be accessible via the internet – and attackers can find them when they scan for vulnerabilities.

“There are ways to scan everything connected to the internet to find vulnerable systems,” said Jethro Beekman, technical director at cybersecurity firm Fortanix. “This has an enormous threat of misuse.”

As a result, the Department of Homeland Security last week issued an emergency directive [117] for federal agencies, warning that the Microsoft Exchange vulnerability is being actively exploited and ordering them to take defensive action.

“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”

Also on Friday, security firm Huntress released a report of its analysis of 3,000 servers, most of which had antivirus or endpoint security solutions installed. Of those, 800 were still not patched, and there were more than 350 malicious webshells already installed by attackers.

“This has seemingly slipped past a majority of preventative security products,” said Huntress senior security researcher John Hammond in a report [121].

The number of affected enterprises is so much higher with this attack than with SolarWinds because this attack can be highly automated, Attivo’s Vissamsetti told DCK.

“With something like this, attackers can mobilize within a day,” he said. “They can script the whole thing in just a few hours.”

Cleanup Will Be Messy

Patching the Microsoft Exchange server is not enough if an organization has been compromised.

Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.

Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.

“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”

And the possibilities for damage are nearly endless, he added.

“It will be messy to clean up,” said Oliver Tavakoli, CTO at Vectra Networks. “It will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets, and restoring the remaining backup data.”

This is while security teams are already stretched thin by the SolarWinds attack, he added.

“This hack will compete for the same investigative and remediation resources,” he told DCK. “So, having two such broad attacks occur near the same time places exorbitant strain on the resources.”

And even if the Exchange servers are patched, back doors shut down, and attackers fully cleaned out, that’s not the end of it, said Adrien Gendre, chief product and services officer at Vade Secure.

“Based on our knowledge of prior incidents,” he said, “expect to see a rise in spear phishing attacks in the coming weeks.”

The attackers will be able to use the information they’ve collected while in the system, such as emails and other documents, to craft extremely targeted and credible scam emails, he said.

Time to Ditch Microsoft Exchange

Experts recommend that companies replace on-prem deployments of Microsoft Exchange with cloud-based alternatives like Office 365, which are not vulnerable to the attack.

And if there is an attack, the SaaS vendor simply installs the patch themselves. There’s no need for every single customer to install their own patches, dramatically simplifying security.

If that’s not an option, the Exchange servers can be put behind VPNs, Fortanix’s Beekman told DCK.

“And there are web application firewalls that you can insert between the server and the internet,” he added.

Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.

This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.

...

The Timeline of the Microsoft Exchange Hack

Security experts began noticing signs of compromise in early January, with the first attacks [32] on January 3, according to security firm Volexity.

At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.

Then, after Microsoft finally released patches [122] on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.

But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.

“One has to won­der how long this vul­ner­a­bil­i­ty has been a close­ly held – and used – tool in this threat actor’s tool­box,” he told DCK.

...

———–

“Microsoft Exchange Hack Could Be Worse Than Solar­Winds” by Maria Korolov; Data Cen­ter Knowl­edge; 03/10/2021 [35]

“Unlike the SolarWinds breach [116], the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.”

Not only is this hack the kind of hack that any common hacker criminal is capable of executing once they know the exploit, but it’s the kind of hack that a single hacker could theoretically turn into a mega-hack with a simple script because this is an automatable hack. That’s why you should assume you got hit if you were exposed. Everyone exposed got hit because it was easy for anyone to hit everyone.

But everyone wasn’t hit at first. It was “Hafnium” who quietly started hacking targets, with Volexity first detecting the usage of the zero-day exploit on January 3 (not Jan 6 as earlier indicated). It was after Microsoft released the patches on March 2 that other criminal groups went on a global spree, hitting every remaining unpatched Exchange server on the planet connected to the internet. As we’re going to see, when the US and its Western allies all issue coordinated formal statements in mid-July, formally accusing China of executing the hack, we are told by unnamed sources familiar with the investigation that it is suspected that Hafnium knew Microsoft was going to close the zero-day vulnerabilities (which were no longer zero-days at that point) and at that point handed the exploits over to criminals [60]. But we have no idea why that particular scenario was suspected, as opposed to Hafnium being a criminal actor who sold their exploit to other actors once the patch was released. Or another actor pretending to be a Chinese state actor, although it’s unclear what, if any, ‘Chinese’ indicators are being left by “Hafnium”. Microsoft told us it was a never-before-seen Chinese state-backed group called Hafnium and that declaration alone is treated as adequate evidence. As with the SolarWinds hack, it’s faith-based public attribution, which is a big part of the reason the reading-the-tea-leaves behind-the-scenes methods of attribution are so problematic. That’s what we’re supposed to have faith in. Tea-leaf reading with huge conflicts of interest:

...
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers.

...

Security experts began noticing signs of compromise in early January, with the first attacks [32] on January 3, according to security firm Volexity.

At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.

Then, after Microsoft finally released patches [122] on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.
...

Also observe how Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, was trying to make sense of the incredibly aggressive nature of this hack by questioning on Twitter if this was the work of an out-of-control cybercrime gang or contractors gone wild. Krebs is generally considered a pretty credible word on these matters. So he was not ready to jump on board the China-did-it bandwagon at this point, when we were being assured by Microsoft and others that yes, China did it. Just take their word for it. Krebs wasn’t taking their word:

...
“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”

...

But it isn’t just the automatable nature of this hacking technique that makes it so scary. It’s also the fact that the hackers could leverage their complete control over the Exchange server to compromise the Active Directory servers, which in turn opens the door to a “golden ticket” attack on Active Directory, through which the hackers can give themselves super-user privileges. That’s the highest level. This is a potentially devastating hack. Complete control is an apt description of what it can confer. Thanks in part to a lot of Microsoft exploits:

...
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers.

“Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”

...

Patching the Microsoft Exchange server is not enough if an organization has been compromised.

Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.

Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.

“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”

And the possibilities for damage are nearly endless, he added.
...
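The two points the DCK piece makes above, that the logs are where indicators of compromise are found and that a careful intruder may have scrubbed them, translate into two separate checks an incident responder would run against a server like this. What follows is an added example, not code from the article or from any vendor quoted in it: the access-log lines, the script paths, the client addresses, the baseline inventory and the directory listing are all constructed for the illustration.

```python
"""Post-compromise hunt for web shells on a mail/web server.

Added example built on constructed data: the access-log lines, the script paths,
the client addresses, the baseline inventory and the on-disk listing are all
made up for illustration and do not come from any real server or product.
"""
import re
from datetime import datetime

# Constructed access-log excerpt, one request per line:
#   date time client-ip method path status
# The repeated POSTs from 203.0.113.7, all answered 200, to a script the build
# never shipped are the pattern to worry about.
ACCESS_LOG = """\
2021-03-04 02:11:09 203.0.113.7 GET /app/auth/logon.aspx 200
2021-03-04 02:11:40 203.0.113.7 POST /app/auth/logon.aspx 302
2021-03-04 02:12:02 203.0.113.7 POST /app/auth/help.aspx 200
2021-03-04 02:12:05 203.0.113.7 POST /app/auth/help.aspx 200
2021-03-04 02:12:09 203.0.113.7 POST /app/auth/help.aspx 200
2021-03-04 09:30:11 198.51.100.23 GET /app/mail/inbox.aspx 200
2021-03-04 10:41:51 203.0.113.8 GET /app/static/help2.aspx 404
this line was truncated by a log rotation and must not abort the hunt
2021-03-04 10:42:10 203.0.113.8 POST /app/static/cache.aspx 200
"""

# Constructed baseline: every server-side script the deployed build is expected
# to serve. In practice this comes from a clean install or a vendor manifest.
BASELINE = {
    "/app/auth/logon.aspx",
    "/app/mail/inbox.aspx",
    "/app/ecp/default.aspx",
}

# Constructed directory listing of the live server taken during the investigation.
ON_DISK = BASELINE | {
    "/app/auth/help.aspx",
    "/app/static/cache.aspx",
    "/app/static/probe.aspx",   # never appears in the surviving log
}

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def find_unknown_scripts(log_text, baseline, script_ext=".aspx"):
    """Return one finding per served script path that is absent from the baseline.

    Only requests the server actually answered (status below 400) count: a 404
    for an unknown path is ordinary scanner noise, whereas a 200 for a script
    that nobody deployed is a strong indicator that it was dropped by an intruder.
    """
    known = {p.lower() for p in baseline}
    findings = {}
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # tolerate malformed lines rather than stop the hunt
        stamp, client, method, path, status = match.groups()
        path = path.lower()
        if not path.endswith(script_ext) or path in known or int(status) >= 400:
            continue
        hit = findings.setdefault(path, {
            "path": path,
            "first_seen": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "requests": 0,
            "posts": 0,
            "clients": set(),
        })
        hit["requests"] += 1
        if method == "POST":
            hit["posts"] += 1
        hit["clients"].add(client)
    # Earliest drop first: that is where the timeline of the intrusion starts.
    return sorted(findings.values(), key=lambda h: h["first_seen"])


def scripts_on_disk_not_in_baseline(baseline, on_disk):
    """Log-independent cross-check for the case the article warns about.

    An intruder who scrubbed the access log leaves nothing for the function
    above to find, but the shell file itself still has to exist on disk to be
    usable, so the directory listing is compared against the same baseline.
    """
    return sorted({p.lower() for p in on_disk} - {p.lower() for p in baseline})


if __name__ == "__main__":
    for hit in find_unknown_scripts(ACCESS_LOG, BASELINE):
        print(f"{hit['first_seen']}  {hit['path']}  requests={hit['requests']} "
              f"posts={hit['posts']}  clients={sorted(hit['clients'])}")
    print("on disk but not in baseline:",
          scripts_on_disk_not_in_baseline(BASELINE, ON_DISK))
```

The first check only sees what survived in the log; the second sees whatever is on disk regardless of what the log says, which is why the probe.aspx entry in the constructed listing surfaces only there. Neither check addresses the golden-ticket scenario Vissamsetti describes; that is an Active Directory rebuild question, not a web-server one.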

It’s also worth noting another potentially devastating aspect of this nightmare and the fact that super-user admin privileges can be obtained by the hackers: data centers running Microsoft Exchange servers may have those super-user admin privileges stolen too. And that potentially threatens all the data in that data center:

...
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.

This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.
...

Finally, and significantly, note how long this vulnerability has existed in Microsoft’s code: a decade! As one security expert astutely asks, “One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox”:

...
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.

“One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.
...

For the last 10 years, anyone with access to that code could have potentially spotted this vulnerability. Keep this in mind when Microsoft assures us that the theft of its code by the SolarWinds hackers is of no consequence.

SolarWinds Sanctions Arrive. Along With a Lesson in How Attribution Works By CrowdStrike’s Adam Meyers: Surprise! It’s a Hunt for “Cultural Artifacts” ‘Accidentally’ Left Behind

In the span of just four months the world was introduced to the two largest hacks on record. Quite a few lessons were hopefully learned. And if we listen to Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike who led the SolarWinds investigation, it was a master class in hacking. That’s what Meyers expressed in a highly revealing NPR interview in April. A master class in how to obscure one’s tracks.

As we’ll see, Meyers gives us further confirmation of something that has long been clear but is rarely said out loud so clearly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic characters or Mandarin in the code, and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers describes the lack of anything that a human might have inadvertently left behind as a clue as “mind-blowing”. He describes the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues as “the craziest f***ing thing I’d ever seen.” Take a moment to process that.

So this April update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” And yet, as we saw, there was virtually no hesitancy in attributing the hack to ‘Cozy Bear’/APT29/‘Nobelium’. This is a good time to recall that the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead [6] was confirmed just four years ago.

Oh, and the US government was ready to announce sanctions against Russia for the hack. So at the same time sanctions were announced, we got an interview that further confirmed the cyberattribution industry is predicated on lunatic assumptions. It really does seem to be the case that everyone really is playing dumb here. Double yikes. [7]:

National Public Radio

A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack

Dina Temple-Raston
April 16, 2021 10:05 AM ET

“This release includes bug fixes, increased stability and performance improvements.”

The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.

Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.

The routine update, it turns out, is no longer so routine.

Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.

“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”

On Thursday, the Biden administration announced a roster of tough sanctions [123] against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.

The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it. “The speed with which an actor can move from espionage to degrading or disrupting a network is at the blink of an eye,” one senior administration official said during a background briefing from the White House on Thursday. “And a defender cannot move at that speed. And given the history of Russia’s malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern.”

“The tradecraft was phenomenal”

Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.

“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”

When cybersecurity experts talk about harm, they’re thinking about something like what happened in 2017, when the Russian military launched a ransomware attack known as NotPetya. It, too, began with tainted software, but in that case the hackers were bent on destruction. They planted ransomware that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers. Even this much later, it is considered the most destructive and costly cyberattack [124] in history.

Intelligence officials worry that SolarWinds might presage something on that scale. Certainly, the hackers had time to do damage. They roamed around American computer networks for nine months, and it is unclear whether they were just reading emails and doing the things spies typically do, or whether they were planting something more destructive for use in the future.

“When there’s cyber-espionage conducted by nations, FireEye is on the target list,” Kevin Mandia, CEO of the cybersecurity firm FireEye, told NPR, but he believes there are other less obvious targets that now might need more protecting. “I think utilities might be on that list. I think health care might be on that list. And you don’t necessarily want to be on the list of fair game for the most capable offense to target you.”

The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.

“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”

Like razor blades in peanut butter cups

Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.

“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”

The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.”

The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”

After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.

To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.

They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.

Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.

They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.

But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
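What the compile-time swap Meyers describes defeats, and what would catch it, can be shown with a toy build pipeline. This is an added example, not code from NPR, CrowdStrike or SolarWinds; the “compiler”, the signing key, the source text and the hook that models the swap are all constructed stand-ins. The point it makes: a code signature applied after the build certifies whatever the compiler emitted, tampered or not, whereas rebuilding the same audited source on a second, independent host and comparing digests (the reproducible-builds approach) exposes a substitution the signature cannot.

```python
"""Why a post-build signature cannot catch a compile-time substitution, and what can.

Added example with a toy build pipeline: the 'compiler', the signing key, the
source text and the substitution hook are constructed stand-ins, not SolarWinds
or CrowdStrike code.
"""
import hashlib
import hmac

# Constructed source as it sits, audited and clean, in the repository.
CLEAN_SOURCE = "def poll_devices():\n    return ping_all(inventory())\n"

SIGNING_KEY = b"constructed-release-signing-key"  # stand-in for a code-signing cert


def compile_source(source):
    """Toy deterministic compiler: the same input always yields the same bytes.

    Real toolchains need deliberate work (pinned versions, fixed timestamps,
    stable ordering) to behave this way; that work is what makes the rebuild
    check at the bottom meaningful.
    """
    normalized = source.replace("\r\n", "\n").encode()
    return b"OBJ\x00" + hashlib.sha256(normalized).digest()


def build(source, compile_hook=None):
    """Run a build on one host.

    compile_hook models the hostile process the article describes: it gets a
    last-second chance to replace the text the compiler reads, after auditing
    is over and before signing begins. None models a clean build host.
    """
    compiler_input = source if compile_hook is None else compile_hook(source)
    return compile_source(compiler_input)


def sign(artifact, key=SIGNING_KEY):
    """Release signing (HMAC stands in for a certificate signature)."""
    return hmac.new(key, artifact, hashlib.sha256).digest()


def signature_is_valid(artifact, signature, key=SIGNING_KEY):
    return hmac.compare_digest(sign(artifact, key), signature)


def rebuild_matches(source, released_artifact):
    """Defender's check: rebuild the audited source on an independent, clean
    host and compare digests. The signature vouches only for what the build
    host emitted; this check vouches for the link between source and output.
    """
    independent = hashlib.sha256(build(source)).digest()
    released = hashlib.sha256(released_artifact).digest()
    return hmac.compare_digest(independent, released)


def substitute_at_compile_time(source):
    """Toy model of the swap: the compiler sees different text than the one the
    reviewers audited. Here it only appends a constructed marker comment."""
    return source + "# constructed marker standing in for implanted code\n"


def release(compile_hook=None):
    """Build, sign, then run both checks a downstream verifier could apply."""
    artifact = build(CLEAN_SOURCE, compile_hook)
    signature = sign(artifact)
    return {
        "signature_valid": signature_is_valid(artifact, signature),
        "rebuild_matches": rebuild_matches(CLEAN_SOURCE, artifact),
    }


if __name__ == "__main__":
    print("clean build host:   ", release())
    print("tampered build host:", release(substitute_at_compile_time))
```

On the clean host both checks pass; on the tampered host the signature still verifies, because the signing step only ever sees the compiler’s output, while the independent rebuild diverges. That is the whole argument for reproducible builds as a supply-chain control: the “factory seal” Meyers describes is applied after the point where the swap happened, so it cannot testify to what went into the compiler.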

The technique reminded Meyers of old fears around trick-or-treating. For decades, there had been an urban myth that kids couldn’t eat any Halloween candy before checking the wrapper seal because bad people might have put razor blades inside. What the hackers did with the code, Meyers said, was a little like that.

“Imagine those Reese’s Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese’s Peanut Butter Cup,” he said. Instead of a razor blade, the hackers swapped the files so “the package gets sealed and it goes out the door to the store.”

The update that went out to SolarWinds’ customers was the dangerous peanut butter cup — the malicious version of the software included code that would give the hackers unfettered, undetected access to any Orion user who downloaded and deployed the update and was connected to the Internet.

But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet.

Picking and choosing targets

Meyers said it’s hard not to admire just how much thought the hackers put into this operation. Consider the way they identified targets. The downside of breaking into so many customer networks all at once is that it is hard to decide what to exploit first. So the hackers created a passive domain name server system that sent little messages with not just an IP address, which is just a series of numbers, but also with a thumbnail profile of a potential target.

“So they could then say, ‘OK, we’re going to go after this dot gov target or whatever,’ ” Meyers said. “I think later it became clear that there were a lot of government technology companies being targeted.”

The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.

“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”
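The target-profiling traffic described above rode on DNS, which is exactly the kind of channel a defender can screen from the resolver’s side: one host repeatedly asking for long, random-looking subdomains under a single parent domain is how encoded messages look in a query log, whatever protocol the application pretends to be speaking. As an added example, not code from NPR or from any company quoted in the article, the following flags that pattern in constructed DNS query log lines; the hostnames, client addresses and timestamps are made up, the thresholds are assumptions chosen for the illustration, and the “parent domain = last two labels” rule is a simplification of what a real deployment would do with a public-suffix list.

```python
"""Screening DNS query logs for data smuggled in subdomain labels.

Added example on constructed data: every hostname, client address and timestamp
below is made up, the thresholds are assumptions for the illustration, and the
'parent domain = last two labels' rule is a simplification of what a real
deployment would do with a public-suffix list.
"""
import math
import re
from collections import defaultdict

# Constructed resolver-log excerpt: timestamp client-ip queried-name
DNS_LOG = """\
2020-06-01T03:10:11Z 10.0.0.5 www.example.com
2020-06-01T03:12:11Z 10.0.0.5 7m3k9pq2x8b4lwz1yd6fajnce.updates.example-cdn.test
2020-06-01T03:27:43Z 10.0.0.5 q4t8n1mb7vkc2rzy5hwd3xgjp.updates.example-cdn.test
2020-06-01T03:41:02Z 10.0.0.5 static-assets-cache-01.example-cdn.test
2020-06-01T03:55:19Z 10.0.0.5 k9d2wh5fzx3qm7bcvr8npyt4e.updates.example-cdn.test
2020-06-01T04:02:00Z 10.0.0.9 mail.example.com
2020-06-01T04:05:30Z 10.0.0.9 z1x2c3v4b5n6m7a8s9d0fghjk.example-cdn.test
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)$")


def shannon_entropy(text):
    """Bits per character: 0 for 'aaaa', above 4 for random-looking labels."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, parent). Simplification: parent is the last two labels."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_encoded_subdomains(log_text, min_len=16, min_entropy=3.5, min_unique=3):
    """Flag (client, parent) pairs with several distinct long, high-entropy subdomains.

    A single odd name proves nothing; a host repeatedly asking for fresh
    random-looking names under one parent is the signal worth triaging.
    """
    seen = defaultdict(lambda: {"subdomains": set(), "max_entropy": 0.0})
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed lines rather than abort
        _stamp, client, qname = match.groups()
        subdomain, parent = split_name(qname)
        payload = subdomain.replace(".", "")
        if len(payload) < min_len:
            continue  # short labels like "www" or "mail" carry nothing
        entropy = shannon_entropy(payload)
        if entropy < min_entropy:
            continue  # e.g. "static-assets-cache-01": long, but low entropy
        entry = seen[(client, parent)]
        entry["subdomains"].add(subdomain)
        entry["max_entropy"] = max(entry["max_entropy"], entropy)
    return [
        {
            "client": client,
            "parent": parent,
            "unique_subdomains": len(v["subdomains"]),
            "max_entropy": round(v["max_entropy"], 2),
        }
        for (client, parent), v in sorted(seen.items())
        if len(v["subdomains"]) >= min_unique
    ]


if __name__ == "__main__":
    for finding in find_encoded_subdomains(DNS_LOG):
        print(finding)
```

In the constructed log the host at 10.0.0.5 trips the rule with three distinct high-entropy names under example-cdn.test, while the single odd lookup from 10.0.0.9 and the long but low-entropy static-assets-cache-01 label do not. Legitimate CDNs and cloud services also generate random-looking labels, so this is a triage signal to be paired with an allow-list of known services, not a verdict on its own.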

None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”

“Upwards of 90[%] to 95% of threats are based on known techniques, known cyberactivity,” Krebs explained. “And that’s not just criminal actors, that’s state actors, too, including the Russian intelligence agencies and the Russian military. This was a previously unidentified technique.”

And there is something else that Einstein doesn’t do: It doesn’t scan software updates. So even if the hackers had used code that Einstein would have recognized as bad, the system might not have seen it because it was delivered in one of those routine software updates.

The National Security Agency and the military’s U.S. Cyber Command were also caught flat-footed. Broadly speaking, their cyber operators sit in foreign networks looking for signs of cyberattacks before they happen. They can see suspicious activity in much the same way a satellite might see troops amassing on the border. Critics said they should have seen the hackers from the Russian intelligence service, the SVR, preparing this attack.

“The SVR has a pretty good understanding that the NSA is looking out,” Krebs said. “What the SVR was able to do was make the transition from wherever they were operating from into the U.S. networks. They move like ghosts. They are very hard to track.”

The hackers didn’t do anything fancy to give them the domestic footprint, officials confirmed. In fact, they just rented servers from Amazon and GoDaddy.

Early warnings

There were some indications, elsewhere, though, that something was wrong.

In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.”

Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.

That was the first missed sign.

The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.

In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.

Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts [125] and wrote: “I’m afraid this is all we have to help at this time.”

“Just 3,500 lines long”

It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.

The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.

Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”

He called a board meeting the same day. “It just felt like the breach that I was always worried about.”

What his team discovered over the course of several weeks was that not only was there an intruder in its network, but someone had stolen the arsenal of hacking tools FireEye uses to test the security of its own clients’ networks. FireEye called the FBI, put together a detailed report, and once it had determined the Orion software was the source of the problem, it called SolarWinds.

Brown, vice president of security at SolarWinds, took the Saturday morning phone call. “He said, ‘Essentially, we’ve decompiled your code. We found malicious code,’ ” Brown said. FireEye was sure SolarWinds “had shipped tainted code.”

The tainted code had allowed hackers into FireEye’s network, and there were bound to be others who were compromised, too. “We were hearing that different reporters had the scoop already,” Mandia said. “My phone actually rang from a reporter and that person knew and I went, OK, we’re in a race.”

Mandia thought they had about a day before the story would break.

After that, events seemed to speed up. SolarWinds’ chief security officer, Brown, called Ron Plesco, a lawyer at the firm DLA Piper, and told him what had happened. One of the first things companies tend to do after cyberattacks is hire lawyers, and they put them in charge of the investigation. They do this for a specific reason — it means everything they find is protected by attorney-client privilege and typically is not discoverable in court.

Plesco, who has made cybercrimes a specialty of his practice, knew that once the story broke it would be saying “to the world that, ready, set, go, come after it,” Plesco said. “So that puts you on an accelerated timeline on two fronts: Figure out what happened if you can and get a fix out as soon as possible.”

The company worked with DHS to craft a statement [126] that went out on Dec. 13.

To investigate a hack, you have to secure a digital crime scene. Just as detectives in the physical world have to bag the evidence and dust for prints for the investigation later, SolarWinds had to pull together computer logs, make copies of files, ensure there was a recorded chain of custody, all while trying to ensure the hackers weren’t inside its system watching everything they did.

“I’ve been in situations where, while you’re in there doing the investigation, they’re watching your email, they’re compromising your phone calls or your Zooms,” Plesco said. “So they’re literally listening in on how you’re going to try to get rid of them.”

By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.

Little blobs of clues

Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.

After weeks of work­ing with the code, Mey­ers con­vened a Zoom call with lead­ers at Solar­Winds and mem­bers of his team from around the world. He shared his screen so every­one could all watch the encryp­tion fall away in real time. He began walk­ing the spec­ta­tors through the code as it was revealed, like a play-by-play analy­sis of a game. Mey­ers kept watch­ing for the big reveal. “We’re hop­ing it’s going to have, you know, vari­able names or maybe some com­ments in Cyril­lic or Man­darin to give us some clue who wrote this thing,” he said.

But as Crowd­Strike’s decryp­tion pro­gram chewed its way through the zeroes and ones, Mey­ers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Mey­ers said. “They’d cleaned it of any human arti­fact or tool mark. And that was kind of mind-blow­ing that [they] had the where­with­al to hide any­thing that a human might have inad­ver­tent­ly left behind as a clue.”

Holy s***, he thought to him­self, who does that?

...

Big­ger attacks

“It’s one of the most effec­tive cyber-espi­onage cam­paigns of all time,” said Alex Sta­mos, direc­tor of the Inter­net Obser­va­to­ry at Stan­ford Uni­ver­si­ty and the for­mer head of secu­ri­ty at Face­book. “In doing so, they demon­strat­ed not just tech­ni­cal acu­men, but the way they did this demon­strat­ed that they under­stand how tech com­pa­nies oper­ate, how soft­ware com­pa­nies oper­ate. ... This cer­tain­ly is going to change the way that large enter­pris­es think about the soft­ware they install and think about how they han­dle updates.”

Intelligence analysts, already years ahead of the rest of us, are paid to imagine the darkest of scenarios. What if the hackers planted the seeds of future attacks during that nine months they explored SolarWinds’ customer networks — did they hide code for backdoors that will allow them to come and go as they please at a time of their choosing? When hackers shut down Ukraine’s power grid in 2015 and disabled a Saudi refinery with computer code a year later, they showed it was possible to jump from a corporate network to system controls. Will we find out later that the SolarWinds hack set the stage for something more sinister?

Even if this was just an espionage operation, FireEye’s Mandia said, the attack on SolarWinds is an inflection point. “We ... kind of mapped out the evolution of threats and cyber,” he said. “And we would have landed at this day sooner or later, that at some point in time, software that many companies depend on is going to get targeted and it’s going to lead to exactly what it led to,” Mandia said. “But to see it happen, that’s where you have a little bit of shock and surprise. OK, it’s here now, nations are targeting [the] private sector, there’s no magic wand you can shake. ... It’s a real complex issue to solve.”

...

“This was an intelligence collection operation meant to steal information, and it’s not the last time that’s going to happen,” CrowdStrike’s Meyers warned. “This is going to happen every day. ... And I think there’s a lot that we all need to do to work together to stop this from happening.”

———–

“A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack” by Dina Temple-Raston; National Public Radio; 04/16/2021 [7]

“The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.”

A hacker master class. They were so smooth they wiped the crime scene of any evidence that could definitively prove who did it. The US government nonetheless has said unequivocally that Russian intelligence was behind the hack. Without delay. Funny how that works.

And with that unequivocal attribution came new US sanctions against Russia in retaliation for a hack that was so massive even the Cybersecurity and Infrastructure Security Agency got hacked:

...
On Thursday, the Biden administration announced a roster of tough sanctions [123] against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.

...

For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.

The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
...

And note who led this investigation into the SolarWinds hack: Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike. Our understanding of the SolarWinds hack is largely controlled by CrowdStrike, the firm that pioneered the contemporary “pattern recognition” cyberattribution paradigm [1]. It’s one of the many clues that this investigation is compromised:

...
Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.

“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”

...

“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”

Like razor blades in peanut butter cups

Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.

“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”
...

So what kind of identity-revealing evidence were Meyers and the other people working on this case looking for but never found? This is the part of the article where we get confirmation that it’s as stupid as we should have suspected. Because in the words of Meyers, a big part of what they found really frustrating — and shocking — about this case was the lack of ‘a big reveal’ that suddenly makes clear who was behind it. What kind of ‘big reveal’? As Meyers put it, “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing.” That’s what counts as a ‘big reveal’ for the CrowdStrike figure leading the investigation. The most obvious, most easily planted ‘clues’. That’s what they were keenly looking out for in order to confidently make an attribution. But these devious super-hackers managed to ‘wash the code’ of any human artifact, a move described as “mind-blowing” by Meyers. It’s that stupid.

It’s also the kind of anecdote that doesn’t just raise massive questions about the veracity of the SolarWinds investigation but about basically every other cyber investigation taking place these days. Could the entire industry be operating in this manner? Making conclusions based on a Cyrillic or Mandarin ‘big reveal’? Even after the Vault7 leak in 2017 demonstrated to the world that the CIA uses hacking tools built to leave ‘clues’ like Cyrillic and Mandarin characters [6]. It really is playing dumb professionally.

Don’t forget that businesses like CrowdStrike and FireEye aren’t just paid to remove malware and protect networks. They’re paid to name culprits too, ideally. Keep that in mind when assessing the credibility of this investigation. But also keep in mind that it was CrowdStrike that blazed the trail in the cyberattribution industry over the last decade of simply naming nation-states like China or Russia as the culprit for hacks without evidence, as a means of addressing the fact that hacks are the type of crime that criminals can, in theory, execute in a fool-proof manner without leaving evidence [1]. Confidently declaring that a geopolitical adversary like Russia, China, or North Korea was behind a hack based on ‘pattern recognition’ and ‘educated guesses’ is as good a service as the cybersecurity industry can provide. Cyberattributions are a real geopolitical tool/weapon and these companies offer those attributions as a commercial service. So that’s the service the world is getting: Educated guesses passed off as confident attributions based on ‘big reveal’ clues like Mandarin or Cyrillic in the code. Yes, that stupid. Professionally.

Also keep in mind that when CrowdStrike’s Adam Meyers marveled at how these hackers left no trace of Cyrillic or Mandarin, he was marveling over that intentionally compact 3,500-line piece of code. Like they’re going to put the ‘big reveal’ in their ultra-compact code. It raises the question of how often cybersecurity companies like CrowdStrike or FireEye really do find a ‘big reveal’ like Cyrillic or Mandarin in the code of malware they’re investigating. Because it wouldn’t be surprising if hackers just routinely slip that in at this point. Why not? It’s like a surefire way to ensure your hack will get blamed on Russia or China. Maybe Iran if you use Persian. The folks at CrowdStrike will clearly be swayed by your ‘big reveal’ clues:

...
It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.

The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.

Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”

He called a board meeting the same day. “It just felt like the breach that I was always worried about.”

...

By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.

Little blobs of clues

Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.

After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could all watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.

But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”

Holy s***, he thought to himself, who does that?
...

Now, it’s worth pointing out that there have actually been some Russian-language artifacts apparently left by the SolarWinds hackers. That was in a report published by cybersecurity company Prodaft, which analyzed a command-and-control (C&C) server used in the SolarWinds hack. On that server they found an organization management forum used by the teams of hackers where various hacked targets were discussed for their potential value. Keep in mind they hacked something like 18,000 organizations at once with this hack, so whoever pulled it off probably really did have to have teams of hackers coordinating their efforts somewhere. In that report, where they call the group “SilverFish” instead of Nobelium, they state: “When taking its first look inside the C&C server, the PTI Team observed that main dashboard of the SilverFish C&C panel features a section named “Active Teams”, involving several comments entered by different user groups such as Team 301, Team 302, etc. Such a design indicates that this infrastructure is meant for multiple teams. Most comments entered by attackers for each victim are mostly in English and Russian and include urban slang.” [127] So we can actually state that the hackers did leave behind English and Russian in their team organization software. And given how important these kinds of ‘clues’ are in making attributions, it wouldn’t be surprising if those Russian comments on that server are a major part of what the ‘Russia did it’ attribution is based on. But it was the kind of evidence the hackers had to realize was left out in the open, at least once the server was seized by authorities, a scenario they had to realize was very possible. It happened, after all. Keep in mind this was the biggest hack ever and these are clearly experienced hackers.
They must realize command-and-control servers might be found by investigators, which means comments made on that forum are going to be made with the realization that artifacts like the language used in the comments could be used later for attribution purposes. These kinds of ‘clues’ play a huge role in modern cyberattribution, as Meyers made abundantly clear with his dismay at the lack of a ‘cultural artifact’ to base his attribution on. And as the CIA’s hacking toolkit, with its Russian- and Chinese-language artifact-leaving features, exposed by the ShadowBroker leak, made abundantly clear [128]. These little language clues are stupidly taken very seriously and the cyberattribution industry doesn’t even hide it. So did the super-sophisticated hacking group that pulled off the biggest hack ever leave their Russian-language clues consciously or without realizing it? That’s what we are being asked to believe, although it’s not actually clear if the Russian-language comments left in this command-and-control forum were the primary basis for the attribution of the SolarWinds hack to Russia (as opposed to China), because we still have no idea what the attribution was ultimately based on. It’s faith-based.

But there are technical details about that attack that are more than just speculation: We are told that the attack effectively began on Sept 12, 2019, when someone appeared to execute a proof-of-concept trial run of the plan that merely injected an innocuous snippet of code into the SolarWinds update package. The hackers were testing whether or not the code could be inserted into the next SolarWinds update and distributed to its customer networks without SolarWinds detecting it, and they accomplished this feat by injecting the code at the very last opportunity — during the compilation process — which effectively bypassed all of the standard security measures deployed by SolarWinds to ensure only the intended code is delivered to its thousands of customers. It was a successful proof-of-concept test. The innocuous update was delivered to SolarWinds’s clients around the world. Five months later, in February of 2020, the hackers returned to repeat the trick with malicious code that inserted a compact 3,500-line payload that introduced a backdoor into the SolarWinds software itself on the clients’ systems. A backdoor that could be remotely accessed. That’s how the hackers turned the hack of SolarWinds into the mega-hack of thousands of corporations and government agencies. The only thing holding back the hackers was the abundance of opportunity and the limitations of time.

So we have a decent understanding of how this attack worked technically and when it happened but no clue who did it. No ‘big reveal’ clue was left in the code and they somehow managed to avoid leaving any Cyrillic or Mandarin elsewhere on the SolarWinds network during this long period of time when the hackers clearly had deep access. But despite all that, they’re pretty sure it was Russia. It’s how cyberattribution works in the modern age. Gut feelings about the culprit. Reading the digital tea leaves, arriving at a gut feeling about the culprit and then confidently declaring it to the world. Or just making it up and confidently declaring it to the world. Confident declarations are the important part. The underlying facts the declarations are based on, not so much:

...
The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.”

The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”

After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.

To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.

They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.

Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.

They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.

But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
...
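The bait-and-switch described above (review the checked-in source, then feed the compiler a temporary file at the moment of compilation) is exactly why a source review on its own cannot vouch for a shipped binary, and it is also why Meyers could say the same technique works against any product built with the same compiler. What follows is an added, constructed Python model of that pipeline and of the check a defender can run against it. It is not code from NPR, CrowdStrike or SolarWinds: the `toy_compile` function stands in for a real compiler, the file names and contents are invented, and the `[BACKDOOR MARKER]` string is just a placeholder for whatever a tampered build host would swap in. The defensive idea it demonstrates is the general one: rebuild the reviewed sources independently on a host the first build could not touch, and compare the result byte for byte with what was released.

```python
"""Constructed model of a build-time substitution and the check that catches it.

Added example, not code from the article or the companies it describes. The
"compiler" is a deterministic stand-in, the sources are invented, and the
tampering hook only appends a marker string: the point is the ordering
review -> build -> release and the rebuild-and-compare verification step.
"""
import hashlib
from typing import Callable, Dict, Optional

Sources = Dict[str, str]  # file name -> file contents (hypothetical product)

# Constructed sources that a reviewer has signed off on.
REVIEWED_SOURCES: Sources = {
    "collector.src": "poll devices; report status",
    "transport.src": "send status to server",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def review_manifest(sources: Sources) -> Dict[str, str]:
    """What a pre-build code review records: one hash per reviewed file.
    It is computed from the checked-in sources, before any build runs."""
    return {name: sha256(body.encode()) for name, body in sorted(sources.items())}


def toy_compile(sources: Sources) -> bytes:
    """Deterministic stand-in for a compiler. Fixed ordering and no
    timestamps are what make an independent rebuild comparable."""
    return b"".join(
        f"== {name} ==\n{sources[name]}\n".encode() for name in sorted(sources)
    )


def build(sources: Sources,
          host_hook: Optional[Callable[[Sources], Sources]] = None) -> bytes:
    """Run a build. `host_hook` models a compromised build host that changes
    what the compiler actually reads, after review and checkout have passed."""
    effective = sources if host_hook is None else host_hook(sources)
    return toy_compile(effective)


def tampered_host(sources: Sources) -> Sources:
    """Constructed stand-in for the article's bait-and-switch: the compiler is
    handed a temporary file in place of the reviewed transport module."""
    swapped = dict(sources)
    swapped["transport.src"] = sources["transport.src"] + "\n[BACKDOOR MARKER]"
    return swapped


def verify_release(release: bytes, sources: Sources,
                   manifest: Dict[str, str]) -> Dict[str, object]:
    """Defender-side check: confirm the sources still match the review
    manifest, rebuild them on a clean host, and compare hashes with the
    artifact that was actually shipped."""
    clean = build(sources, host_hook=None)
    return {
        "sources_match_review": review_manifest(sources) == manifest,
        "release_sha256": sha256(release),
        "rebuild_sha256": sha256(clean),
        "reproducible": sha256(release) == sha256(clean),
    }


def run_pipeline(host_hook: Optional[Callable[[Sources], Sources]]) -> Dict[str, object]:
    """Review -> build (possibly on a tampered host) -> release -> verify."""
    manifest = review_manifest(REVIEWED_SOURCES)  # review only ever sees clean sources
    release = build(REVIEWED_SOURCES, host_hook)   # the swap, if any, happens here
    return verify_release(release, REVIEWED_SOURCES, manifest)


if __name__ == "__main__":
    for label, hook in (("clean build host", None), ("tampered build host", tampered_host)):
        result = run_pipeline(hook)
        print(f"{label}: sources_match_review={result['sources_match_review']} "
              f"reproducible={result['reproducible']}")
```

Note what the two results say together: on the tampered host the review manifest still matches, because the checked-in sources were never modified, and only the rebuild comparison fails. That is the property the article is describing, and it is why the comparison has to be done from a build environment the release pipeline cannot reach; it is only meaningful once the real build is reproducible (no embedded timestamps, stable ordering), which is the engineering work a real pipeline has to do first.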

Then there’s the ominous observation they made about the malware that surreptitiously slipped the backdoor into the Orion client update software: the malware that added the backdoor at the last moment during the compilation process “could have been reconfigured for any number of software products” that rely on the same compiler, raising the distinct possibility of this same attack being used against other software developers. All the hackers would need is access to the developers’ computers when they’re compiling the code. And what did they gain from the SolarWinds hack? Backdoors onto the network of every SolarWinds client. In other words, not only can the hackers use this same compiler trick to embed backdoors in other developers’ software, but they gained the incredible opportunity to do exactly that from the SolarWinds hack. Thousands of SolarWinds clients were undoubtedly developing their own software using the same compiler and the hackers could have deployed the same trick. Maybe they embed a backdoor. Maybe something else. It’s an ominous observation and part of the reason the identity of the real hackers really is a serious global concern. Whoever did this had the opportunity to plant the seeds of something orders of magnitude more devastating involving a wide array of different software tools being developed around the world:

...
But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet.

...

The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.

“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”

None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”
...

And note the timing here in the lead-up to the December 13, 2020, public announcement by SolarWinds acknowledging the hack: We are told that the first clue something was up came in early July 2020, when Volexity found suspicious activity on a client’s computer traced back to an update with SolarWinds. We’re then told the second clue came several months later when Palo Alto Networks contacted SolarWinds about a malicious backdoor that appeared to be emanating from the Orion software. SolarWinds then tells us the company worked with Palo Alto Networks for several months before giving up and closing the ticket. If that’s all true, that ticket must have been closed just days before FireEye contacted SolarWinds about its ominous discovery. Because if the first call from Palo Alto Networks came ‘several months’ after an ‘early July’ first tip from Volexity, that call would have had to be around mid-to-late September to early October if we interpret ‘several months’ to be 10–13 weeks. And if Palo Alto Networks and SolarWinds then spent another ‘several months’ studying the problem before giving up, that would put the ‘giving up’ point at early December at the earliest. So when exactly did that ticket get closed in relation to FireEye’s tip about the larger hack? SolarWinds didn’t tell us and Palo Alto Networks isn’t talking:

...
In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.”

Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.

That was the first missed sign.

The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.

In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.

Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts [125] and wrote: “I’m afraid this is all we have to help at this time.”
...

All in all, it’s hard to say that the NPR piece should make readers feel confident hacks like this aren’t going to happen again. Even when the hack was detected on client systems and investigations were started, they still couldn’t find it. Only FireEye, itself a top-tier security firm, was able to detect it on its own systems, and all indications are the hack would be ongoing today had FireEye not found it.

The Atlantic Council Confirms The SolarWinds Hackers Could Spoof Microsoft Credentials. Microsoft Blames Clients

And just a week after that NPR piece, we got another big reminder that the SolarWinds hack wasn’t just a giant hack of the SolarWinds company. It was a giant hack of Microsoft’s products. That was the message in a new report put out by The Atlantic Council, which appeared to confirm what Microsoft had long been denying: Once the hackers used those backdoors to gain access to victims’ networks they continued to exploit more vulnerabilities. In particular, Microsoft vulnerabilities involving how Microsoft products validate user identities. Now, part of the reason Microsoft vulnerabilities were heavily targeted was because, well, these vulnerabilities exist. But as the report notes, the other big reason Microsoft was targeted so heavily is that Microsoft has more than 85% of the market share for government and industry. In other words, the juiciest targets — especially government agencies — were almost all running Microsoft tools on their networks.

So what was Microsoft’s response to the Atlantic Council report? Microsoft continued to deflect blame, suggesting poorly configured software on the clients’ side was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured, with default log settings that won’t capture the information needed to catch attacks while they’re in progress. As we can see, the SolarWinds blame game is increasingly becoming Microsoft vs the World [38]:

Asso­ci­at­ed Press

Solar­Winds hack­ing cam­paign puts Microsoft in the hot seat

By FRANK BAJAK
April 23, 2021

BOSTON (AP) — The sprawl­ing hack­ing cam­paign [129] deemed a grave threat to U.S. nation­al secu­ri­ty came to be known as Solar­Winds, for the com­pa­ny whose soft­ware update was seed­ed by Russ­ian intel­li­gence agents with mal­ware to pen­e­trate sen­si­tive gov­ern­ment and pri­vate net­works.

Yet it was Microsoft whose code the cyber spies per­sis­tent­ly abused in the campaign’s sec­ond stage, rifling through emails and oth­er files of such high-val­ue tar­gets as then-act­ing Home­land Secu­ri­ty chief Chad Wolf — and hop­ping unde­tect­ed among vic­tim net­works.

This has put the world’s third-most valu­able com­pa­ny in the hot seat. Because its prod­ucts are a de fac­to mono­cul­ture in gov­ern­ment and indus­try — with more than 85% mar­ket share — fed­er­al law­mak­ers are insist­ing that Microsoft swift­ly upgrade secu­ri­ty to what they say it should have pro­vid­ed in the first place, and with­out fleec­ing tax­pay­ers.

Seek­ing to assuage con­cerns, Microsoft this past week offered all fed­er­al agen­cies a year of “advanced” secu­ri­ty fea­tures at no extra charge. But it also seeks to deflect blame, say­ing it is cus­tomers who do not always make secu­ri­ty a pri­or­i­ty.

Risks in Microsoft’s for­eign deal­ings also came into relief when the Biden admin­is­tra­tion imposed sanc­tions [130] Thurs­day on a half-dozen Russ­ian IT com­pa­nies it said sup­port Krem­lin hack­ing. Most promi­nent was Pos­i­tive Tech­nolo­gies, which was among more than 80 com­pa­nies that Microsoft has sup­plied with ear­ly access to data on vul­ner­a­bil­i­ties detect­ed in its prod­ucts. Fol­low­ing the sanc­tions announce­ment, Microsoft said Pos­i­tive Tech was no longer in the pro­gram and removed its name from a list of par­tic­i­pants on its web­site.

The Solar­Winds hack­ers took full advan­tage of what George Kurtz, CEO of top cyber­se­cu­ri­ty firm Crowd­Strike, called “sys­tem­at­ic weak­ness­es” in key ele­ments of Microsoft code to mine at least nine U.S. gov­ern­ment agen­cies — the depart­ments of Jus­tice and Trea­sury, among them — and more than 100 pri­vate com­pa­nies and think tanks, includ­ing soft­ware and telecom­mu­ni­ca­tions providers.

The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture [131] — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. [132] That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products” “vacuuming up emails and files from dozens of organizations.”

Thanks in part to the carte blanche that vic­tim net­works grant­ed the infect­ed Solar­winds net­work man­age­ment soft­ware in the form of admin­is­tra­tive priv­i­leges, the intrud­ers could move lat­er­al­ly across them, even jump among orga­ni­za­tions. They used it to sneak into the cyber­se­cu­ri­ty firm Mal­ware­bytes and to tar­get cus­tomers of Mime­cast, [133] an email secu­ri­ty com­pa­ny.

The campaign’s “hall­mark” was the intrud­ers’ abil­i­ty to imper­son­ate legit­i­mate users and cre­ate coun­ter­feit cre­den­tials that let them grab data stored remote­ly by Microsoft Office, the act­ing direc­tor of the Cyber­se­cu­ri­ty Infra­struc­ture and Secu­ri­ty Agency, Bran­don Wales, told a mid-March con­gres­sion­al hear­ing. “It was all because they com­pro­mised those sys­tems that man­age trust and iden­ti­ty on net­works,” he said.

Microsoft Pres­i­dent Brad Smith told a Feb­ru­ary con­gres­sion­al hear­ing that just 15% of vic­tims were com­pro­mised through an authen­ti­ca­tion vul­ner­a­bil­i­ty first iden­ti­fied in 2017 [134] — allow­ing the intrud­ers to imper­son­ate autho­rized users by mint­ing the rough equiv­a­lent of coun­ter­feit pass­ports.

Microsoft offi­cials stress that the Solar­Winds update was not always the entry point; intrud­ers some­times took advan­tage of vul­ner­a­bil­i­ties such as weak pass­words and vic­tims’ lack of mul­ti-fac­tor authen­ti­ca­tion. But crit­ics say the com­pa­ny took secu­ri­ty too light­ly. Sen. Ron Wyden, D‑Ore., ver­bal­ly pum­meled Microsoft for not sup­ply­ing fed­er­al agen­cies with a lev­el of “event log­ging” that, if it had not detect­ed the Solar­Winds hack­ing in progress, would at least have pro­vid­ed respon­ders with a record of where the intrud­ers were and what they saw and removed.

“Microsoft choos­es the default set­tings in the soft­ware it sells, and even though the com­pa­ny knew for years about the hack­ing tech­nique used against U.S. gov­ern­ment agen­cies, the com­pa­ny did not set default log­ging set­tings to cap­ture infor­ma­tion nec­es­sary to spot hacks in progress,” Wyden said. He was not the only fed­er­al law­mak­er who com­plained.

When Microsoft on Wednes­day announced a year of free secu­ri­ty log­ging for fed­er­al agen­cies, [135] for which it nor­mal­ly charges a pre­mi­um, Wyden was not appeased.

“This move is far short of what’s need­ed to make up for Microsoft’s recent fail­ures,” he said in a state­ment. “The gov­ern­ment still won’t have access to impor­tant secu­ri­ty fea­tures with­out hand­ing over even more mon­ey to the same com­pa­ny that cre­at­ed this cyber­se­cu­ri­ty sink­hole.”

...

Even the high­est lev­el of log­ging doesn’t pre­vent break-ins, though. It only makes it eas­i­er to detect them.

And remem­ber, many secu­ri­ty pro­fes­sion­als note, Microsoft was itself com­pro­mised [136] by the Solar­Winds intrud­ers, who got access to some of its source code — its crown jew­els. Microsoft’s full suite of secu­ri­ty prod­ucts — and some of the industry’s most skilled cyber-defense prac­ti­tion­ers — had failed to detect the ghost in the net­work. Not until alert­ed to the hack­ing cam­paign by Fire­Eye, the cyber­se­cu­ri­ty firm that detect­ed it in mid-Decem­ber, did Microsoft respon­ders dis­cov­er the relat­ed breach of their sys­tems.

The intrud­ers in the unre­lat­ed hack of Microsoft Exchange email servers dis­closed in March — blamed on Chi­nese spies — used whol­ly dif­fer­ent infec­tion meth­ods. But they gained imme­di­ate high-lev­el access to users’ email and oth­er info.

Across the indus­try, Microsoft’s invest­ments in secu­ri­ty are wide­ly acknowl­edged. It is often first to iden­ti­fy major cyber­se­cu­ri­ty threats, its vis­i­bil­i­ty into net­works is so great. But many argue that as the chief sup­pli­er of secu­ri­ty solu­tions for its prod­ucts, it needs to be more mind­ful about how much it should prof­it off defense.

“The crux of it is that Microsoft is sell­ing you the dis­ease and the cure,” said Marc Maiffret, a cyber­se­cu­ri­ty vet­er­an who built a career find­ing vul­ner­a­bil­i­ties in Microsoft prod­ucts and has a new start­up in the works called Bin­Mave.

Last month, Reuters report­ed that a $150 mil­lion pay­ment to Microsoft for a “secure cloud plat­form” was includ­ed in a draft out­line for spend­ing the $650 mil­lion appro­pri­at­ed for the Cyber­se­cu­ri­ty and Infra­struc­ture Secu­ri­ty Agency in last month’s $1.9 tril­lion pan­dem­ic relief act.

A Microsoft spokesper­son would not say how much, if any, of that mon­ey it would be get­ting, refer­ring the ques­tion to the cyber­se­cu­ri­ty agency. An agency spokesman, Scott McConnell, would not say either. Langevin said he didn’t think a final deci­sion has been made.

In the bud­get year end­ing in Sep­tem­ber, the fed­er­al gov­ern­ment spent more than half a bil­lion dol­lars on Microsoft soft­ware and ser­vices.

Many secu­ri­ty experts believe Microsoft’s sin­gle sign-on mod­el, empha­siz­ing user con­ve­nience over secu­ri­ty, is ripe for retool­ing to reflect a world where state-backed hack­ers now rou­tine­ly run roughshod over U.S. net­works.

Alex Wein­ert, Microsoft’s direc­tor of iden­ti­ty secu­ri­ty, said it offers var­i­ous ways for cus­tomers to strict­ly lim­it users’ access [137] to what they need to do their jobs. But get­ting cus­tomers to go along can be dif­fi­cult because it often means aban­don­ing three decades of IT habit and dis­rupt­ing busi­ness. Cus­tomers tend to con­fig­ure too many accounts with the broad glob­al admin­is­tra­tive priv­i­leges that allowed the Solar­Winds cam­paign abus­es, he said. “It’s not the only way they can do it, that’s for sure.”

In 2014–2015, lax restric­tions on access helped Chi­nese spies steal sen­si­tive per­son­al data on more than 21 mil­lion cur­rent, for­mer and prospec­tive fed­er­al employ­ees from the Office of Per­son­nel Man­age­ment. [138]

Cur­tis Dukes was the Nation­al Secu­ri­ty Agency’s head of infor­ma­tion assur­ance at the time.

The OPM shared data across mul­ti­ple agen­cies using Microsoft’s authen­ti­ca­tion archi­tec­ture, grant­i­ng access to more users than it safe­ly should have, said Dukes, now the man­ag­ing direc­tor for the non­prof­it Cen­ter for Inter­net Secu­ri­ty.

“Peo­ple took their eye off the ball.”

———–

“Solar­Winds hack­ing cam­paign puts Microsoft in the hot seat” by FRANK BAJAK; Asso­ci­at­ed Press; 04/23/2021 [38]

“This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.”

If you want to hack the US government, be ready to hack Microsoft products. That’s the undeniable reality. Microsoft is basically the software supplier for the US government and other governments around the world. So it should come as no surprise to learn that the second phase of the SolarWinds hack was basically the exploitation of Microsoft product weaknesses after the hackers gained access to client networks. In particular, vulnerabilities in Microsoft’s identity and access architecture, which validates users’ identities and grants them access to email, documents and other data. The SolarWinds hackers were repeatedly impersonating legitimate users and creating counterfeit credentials that let them grab data stored remotely by Microsoft Office. So the SolarWinds hack didn’t just involve the pilfering of victims’ networks but also of the data stored remotely and accessible through Microsoft Office. Those sound like some massive vulnerabilities. The SolarWinds hack wasn’t just the creation and exploitation of backdoors placed on 18,000 client networks. It was the exploitation of the information stored remotely via Microsoft Office for those clients too:

...
The Solar­Winds hack­ers took full advan­tage of what George Kurtz, CEO of top cyber­se­cu­ri­ty firm Crowd­Strike, called “sys­tem­at­ic weak­ness­es” in key ele­ments of Microsoft code to mine at least nine U.S. gov­ern­ment agen­cies — the depart­ments of Jus­tice and Trea­sury, among them — and more than 100 pri­vate com­pa­nies and think tanks, includ­ing soft­ware and telecom­mu­ni­ca­tions providers.

The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture [131] — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. [132] That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products” “vacuuming up emails and files from dozens of organizations.”

Thanks in part to the carte blanche that vic­tim net­works grant­ed the infect­ed Solar­winds net­work man­age­ment soft­ware in the form of admin­is­tra­tive priv­i­leges, the intrud­ers could move lat­er­al­ly across them, even jump among orga­ni­za­tions. They used it to sneak into the cyber­se­cu­ri­ty firm Mal­ware­bytes and to tar­get cus­tomers of Mime­cast, [133] an email secu­ri­ty com­pa­ny.

The campaign’s “hall­mark” was the intrud­ers’ abil­i­ty to imper­son­ate legit­i­mate users and cre­ate coun­ter­feit cre­den­tials that let them grab data stored remote­ly by Microsoft Office, the act­ing direc­tor of the Cyber­se­cu­ri­ty Infra­struc­ture and Secu­ri­ty Agency, Bran­don Wales, told a mid-March con­gres­sion­al hear­ing. “It was all because they com­pro­mised those sys­tems that man­age trust and iden­ti­ty on net­works,” he said.
...

But it gets worse for Microsoft, because the hackers didn’t simply exploit vulnerabilities in Microsoft’s products. They also rifled through Microsoft’s treasured source code looking for the code that validates users’ identities and grants them access to email, documents, and other data. So these super-hackers likely learned how to become even more super. At least more super against Microsoft:

...
And remem­ber, many secu­ri­ty pro­fes­sion­als note, Microsoft was itself com­pro­mised [136] by the Solar­Winds intrud­ers, who got access to some of its source code — its crown jew­els. Microsoft’s full suite of secu­ri­ty prod­ucts — and some of the industry’s most skilled cyber-defense prac­ti­tion­ers — had failed to detect the ghost in the net­work. Not until alert­ed to the hack­ing cam­paign by Fire­Eye, the cyber­se­cu­ri­ty firm that detect­ed it in mid-Decem­ber, did Microsoft respon­ders dis­cov­er the relat­ed breach of their sys­tems.
...

But perhaps worst of all is how long these security deficiencies have been plaguing Microsoft. This isn’t a new problem. Which is why it’s so problematic and scandalous that, as Senator Wyden angrily pointed out during a recent congressional hearing, Microsoft has been providing the US government with products that have the default “event logging” settings turned off. So by default, the US federal government doesn’t log these hacks when they happen. That’s apparently the case, according to Senator Wyden. The US government’s cyber-defenses have been flying blind by default thanks to Microsoft:

...
Microsoft offi­cials stress that the Solar­Winds update was not always the entry point; intrud­ers some­times took advan­tage of vul­ner­a­bil­i­ties such as weak pass­words and vic­tims’ lack of mul­ti-fac­tor authen­ti­ca­tion. But crit­ics say the com­pa­ny took secu­ri­ty too light­ly. Sen. Ron Wyden, D‑Ore., ver­bal­ly pum­meled Microsoft for not sup­ply­ing fed­er­al agen­cies with a lev­el of “event log­ging” that, if it had not detect­ed the Solar­Winds hack­ing in progress, would at least have pro­vid­ed respon­ders with a record of where the intrud­ers were and what they saw and removed.

“Microsoft choos­es the default set­tings in the soft­ware it sells, and even though the com­pa­ny knew for years about the hack­ing tech­nique used against U.S. gov­ern­ment agen­cies, the com­pa­ny did not set default log­ging set­tings to cap­ture infor­ma­tion nec­es­sary to spot hacks in progress,” Wyden said. He was not the only fed­er­al law­mak­er who com­plained.

...

Even the high­est lev­el of log­ging doesn’t pre­vent break-ins, though. It only makes it eas­i­er to detect them.
...

Of course, keep in mind that there’s a big advantage for the victims of hacks when no event logging was employed: the less information you have about what actually happened, the more you’re forced to speculate about what happened and the easier it is to just say it was probably Russia or China or whoever you want to blame. Ignorance can be both a cudgel and a shield when cyberattribution is wielded as a weapon.

Finally, note how we are told the ‘Chinese hackers’ behind the Microsoft Exchange hack used wholly different infection methods. Now, technically, yes, they may have used a different zero-day exploit targeting different Microsoft products. As we’ve seen, it was reportedly an Office 365 email exploit that the hackers used to initiate the hack on SolarWinds’ network, and the US Treasury Department confirmed that an Office 365 email exploit was used after the hackers infiltrated its networks via the backdoor. Whereas in the Microsoft Exchange hack, it was some sort of vulnerability in the Exchange software that was exploited. So yes, these are two different infection methods. But they both relied on manipulating Microsoft’s credentialing systems. From that perspective, it’s kind of the same underlying method:

...
The intrud­ers in the unre­lat­ed hack of Microsoft Exchange email servers dis­closed in March — blamed on Chi­nese spies — used whol­ly dif­fer­ent infec­tion meth­ods. But they gained imme­di­ate high-lev­el access to users’ email and oth­er info.
...

Keep in mind that pointing out the different attack methods used in the SolarWinds and Microsoft Exchange hacks, and citing that as evidence of their being different hacking groups, is another example of how vague technical ‘digital fingerprints’ like the particular type of malware or exploit used in a hack are used for cyberattribution purposes. It’s the kind of cyberattribution phenomenon that assumes the “commercial surveillance” industry isn’t supplying incredible zero-day attacks to dozens of governments around the world simultaneously.

The SolarWinds Hackers(?) Go Phishing. With USAID as the Bait.

The multifaceted ability of the SolarWinds hackers was on display again with a new announcement from Microsoft at the end of May: Remember those warnings following the Microsoft Exchange hack about highly sophisticated and targeted phishing campaigns emerging from all the information the hackers were able to extract from all those stolen emails? Well, a new highly sophisticated and targeted phishing campaign was indeed unleashed. But we are told “Nobelium” — the name Microsoft gave to Cozy Bear/APT29 — was the culprit. Approximately 3,000 email accounts at more than 150 different organizations in 24 different countries received emails seemingly from the United States Agency For International Development (USAID), encouraging victims to download a file about election fraud. The hackers carried out the hack by breaking into an email marketing account at Constant Contact [41], which is used by USAID for official communications. From there, they launched the phishing attacks.

Microsoft assures us that no exploits of Microsoft products were involved with this phishing attempt. At the same time, we’re told nothing about how this Constant Contact email marketing account was broken into in the first place. In fact, it’s not actually clear at all what ties this phishing attack to the SolarWinds hack. And yet we are assured by Microsoft, with high confidence, that Russia’s SVR is behind it and that it appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts. And since the SVR is also blamed for the SolarWinds hack, it’s therefore behind this phishing attempt. That appears to be the ‘logic’ at work here.

Now, if we view the Microsoft blog post on this hack, there is one technical fact that relates back to the SolarWinds hack: the use of zero-day exploits. Victims who fell for the phishing emails had four zero-day pieces of malware deployed on their computers [42], according to a second Microsoft blog post about the attack. So the technical trait shared between this phishing attack and the earlier SolarWinds hack is the use of multiple zero-day exploits. But different exploits. The Microsoft blog post describing this USAID phishing scheme [41] explicitly states that this new attack bears very little technical similarity to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the discovery of the SolarWinds hack. So the possession of multiple zero-day exploits is apparently being used as a technical indicator for attributions. If a hacker is sporting lots of zero-day exploits, it’s assumed to be the same hacker who ran the last hack with lots of zero-day exploits. And since zero-day exploits are widely assumed to largely be the exclusive property of well-financed nations (the US, Russia, China, Israel, etc.), when a hack involves lots of zero-day exploits the list of suspects gets narrowed down to that list. That appears to be the pattern playing out here. A pattern that ignores the existence of a robust industry selling zero-day exploits to dozens of governments around the world.

But also keep in mind that the Microsoft Exchange mega-hack announced in March also utilized zero-day exploits, and this hack started with the compromise of USAID’s Constant Contact email account. Is there an Exchange server involved with this service? It would be nice to know, but, again, we aren’t told how the hack started. So how was Microsoft able to deduce that it was the SolarWinds hackers and not the Exchange hackers or some other group? We have no idea, but we are assured that Microsoft figured it all out. We’ll just have to blindly trust them on this. As always [40]:

Reuters
Tech­nol­o­gy

Microsoft says group behind Solar­Winds hack now tar­get­ing gov­ern­ment agen­cies, NGOs

Raphael Sat­ter, Kan­ish­ka Singh
May 28, 2021 12:53 PM CDT Updat­ed

May 28 (Reuters) — The group behind the Solar­Winds (SWI.N) cyber attack iden­ti­fied late last year is now tar­get­ing gov­ern­ment agen­cies, think tanks, con­sul­tants, and non-gov­ern­men­tal orga­ni­za­tions, Microsoft Corp (MSFT.O) said on Thurs­day.

“This week we observed cyber­at­tacks by the threat actor Nobeli­um tar­get­ing gov­ern­ment agen­cies, think tanks, con­sul­tants, and non-gov­ern­men­tal orga­ni­za­tions”, Microsoft said in a blog [139].

Nobeli­um, orig­i­nat­ing from Rus­sia, is the same actor behind the attacks on Solar­Winds cus­tomers in 2020, accord­ing to Microsoft.

The com­ments come weeks after a May 7 ran­somware attack on Colo­nial Pipeline shut the Unit­ed States’ largest fuel pipeline net­work for sev­er­al days, dis­rupt­ing the coun­try’s sup­ply.

“This wave of attacks tar­get­ed approx­i­mate­ly 3,000 email accounts at more than 150 dif­fer­ent orga­ni­za­tions”, Microsoft said on Thurs­day.

While organ­i­sa­tions in the Unit­ed States received the largest share of attacks, tar­get­ed vic­tims came from at least 24 coun­tries, Microsoft said.

At least a quar­ter of the tar­get­ed organ­i­sa­tions were involved in inter­na­tion­al devel­op­ment, human­i­tar­i­an issues and human rights work, Microsoft said in the blog.

Nobeli­um launched this week’s attacks by break­ing into an email mar­ket­ing account used by the Unit­ed States Agency For Inter­na­tion­al Devel­op­ment (USAID) and from there launch­ing phish­ing attacks on many oth­er organ­i­sa­tions, Microsoft said.

In state­ments issued Fri­day, the Depart­ment of Home­land Secu­ri­ty and USAID both said they were aware of the hack­ing and were inves­ti­gat­ing.

The hack of infor­ma­tion tech­nol­o­gy com­pa­ny Solar­Winds, which was iden­ti­fied in Decem­ber, gave access to thou­sands of com­pa­nies and gov­ern­ment offices that used its prod­ucts. Microsoft Pres­i­dent Brad Smith described the attack as “the largest and most sophis­ti­cat­ed attack the world has ever seen”. read more [140]

...

The Unit­ed States and Britain have blamed Rus­si­a’s For­eign Intel­li­gence Ser­vice (SVR), suc­ces­sor to the for­eign spy­ing oper­a­tions of the KGB, for the hack which com­pro­mised nine U.S. fed­er­al agen­cies and hun­dreds of pri­vate sec­tor com­pa­nies.

The attacks dis­closed by Microsoft on Thurs­day appeared to be a con­tin­u­a­tion of mul­ti­ple efforts to tar­get gov­ern­ment agen­cies involved in for­eign pol­i­cy as part of intel­li­gence gath­er­ing efforts, Microsoft said.

The com­pa­ny said it was in the process of noti­fy­ing all of its tar­get­ed cus­tomers and had “no rea­son to believe” these attacks involved any exploita­tion or vul­ner­a­bil­i­ty in Microsoft­’s prod­ucts or ser­vices.
————–

“Microsoft says group behind Solar­Winds hack now tar­get­ing gov­ern­ment agen­cies, NGOs” by Raphael Sat­ter and Kan­ish­ka Singh; Reuters; 05/28/2021 [40]

“Nobeli­um launched this week’s attacks by break­ing into an email mar­ket­ing account used by the Unit­ed States Agency For Inter­na­tion­al Devel­op­ment (USAID) and from there launch­ing phish­ing attacks on many oth­er organ­i­sa­tions, Microsoft said.”

As Microsoft announced in May, the SolarWinds attacks continue. Sort of. This wasn’t an extension of the SolarWinds attack. At least we aren’t told so. Instead, we’re told that the same hackers, Nobelium, who carried out the SolarWinds attack also carried out this new attack targeting the email marketing firm, Constant Contact, that handles the emails for USAID. Somehow, the hackers were able to send out emails to 3,000 email accounts at more than 150 different organizations that looked like they came from USAID, and if victims clicked on the links in the emails they received sophisticated malware like what was deployed in the SolarWinds attack. Again, Nobelium is Microsoft’s name for APT29/Cozy Bear, the group accused of the 2015 DNC hack (the first DNC hack of the 2016 election season).

Now how did Microsoft arrive at the conclusion that this phishing attack was carried out by the same “Nobelium” SolarWinds hackers? As we should expect, it’s entirely unclear. Microsoft first dubbed the SolarWinds hackers “Nobelium” back in March of 2020 in a blog post describing the command-and-control malware from the SolarWinds hack: ‘zero-day’ malware that had never been seen before, adding to the perceived sophistication of the hackers [141]. Of course, as we’re going to see with the NSO Group story, ultra-sophisticated ‘zero-day’ hacks that have ‘never been seen before’ are effectively for sale to governments around the world. Any government with permission to buy this software would suddenly become an ultra-sophisticated actor with an armory of zero-day exploits never seen before.

So were more zero-day exploits found in this latest USAID phishing hack? Yes, there were four zero-day pieces of malware deployed [42], according to a second Microsoft blog post about the attack. So, once again, the only technical trait this phishing attack shares with the earlier SolarWinds hack is the use of multiple zero-day exploits, and different ones at that, with the Microsoft blog post describing the USAID phishing scheme [41] explicitly stating that the new attack bears very little technical similarity to the SolarWinds hack. As already noted, that effectively turns the mere possession of multiple zero-day exploits into an attribution indicator, narrowing the suspect list to well-financed nations while ignoring the robust industry selling zero-day exploits to dozens of governments around the world.

And note how, while this attack clearly involves USAID, it’s not actually targeting USAID. It was an attack that used USAID’s persona to target 150 different organizations in at least 24 countries. And only around a quarter of those targeted organisations were involved in international development, humanitarian issues and human rights work. And yet Microsoft confidently tells us this hack is a continuation of an SVR espionage campaign targeting government agencies involved in foreign policy. It’s a remarkably cherry-picked assessment:

...
“This wave of attacks tar­get­ed approx­i­mate­ly 3,000 email accounts at more than 150 dif­fer­ent orga­ni­za­tions”, Microsoft said on Thurs­day.

While organ­i­sa­tions in the Unit­ed States received the largest share of attacks, tar­get­ed vic­tims came from at least 24 coun­tries, Microsoft said.

At least a quar­ter of the tar­get­ed organ­i­sa­tions were involved in inter­na­tion­al devel­op­ment, human­i­tar­i­an issues and human rights work, Microsoft said in the blog.

...

The Unit­ed States and Britain have blamed Rus­si­a’s For­eign Intel­li­gence Ser­vice (SVR), suc­ces­sor to the for­eign spy­ing oper­a­tions of the KGB, for the hack which com­pro­mised nine U.S. fed­er­al agen­cies and hun­dreds of pri­vate sec­tor com­pa­nies.

The attacks dis­closed by Microsoft on Thurs­day appeared to be a con­tin­u­a­tion of mul­ti­ple efforts to tar­get gov­ern­ment agen­cies involved in for­eign pol­i­cy as part of intel­li­gence gath­er­ing efforts, Microsoft said.
...

So we have the SolarWinds mega-hack discovered in December 2020 initially attributed to a previously unknown group — that governments nonetheless assure us are the SVR — but later attributed to Cozy Bear/APT29 aka Nobelium. Then a May 2021 phishing campaign that doesn’t actually share any of the technical traits of the SolarWinds hack other than the use of different zero-day exploits is also attributed to Cozy Bear. Why exactly it’s been determined that these two separate attacks were done by the same group is never explained, let alone why they’ve determined that group is Russia’s SVR.

The SolarWinds Hackers(?) Can’t Stop, Won’t Stop...Hacking Microsoft

It’s always a ‘trust us’ narrative. A narrative that sounds awfully similar to the story we got a month later, in the last week of June, when Microsoft announced a new Nobelium/Cozy Bear attack. Although it’s more like an update on the May phishing attack. As with the May phishing attack report, Microsoft assured us that this new attack is unrelated to the SolarWinds hack. And yet Microsoft also assured us that the same group, Nobelium, was behind it. The reason for this attribution to Nobelium is never given. It’s another phishing attack that isn’t technically related to the SolarWinds hack, but they’re still sure it’s the same group. The reasons are never given. Sounding familiar yet?

But this June attack appears to differ from the May phishing attack in a potentially significant way: one of Microsoft’s own agents was hacked and customer information about Microsoft services was stolen, allowing for tailored phishing attacks. So whoever pulled this off demonstrated an eerily similar ability to exploit previously unknown Microsoft vulnerabilities. An ability demonstrated by both the SolarWinds and Exchange hackers.

Microsoft didn’t answer questions of whether or not its agent was hacked during the initial SolarWinds hack. But we are told that Microsoft discovered this phishing campaign and the hacking of its agent as a result of its investigation into the earlier SolarWinds hacks. Part of the reason this is potentially significant is that it once again raises the question of whether or not this new hack of the Microsoft agent — where customer service information was somehow accessed and used to tailor phishing emails — was executed with some sort of exploit targeting Microsoft systems. And if that’s the case, we have to ask why these are necessarily the SolarWinds hackers and not the Exchange hackers. Both possessed Microsoft zero-day exploits.

But beyond the potential relationship between the SolarWinds and Exchange hackers, it’s hard to ignore the story of NSO Group, Candiru, and the existence of the private industry that creates and sells cutting-edge malware bristling with zero-day exploits — including zero-day exploits targeting Microsoft products — that are sold to dozens of governments around the world. And yet ignoring the existence of this private industry that makes cutting-edge zero-day exploits available to dozens of governments around the world is exactly what we are asked to do. Over and over. Every time there’s a new hack that shows a reasonable degree of sophistication or that hits a government agency (even if many more non-government organizations are hit too), it’s treated as if the only possible actors in the world who could have pulled off the hack were Russia, China, Iran or North Korea. It is systematically ignored that dozens of governments around the world can and do buy the necessary ‘zero-day’ malware toolkits to pull off these hacks. Would Saudi Arabia attempt a SolarWinds-style mega-hack if they knew it was going to be blamed on Russia or China? There’s no way to responsibly avoid asking these kinds of questions when we know Saudi Arabia and dozens of other countries have already purchased the ability to do so.

So we have a second phishing attack attributed to Nobelium/Cozy Bear. But unlike the previous phishing attack, where Microsoft acknowledged there was no apparent technical link back to the earlier SolarWinds hack, this phishing attack appears to have employed some sort of vulnerability in Microsoft’s products. And at the same time Microsoft assures us this wasn’t technically related to the SolarWinds hack, Microsoft also reminds us of what was disclosed months ago: that data and insights were stolen from Microsoft during the initial SolarWinds attack, including software instructions governing how Microsoft verifies user identities. Were any of those stolen vulnerabilities used in this hack? Microsoft isn’t saying. And that’s a big part of the larger story here: extremely serious allegations about who was behind these cyberattacks are being made — with all fingers pointing towards the Russian or Chinese governments — with almost no information being released regarding why and how those attributions are made. The entire cyberattribution industry is rooted in a ‘just trust us on this’ ethos [44]:

Reuters

Microsoft says new breach discovered in probe of suspected SolarWinds hackers

Joseph Menn
June 25, 2021 8:59 PM CDT Updated

SAN FRANCISCO, June 25 (Reuters) — Microsoft (MSFT.O) said on Friday an attacker had won access to one of its customer-service agents and then used information from that to launch hacking attempts against customers.

The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds (SWI.N) and Microsoft.

Microsoft said it had warned the affected customers. A copy of one warning seen by Reuters said the attacker belonged to the group Microsoft calls Nobelium and that it had access during the second half of May.

“A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.

When Reuters asked about that warning, Microsoft announced the breach publicly.

After commenting on a broader phishing campaign it said had compromised a small number of entities, Microsoft said it had also found the breach of its own agent, who it said had limited powers.

The agent could see billing contact information and what services the customers pay for, among other things.

“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said.

Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in.

Microsoft said it was aware of three entities that had been compromised in the phishing campaign.

It did not immediately clarify whether any had been among those whose data was viewed through the support agent, or if the agent had been tricked by the broader campaign.

Microsoft did not say whether the agent was at a contractor or a direct employee.

A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code.

In the SolarWinds attack, the group altered code at that company to access SolarWinds customers, including nine U.S. federal agencies.

At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.

Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.

A White House official said the latest intrusion and phishing campaign was far less serious than the SolarWinds fiasco.

“This appears to be largely unsuccessful, run-of-the-mill espionage,” the official said.

...

————

“Microsoft says new breach discovered in probe of suspected SolarWinds hackers” by Joseph Menn; Reuters; 06/25/2021 [44]

““A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.”

Nobelium “accessed Microsoft customer support tools to review information.” That’s the language used by Microsoft to describe the hacking of its agent and the use of the obtained information to run targeted phishing campaigns. That’s what we know. What we don’t know is how the agent got hacked in the first place. Was it simply exploiting a backdoor created by the SolarWinds hack? Microsoft isn’t saying. But we know Microsoft has previously disclosed that ‘Nobelium’ stole code involving Microsoft’s user verification. And DHS tells us these same hackers are taking advantage of weaknesses in the way Microsoft programs were configured. A lot of arrows are pointing in the direction of another Microsoft vulnerability being exploited, but as always we’re forced to guess:

...
A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code.

...

At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.

Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
...

The bad news stories just keep piling up. What’s next?

Backdoors aren’t Just Backdoors. They’re Digital Bombs Too.

What might be next is the question ominously answered in a CBS News piece from July 4 that includes commentary from Jon Miller, a former hacker who now runs a company called Boldend that designs and sells cutting-edge cyber weapons to US intelligence agencies. According to Miller, what stood out for him in the SolarWinds hack wasn’t the sophistication of the malware. Miller claims to create much more sophisticated malware in his own work. What surprised him was the scope of the attack. Whoever did this didn’t even bother trying to hide it and seemed to execute it with no regard to the damage caused or potential consequences.

And then Miller drops the bomb: when asked if the hackers were capable of doing more damage than they did and, for example, destroying all the computers on the network, Miller tells us that not only would that be possible but it would be trivial. A few dozen additional lines of code. So if the SolarWinds hackers — or the Microsoft Exchange hackers — wanted to destroy the computer systems of organizations around the world, they could have done so. Easily.

The piece also includes an interview with Brad Smith, president of Microsoft. Smith points to the numerous government agencies hit to make the case that it must be a foreign intelligence operation, an observation that systematically ignores all the non-government commercial victims that also got hit. Smith goes on to make an interesting defense of the US government’s inability to detect and stop the SolarWinds hack: because the hackers launched the hack from US-based servers, the NSA wasn’t legally allowed to observe and prevent it. Domestic network security in the US is the responsibility of the private sector. How those policies change in response to these mega-hacks will be something to watch [142].

Then Smith issues a warning that, when combined with Miller’s warnings about digital bombs, should send chills down the spines of system administrators everywhere: Smith warns that it’s almost certain the SolarWinds hackers planted additional backdoors and spread to other networks. Keep in mind that Microsoft has been one of the lead investigators on this, so when Microsoft tells us the SolarWinds hackers are probably still residing on these hacked networks and have spread to others, that’s the kind of warning we should take seriously. So if you were hoping the discovery of the SolarWinds hack meant the closing of all these backdoors on the networks of thousands of organizations around the world, your hopes should be dashed by now. Microsoft was basically telling us they don’t think they can realistically expel the hackers from all these networks. So if these hackers do decide to actually destroy tens of thousands of hacked networks around the world, or conduct a global ransomware attack, they could probably still do so [46]:

CBS News

SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments

Bill Whitaker reports on how Russian spies used a popular piece of software to unleash a virus that spread to 18,000 government and private computer networks.

Correspondent Bill Whitaker
2021 Jul 04

When Presidents Biden and Putin met in Geneva last month – it was the first time that the threat of cyber war eclipsed that of nuclear war between the two old super-powers… and “SolarWinds” was one big reason why. Last year, in perhaps the most audacious cyber attack in history, Russian military hackers sabotaged a tiny piece of computer code buried in a popular piece of software called SolarWinds. As we first reported in February, the hidden virus spread to 18,000 government and private computer networks by way of one of those software updates we all take for granted. After it was installed, Russian agents went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce – among others – and for nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets.

Brad Smith: I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.

Brad Smith is president of Microsoft. He learned about the hack after the presidential election this past November. By that time, the stealthy intruders had spread throughout the tech giant’s computer network and stolen some of its proprietary source code used to build its software products. More alarming: how the hackers got in… piggy-backing on a piece of third party software used to connect, manage and monitor computer networks.

Bill Whitaker: What makes this so momentous?

Brad Smith: One of the really disconcerting aspects of this attack was the widespread and indiscriminate nature of it. What this attacker did was identify network management software from a company called SolarWinds. They installed malware into an update for a SolarWinds product. When that update went out to 18,000 organizations around the world, so did this malware.

“SolarWinds Orion” is one of the most ubiquitous software products you probably never heard of, but to thousands of I.T. departments worldwide, it’s indispensable. It’s made up of millions of lines of computer code. 4,032 of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor to the 18,000 infected networks. Microsoft has assigned 500 engineers to dig in to the attack. One compared it to a Rembrandt painting, the closer they looked, the more details emerged.

Brad Smith: When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.

Bill Whitaker: You guys are Microsoft. How did Microsoft miss this?

Brad Smith: I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.

Bill Whitaker: Is it still going on?

Brad Smith: Almost certainly, these attacks are continuing.

The world still might not know about the hack if not for FireEye, a three-and-a-half billion dollar cybersecurity company run by Kevin Mandia, a former Air Force intelligence officer.

...

They discovered the malware inside SolarWinds and on December 13 informed the world of the brazen attack.

Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.

Bill Whitaker: So, what does that target list tell you?

Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.

And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.

The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.

Brad Smith: I do think this was an act of recklessness. The world runs on software. It runs on information technology. But it can’t run with confidence if major governments are disrupting and attacking the software supply chain in this way.

Bill Whitaker: That almost sounds like you think that they went in to foment chaos?

Brad Smith: What we are seeing is the first use of this supply chain disruption tactic against the United States. But it’s not the first time we’ve witnessed it. The Russian government really developed this tactic in Ukraine.

...

Bill Whitaker: It’s hard to downplay the severity of this.

Chris Inglis: It is hard to downplay the severity of this. Because it’s only a stone’s throw from a computer network attack.

Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.

Bill Whitaker: Why didn’t the government detect this?

Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.

Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.

Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?

Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.

...

It’s not every day you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.

Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.

Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.

Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.

Bill Whitaker: So, for instance, they could destroy all the computers on a network?

Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.

...

————

“SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments” by Bill Whitaker; CBS News; 07/04/2021 [46]

“Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.”

The SolarWinds hackers spent months inside numerous US government agency networks. Presumably from February 2020 until December 2020. 10 or so months of emails. That’s a lot of government emails. It makes the “Hillary’s emails” stories sound like a sweet lullaby of yesteryear.

But the SolarWinds hack was obviously not just targeting the US government. Thousands of companies were hit too. And yet, when asked, the President of Microsoft insists, “I think this target list tells us that this is clearly a foreign intelligence agency”. It’s what it looks like when everyone plays dumb professionally:

...
Bill Whitaker: So, what does that target list tell you?

Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.

And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.

The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.
...

Also note how the fact that the SolarWinds hack was conducted with US-based servers, and the fact that the NSA isn’t mandated with monitoring US networks, is turning into an argument for giving the NSA authority to monitor US networks. This is a good time to recall the story from earlier this year about the DARPA projects involving the creation of autonomous anti-virus software that can traverse networks, which sound awfully similar to the “Project TURBINE” plan for mass automated malware implantation [143]. Automated ‘anti-malware’ delivered by goodware. As questions about the constitutionality of NSA monitoring of domestic networks get raised, don’t be surprised if automated ‘goodware’ solutions are offered:

...
Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.

Bill Whitaker: Why didn’t the government detect this?

Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.

Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.

Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?

Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.
...

Finally, note the assessment about the relative sophistication of the SolarWinds source code by Jon Miller, the former hacker who now runs Boldend, a company that designs and sells cutting-edge cyber weapons to U.S. intelligence agencies. Miller wasn’t impressed by the sophistication. He admits to building things much more sophisticated (presumably sold to US intelligence agencies). What surprised Miller was the scale of the attack and that someone actually did something that created so much damage. It’s the kind of response from an industry professional (who isn’t playing dumb professionally) that points towards a reality where large-scale hacks of this nature have long been possible, but assumed to be too inflammatory to execute without inviting serious repercussions. As Miller pointed out, this attack potentially tainted the entire global software supply chain. The same compiler attack that snuck the backdoor into SolarWinds’s Orion client tool could be reapplied to the software being developed by the tens of thousands of SolarWinds corporate and government clients. It really was a massive attack. But he’s not surprised someone was able to pull it off technically. He’s surprised someone actually did it. It’s an important distinction to keep in mind when assessing the nature of this attack. Thankfully, another possible nightmare scenario wasn’t executed: a scenario where malware is deployed that actually causes these networks to physically destroy themselves. But they could have if they wanted to:

...
It’s not every day you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.

Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.

Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.

Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.

Bill Whitaker: So, for instance, they could destroy all the computers on a network?

Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.
...

Miller is absolutely correct. SolarWinds wasn’t just the mega-hack of SolarWinds and its thousands of clients. It was potentially the hack of the global technological supply chain. Someone executed a very, very big hack.

CitizenLab Issues a Warning to the World: Someone is Hacking the Sh*t Out of Microsoft. Legally. Meet Candiru

It was the middle of July this year when the stories of the mega-hacks took a sudden turn. After months of disclosing (and denying) one hack after another involving a Microsoft vulnerability, CitizenLab had a dramatic, and thematically appropriate, new security warning: a mercenary spyware company has been selling an exploit used against Windows users in several countries, including Iran, Lebanon, Spain and the United Kingdom. Beyond that, the malware has been found targeting activists, which isn’t particularly surprising given the fact that Candiru’s clients are governments. Candiru’s exploits aren’t solely against Microsoft products. Google’s popular Chrome browser is also a target. But it sounds like Candiru specializes in Microsoft products.

Microsoft fixed the vulnerabilities identified in CitizenLab’s report. Curiously, in its report on the fix, Microsoft never refers to Candiru by name. Instead, it refers to it as an “Israel-based private sector offensive actor” which the company codenamed Sourgum. Google also issued a report on Candiru’s targeting of activists and the zero-day exploits discovered being used against activists. Google also didn’t refer to Candiru by name.

So at least one Candiru customer — but perhaps more than one — was running around using zero-day exploits against activists and they got caught. Because it was blamed on Candiru it couldn’t be attributed to Russia or China. So who got blamed for these discovered hacks against activists? No one [48]:

Reuters
Technology

Microsoft says Israeli group sold tools to hack Windows

Christopher Bing
July 15, 2021 4:45 PM CDT
Updated

July 15 (Reuters) — An Israeli group sold a tool to hack into Microsoft Windows, Microsoft and technology human rights group Citizen Lab said on Thursday, shedding light on the growing business of finding and selling tools to hack widely used software.

The hacking tool vendor, named Candiru, created and sold a software exploit that can penetrate Windows, one of many intelligence products sold by a secretive industry that finds flaws in common software platforms for their clients, said a report by Citizen Lab.

Technical analysis by security researchers details how Candiru’s hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various civil society organizations, including a Saudi dissident group and a left-leaning Indonesian news outlet, the reports by Citizen Lab and Microsoft show.

...

Evidence of the exploit recovered by Microsoft Corp (MSFT.O) suggested it was deployed against users in several countries, including Iran, Lebanon, Spain and the United Kingdom, according to the Citizen Lab report.

“Candiru’s growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” Citizen Lab said in its report.

Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.

“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”

Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.

On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.

Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.

Those types of covert systems cost millions of dollars and are often sold on a subscription basis, making it necessary for customers to repeatedly pay a provider for continued access, people familiar with the cyber arms industry told Reuters.

“No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.

———–

“Microsoft says Israeli group sold tools to hack Windows” by Christopher Bing; Reuters; 07/15/2021 [48]

“No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.”

Are you a government with cash to burn? Welcome to the world of elite hackers. Just be sure to maintain your subscription fees.

Google’s researchers weren’t exaggerating. It really is just a matter of having the resources — and permission from the Israeli (and US?) government(s?) — for a government to go from having virtually no cyber capabilities to having a suite of zero-day exploits capable of defeating the top technology firms in the world.

And yet it’s kind of interesting that both Google and Microsoft didn’t actually name Candiru in their reports. Microsoft refers to Candiru with its own made-up codename Sourgum. Although Microsoft does point out in its report that Citizen Lab identified Sourgum as Candiru [144]. But that’s the only reference to Candiru in the report. And Google’s report on Candiru just refers to a “commercial surveillance company.” Recall that this is the same language Google used in its report on the three zero-day exploits discovered targeting Armenian activists [52]. So Google and Microsoft appear to go out of their way to avoid naming names in their reports when the culprit is a private company:

...
Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.

“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”

...

On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.
...

Also note how Candiru’s toolkit doesn’t just include an array of Microsoft exploits. It also hits other common non-Microsoft apps like Google’s Chrome. And as the article notes, cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits. In other words, these toolkits have to consist of numerous zero-day exploits. That’s the underlying product these companies are selling: toolkits that chain together multiple zero-day exploits:

...
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.

...

Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.
...

Days after Microsoft was forced to patch these vulnerabilities, the company issued an update on the actions it was taking against Candiru’s malware as well as the scope of the use of this malware: Microsoft claimed it blocked tools used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents. Politicians got hit too. It’s not surprising, but a notable admission. Precision attacks were identified in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.

Intriguingly, Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter. So the next time you hear about a Black Lives Matter website and it’s automatically attributed to Russia and the Internet Research Agency, keep this ‘feature’ in mind. Candiru was selling tools specifically to mimic left-wing organizations. Also keep in mind that it’s Amnesty International that releases a big NSO Group exposé days after Candiru’s malware is revealed, so there are probably quite a few people in the cybersecurity industry itself with an interest in spying on people affiliated with Amnesty International [50]:

Associated Press

Microsoft says it blocked spying on rights activists, others

By ALAN SUDERMAN
July 15, 2021

RICHMOND, Va. (AP) — Microsoft said Thursday it has blocked tools [144] developed by an Israeli hacker-for-hire company that were used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents.

Microsoft issued a software update and worked with the Citizen Lab [145] at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.

Microsoft said people targeted in “precision attacks” by the spyware were located in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Microsoft did not name the targets but described them generally by category.

Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.

The reports by Microsoft and Citizen Lab shine new light on an opaque and lucrative industry of selling sophisticated hacking tools to governments and law enforcement agencies. Critics say such tools are often misused by authoritarian governments against innocent people.

“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Microsoft said in a blog post.

...

Microsoft said the business model for companies such as Candiru is to sell its services to government agencies, which then likely choose the targets and run the operations themselves.

Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.

Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.

Thursday’s disclosure by Microsoft was part of what the company said was a broader effort to “address the dangers” caused by hacker-for-hire companies. Microsoft is supporting Facebook in its lawsuit [146] against NSO Group, which is also based in Israel and is perhaps the most prominent private offensive spyware company.

Facebook filed a federal civil suit in 2019 alleging that NSO Group targeted some 1,400 users of Facebook’s encrypted messaging service WhatsApp with highly sophisticated spyware.

————-

“Microsoft says it blocked spying on rights activists, others” by ALAN SUDERMAN; Associated Press; 07/15/2021 [50]

“Microsoft issued a software update and worked with the Citizen Lab [145] at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.”

Candiru is so secretive it uses secret identities. Secrecy that’s probably driven, in part, by the fact that it’s crafting the digital infrastructure governments are using to hack civil society. Organizations like Black Lives Matter and Amnesty International. That’s the kind of activity one might hide from. Presumably the utility of these fake websites is to direct people there to deliver the malware, which implies the targets of this malware were at least sympathetic to Black Lives Matter and Amnesty International. Just think about how many schemes targeting Black Lives Matter attributed to Russia since 2016 [147] were actually a product of Candiru’s ready-to-use toolkit. Or some other “commercial surveillance vendor” selling similar tools:

...
Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
...

And note the price. Yeah, your average person can’t handle these kinds of subscription fees. But basically every government on the planet can. Easily:

...
Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.

Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.
...

It’s too bad CitizenLab couldn’t get the actual subscription information for Candiru’s many clients to see just how many devices governments are paying to hack. It’s almost $2 million per hacked device. That’s probably a lot of people. And a lot of profit for Candiru’s investors.

2021: Year of the Zero-Day

Just how much money is being made by this mercenary spyware industry? We’ll obviously never know. But if the discovery of new zero-day exploits is any indication of the industry’s work, we can say 2021 has been a robust year for the industry. As the following Threatpost piece from July 15 describes, there were 33 zero-day exploits reported by that date this year compared to 22 zero-day exploits in 2020 in total. At this pace, 2021 will have triple the number of zero-day exploits of 2020, and 2020 was a record year. There’s simply been an explosion of discovered zero-days. For example, at the same time Google issued its own mid-July report on Candiru’s malware being used against activists, it also disclosed a new zero-day flaw in the iOS Safari browser that was used to target Western European government officials. They note in the report that ‘Russian-language actors’ were using the exploit at the same time ‘Nobelium’ was targeting users on Windows devices to deliver Cobalt Strike, suggesting the two are related.

Putting aside the already addressed problems with placing an emphasis on the ‘cultural artifact’ language clues hackers leave, it’s worth noting that the Nobelium hack targeting users on Windows devices was a reference to the USAID phishing attack. As we saw, Microsoft reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack [42]. But Microsoft also reported the deployment of Cobalt Strike in its initial post about the phishing attack a day earlier [42]. Which should come as no surprise. Cobalt Strike, a legitimate penetration-testing tool used to test network defenses, has exploded in popularity and gone mainstream among criminals [148]. In other words, we can’t infer much from the fact that this iOS Safari hack and a hack attributed to Nobelium both deployed Cobalt Strike. Cobalt Strike is what savvy cybercriminals use these days, and therefore not a trademark indicator of a particular actor. What is a notable coincidence between the USAID phishing hacks and the Safari hack is that both involve zero-day exploits. That’s the primary meaningful technical indicator shared between all of the hacks we are discussing here: zero-day exploits were deployed. And yet, we can only infer so much. We don’t know who is developing or deploying all these zero-days. We just know it could be a much broader range of actors than just Russia and China [52]:

Threatpost

Safari Zero-Day Used in Malicious LinkedIn Campaign

Author: Elizabeth Montalbano
July 15, 2021 7:04 am

Researchers shed light on how attackers exploited Apple web browser vulnerabilities to target government officials in Western Europe.

Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.

That’s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday posted a blog [149] shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities—the prevalence of which is on the rise—before they were addressed by their respective vendors.

TAG researchers discovered the Safari WebKit flaw, tracked as CVE-2021-1879 [150], on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross-site scripting and was addressed by Apple in an update [151] later that month.

Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.

“If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,” they wrote.

The exploit, which targeted iOS versions 12.4 through 13.7, would turn off Same-Origin-Policy [152] protections on an infected device to collect authentication cookies from several popular websites—including Google, Microsoft, LinkedIn, Facebook and Yahoo—and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.

Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium—targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report [153] posted online in May, the researchers added.

...

Other Zero-Day Attacks

Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley [154]. Two of those vulnerabilities—CVE-2021-21166 [155] and CVE-2021-30551 [156]—were found in Chrome, and one, tracked as CVE-2021-33742 [157], in Internet Explorer.

CVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.

“Both of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”

When prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info—which included screen resolution, timezone, languages, browser plugins, and available MIME types—would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.

Researchers also identified a separate campaign in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.

“This happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,” Stone and Lecigne explained.

At the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.

Why Is There an Increase in Zero-Days?

All in all, security researchers have identified 33 zero-day flaws [158] so far in 2021, which is 11 more than the total number from 2020, according to the post.

While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.

Still, it’s highly possible that attackers are indeed using more zero-day exploits [159] for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities [160] for functional attack chains, they said.

The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.

Finally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.

“Due to advancements in security, these actors now more often have to use 0-day exploits to accomplish their goals,” Stone and Lecigne wrote.

———-

“Safari Zero-Day Used in Malicious LinkedIn Campaign” by Elizabeth Montalbano; Threatpost; 07/15/2021 [52]

“Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.”

Russian-language threat actors are behind the big vulnerability found in Safari targeting iPhones, according to Google’s Threat Analysis Group (TAG). Malicious links were sent via the LinkedIn Messaging app to Western European government officials that, when clicked, stole the authentication cookies for sites like Google, Microsoft, LinkedIn, Facebook and Yahoo. The kind of hack that opens the victims up to more hacks, along with any organizations they work for. And the timing of this hacking campaign, which coincided with the ‘Nobelium’ USAID phishing campaign in May against Windows systems that delivered Cobalt Strike, suggests it’s the same actor behind both attacks.

But there’s a more significant technical link between the Safari hacking campaign targeting Western government officials and the USAID phishing campaign: both deployed zero-days. Microsoft reported the deployment of Cobalt Strike in its initial post about the hack [42] but later reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack [42]. That’s the real ‘clue’ tying these two hacks together. It was someone sophisticated enough to have an abundance of zero-day hacks. Except it’s not really much of a clue given the existence of an industry filled with secretive companies like Candiru. Numerous actors on the stage have access to cutting-edge zero-days. For all we know the Safari zero-day campaign and USAID phishing campaigns could both be different Candiru customers using ‘Russian language’ features to leave those ‘clues’ for CrowdStrike and others to find:

...
Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium—targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report [153] posted online in May, the researchers added.
...

Also note that the Microsoft zero-day exploits identified in a separate campaign in April targeting Armenian activists are a reference to the same Candiru exploits CitizenLab was reporting on. They aren’t all Microsoft vulnerabilities. Google’s Chrome browser was hit. But we’re hearing about vulnerabilities in Internet Explorer, Office, and some other mystery payload that couldn’t even be recovered initially. That’s a lot of Microsoft holes. It fits the Candiru ‘pattern’:

...
Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley [154]. Two of those vulnerabilities—CVE-2021-21166 [155] and CVE-2021-30551 [156]—were found in Chrome, and one, tracked as CVE-2021-33742 [157], in Internet Explorer.

CVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.

“Both of these 0-days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”
...

All in all, it’s been such a parade of zero-day exploits that we’ve heard about this year hitting Microsoft that it should come as no surprise to learn that, just over midway through this year, there have already been 50 percent more zero-day exploits announced than in the entire year of 2020. That’s triple the pace of 2020, and 2020 was a record year. Why is this happening? Well, more reporting is no doubt a factor. But as the Google security researchers admit, commercial vendors are selling more access to zero-day exploits than they were a decade ago. There are simply many more zero-day pieces of malware in existence and a growing number of actors with the ability to deploy them:

...
All in all, security researchers have identified 33 zero-day flaws [158] so far in 2021, which is 11 more than the total number from 2020, according to the post.

While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.

Still, it’s highly possible that attackers are indeed using more zero-day exploits [159] for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities [160] for functional attack chains, they said.

The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.
...

We’ve seen a lot of ominous cyber warnings this year. But that stat of zero-days at triple last year’s rate is meta-ominous. It’s like the cyber version of the point in Marvel movies where the universe is on the cusp of exploding. Or imploding. Something really bad.

NSO Group: It’s Not Just a Cybermercenary. It’s a Tool of Israel’s Foreign Policy. A Very Important Tool MBS Covets

A couple days later, we get our first big NSO Group update of July. The New York Times has a piece giving us a big update on the consequences NSO Group paid over the role its Pegasus software played in the killing of Saudi dissident Jamal Khashoggi. The company did pay a price. Or the owners. Although they were paid, actually: following Khashoggi’s killing, NSO Group investigated the Saudis’ use of its software and determined the contract should be canceled. And it was canceled, at which point the full diplomatic nature of these ‘export licenses’ became more apparent. The Israeli government pressured NSO Group to renew the Pegasus contract. When that didn’t happen, the owners sold to a European private equity group and the Saudi subscription to NSO Group’s tools was renewed [10]. At the end of it all, the one party involved with the Jamal Khashoggi killing to pay a price was Khashoggi [54]:

The New York Times

Israeli Companies Aided Saudi Spying Despite Khashoggi Killing

Ignoring concerns that Saudi Arabia was abusing Israeli spyware to crush dissent at home and abroad, Israel encouraged its companies to work with the kingdom.

By Ronen Bergman and Mark Mazzetti
July 17, 2021

TEL AVIV — Israel secretly authorized a group of cyber-surveillance firms to work for the government of Saudi Arabia despite international condemnation of the kingdom’s abuse of surveillance software to crush dissent, even after the Saudi killing of the journalist Jamal Khashoggi, government officials and others familiar with the contracts said.

After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes.

But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.

Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.

The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.

NSO is by far the best known of the Israeli firms, largely because of revelations in the last few years that its Pegasus program was used by numerous governments to spy on [161], and eventually imprison, human rights activists.

NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.

It is not publicly known whether Saudi Arabia used Pegasus or other Israeli-made spyware in the plot to kill Mr. Khashoggi. NSO has denied that its software was used.

Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week [144] of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.

Microsoft, which conducted its investigation in tandem with Citizen Lab, a research institute at the University of Toronto, said Candiru had used malware to exploit a vulnerability in Microsoft products, enabling its government clients to spy on perceived enemies.

Candiru has had at least one contract with Saudi Arabia since 2018.

Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.

A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.

Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license.

If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.

The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.

Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm.

Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.

While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.

Sep­a­rate­ly, NSO con­duct­ed an inter­nal inves­ti­ga­tion into whether any of its tools were used by Sau­di offi­cials for the Khashog­gi oper­a­tion and con­clud­ed that they were not. How­ev­er a law­suit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Sau­di Ara­bia [162] using Pega­sus, and that hack gave Sau­di offi­cials access to his con­ver­sa­tions with Mr. Khashog­gi, includ­ing com­mu­ni­ca­tions about oppo­si­tion projects.

Over sev­er­al days in late 2018, exec­u­tives both of NSO and the pri­vate equi­ty firm that owned it at the time, Fran­cis­co Part­ners, met in Wash­ing­ton with the advi­so­ry group.

Accord­ing to sev­er­al peo­ple famil­iar with the meet­ings, the NSO exec­u­tives argued that the Israeli gov­ern­ment was strong­ly encour­ag­ing the com­pa­ny to weath­er the storm and con­tin­ue its work in Sau­di Ara­bia. They also said that Israeli offi­cials had indi­cat­ed to them that the Trump admin­is­tra­tion also want­ed NSO’s work with Sau­di Ara­bia to con­tin­ue.

In the end, NSO man­age­ment heed­ed the advice of the out­side group and can­celed its con­tracts with Sau­di Ara­bia in late 2018. Mr. Shapiro, the for­mer ambas­sador to Israel, end­ed his work for the com­pa­ny short­ly after­ward.

Months lat­er, how­ev­er, after anoth­er pri­vate equi­ty firm bought NSO, the com­pa­ny was once again doing busi­ness with Sau­di Ara­bia.

NSO’s new own­er, Novalpina, reject­ed the advice of the out­side advi­so­ry group and NSO resumed its work in Sau­di Ara­bia in mid-2019. Around that time, Bea­con end­ed its work with NSO.

The new con­tract with the Saud­is came with some restric­tions. For exam­ple, NSO set up its sys­tem to block any attempts by Sau­di offi­cials to hack Euro­pean tele­phone num­bers, accord­ing to a per­son famil­iar with the pro­gram­ming.

But it is clear that Sau­di Ara­bia has con­tin­ued to use NSO soft­ware to spy on per­ceived oppo­nents abroad.

In one case that has come to light, three dozen phones belong­ing to jour­nal­ists at Al Jazeera, which Sau­di Ara­bia con­sid­ers a threat, were hacked using NSO’s Pega­sus soft­ware last year, accord­ing to Cit­i­zen Lab. Cit­i­zen Lab traced 18 of the attacks back to Sau­di intel­li­gence.

After the rev­e­la­tion of the attack on Al Jazeera jour­nal­ists, NSO recent­ly shut down the sys­tem, and at a meet­ing in ear­ly July, the company’s board decid­ed to declare new deals with Sau­di Ara­bia off lim­its, accord­ing to a per­son famil­iar with the deci­sion.

Israel’s defense min­istry is cur­rent­ly fight­ing law­suits by Israeli rights activists demand­ing that it release details about its process for grant­i­ng the licens­es.

The Israeli gov­ern­ment also impos­es strict secre­cy on the com­pa­nies that receive the licens­es, threat­en­ing to revoke them if the com­pa­nies speak pub­licly about the iden­ti­ty of their clients.

...

These busi­ness ties came as Israel was qui­et­ly build­ing rela­tion­ships direct­ly with the Sau­di gov­ern­ment.

Ben­jamin Netanyahu, then Israel’s prime min­is­ter, met sev­er­al times with Sau­di Arabia’s day-to-day ruler, Crown Prince Mohammed bin Salman, and mil­i­tary and intel­li­gence lead­ers of the two coun­tries meet fre­quent­ly.

While Sau­di Ara­bia was not offi­cial­ly par­ty to the Abra­ham Accords — the diplo­mat­ic ini­tia­tives dur­ing the end of the Trump admin­is­tra­tion nor­mal­iz­ing rela­tions between Israel and sev­er­al Arab coun­tries — Sau­di lead­ers worked behind the scenes to help bro­ker the deals.

————–

“Israeli Companies Aided Saudi Spying Despite Khashoggi Killing” by Ronen Bergman and Mark Mazzetti; The New York Times; 07/17/2021 [54]

“The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.”

It wasn’t just a national security tool. Pegasus was effectively being used as a diplomatic tool. A diplomatic tool to help bring Saudi Arabia and other Persian Gulf neighbors into an alliance against Iran. Which, we’ll recall, was the meta-theme throughout the #TrumpRussia adventures involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran) [12]. The security relationship between the US, Israel, Saudi Arabia, and the UAE got a lot deeper over the last decade and it’s hard to avoid suspicions that sharing access to super-spyware tools like NSO Group’s Pegasus was part of that deepening relationship. Just look at the language the Israeli Defense Ministry used when describing the process that goes into approving one of these licenses: “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology. That’s one way to put it:

...
Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license.

If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.

The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.
...

And as we saw, NSO Group isn’t the only company with hacking tools the Israeli government was licensing to Saudi Arabia at this time. One company, Quadream, even signed its contract with Saudi Arabia after Khashoggi’s killing. So when NSO Group claims that it canceled the Saudi contracts in the wake of the Khashoggi killing but was then encouraged by the Israeli government to continue working with Saudi Arabia, it’s not an implausible scenario. The licensing of cutting-edge hacking tools is clearly part of the Israeli diplomatic playbook. Which isn’t a surprise. It’s a powerful diplomatic tool. Crazy dangerous, but powerful:

...
After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes.

But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.

Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.

...

NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.

...

Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week [144] of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.

...

Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.

A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.

...

The Israeli government also imposes strict secrecy on the companies that receive the licenses, threatening to revoke them if the companies speak publicly about the identity of their clients.
...

But, again, the sale of this kind of super-hacking software to governments around the world probably wasn’t just an Israeli government project. The US government would almost surely have been involved in giving its approval, if informally. So we shouldn’t be surprised to learn NSO Group hired DC-based Beacon Global Strategies, led by US national security community figureheads like Jeremy Bash, to effectively give its blessing to NSO Group’s more controversial clients. The picture that emerges from the various accounts of NSO Group’s internal deliberations is one where NSO Group wanted to drop the contract but felt it was effectively being asked by the Israeli government and the Trump administration to continue the Saudi contract:

...
Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm.

Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.

While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.

Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However a lawsuit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Saudi Arabia [162] using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.

Over several days in late 2018, executives both of NSO and the private equity firm that owned it at the time, Francisco Partners, met in Washington with the advisory group.

According to several people familiar with the meetings, the NSO executives argued that the Israeli government was strongly encouraging the company to weather the storm and continue its work in Saudi Arabia. They also said that Israeli officials had indicated to them that the Trump administration also wanted NSO’s work with Saudi Arabia to continue.
...

And then, at the end of all that consulting about what to do about its Saudi contract, NSO Group canceled the contract. Months later the company is sold to a new private equity group [10] and the contract is re-opened. The commitment on behalf of the Israeli government and Trump administration to providing Saudi Arabia with these hacking tools was so intense that NSO Group somehow found a new owner who was open to that Saudi contract:

...
In the end, NSO management heeded the advice of the outside group and canceled its contracts with Saudi Arabia in late 2018. Mr. Shapiro, the former ambassador to Israel, ended his work for the company shortly afterward.

Months later, however, after another private equity firm bought NSO, the company was once again doing business with Saudi Arabia.

NSO’s new owner, Novalpina, rejected the advice of the outside advisory group and NSO resumed its work in Saudi Arabia in mid-2019. Around that time, Beacon ended its work with NSO.

The new contract with the Saudis came with some restrictions. For example, NSO set up its system to block any attempts by Saudi officials to hack European telephone numbers, according to a person familiar with the programming.

But it is clear that Saudi Arabia has continued to use NSO software to spy on perceived opponents abroad.
...

It’s worth keeping in mind that it’s possible Saudi Arabia was tasked with a role similar to the one Israel has long played in the Western alliance: spying on other Western allies. Might that be part of the reason Israel and the US were insistent that Saudi Arabia get access to these tools? Outsourcing the outsourced ally-spying? Perhaps.

It’s also possible the Saudis were making access to NSO Group tools a requirement for the broader Middle East peace plan the Trump administration and Jared Kushner were working on [163], and this story reflects the unusual circumstances under which the US and Israel acquiesced to those demands. But these aren’t normal demands. These are tools approaching NSA and GCHQ capabilities in many respects. It’s hard to imagine the US and Israel casually giving this kind of power away, even to a long-standing military ally like Saudi Arabia. That’s part of why questions about deeper intelligence-sharing pacts and/or illicit quid-pro-quo spying arrangements are so intriguing in this story. NSO Group was peddling digital nuclear weapons. That couldn’t have been treated lightly by the US and Israel. And yet 40 or so governments got their hands on these digital nuclear weapons. What kind of arrangements were made to ensure the inevitable abuses of these tools don’t target US and Israeli interests? A promise not to abuse them? It’s a massive question looming over this story (and the answers point towards little more than promises).

NSO Group’s Worst Nightmare: Sunshine. Lots of Sunshine on Its Shady Activities from Forbidden Stories and Amnesty International

A day after that explosive NY Times report, the Washington Post brought us a write-up of a huge new investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, based on a leaked list of thousands of phone numbers that were purportedly the targets of NSO Group’s feared Pegasus spyware. Phone numbers that, as we’ll see, include major world leaders like Emmanuel Macron. And if those thousands of numbers really are an accurate target list, it was rampant abuse, with activists and rival politicians frequently on the target list. There’s also a new zero-click exploit that works simply by sending an SMS text message or iMessage to a smartphone, with no action required from the user. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves. It started with Mexico getting a subscription in 2011. So the Pegasus super spyware has been sold for a decade now to a growing list of government agencies. Those unlucky Armenian activists had a lot of company.
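The Post report quoted further down explains where the forensic evidence actually came from: the leaked list carried a time stamp for each number, and Amnesty’s Security Lab compared those time stamps with the first signs of surveillance activity recovered from the phones themselves, finding gaps “in some cases as brief as a few seconds.” The following is an added example of that correlation step, written for this page and not code from the Pegasus Project, Amnesty or Citizen Lab. The phone numbers, time stamps and process labels are all constructed placeholders, not real indicators, and the five-minute window is an assumed threshold, not Amnesty’s. It also models the two caveats the report raises: a device can have artifacts that simply do not line up with the list (inconclusive), and some devices, notably Androids, keep no usable log at all (no artifacts), which is not the same as a clean result.

```python
"""Correlate a leaked 'selection list' of phone numbers with on-device forensic
time stamps, in the spirit of the Pegasus Project methodology quoted on this page:
a number's selection time is compared with the earliest sign of surveillance
activity recovered from that phone.

All data below is constructed for illustration. It is not Pegasus Project data,
and the process labels are placeholders, not real Pegasus indicators.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# (phone number, UTC time the number appeared on the list) -- constructed sample
SELECTION_LIST: List[Tuple[str, str]] = [
    ("+521000000001", "2019-03-04T10:15:02Z"),
    ("+521000000001", "2019-03-06T08:00:40Z"),
    ("+971000000002", "2019-05-20T14:02:10Z"),
    ("+33000000003",  "2019-07-01T09:30:00Z"),
]

# Per-device forensic events recovered from a backup: (artifact label, UTC time)
# of the first execution of a process the analyst flagged. Constructed sample.
DEVICE_EVENTS: Dict[str, List[Tuple[str, str]]] = {
    "+521000000001": [("proc_a", "2019-03-04T10:15:09Z"),
                      ("proc_b", "2019-03-06T08:01:05Z")],
    "+971000000002": [("proc_c", "2019-05-22T11:00:00Z")],  # almost two days later
    "+33000000003": [],   # e.g. an Android device that kept no usable process log
}


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC time stamp with a trailing 'Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def nearest_following_event(selected_at: datetime,
                            events: List[Tuple[str, str]]) -> Optional[Tuple[str, float]]:
    """Return (label, seconds after selection) for the earliest event at or after
    the selection time, or None if no event follows it."""
    best: Optional[Tuple[str, float]] = None
    for label, ts in events:
        delta = (parse_ts(ts) - selected_at).total_seconds()
        if delta < 0:
            continue   # activity before selection cannot be explained by this entry
        if best is None or delta < best[1]:
            best = (label, delta)
    return best


def correlate(selection_list: List[Tuple[str, str]],
              device_events: Dict[str, List[Tuple[str, str]]],
              window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Classify each list entry:
       'consistent'   - a surveillance artifact appears within `window` after selection
       'inconclusive' - artifacts exist, but none falls inside the window
       'no_artifacts' - nothing recovered from the device: cannot confirm or rule out
    """
    results = []
    for number, ts in selection_list:
        selected_at = parse_ts(ts)
        events = device_events.get(number, [])
        if not events:
            results.append({"number": number, "selected_at": ts, "verdict": "no_artifacts",
                            "artifact": None, "delta_s": None})
            continue
        match = nearest_following_event(selected_at, events)
        hit = match is not None and match[1] <= window.total_seconds()
        results.append({"number": number, "selected_at": ts,
                        "verdict": "consistent" if hit else "inconclusive",
                        "artifact": match[0] if match else None,
                        "delta_s": match[1] if match else None})
    return results


def summarize(results: List[dict]) -> Dict[str, int]:
    """Count entries per verdict, the way a report would tally infected/attempted/inconclusive."""
    counts: Dict[str, int] = {}
    for r in results:
        counts[r["verdict"]] = counts.get(r["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = correlate(SELECTION_LIST, DEVICE_EVENTS)
    for r in rows:
        print(r)
    print(summarize(rows))
```

A tight time delta is only corroboration, not proof of infection on its own; in the methodology the Post describes it sits alongside the on-device indicators themselves, and the absence of artifacts (the Android case) should be reported as unknown rather than as a negative.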

What is NSO Group’s response to this report? That it’s up to the governments to decide who gets targeted and NSO Group doesn’t know. And while that may not be the best response to the criticism, since it’s more or less an admission that the abuse allegations are likely true, it’s an entirely plausible response. NSO Group’s tools are probably entirely controlled by the governments who buy these subscriptions. It’s absurd to expect governments to hand information like their intelligence targets over to NSO Group. That’s part of what’s so scandalous about this industry supplying super-spyware to governments: it’s hard to imagine a scenario where meaningful oversight is possible. It’s an industry built for unchecked secrecy by the clients, and that’s an industry built for abuse.

And yet we are told there are geographic restrictions built into the software: phones with US numbers can’t be targeted by NSO Group’s tools. The phone number list in the report appears to bear that out, although the restriction keys on the number’s country code rather than on where the phone or its owner actually is, which is how about a dozen Americans working overseas on foreign-registered numbers still turned up on the list. So there is some degree of oversight, based solely on the country code. But that’s it. All other oversight is up to the client, hence all the activist, journalist, and political-opponent phone numbers that show up on the target list [56]:

The Washington Post

Private Israeli spyware used to hack cellphones of journalists, activists worldwide

NSO Group’s Pegasus spyware, licensed to governments around the globe, can infect phones without a click

By Dana Priest, Craig Timberg and Souad Mekhennet

Updated July 18 at 8:15 p.m. Originally published July 18, 2021

Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.

The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.

The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.

Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to the list and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did the forensic analyses on the smartphones.

The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.

Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.

The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.

The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.

For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.

Amnesty shared backup copies of data on four iPhones with Citizen Lab, which confirmed that they showed signs of Pegasus infection. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, also conducted a peer review of Amnesty’s forensic methods [164] and found them to be sound.

In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless [165]. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.

After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.

“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”

He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.

“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”

NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.

Forbidden Stories organized the media consortium’s investigation, and Amnesty provided analysis and technical support but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked. After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.

Beyond the personal intrusions made possible by smartphone surveillance, the widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources. Opposition politicians cannot plot their campaign strategies without those in power anticipating their moves. Human rights workers cannot work with vulnerable people — some of whom are victims of their own governments — without exposing them to renewed abuse.

For example, Amnesty’s forensics found evidence that Pegasus was targeted at the two women closest to Saudi columnist Khashoggi [166], who wrote for The Post’s Opinions section. The phone of his fiancee, Hatice Cengiz, was successfully infected during the days after his murder in Turkey on Oct. 2, 2018, according to a forensic analysis by Amnesty’s Security Lab. Also on the list were the numbers of two Turkish officials involved in investigating his dismemberment by a Saudi hit team. Khashoggi also had a wife, Hanan Elatr, whose phone was targeted by someone using Pegasus in the months before his killing. Amnesty was unable to determine whether the hack was successful.

“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”

In response to detailed questions from the consortium before publication, NSO said in a statement [165] that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”

The company denied that its technology was used against Khashoggi, or his relatives or associates.

...

Thomas Clare, a libel attorney hired by NSO, said that the consortium had “apparently misinterpreted and mischaracterized crucial source data on which it relied” and that its reporting contained flawed assumptions and factual errors.

“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” Clare wrote.

In response to follow-up questions, NSO called the 50,000 number “exaggerated” and said it was far too large to represent numbers targeted by its clients. Based on the questions it was being asked, NSO said, it had reason to believe that the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies.”

The term HLR, or Home Location Register, refers to a database that is essential to operating cellular phone networks. Such registers keep records on the networks of cellphone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. HLR lookup services operate on the SS7 system that cellular carriers use to communicate with each other. The services can be used as a step toward spying on targets.

Telecommunications security expert Karsten Nohl, chief scientist for Security Research Labs in Berlin, said that he does not have direct knowledge of NSO’s systems but that HLR lookups and other SS7 queries are widely and inexpensively used by the surveillance industry — often for just tens of thousands of dollars a year.

“It’s not difficult to get that access. Given the resources of NSO, it’d be crazy to assume that they don’t have SS7 access from at least a dozen countries,” Nohl said. “From a dozen countries, you can spy on the rest of the world.”

Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.

“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”

The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.

“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”

...

Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.

Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.

That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.

The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.

Many countries have laws pertaining to traditional wiretapping and interception of communications, but few have effective safeguards against deeper intrusions made possible by hacking into smartphones. “This is more devious in a sense because it really is no longer about intercepting communications and overhearing conversation. … This covers all of them and goes way beyond that,” Guarnieri said. “It has raised a lot of questions from not only human rights, but even national constitutional laws as to is this even legal?”

Clare, NSO’s attor­ney, attacked the foren­sic exam­i­na­tions as “a com­pi­la­tion of spec­u­la­tive and base­less assump­tions” built on assump­tions based on ear­li­er reports. He also said, “NSO does not have insight into the spe­cif­ic intel­li­gence activ­i­ties of its cus­tomers.”

...

‘What a question!’

Some expressed outrage even at the suggestion of spying on journalists.

A reporter for the French daily Le Monde working on the Pegasus Project recently posed such a question to Hungarian Justice Minister Judit Varga during an interview about the legal requirements for eavesdropping:

“If someone asked you to tape a journalist or an opponent, you wouldn’t accept this?”

“What a question!” Varga responded. “This is a provocation in itself!” A day later, her office requested that this question and her answer to it “be erased” from the interview.

In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.

“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications.

“These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”

NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.

“Pegasus is very useful for fighting organized crime,” said Guillermo Valdes Castellanos, head of Mexico’s domestic intelligence agency CISEN from 2006 to 2011. “But the total lack of checks and balances [in Mexican agencies] means it easily ends up in private hands and is used for political and personal gain.”

Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.

In 2016 and 2017, more than 15,000 Mexicans appeared on the list examined by the media consortium, among them at least 25 reporters working for the country’s major media outlets, according to the records and interviews.

One of them was Carmen Aristegui, one of the most prominent investigative journalists in the country and a regular contributor to CNN. Aristegui, who is routinely threatened for exposing the corruption of Mexican politicians and cartels, was previously revealed as a Pegasus target in several media reports. At the time, she said in a recent interview, her producer was also targeted. The new records and forensics show that Pegasus links were detected on the phone of her personal assistant.

“Pegasus is something that comes to your office, your home, your bed, every corner of your existence,” Aristegui said. “It is a tool that destroys the essential codes of civilization.”

Unlike Aristegui, freelance reporter Cecilio Pineda was unknown outside his violence-wracked southern state of Guerrero. His number appears twice on the list of 50,000. A month after the second listing, he was gunned down while lying in a hammock at a carwash while waiting for his car. It is unclear what role, if any, Pegasus’s ability to geolocate its targets in real time contributed to his murder. Mexico is among the deadliest countries for journalists; 11 were killed in 2017, according to Reporters Without Borders.

“Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month,” Clare, NSO’s lawyer, wrote in his letter to Forbidden Stories. “Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.”

Mexico’s Public Security Ministry acknowledged last year that the domestic intelligence agency, CISEN, and the attorney general’s office acquired Pegasus in 2014 and discontinued its use in 2017 when the license expired. Mexican media have also reported that the Defense Ministry used the spyware.

Snowden’s legacy

Today’s thriving international spyware industry dates back decades but got a boost after the unprecedented 2013 disclosure of highly classified National Security Agency documents by contractor Edward Snowden. They revealed that the NSA could obtain the electronic communications of almost anyone [167] because it had secret access to the transnational cables carrying Internet traffic worldwide and data from Internet companies such as Google and giant telecommunications companies such as AT&T.

Even U.S. allies in Europe were shocked by the comprehensive scale of the American digital spying, and many national intelligence agencies set out to improve their own surveillance abilities. For-profit firms staffed with midcareer retirees from intelligence agencies saw a lucrative market-in-waiting free from the government regulations and oversight imposed on other industries.

The dramatic expansion of end-to-end encryption by Google, Microsoft, Facebook, Apple and other major technology firms also prompted law enforcement and intelligence officials to complain they had lost access to the communications of legitimate criminal targets. That in turn sparked more investment in technologies, such as Pegasus, that worked by targeting individual devices.

“When you build a building, you want to make sure the building holds up, so we follow certain protocols,” said Ido Sivan-Sevilla, an expert on cyber governance at the University of Maryland. By promoting the sale of unregulated private surveillance tools, “we encourage building buildings that can be broken into. We are building a monster. We need an international norms treaty that says certain things are not okay.”

Without international standards and rules, there are secret deals between companies like NSO and the countries they service.

The unfettered use of a military-grade spyware such as Pegasus can help governments to suppress civic activism at a time when authoritarianism is on the rise worldwide. It also gives countries without the technical sophistication of such leading nations as the United States, Israel and China the ability to conduct far deeper digital cyberespionage than ever before.

‘Your body stops functioning’

Azerbaijan, a longtime ally of Israel, has been identified as an NSO client by Citizen Lab and others. The country is a family-run kleptocracy with no free elections, no impartial court system and no independent news media. The former Soviet territory has been ruled since the Soviet Union collapsed 30 years ago by the Aliyev family, whose theft of the country’s wealth and money-laundering schemes abroad have resulted in foreign embargoes, international sanctions and criminal indictments.

Despite the difficulties, roughly three dozen Azerbaijani reporters continue to document the family’s corruption. Some are hiding inside the country, but most were forced into exile where they are not so easy to capture. Some work for the Prague-based, U.S.-funded Radio Free Europe/Radio Liberty, which was kicked out of the country in 2015 for its reporting. The others work for an investigative reporting nonprofit called the Organized Crime and Corruption Reporting Project, which is based in Sarajevo, the Bosnian capital, and is one of the partners in the Pegasus Project.

The foremost investigative reporter in the region is Khadija Ismayilova, whom the regime has worked for a decade to silence: It planted a secret camera in her apartment wall, took videos of her having sex with her boyfriend and then posted them on the Internet in 2012; she was arrested in 2014, tried and convicted on trumped-up tax-evasion and other charges, and held in prison cells with hardened criminals. After global outrage and the high-profile intervention of human rights attorney Amal Clooney, she was released in 2016 and put under a travel ban.

“It is important that people see examples of journalists who do not stop because they were threatened,” Ismayilova said in a recent interview. “It’s like a war. You leave your trench, then the attacker comes in. … You have to keep your position, otherwise it will be taken and then you will have less space, less space, the space will be shrinking and then you will find it hard to breathe.”

Last month, her health failing, she was allowed to leave the country. Colleagues arranged to test her smartphone immediately. Forensics by Security Lab determined that Pegasus had attacked and penetrated her device numerous times from March 2019 to as late as May of this year.

She had assumed some kind of surveillance, Ismayilova said, but was still surprised at the number of attacks. “When you think maybe there’s a camera in the toilet, your body stops functioning,” she said. “I went through this, and for eight or nine days I could not use the toilet, anywhere, not even in public places. My body stopped functioning.”

She stopped communicating with people because whoever she spoke with ended up harassed by security services. “You don’t trust anyone, and then you try not to have any long-term plans with your own life because you don’t want any person to have problems because of you.”

Confirmation of the Pegasus penetration galled her. “My family members are also victimized. The sources are victimized. People I’ve been working with, people who told me their private secrets are victimized,” she said. “It’s despicable. … I don’t know who else has been exposed because of me, who else is in danger because of me.”

Is the minister paranoid or sensible?

The fear of widespread surveillance impedes the already difficult mechanics of civic activism.

“Sometimes, that fear is the point,” said John Scott-Railton, a senior researcher at Citizen Lab, who has researched Pegasus extensively. “The psychological hardship and the self-censorship it causes are key tools of modern-day dictators and authoritarians.”

When Siddharth Varadarajan, co-founder of the Wire, an independent online outlet in India, learned that Security Lab’s analysis showed that his phone had been targeted and penetrated by Pegasus, his mind immediately ran through his sensitive sources. He thought about a minister in Prime Minister Narendra Modi’s government who had displayed an unusual concern about surveillance when they met.

The minister first moved the meeting from one location to another at the last moment, then switched off his phone and told Varadarajan to do the same.

Then “the two phones were put in a room and music was put on in that room … and I thought: ‘Boy, this guy is really paranoid. But maybe he was being sensible,’ ” Varadarajan said in a recent interview.

When forensics showed his phone had been penetrated, he knew the feeling himself. “You feel violated, there’s no doubt about it,” he said. “This is an incredible intrusion, and journalists should not have to deal with this. Nobody should have to deal with this.”

————-

“Private Israeli spyware used to hack cellphones of journalists, activists worldwide” by Dana Priest, Craig Timberg and Souad Mekhennet; The Washington Post; 07/18/2021 [56]

“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.

It’s long been justifiably suspected that NSO Group doesn’t actually have safeguards in place to ensure its unstoppable hacking software isn’t being abused by its government clients. Dozens and dozens of government clients. But if the analysis of the lists of targeted phones and forensic analysis of a number of those phones by Forbidden Stories and Amnesty International is correct, we have that evidence. NSO Group’s Pegasus software has been wildly abused by its government clients. Because of course it was. You couldn’t give dozens of governments around the world super hacking tools and not expect them to target activists, journalists, academics, and other governments.

How much abuse has taken place? We don’t know. And if we believe NSO Group, they don’t really know either. They don’t operate the software for the clients and “has no insight” into their specific intelligence activities. That’s what the company itself is claiming in its defense. It doesn’t know how its software is actually used. That’s 60 intelligence, military and law enforcement agencies in 40 countries operating under that see-no-evil-because-we-are-blind oversight from the vendor.

And yet the company defends itself by pointing out how it terminated two contracts over allegations of abuses in the last 12 months. Note the term “allegations”. Not “investigation” or “routine audit”. The contracts were canceled after allegations. Against Saudi Arabia and Dubai. So NSO defended itself against charges that it was allowing its clients to abuse its software by pointing out that it canceled Saudi Arabia’s and Dubai’s contracts due to human rights concerns. Concerns obviously tied to the assassination of Jamal Khashoggi and all of the public scrutiny NSO received as a result. It’s not exactly proactive oversight:

...
In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless [165]. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.

After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.

“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”

He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.

“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”

NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.

...

“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”

In response to detailed questions from the consortium before publication, NSO said in a statement [165] that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”

...

Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”

...

In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.

...

NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.

...

Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.
...

But then there’s the NSO Group’s more legitimate excuse for selling this kind of powerful software to governments known for human rights abuses: the Israeli Defense Ministry has to approve the NSO Group’s contracts. Beyond that, NSO Group claims its software cannot be used on US-based phones, raising questions about whether or not the US government was also tacitly giving its approval for these contracts:

...
Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.

“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”

The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.

“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”
...

But the biggest revelation in this story is the nature of the NSO Group exploits being sold with the Pegasus system: “zero-click” exploits that quietly deliver spyware simply by sending a message to the target’s phone. That is effectively an unstoppable attack. So NSO Group was selling unstoppable exploits that could target any smartphone in the world — with the possible exception of US phones if we believe the company’s assurances — to over 40 different governments around the world, starting in 2011 with the contract with Mexico. And as this investigation revealed, those unstoppable exploits were widely used by these governments for far more than just law enforcement and terrorism cases. That is a massive revelation, in part because it means governments around the world have been empowered to secretly hack each other for years now. But this wasn’t exactly a new revelation. We learned back in May 2019 about NSO Group’s unstoppable exploit that could infect a phone simply by calling it over the WhatsApp calling feature. The exploit worked even when victims didn’t answer the call [168]. So the existence of ‘zero-click’ exploits isn’t exactly a new revelation, but it sounds like that WhatsApp exploit was far from the only one. They’ve figured out how to do it with SMS text messages or iMessages too. That covers basically every smartphone, whether you have WhatsApp on it or not:

...
Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.

Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.

“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.

That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.

The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
...

Unstoppable zero-day attacks and zero oversight. What could possibly go wrong?

Forget All Those NSO Group and Candiru Stories: The US and Western Allies Accuse China of the Microsoft Exchange Hack

So how are gov­ern­ments respond­ing to this string of dev­as­tat­ing reports. First Can­diru’s zero-day mal­ware gets exposed being used against activists around the world. Then NSO Group is revealed to be the cyber equiv­a­lent of a nuclear mer­ce­nary. And a diplo­mat­ic tool. It was a rough week of report­ing on the “com­mer­cial sur­veil­lance” cyber indus­try. A lot of tough ques­tions for raised. And we got our answer one day after the Wash­ing­ton Post’s report: The US and West­ern allies were final­ly for­mal­ly accus­ing Chi­na of being behind the Microsoft Exchange hack first dis­closed back in March. It was great tim­ing.

And as we’ll see in the next arti­cle excerpt about the pub­lic accu­sa­tions by the US and its fel­low allies against China’s Min­istry of State Secu­ri­ty (MSS), Chi­na isn’t just accused of tol­er­at­ing smash-and-grab raids. The MSS-backed hack­er groups are also accused of tol­er­at­ing ran­somware attacks for their own per­son­al prof­it. So the hack­er groups accused of car­ry­ing out the Microsoft Exchange hack and oth­er hacks attrib­uted to Chi­na are also groups engag­ing in the kind of cyber-extor­tion and ran­somware schemes for their own prof­it that are tra­di­tion­al asso­ci­at­ed with stan­dard cyber crim­i­nals. That’s the evolv­ing nar­ra­tive in the face of evi­dence that the Microsoft Exchange hack was real­ly many hacks involv­ing mul­ti­ple crim­i­nal groups on a ram­pant spree that also run cyber-extor­tion schemes: They were Chi­nese state-backed hack­ers who also run pri­vate extortive crim­i­nal hacks on their own because Chi­na’s gov­ern­ment has decid­ed to give zero-day exploits to groups that take those zero-day exploits and go on a glob­al hack­ing spree. The Chi­nese gov­ern­ment endorsed or at least tol­er­at­ed that dra­mat­ic esca­la­tion. No longer espi­onage but glob­al smash-and-grab sprees. That’s the new nar­ra­tive. A new nar­ra­tive that’s evolv­ing in the face of the evi­dence that the peo­ple car­ry­ing out these mega-hacks are act­ing like tra­di­tion­al hack­ers and not state-backed espi­onage-focused groups.

Recall [35] how the known time­line of the Exchange hack is that it start­ed on Jan­u­ary 3 (Volex­i­ty’s first detect­ed use of the zero-day exploit by “Hafni­um). It was Jan­u­ary 6, dur­ing the Capi­tol Insur­rec­tion, when Volex­i­ty first observed a large down­load to an unau­tho­rized address. Hafni­um qui­et­ly hit orga­ni­za­tions until Microsoft issued a patch on March 2. At that point, mul­ti­ple groups went on a glob­al race to hit every unpatched serv­er con­nect­ed to the inter­net. So giv­en that time­line, it’s like­ly that the groups that went on the race fol­low­ing the patch are the ones with a crim­i­nal for-prof­it track-record. And we are to assume “Hafni­um”, a state-backed Chi­nese hack­er group, hand­ed this zero-day exploit over to these groups and gave its bless­ing to the glob­al smash-and-grab. Which, if true, real­ly would be a dra­mat­ic esca­la­tion in hacks from Chi­na. It’s the “if true” part that’s the catch. Notice how no one even both­ers to pro­vide a pre­tense of evi­dence for any of these claims.

Amus­ing­ly, the gov­ern­ments mak­ing these accu­sa­tions against Chi­na had­n’t quite got­ten their sto­ries straight. Because as we just saw, much of the osten­si­ble alarm over these accu­sa­tions is that they sig­ni­fy a shift from qui­et espi­onage to in-your-face smash-and-grab raids by Chi­nese state-backed hack­er. And yet as we’ll see, U.K. For­eign Sec­re­tary Dominic Raab describe the attack “a reck­less but famil­iar pat­tern of behav­iour” by Chi­nese state-backed groups. So what is it? New reck­less behav­ior? Or famil­iar reck­less behav­ior? That part of the nar­ra­tive has yet to be decid­ed. But this was what major West­ern gov­ern­ments were talk­ing about a day about that NSO Group report: Chi­na [58]:

Asso­ci­at­ed Press

Microsoft Exchange hack caused by Chi­na, US and allies say

By ERIC TUCKER
July 19, 2021

WASHINGTON (AP) — The Biden admin­is­tra­tion and West­ern allies for­mal­ly blamed Chi­na on Mon­day for a mas­sive hack of Microsoft Exchange email serv­er soft­ware [169] and assert­ed that crim­i­nal hack­ers asso­ci­at­ed with the Chi­nese gov­ern­ment have car­ried out ran­somware and oth­er illic­it cyber oper­a­tions.

The announce­ments, though not accom­pa­nied by sanc­tions against the Chi­nese gov­ern­ment, were intend­ed as a force­ful con­dem­na­tion of activ­i­ties a senior Biden admin­is­tra­tion offi­cial described as part of a “pat­tern of irre­spon­si­ble behav­ior in cyber­space.” They high­light­ed the ongo­ing threat from Chi­nese hack­ers even as the admin­is­tra­tion remains con­sumed with try­ing to curb ran­somware attacks from Rus­sia-based syn­di­cates that have tar­get­ed crit­i­cal infra­struc­ture.

The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack [170] from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S. officials also alleged that criminal contract hackers associated with China's Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.

Mean­while, the Jus­tice Depart­ment on Mon­day announced charges against four Chi­nese nation­als who pros­e­cu­tors said were work­ing with the MSS in a hack­ing cam­paign that tar­get­ed dozens of com­put­er sys­tems, includ­ing com­pa­nies, uni­ver­si­ties and gov­ern­ment enti­ties. The defen­dants are accused of tar­get­ing trade secrets and con­fi­den­tial busi­ness infor­ma­tion, includ­ing sci­en­tif­ic tech­nolo­gies and infec­tious-dis­ease research.

Unlike in April, when pub­lic fin­ger-point­ing of Russ­ian hack­ing [171] was paired with a raft of sanc­tions against Moscow, the Biden admin­is­tra­tion did not announce any actions against Bei­jing. Nonethe­less, a senior admin­is­tra­tion offi­cial who briefed reporters said that the U.S. has con­front­ed senior Chi­nese offi­cials and that the White House regards the multi­na­tion sham­ing as send­ing an impor­tant mes­sage, even if no sin­gle action can change behav­ior.

Pres­i­dent Joe Biden told reporters “the investigation’s not fin­ished,” and White House press sec­re­tary Jen Psa­ki did not rule out future con­se­quences for Chi­na, say­ing, “This is not the con­clu­sion of our efforts as it relates to cyber activ­i­ties with Chi­na or Rus­sia.”

Even with­out fresh sanc­tions, Monday’s actions are like­ly to exac­er­bate ten­sions with Chi­na at a del­i­cate time. Just last week, the U.S. issued sep­a­rate stark warn­ings against trans­ac­tions with enti­ties that oper­ate in China’s west­ern Xin­jiang region, where Chi­na is accused of repress­ing Uyghur Mus­lims and oth­er minori­ties.

...

The Euro­pean Union and Britain were among the allies who called out Chi­na. The EU said mali­cious cyber activ­i­ties with “sig­nif­i­cant effects” that tar­get­ed gov­ern­ment insti­tu­tions, polit­i­cal orga­ni­za­tions and key indus­tries in the bloc’s 27 mem­ber states could be linked to Chi­nese hack­ing groups. The U.K.’s Nation­al Cyber Secu­ri­ty Cen­tre said the groups tar­get­ed mar­itime indus­tries and naval defense con­trac­tors in the U.S. and Europe and the Finnish par­lia­ment.

In a state­ment, EU for­eign pol­i­cy chief Josep Bor­rell said the hack­ing was “con­duct­ed from the ter­ri­to­ry of Chi­na for the pur­pose of intel­lec­tu­al prop­er­ty theft and espi­onage.”

The Microsoft Exchange cyber­at­tack “by Chi­nese state-backed groups was a reck­less but famil­iar pat­tern of behav­iour,” U.K. For­eign Sec­re­tary Dominic Raab said.

NATO, in its first pub­lic con­dem­na­tion of Chi­na for hack­ing activ­i­ties, called on Bei­jing to uphold its inter­na­tion­al com­mit­ments and oblig­a­tions “and to act respon­si­bly in the inter­na­tion­al sys­tem, includ­ing in cyber­space.” The alliance said it was deter­mined to “active­ly deter, defend against and counter the full spec­trum of cyber threats.”

That hack­ers affil­i­at­ed with the Min­istry of State Secu­ri­ty were engaged in ran­somware was sur­pris­ing and con­cern­ing to the U.S. gov­ern­ment, the senior admin­is­tra­tion offi­cial said. But the attack, in which an uniden­ti­fied Amer­i­can com­pa­ny received a high-dol­lar ran­som demand, also gave U.S. offi­cials new insight into what the offi­cial said was “the kind of aggres­sive behav­ior that we’re see­ing com­ing out of Chi­na.”

A spokesper­son for the Chi­nese Embassy in Wash­ing­ton, Liu Pengyu, said in a state­ment that the “U.S. has repeat­ed­ly made ground­less attacks and mali­cious smear against Chi­na on cyber­se­cu­ri­ty. Now this is just anoth­er old trick, with noth­ing new in it.” The state­ment called Chi­na “a severe vic­tim of the US cyber theft, eaves­drop­ping and sur­veil­lance.”

The major­i­ty of the most dam­ag­ing and high-pro­file recent ran­somware attacks have involved Russ­ian crim­i­nal gangs. Though the U.S. has some­times seen con­nec­tions between Russ­ian intel­li­gence agen­cies and indi­vid­ual hack­ers, the use of crim­i­nal con­tract hack­ers by the Chi­nese gov­ern­ment “to con­duct unsanc­tioned cyber oper­a­tions glob­al­ly is dis­tinct,” the offi­cial said.

Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the "blind eye of their bosses" — to "start moonlighting and engaging in other activities that could put money in their pockets."

The Microsoft Exchange hack that months ago com­pro­mised tens of thou­sands of com­put­ers around the world was swift­ly attrib­uted to Chi­nese cyber spies [172] by Microsoft.

An admin­is­tra­tion offi­cial said the government’s attri­bu­tion to hack­ers affil­i­at­ed with the Min­istry of State Secu­ri­ty took until now in part because of the dis­cov­ery of the ran­somware and for-prof­it hack­ing oper­a­tions and because the admin­is­tra­tion want­ed to pair the announce­ment with guid­ance for busi­ness­es about tac­tics that the Chi­nese have been using.

Giv­en the scope of the attack, Alper­ovitch said it was “puz­zling” that the U.S. did not impose sanc­tions.

“They cer­tain­ly deserve it, and at this point, it’s becom­ing a glar­ing stand­out that we have not,” he said.

He added, in a reference to a large Russian cyberespionage operation discovered late last year, "There's no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds."

———-

“Microsoft Exchange hack caused by Chi­na, US and allies say” by ERIC TUCKER; Asso­ci­at­ed Press; 07/19/2021 [58]

"The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack [170] from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S. officials also alleged that criminal contract hackers associated with China's Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit."

Criminal contract hackers. That's who China's Ministry of State Security is apparently hiring to carry out these mega-hacks. That's the accusation coming from the US and its allies. What evidence this assertion is based on is of course never given, but the parallel charges against four Chinese nationals accused of working with the MSS in a hacking campaign are presumably supposed to serve as a kind of proxy evidence:

...
Mean­while, the Jus­tice Depart­ment on Mon­day announced charges against four Chi­nese nation­als who pros­e­cu­tors said were work­ing with the MSS in a hack­ing cam­paign that tar­get­ed dozens of com­put­er sys­tems, includ­ing com­pa­nies, uni­ver­si­ties and gov­ern­ment enti­ties. The defen­dants are accused of tar­get­ing trade secrets and con­fi­den­tial busi­ness infor­ma­tion, includ­ing sci­en­tif­ic tech­nolo­gies and infec­tious-dis­ease research.
...

But, again, observe how inconsistent the accusations are. The EU is referring to hacks that "could be linked" to Chinese hacking groups while the UK's Foreign Secretary calls it "a reckless but familiar pattern of behaviour". And look at the US's explanation for why it took this long to make the attribution when Microsoft seemingly did it immediately: the discovery of ransomware and for-profit schemes by these same hackers delayed the attribution. In other words, Microsoft's evidence-free initial assertion that the hack was the responsibility of the Chinese (and definitely completely unrelated to the SolarWinds hack!) got complicated after it was observed that the hackers were behaving like ordinary criminals and engaging in for-profit ransomware schemes. So a new narrative had to be created about how the Chinese government is now using contract criminal hackers to carry out its mega-hacks. Because why carry out a mega-hack on your own when you can share it with the criminal underworld:

...
Even with­out fresh sanc­tions, Monday’s actions are like­ly to exac­er­bate ten­sions with Chi­na at a del­i­cate time. Just last week, the U.S. issued sep­a­rate stark warn­ings against trans­ac­tions with enti­ties that oper­ate in China’s west­ern Xin­jiang region, where Chi­na is accused of repress­ing Uyghur Mus­lims and oth­er minori­ties.

...

The Euro­pean Union and Britain were among the allies who called out Chi­na. The EU said mali­cious cyber activ­i­ties with “sig­nif­i­cant effects” that tar­get­ed gov­ern­ment insti­tu­tions, polit­i­cal orga­ni­za­tions and key indus­tries in the bloc’s 27 mem­ber states could be linked to Chi­nese hack­ing groups. The U.K.’s Nation­al Cyber Secu­ri­ty Cen­tre said the groups tar­get­ed mar­itime indus­tries and naval defense con­trac­tors in the U.S. and Europe and the Finnish par­lia­ment.

In a state­ment, EU for­eign pol­i­cy chief Josep Bor­rell said the hack­ing was “con­duct­ed from the ter­ri­to­ry of Chi­na for the pur­pose of intel­lec­tu­al prop­er­ty theft and espi­onage.”

The Microsoft Exchange cyber­at­tack “by Chi­nese state-backed groups was a reck­less but famil­iar pat­tern of behav­iour,” U.K. For­eign Sec­re­tary Dominic Raab said.

NATO, in its first pub­lic con­dem­na­tion of Chi­na for hack­ing activ­i­ties, called on Bei­jing to uphold its inter­na­tion­al com­mit­ments and oblig­a­tions “and to act respon­si­bly in the inter­na­tion­al sys­tem, includ­ing in cyber­space.” The alliance said it was deter­mined to “active­ly deter, defend against and counter the full spec­trum of cyber threats.”

That hack­ers affil­i­at­ed with the Min­istry of State Secu­ri­ty were engaged in ran­somware was sur­pris­ing and con­cern­ing to the U.S. gov­ern­ment, the senior admin­is­tra­tion offi­cial said. But the attack, in which an uniden­ti­fied Amer­i­can com­pa­ny received a high-dol­lar ran­som demand, also gave U.S. offi­cials new insight into what the offi­cial said was “the kind of aggres­sive behav­ior that we’re see­ing com­ing out of Chi­na.”

...

The major­i­ty of the most dam­ag­ing and high-pro­file recent ran­somware attacks have involved Russ­ian crim­i­nal gangs. Though the U.S. has some­times seen con­nec­tions between Russ­ian intel­li­gence agen­cies and indi­vid­ual hack­ers, the use of crim­i­nal con­tract hack­ers by the Chi­nese gov­ern­ment “to con­duct unsanc­tioned cyber oper­a­tions glob­al­ly is dis­tinct,” the offi­cial said.

...

The Microsoft Exchange hack that months ago com­pro­mised tens of thou­sands of com­put­ers around the world was swift­ly attrib­uted to Chi­nese cyber spies [172] by Microsoft.

An admin­is­tra­tion offi­cial said the government’s attri­bu­tion to hack­ers affil­i­at­ed with the Min­istry of State Secu­ri­ty took until now in part because of the dis­cov­ery of the ran­somware and for-prof­it hack­ing oper­a­tions and because the admin­is­tra­tion want­ed to pair the announce­ment with guid­ance for busi­ness­es about tac­tics that the Chi­nese have been using.
...

Also keep in mind that the criminal hacker groups didn't appear in the Exchange hack until March 2 according to our known timeline, the same day Microsoft issued its report blaming the hack on state-sponsored "Hafnium" [107]. So the criminal-like behavior of the groups with access to this exploit wasn't necessarily apparent when Microsoft made its initial "Hafnium" attribution.

But note the one con­sis­tent actor here: Dmitri Alper­ovitch — co-founder of Crowd­Strike and the guy who pio­neered the mod­ern approach of mak­ing loud evi­dence-free hack­ing accu­sa­tions against coun­tries as a means of pre­vent­ing future attacks [1] — is giv­ing us exact­ly the response we should expect by ask­ing why these accu­sa­tions haven’t led to new sanc­tions against Chi­na:

...
Dmitri Alper­ovitch, the for­mer chief tech­nol­o­gy offi­cer of the cyber­se­cu­ri­ty firm Crowd­strike, said the announce­ment makes clear that MSS con­trac­tors who for years have worked for the gov­ern­ment and con­duct­ed oper­a­tions on its behalf have over time decid­ed — either with the approval or the “blind eye of their boss­es” — to ”start moon­light­ing and engag­ing in oth­er activ­i­ties that could put mon­ey in their pock­ets.”

Giv­en the scope of the attack, Alper­ovitch said it was “puz­zling” that the U.S. did not impose sanc­tions.

“They cer­tain­ly deserve it, and at this point, it’s becom­ing a glar­ing stand­out that we have not,” he said.

He added, in a reference to a large Russian cyberespionage operation discovered late last year, "There's no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds."
...

Also note that Alperovitch is now the former CTO of Crowdstrike, having left the company in 2020 to start a non-profit "policy accelerator" focused on cybersecurity in a geopolitical context [173]. In other words, Alperovitch started a think-tank and lobby shop dedicated to pushing for the kind of hacking-based sanctions against Russia and China he has long advocated anyway.

The BBC has a bit more on the story that gives us a better idea of how Western governments are theorizing China decided to carry out this global mega-hack using common cyber-criminals as co-conspirators: Hafnium knew Microsoft planned to deal with the weakness and so shared it with other China-based hackers. In other words, the Chinese state-backed hackers realized the jig was up and handed the zero-day exploit (which was no longer a zero-day) to criminals for some strategic reason.

Again, recall [35] the known timeline of the Exchange hack: it started on January 3 (Volexity's first detected use of the zero-day exploit by "Hafnium"). It was January 6, during the Capitol Insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2, the same day it blamed the hack on Hafnium, a state-backed Chinese hacker group. That's the day we are told multiple criminal groups went on a global race to hit every unpatched server connected to the internet.

So what would be the motive for Hafnium to hand that zero-day exploit over to criminal groups and escalate the hack to the level of worst ever? Maximize damage? Cover their tracks? It's unclear what the theorized rationale would be. Microsoft blamed the hack on "Hafnium" and called them a Chinese state-backed group in the initial security blog post that announced the Exchange patch fixing the exploit, which is when the criminal ransacking reportedly started. So it's not like there was obvious track-covering for Hafnium to do at that point. But that's what we're told by these Western government sources: after getting caught in their quiet, targeted hack, these state-backed hackers made a conscious decision to hand the super-exploit over to criminals and tolerate a global ransacking [60]:

BBC News

Chi­na says Microsoft hack­ing accu­sa­tions fab­ri­cat­ed by US and allies

Pub­lished
7/20/2021

Chi­na has denied alle­ga­tions that it car­ried out a major cyber-attack against tech giant Microsoft.

The US and oth­er West­ern coun­tries on Mon­day accused Chi­na of hack­ing Microsoft Exchange — a pop­u­lar email plat­form used by com­pa­nies world­wide.

They said it was part of a broad­er pat­tern of “reck­less” behav­iour that threat­ened glob­al secu­ri­ty.

Chi­na says it oppos­es all forms of cyber-crime, and has called the claims “fab­ri­cat­ed”.

Chi­na’s for­eign min­istry spokesman said the US had got its allies to make “unrea­son­able crit­i­cisms” against Chi­na.

The UK, EU, New Zealand, Aus­tralia and oth­ers joined the US to accuse Chi­nese state-spon­sored hack­ers.

...

Microsoft blamed a Chi­nese cyber-espi­onage group for tar­get­ing a weak­ness in Microsoft Exchange, which allowed hack­ers to get into email inbox­es.

It said the group, known as Hafni­um, was state-spon­sored and based in Chi­na.

West­ern secu­ri­ty sources believe Hafni­um knew Microsoft had planned to deal with the weak­ness, and so shared it with oth­er Chi­na-based hack­ers.

The sources say the hack seems to sig­nal a shift from a tar­get­ed espi­onage cam­paign to a smash-and-grab raid, lead­ing to con­cerns that Chi­nese cyber-behav­iour is esca­lat­ing.

The UK For­eign Office said the Chi­nese gov­ern­ment had “ignored repeat­ed calls to end its reck­less cam­paign, instead allow­ing state-backed actors to increase the scale of their attacks”.

US Pres­i­dent Joe Biden said the Chi­nese gov­ern­ment may not have been car­ry­ing out the attacks itself, but was “pro­tect­ing those who are doing it. And maybe even accom­mo­dat­ing them being able to do it”.

...

———–

"China says Microsoft hacking accusations fabricated by US and allies"; BBC News; 7/20/2021 [60]

“West­ern secu­ri­ty sources believe Hafni­um knew Microsoft had planned to deal with the weak­ness, and so shared it with oth­er Chi­na-based hack­ers.”

It's quite a scenario described by the Western security sources for this article: Hafnium found out Microsoft planned on closing some vulnerabilities, prompting Hafnium to share the vulnerability with other China-based hackers. Recall how, as we saw above, Volexity witnessed a quiet infiltration of some systems using the zero-day exploits on January 6, during the Capitol insurrection. It was not until around the March 2 patch that the hack became much more widespread, open and aggressive. So we are presumably being asked to assume that the second, noisy phase of the hack came after Hafnium gave its incredible zero-day exploit to other criminal hackers around China. And that this was all quietly sanctioned by the Chinese government. That's the narrative we are being asked to believe, this time with Western governments making the assertions, not Microsoft. And as always, we have no idea what evidence this belief is based on. The one thing we can state with confidence is that a large number of the actors who used this exploit during that global ransacking phase appear to be criminal.

But if we take the state-backed crim­i­nal-super-hack nar­ra­tive seri­ous­ly, we have to treat this as a major esca­la­tion by the Chi­nese gov­ern­ment. Which it very much would be if true. An insane esca­la­tion that could enrage the glob­al busi­ness com­mu­ni­ty. Not just gov­ern­ments:

...
The sources say the hack seems to sig­nal a shift from a tar­get­ed espi­onage cam­paign to a smash-and-grab raid, lead­ing to con­cerns that Chi­nese cyber-behav­iour is esca­lat­ing.
...

But, again, keep in mind that this entire discussion about Hafnium and criminal hacking groups was prompted by the US and its allies issuing a big coordinated public rebuke of China's involvement in the Exchange hack one day after the pair of NSO Group mega-scandal stories. Stories that raised enormous questions about the hacking attributions of the last decade, at a minimum.

Macron to the World: New Phone, Who Dis?

And a few days after that coor­di­nat­ed pub­lic rebuke of Chi­na over “Hafni­um”, we get an update on the fall­out from the NSO Group sto­ry: Emmanuel Macron changed his phone. As a pre­cau­tion. His num­ber was on Moroc­co’s tar­get list. Awk­ward!

We also get an update from NSO Group on how its over­sight sys­tem works: while it does­n’t know the iden­ti­ties of the peo­ple tar­get­ed by Pega­sus, the com­pa­ny can retroac­tive­ly acquire the tar­get lists in the event of a com­plaint and uni­lat­er­al­ly shut down the offend­ing gov­ern­men­t’s sub­scrip­tion fol­low­ing an inves­ti­ga­tion. In oth­er words, NSO Group could in the­o­ry do ret­ro­spec­tive audits. But won’t unless there’s a com­plaint. A com­plaint about the super secret spy­ware you can’t find and don’t know about [62]:

Reuters

France’s Macron changes phone in light of Pega­sus case

Michel Rose and Dan Williams
July 22, 2021 3:25 PM CDT Updat­ed

PARIS, July 22 (Reuters) — French Pres­i­dent Emmanuel Macron has changed his mobile phone and phone num­ber in light of the Pega­sus spy­ware case, a pres­i­den­cy offi­cial said on Thurs­day, in one of the first con­crete actions announced in rela­tion to the scan­dal.

“He’s got sev­er­al phone num­bers. This does not mean he has been spied on. It’s just addi­tion­al secu­ri­ty,” the offi­cial told Reuters. Gov­ern­ment spokesman Gabriel Attal said the pres­i­den­t’s secu­ri­ty pro­to­cols were being adapt­ed in light of the inci­dent.

A glob­al out­cry was trig­gered when sev­er­al inter­na­tion­al media organ­i­sa­tions report­ed that the Pega­sus spy­ware was used in hack­ing smart­phones belong­ing to jour­nal­ists, human rights activists and gov­ern­ment offi­cials in sev­er­al coun­tries.

In Israel, home of Pega­sus devel­op­er NSO Group, a senior law­mak­er said a par­lia­men­tary pan­el may look into spy­ware export restric­tions. NSO says its soft­ware is used to fight crime and ter­ror­ism and has denied any wrong­do­ing.

“Obvi­ous­ly we’re tak­ing (this) very seri­ous­ly,” Attal told reporters hours after an emer­gency cab­i­net meet­ing focused on the Pega­sus alle­ga­tions.

Le Monde news­pa­per and Radio France broad­cast­er report­ed on Tues­day [174] that Macron’s phone was on a list of poten­tial tar­gets for sur­veil­lance by Moroc­co. The two media said that they did not have access to Macron’s phone and could not ver­i­fy if his phone had indeed been spied on.

Moroc­co has reject­ed these alle­ga­tions.

A French lawyer for Moroc­co, Olivi­er Baratel­li, said the gov­ern­ment planned to lodge defama­tion law­suits in Paris against non­govern­men­tal organ­i­sa­tions Amnesty Inter­na­tion­al and For­bid­den Sto­ries, accord­ing to French news out­let fran­ce­in­fo on Thurs­day. The two groups par­tic­i­pat­ed in the Pega­sus probe and alleged Moroc­co had tar­get­ed French offi­cials for sur­veil­lance with the spy­ware.

Amid mount­ing EU con­cern, Ger­man Chan­cel­lor Angela Merkel told reporters in Berlin that spy­ware should be denied to coun­tries where there is no judi­cial over­sight.

Hun­gar­i­an pros­e­cu­tors on Thurs­day launched an inves­ti­ga­tion into mul­ti­ple com­plaints received in the wake of the reports.

Israel has appoint­ed an inter-min­is­te­r­i­al team [175] to assess reports based on an inves­ti­ga­tion by 17 media organ­i­sa­tions that said Pega­sus had been used in attempt­ed or suc­cess­ful hacks of smart­phones using mal­ware that enables the extrac­tion of mes­sages, records calls and secret­ly acti­vates micro­phones.

...

“We cer­tain­ly have to look anew at this whole sub­ject of licences grant­ed by DECA,” Ram Ben-Barak, head of the Knes­set For­eign Affairs and Defence Com­mit­tee, told Israel’s Army Radio, refer­ring to the gov­ern­ment-run Defence Export Con­trols Agency.

The Israeli gov­ern­ment team “will con­duct its checks, and we will be sure to look into the find­ings and see if we need to fix things here”, said Ben-Barak. A for­mer deputy chief of Mossad, he said prop­er use of Pega­sus had “helped a great many peo­ple”.

DECA is with­in Israel’s Defence Min­istry and over­sees NSO exports. Both the min­istry and the firm have said that Pega­sus is meant to be used to track only ter­ror­ists or crim­i­nals, and that all for­eign clients are vet­ted gov­ern­ments.

NSO says it does not know the spe­cif­ic iden­ti­ties of peo­ple against whom clients use Pega­sus. If it receives a com­plaint of Pega­sus hav­ing been mis­used by a client, NSO can retroac­tive­ly acquire the tar­get lists and, should the com­plaint prove true, uni­lat­er­al­ly shut down that clien­t’s soft­ware, the com­pa­ny says.

Other world leaders among those whose phone numbers the news organisations said were on a list of possible targets include Pakistani Prime Minister Imran Khan and Morocco's King Mohammed VI.

———-

"France's Macron changes phone in light of Pegasus case" by Michel Rose and Dan Williams; Reuters; 07/22/2021 [62]

“NSO says it does not know the spe­cif­ic iden­ti­ties of peo­ple against whom clients use Pega­sus. If it receives a com­plaint of Pega­sus hav­ing been mis­used by a client, NSO can retroac­tive­ly acquire the tar­get lists and, should the com­plaint prove true, uni­lat­er­al­ly shut down that clien­t’s soft­ware, the com­pa­ny says.”

NSO Group can retroactively acquire the target lists to investigate complaints. It's the kind of description that sounds like NSO Group would need to go to the clients to retrieve the list of target phone numbers or emails. That's the kind of oversight regime that raises questions about whether these clients have the capability to scrub those target lists before returning them to NSO Group. It's also the kind of oversight regime that raises questions about how any oversight could ever happen outside of instances where there's a news report about NSO Group malware being discovered and a 'retrospective investigation' is conducted. Either an insider needs to leak about it or victims need to discover the malware. Those are the only viable scenarios that could realistically trigger an investigation, and this is super-secret malware that operated without being detected for years. Almost nothing other than the kind of investigative reporting done by Amnesty International and Forbidden Stories could realistically cause a client to have its subscription revoked.

And as we saw in the case of Saudi Arabia and the fallout from the Jamal Khashoggi assassination, the fallout, in the form of NSO Group canceling Saudi Arabia's subscription, a move opposed by the Israeli government, was ultimately reversed after NSO Group was suddenly sold to new investors. That's part of the context of Israel's assurances that it will look anew at the licenses granted for these subscriptions. It can't look anew. It would be a diplomatic nightmare for Israel. And perhaps not something Israel can reasonably decide on its own. If what we are looking at here is a broader Western-sanctioned global system for distributing limited super-hacker capabilities, the fate of NSO Group and the entire Israeli "commercial surveillance" sector suddenly becomes a much more multilateral affair:

...
“We cer­tain­ly have to look anew at this whole sub­ject of licences grant­ed by DECA,” Ram Ben-Barak, head of the Knes­set For­eign Affairs and Defence Com­mit­tee, told Israel’s Army Radio, refer­ring to the gov­ern­ment-run Defence Export Con­trols Agency.

The Israeli gov­ern­ment team “will con­duct its checks, and we will be sure to look into the find­ings and see if we need to fix things here”, said Ben-Barak. A for­mer deputy chief of Mossad, he said prop­er use of Pega­sus had “helped a great many peo­ple”.

DECA is with­in Israel’s Defence Min­istry and over­sees NSO exports. Both the min­istry and the firm have said that Pega­sus is meant to be used to track only ter­ror­ists or crim­i­nals, and that all for­eign clients are vet­ted gov­ern­ments.
...

Will the Israeli gov­ern­ment con­duct a mean­ing­ful audit of its cyber mer­ce­nary export sec­tor? The sto­ry of the NSO Group and Jamal Khashog­gi’s mur­der sug­gests oth­er­wise.

NSO Group and Candiru: Joined at the Founding Financial Hip

We're now at the end of our article marathon. This one isn't from December 2020-July 2021. It's from October 2019. So it was already public as all of this has been playing out. One mega-hack story after another. One Microsoft exploit after another. As the world turned to Microsoft to lead the investigation into this parade of Microsoft vulnerabilities (some might consider that a conflict of interest), the following story from October 2019 was systematically ignored: an introduction to Candiru, its powerful suite of Microsoft exploits, and the fact that its founders overlap with the NSO Group's founders.

Yep, in the fol­low­ing Forbes piece we learn how Can­diru has clients like Uzbek­istan, Sau­di Ara­bia, and the UAE. The main Can­diru finan­cial backer was Founders Group, which was co-found­ed by one of the three men who set up NSO Group, Omri Lavie. Addi­tion­al­ly, one of the lead investors is Founders Group man­ag­ing part­ner Isaac Zack. We’re also told that the indus­try is increas­ing­ly close to its finan­cial back­ers because, well, it’s become so con­tro­ver­sial there aren’t that many finan­cial back­ers avail­able. A hyper-secre­tive inces­tu­ous indus­try increas­ing­ly behold­en to the shrink­ing num­ber of peo­ple will­ing to go into some­thing this explo­sive­ly pow­er­ful [176]:

Forbes

Meet Can­diru — The Mys­te­ri­ous Mer­ce­nar­ies Hack­ing Apple And Microsoft PCs For Prof­it

Thomas Brewster, Forbes Staff
Oct 3, 2019, 06:06am EDT

Israel is home to scores of hack­er-for-hire busi­ness­es, but one of the most clan­des­tine has been Can­diru. With no web­site and few records avail­able, it’s oper­at­ed large­ly under the radar.

But now a researcher is claim­ing the elite Tel Aviv-based firm sold cyber weapons to the gov­ern­ment of Uzbek­istan, while indus­try sources tell Forbes the com­pa­ny is hack­ing both Microsoft Win­dows and Apple Macs for var­i­ous nation states.

In doing so it calls into ques­tion the company’s ethics for part­ner­ing with a gov­ern­ment brand­ed as an abuser of sur­veil­lance tools, just like the morals of its com­pa­tri­ot dig­i­tal arms deal­ers have come under scruti­ny over the last half decade.

Smash­ing Win­dows

Candiru’s spe­cial­i­ty, hack­ing Microsoft Win­dows for nation-state intel­li­gence agen­cies, is one key rev­enue stream. And one of those Can­diru cus­tomers is almost cer­tain­ly Uzbek­istan, accord­ing to Bri­an Bartholomew, a researcher at Russ­ian cyber­se­cu­ri­ty com­pa­ny Kasper­sky Lab. He claimed that a lapse in an Uzbek­istan intel­li­gence agency’s oper­a­tional secu­ri­ty allowed him to link mul­ti­ple Win­dows vul­ner­a­bil­i­ties used in Uzbek attacks back to Can­diru and two oth­er cus­tomers: Sau­di Ara­bia and the U.A.E.

Bartholomew detailed just how Uzbek­istan was slop­py to Forbes ahead of the pub­lic release of his research at London’s Virus Bul­letin con­fer­ence on Thurs­day, though he couldn’t pro­vide clear links between the leaked tools and the Israeli com­pa­ny.

Per­haps Uzbek­istan’s biggest mis­take was to set up a test com­put­er, exposed on the inter­net, that test­ed its hack­ing tools against var­i­ous antivirus sys­tems like Kasper­sky. Bartholomew’s team found that com­put­er online and not­ed that it reg­u­lar­ly con­nect­ed to a sin­gle Web address. And here’s where the Uzbek­istan gov­ern­ment exposed itself: Not only was that address reg­is­tered in Uzbek­istan, but the reg­is­trant was the appar­ent leader of “Mil­i­tary Unit 02616.” Though there was lit­tle infor­ma­tion on that divi­sion, Bart­hole­mew soon dis­cov­ered it was part of Uzbekistan’s sur­veil­lance agency, the Nation­al Secu­ri­ty Ser­vice (NSS).

Accord­ing to Bartholomew, the NSS is essen­tial­ly the suc­ces­sor to the Sovi­et KGB con­tin­gent, which trans­ferred pow­er in the ear­ly 1990s. “They have loads of pow­er. They can pret­ty much do what they want,” Bart­hole­mew said. The NSS also has a his­to­ry of buy­ing mal­ware from for­eign deal­ers, as revealed in the leaked 2015 emails of Ital­ian provider Hack­ing Team [177]. Host­ed on Wik­ileaks, the emails con­tain fre­quent mes­sages about deals between Hack­ing Team and the unit; Bartholomew believes Uzbek­istan spent near­ly $1 mil­lion on the Ital­ian company’s ser­vices, look­ing at all the invoic­es in the leak.

But because the agency exposed its Win­dows exploits on the web, Kasper­sky researchers were able to link them to oth­er mali­cious soft­ware Bartholomew says were cre­at­ed by Can­diru, name­ly those that appeared to be con­trolled by Sau­di Ara­bia and the U.A.E. “Slop­py cus­tomers are bad cus­tomers,” the researcher said.

Human rights experts have now raised the alarm about Candiru’s cus­tomer base and the poten­tial for abuse. Bartholomew and anoth­er source with knowl­edge of the attacks said he dis­cov­ered Can­diru sur­veil­lance soft­ware was used in pre­vi­ous­ly report­ed [178] hacks on Uzbek human rights activists and inde­pen­dent media.

“Each of these gov­ern­ments is a ser­i­al spy­ware abuser, and it is painful­ly pre­dictable that civ­il soci­ety got tar­get­ed again,” said John Scott-Rail­ton, a sur­veil­lance mar­ket researcher at the Uni­ver­si­ty of Toronto’s Cit­i­zen Lab. “For an indus­try that is try­ing to tell investors and reg­u­la­tors that it is work­ing to clean up its act, pro­vid­ing spy­ware to these auto­crat­ic regimes is a guar­an­teed way to get it abused.”

Rain­ing down on Macs

Can­diru spe­cial­izes in hack­ing Win­dows, but it’s also work­ing on tools to crack Apple’s MacOS oper­at­ing sys­tem, accord­ing to Tal Dil­ian, who claims to have part­nered with Can­diru as part of his work with his own sur­veil­lance start­up, Intellex­er. Though not sure, he also said Can­diru may also have a focus on iOS too.

Scott-Rail­ton said he was also con­vinced that Can­diru was devel­op­ing exploits for both Apple and Microsoft tech­nol­o­gy.

Israel’s dig­i­tal mer­ce­nar­ies unite

Out­side of Candiru’s appar­ent rela­tion­ship with Dilian’s spy­ware enterprises—WiSpear and Intellexa—it has at least one tie to the most con­tro­ver­sial of Israel’s sur­veil­lance providers: NSO Group. That’s because two indus­try sources said the main Can­diru finan­cial backer was Founders Group, cofound­ed by one of the three men who set up NSO, Omri Lavie.

As sur­veil­lance indus­try sources also told Forbes, one of the lead investors is Founders Group man­ag­ing part­ner Isaac Zack.. Accord­ing to Pitch­book, Zack is also a board mem­ber at wire­less charg­ing start­up Humavox and at Sepio Sys­tems. The lat­ter is a cyber­se­cu­ri­ty com­pa­ny, focused on doing the exact oppo­site of Can­diru: pro­tect­ing hard­ware from being turned into silent sur­veil­lance devices. Its board also includes Tamir Par­do, the for­mer head of the Mossad, Israel’s intel­li­gence agency.

Com­pa­nies like Can­diru are being forced to go to investors with whom they’re already on friend­ly terms because of an increas­ing antipa­thy towards the indus­try from typ­i­cal ven­ture cap­i­tal firms. “YL Ven­tures has not and will not invest in offen­sive cyber tech­nol­o­gy ven­dors,” said Yoav Leit­ers­dorf, man­ag­ing part­ner at YL Ven­tures. “The pri­ma­ry rea­son for this is eth­i­cal, since often­times the cus­tomers of these ven­dors end up using the tech­nol­o­gy in a way that vio­lates human rights, with or with­out the ven­dors’ knowl­edge. Such usage goes direct­ly against our val­ues and the val­ues of our lim­it­ed part­ners.”

Israeli firms have found them­selves at the cen­ter of an inter­na­tion­al con­tro­ver­sy over the sale of spy­ware to repres­sive gov­ern­ments. Can­diru has avoid­ed the spot­light up until now, but its rival NSO Group has become embroiled in sev­er­al con­tro­ver­sies. In Mex­i­co, the use of alleged NSO mal­ware Pega­sus by the gov­ern­ment to mon­i­tor jour­nal­ists, activists and lawyers work­ing on the 2014 killing of 43 stu­dents caused a major polit­i­cal scan­dal. And in Jan­u­ary, NSO chief Shalev Hulio had to state on the record that his firm had not worked with the Sau­di gov­ern­ment to mon­i­tor jour­nal­ist Jamal Khashog­gi in the months before his mur­der by Sau­di agents.

...

————

“Meet Candiru — The Mysterious Mercenaries Hacking Apple And Microsoft PCs For Profit” by Thomas Brewster; Forbes; 10/03/2019 [176]

“Candiru’s speciality, hacking Microsoft Windows for nation-state intelligence agencies, is one key revenue stream. And one of those Candiru customers is almost certainly Uzbekistan, according to Brian Bartholomew, a researcher at Russian cybersecurity company Kaspersky Lab. He claimed that a lapse in an Uzbekistan intelligence agency’s operational security allowed him to link multiple Windows vulnerabilities used in Uzbek attacks back to Candiru and two other customers: Saudi Arabia and the U.A.E.

Uzbekistan, Saudi Arabia, and the UAE. Those were three of Candiru’s clients identified back in late 2019 when the company first received media exposure, and it’s obviously a very incomplete client list. The kind of client list where we can be confident all sorts of other terrifying customers are being quietly serviced.

Also keep in mind that Uzbekistan’s hackers wouldn’t have any trouble leaving Russian ‘cultural artifact’ clues. They all speak Russian. Of course, as we saw with the ShadowBrokers story, the CIA’s hacking toolkit featured tools to inject Russian or Mandarin into the code to leave these kinds of clues [128], so it’s not like a hacker necessarily needs to know Russian or Mandarin to leave these kinds of ‘clues’. But still, since such ‘clues’ are given so much weight when it comes to cyberattribution, it behooves us to note that the hackers working for the many former Soviet Republics are going to know Russian. At least enough to stick it in their code or on forums or wherever to make sure everyone knows it was the ‘Russians’. We now know dozens of governments have been subscribing to these malware services over the last decade. What are the odds they haven’t been doing precisely what the CIA’s toolkits do and injecting their own ‘cultural artifacts’? What are the odds these subscription toolkits don’t already offer those exact features? Saudi Arabia and the UAE, for example, would probably really enjoy those features:

...
According to Bartholomew, the NSS is essentially the successor to the Soviet KGB contingent, which transferred power in the early 1990s. “They have loads of power. They can pretty much do what they want,” Bartholomew said. The NSS also has a history of buying malware from foreign dealers, as revealed in the leaked 2015 emails of Italian provider Hacking Team [177]. Hosted on Wikileaks, the emails contain frequent messages about deals between Hacking Team and the unit; Bartholomew believes Uzbekistan spent nearly $1 million on the Italian company’s services, looking at all the invoices in the leak.

But because the agency exposed its Windows exploits on the web, Kaspersky researchers were able to link them to other malicious software Bartholomew says were created by Candiru, namely those that appeared to be controlled by Saudi Arabia and the U.A.E. “Sloppy customers are bad customers,” the researcher said.

Human rights experts have now raised the alarm about Candiru’s customer base and the potential for abuse. Bartholomew and another source with knowledge of the attacks said he discovered Candiru surveillance software was used in previously reported [178] hacks on Uzbek human rights activists and independent media.

“Each of these governments is a serial spyware abuser, and it is painfully predictable that civil society got targeted again,” said John Scott-Railton, a surveillance market researcher at the University of Toronto’s Citizen Lab. “For an industry that is trying to tell investors and regulators that it is working to clean up its act, providing spyware to these autocratic regimes is a guaranteed way to get it abused.”
...

And look at the remarkable relationship between NSO Group and Candiru: the main Candiru financial backer was Founders Group, co-founded by one of the three men who set up NSO, Omri Lavie, and one of the lead investors is Founders Group managing partner Isaac Zack:

...
Outside of Candiru’s apparent relationship with Dilian’s spyware enterprises—WiSpear and Intellexa—it has at least one tie to the most controversial of Israel’s surveillance providers: NSO Group. That’s because two industry sources said the main Candiru financial backer was Founders Group, cofounded by one of the three men who set up NSO, Omri Lavie.

As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.
...

So when we read about NSO Group and Candiru both being licensed out to countries like Saudi Arabia, it seems like kind of a package deal. You get Candiru for the Microsoft exploits and NSO Group for the other things.

********************************

Ok, we’re almost done with our excerpt marathon. A marathon that was almost all from just a seven month period starting in December 2020. FireEye delivers what felt like a nightmare at the time. And was and is a nightmare. Just not our worst nightmare. Not even close. Our nightmare scenario kept getting worse. Keeps going. It never ends.

And sure, it’s never going to end by definition. As long as there are computers there are going to be hack stories, and some of them major hacks. But as we’ve seen, this has been an unusual seven month period. One mega-hack after another. It’s like cyber-climate change just started to become noticeable.

And throughout this wave of Microsoft mega-hacks, we’ve had Microsoft leading the way in attributions. It’s always a state-backed actor. Known within 24 to 48 hours. Conclusively. Russia or China. Don’t ask why. Just accept the conclusion. The highly self-serving easy conclusion that is far less terrifying than the idea of criminals carrying out these mega-hacks. Yes, the US government backs Microsoft on these attributions. Also without providing any hint of the evidence it’s based on. Just accept whatever attribution people come up with uncritically because, hey, they’re experts. They must know, right? That’s the climate of contemporary cyberattribution: watching people engage in what appears to be reading the digital tea leaves to come up with the culprit, who then proclaim their findings as if a forensic examination had decisively concluded it. And for the most part this is absolutely unquestioned.

Now, it’s important to keep one thing in mind in terms of this cyberattribution regime: part of the reason Microsoft and governments make these attribution pronouncements without bothering to give any evidence and act as if we should just trust them is because we more or less have to do exactly that. We have to just trust Microsoft and governments and whoever else has access to the computer systems to study these hacks. Much of the evidence is private and someone has to go in and do the forensic cyber-investigations examining malware, looking for ‘cultural artifacts’ or whatever. That’s all well and good and part of how a technologically complex society operates. It’s heavily trust-based.

But that’s precisely why the highly convenient and logically suspect narratives that continually pop up around these mega-hacks — where the culprit is always Russian or Chinese hackers, declared within days — are so problematic. We’re forced to trust the investigators because no evidence is ever given. And yet the conclusions always seem like they were conveniently made up and virtually never acknowledge the existence of a global industry of companies like NSO Group and Candiru. If activists are targeted, sure, a government running “commercial surveillance vendor” software might be suspected, as was the case with Candiru’s malware getting caught being used against activists. But that’s basically the only time we see this legal offensive cyber-for-hire industry come up in the attributions. It’s nearly always otherwise attributed to Russia, China, North Korea or Iran. Maybe criminals if no government networks got hit. But that’s basically it. That’s the contemporary cyberattribution regime. Those are the acceptable choices. Russia, China, North Korea, Iran, maybe criminals. While at least 40 governments around the world have NSO Group subscriptions. And stories like the Vault7 hacking tools that planted foreign ‘cultural artifacts’ are less than a decade old. Each individual hack might be hard to assess, but taken together it’s just implausible.

To get a sense of how implausible, here’s our final quick excerpt. It’s from October 2020, about the findings in Microsoft’s Digital Defence Report, which you can download here [179]. The report includes a diagram (page 42) showing the percent breakdown of the different countries for the state-backed attributions made by Microsoft’s Threat Intelligence Center (MSTIC) study between July 2019 and June 2020. So this is Microsoft telling us what its own security experts found. There were just four countries on the entire chart. Guess which four: 52 percent of hacks attributed to state-backed actors were attributed to Russia, 25 percent to Iran, 12 to China, and 11 to North Korea. Now, take a moment to digest those numbers. 52 + 25 + 12 + 11 = 100. 100 percent of the state-backed attributions made between July 2019 and June 2020 by Microsoft were Russia, Iran, China, or North Korea. All of them. That’s why the ‘trust us’ attribution paradigm is so problematic. It’s hard to trust an implausible narrative [180]:

The Independent

Russia responsible for over half of all state-sponsored hacking, Microsoft says

Attacks focused on political groups, rather than national infrastructure, in an attempt to affect other governments’ policy

Adam Smith
Friday 02 October 2020 14:57

Russia is responsible for over half of all state-sponsored hacking, vastly more than any other state, according to a new report from Microsoft.

Russian activity made up 52 per cent of all attacks between July 2019 and June 2020, the software giant’s Digital Defence Report states [181].

It is followed by Iran, which makes up 25 per cent of the attacks monitored.

China is responsible for 12 per cent of attacks, while North Korea and other states make up the final 11 per cent.

The majority of their targets have been in the United States, which is targeted 69 per cent of the time. The United Kingdom is the next most popular victim, receiving 19 per cent of attacks, followed by Canada, South Korea, and Saudi Arabia.

While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.

According to the software giant, 90 per cent of attacks from nation-states have been focused on “nongovernmental organisations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security.”

The company suggests that nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly.

...

————

“Russia responsible for over half of all state-sponsored hacking, Microsoft says” by Adam Smith; The Independent; 10/02/2020 [180]

Again, 52 + 25 + 12 + 11 = 100. Microsoft’s threat assessment team can apparently only determine hacks came from those four countries. Even at a time when dozens of governments have subscriptions to software from companies like NSO Group and Candiru and none of this is really a secret. It’s shameless. No other states decided to abuse their super spyware? None at all? Just Russia, Iran, China, and North Korea? Yes, that’s what we are being asked to believe by Microsoft, and Microsoft is the leading figure shaping this narrative. A narrative mostly about Microsoft vulnerabilities of late. Lots of Microsoft vulnerabilities and yet almost no mentions by Microsoft’s threat assessment teams of Candiru’s existence. The company exists to sell super Microsoft exploits to governments around the world and yet, in this entire collection of stories we looked at, it was only after CitizenLab publicly identified new Microsoft zero-day exploits Candiru’s clients were using against activists that we saw Microsoft even acknowledge the existence of Candiru.

But to really appreciate why this problematic cyberattribution narrative — where it’s always Russia, Iran, China, and North Korea — is so wildly dangerous to civilization, we have to appreciate how the SolarWinds hack and Microsoft Exchange mega-hacks relate to these seemingly soothing words from Microsoft back in October when it was assuaging concerns about attacks on critical infrastructure: nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly:

...
While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.

According to the software giant, 90 per cent of attacks from nation-states have been focused on “nongovernmental organisations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security.”

The company suggests that nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly.
...

Microsoft was telling us this as the SolarWinds hack was ongoing and two months before it was revealed. And as we’ve seen, both the SolarWinds and Microsoft Exchange mega-hacks could arguably be considered attacks on critical infrastructure. They were a very big deal. Especially the Microsoft Exchange hacks that could be automated and were carried out by seemingly for-profit criminal actors. That’s an infrastructure attack. Whoever carried this out was conducting a kind of digital infrastructure attack. It was that vast and aggressive.

But beyond the immediate damage by these mega-hacks, it’s the potential for seeds to have been sown for future, even more devastating hacks that makes these stories absolutely devastating from a security standpoint. Basically every major organization’s computer networks got hit by sophisticated actors with a demonstrated capacity to deploy multiple zero-day exploits. We have every reason to believe they retained access to a large number of these networks. Remember what Bill Whitaker of Bolden told us [46]: it would have been trivial for the SolarWinds hackers to have turned that malware into the kind of stuff that causes the computers on those networks to effectively self-destruct. A few dozen more lines of code. That’s how easily these kinds of mega-hacks can become major crises. Lethal crises. Imagine the digital infrastructure of most of the world getting crippled with ransomware simultaneously. A few dozen lines of code could have turned SolarWinds or the Exchange hack into the kind of hack that cripples physical infrastructure.

Now imagine a global strike like that that cripples every country’s digital infrastructure except, say, Russia’s. Or China’s. It would be treated as an act of war. And we could be pretty confident Microsoft and plenty of other actors in the security sector would be more than happy to provide those definitive attributions that, yes, it was Russia. Or China. Or Iran or North Korea or whoever is most convenient. Hacking has become the perfect crime in multiple senses. Not only can a hack be executed in a manner where no one can determine the identity of the culprit but, by virtue of that complication, anyone can become the culprit. True conclusive attribution is so difficult, and yet increasingly important and urgent, that civilization has collectively just turned to the digital security industry and governments and asked them to give us their best educated guesses, and then we treat those best educated guesses as conclusive findings. It really is a faith-based attribution system. Increasingly faith in Microsoft being honest about Microsoft mega-hacks. There’s bad faith. And blind faith. And then there’s that kind of faith. Blind dumb faith in Microsoft’s honesty and integrity. It’s clearly very popular these days. Enjoy it while you still can [182].