Move over COVID. 2021 is turning out to be another year of the digital virus. One massive hacking story after another. Unrelated stories in many cases, we are told. In particular:
1. The SolarWinds mega-hack announced in December of 2020, blamed on Russia. Specifically, blamed on the hacking group known as ‘Cozy Bear’/APT29/Pawn Storm. Microsoft dubbed them Nobelium.
2. The Microsoft Exchange mega-hack disclosed in March 2021, blamed on China. Specifically, blamed on a previously unidentified state-backed group Microsoft dubbed Hafnium.
3. The revelations about NSO Group’s oversight (or lack thereof) of its powerful spyware sold to governments around the world.
4. The emerging story of Candiru, one of NSO Group’s fellow “commercial surveillance vendors”, selling toolkits overflowing with zero-day exploits, specializing in targeting Microsoft products.
But how unrelated are these stories? That’s the big question we’re going to explore in this post. A question punctuated by another meta-story we’ve looked at many times before: the meta-story of a cyberattribution paradigm seemingly designed to allow private companies and governments to concoct an attribution scenario for whatever guilty party they want to finger [1]. As long as there was some sort of ‘clue’ found by investigators — like a piece of Cyrillic or Mandarin text or malware previously attributed to a group — these clues were strung together in a “pattern recognition” manner to arrive at a conclusion about the identity of the perpetrators [2]. Attribution conclusions often arrived at with incredible levels of confidence. Recall how the Japanese cybersecurity firm TrendMicro attributed a 2017 US Senate email phishing campaign to ‘Pawn Storm’/Fancy Bear with 100 percent certainty [3], and they made this highly certain attribution based heavily on how similar the hack was to the 2017 hacks of Emmanuel Macron’s emails via a phishing campaign that TrendMicro attributed at the time with 99 percent certainty to Pawn Storm/Fancy Bear [4]. And yet the ANSSI, the French government’s cybersecurity agency, was leaving open the possibility that the hack could be the work of “other high-level” hackers trying to pin the blame on “Pawn Storm” (another name for “Fancy Bear”) [5]. TrendMicro was making 99 percent certain attributions that the French government said could be any range of actors. That was the state of affairs for cyberattributions in 2017 and nothing has changed in the years since. Highly certain attributions continued to be piled on top of highly certain attributions — almost always pointing towards Russia, Iran, China, or North Korea — built on a foundation of what appears to be largely guesswork. Often highly motivated guesswork.
It’s that willingness by cybersecurity firms and governments to make strong ‘100 percent certain’ declarations about who was behind a hack, based on seemingly no compelling evidence, that continues to plague our collective understanding of global digital threats. A lack of understanding that could have grave global implications going forward. Because as we’re going to see, the repeated prevailing narrative encouraging the public to fixate their hacking fears on Russian and Chinese hackers is a narrative that conveniently leaves out the explosion over the last decade of a global industry of powerful legal cutting-edge spyware sold to governments around the world. Dozens of governments that didn’t previously have access to spyware of this caliber. In other words, the default ‘Russia or China did it!’ narrative acts as a cover story to deflect suspicions from all the other countries (or private entities) with access to the kind of spyware previously assumed to be exclusive to a handful of nations with known powerful hacking capabilities.
Also looming large in this discussion is the “ShadowBrokers” story of 2016 and the leak of Vault7, the CIA’s hacking toolkit that included features explicitly designed to confuse this “pattern recognition” approach to cyberattribution. The toolkit literally contained features that injected Cyrillic or Mandarin or other ‘clues’ into the malware code [6]. This was all revealed months before TrendMicro made its ‘100 percent certain’ attribution of the Macron email hacks based on pattern recognition. And yet, other than the acknowledgment by France’s ANSSI that someone could be intentionally leaving false ‘clues’, the story of the ShadowBrokers and the digital ‘clues’ left by Vault7 did not appear to impact the reporting or analysis of the Macron hack in any meaningful way. It’s a big part of the meta-story here: no matter how many reports come out that should raise major questions about the quality of current cyberattributions based on “pattern recognition”, nothing actually changes in terms of how the cybersecurity industry carries out its attributions.
For example, as we’re going to see, when the SolarWinds hack was first uncovered, it was a team led by Adam Meyers, the vice president for threat intelligence at CrowdStrike, who first examined the hack. In an interview [7] describing their early investigation, Meyers claimed to be fully expecting to find some sort of ‘cultural artifact’ like Cyrillic or Mandarin and expressed dismay that nothing was found. They nonetheless attributed the hack to Russia. We’re never given a clear explanation why. The whole episode, and Meyers’s shock at the lack of any ‘clues’, suggests the elite cybersecurity firms like CrowdStrike are not only willing to utilize “pattern recognition” to carry out these attributions but are routinely doing so, raising the question of whether or not hackers these days now just know to leave ‘clues’ in order to satisfy the cybersecurity industry and their clients.
Now, when we learn that it was CrowdStrike who led the SolarWinds hack investigation relying heavily on looking for ‘cultural artifacts’ in the malware, it’s also important to recall how [1] CrowdStrike itself was literally founded in 2011 by Dmitri Alperovitch on the conviction that hacks should be responded to with clear public attributions as a primary means of warding off future attacks. Before CrowdStrike, the idea of publicly naming culprits was anathema in the cybersecurity industry, in large part because it is so difficult to truly know who the culprit is due to the hall-of-mirrors nature of digital evidence [8]. So in that sense, we shouldn’t at all be surprised to learn that CrowdStrike continues to make baseless attributions. It’s CrowdStrike’s business model.
As we’re also going to see, it’s not like the cybersecurity industry always plays dumb about the possibility of actors spoofing the ‘pattern recognition’ methods by intentionally leaving ‘clues’ like Cyrillic. When the SolarWinds mega-hack story broke, it broke in the wake of a disclosure by cybersecurity firm FireEye that its own “Red Team” suite of hacking tools — kits of known exploits used to test clients’ systems for vulnerabilities — was stolen by unknown hackers. Immediately, experts warned how a toolkit like that could be used by governments to cover their tracks. But that’s really the only time we’re going to see this kind of basic insight plainly stated. Right at the start of it with the FireEye attack. For the rest of the time, this obvious problem with our global cyberattribution regime is systematically ignored. Still.
NSO Group: A Quick Review
First, recall how NSO Group first came to the public’s attention in relation to Michael Flynn’s appointment in May of 2016 to the advisory board of OSY Technologies and his consulting work for Francisco Partners. Francisco Partners was NSO Group’s owner at the time and OSY happened to be an NSO Group offshoot [9].
Next, recall how Francisco Partners ended up selling NSO Group to a European private equity firm, Novalpina, in early 2019 [10] following the international outrage over the role NSO Group’s malware played in the assassination of Jamal Khashoggi [11]. We’re going to learn more about that sale and why it happened (hint: Saudi Arabia’s access to that spyware was part of a larger diplomatic process).
So the picture that had already emerged about NSO Group was that of a provider of cutting-edge hacking toolkits to governments around the world, but also a point of leverage in Israel’s own diplomatic toolkit. It was the kind of corporate profile that suggests any scandals involving NSO Group are implicitly government-related scandals. And that picture of a company that distributes powerful hacking tools as part of Israel’s diplomatic efforts gets all the more intriguing when we factor in the chapter of the #TrumpRussia saga involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran) [12]. In other words, there’s no way of separating the NSO Group story from the larger story of the increasingly cozy relationship between Israel and its Sunni allies in a regional alliance against Iran and the still-unresolved agenda of Michael Flynn, Erik Prince, and the network of other US conservatives in Donald Trump’s orbit who had major agendas of their own involving the Middle East.
That’s all part of the context we’re going to have to keep in mind when reading about these new revelations that appear to show the widespread use of NSO Group’s powerful malware against a number of journalists, activists, and even government ministers around the world. And the more we’re learning about the history of the NSO Group, the clearer it’s becoming that the NSO Group’s malware has been secretly used by dozens of governments around the world for at least a decade now.
And as we’re going to see with the story of Candiru, it’s important to keep in mind that NSO Group is merely one of a number of secretive firms selling cutting-edge hacking toolkits to governments around the world. This is a global industry.
Finally, it’s important to keep in mind another major dimension of this story: the explosion of government access to these powerful hacking tools over the last decade has presumably coincided with an explosion of actual hacking. Well, that presumed explosion of actual hacking just happened to coincide with the emergence of highly ‘noisy’ and high-profile ‘Russian hacker’ campaigns. As we’ve seen, following the outbreak of conflict in Ukraine, a number of very publicly visible mass phishing attacks were waged against NATO governments and institutions. It was described by cybersecurity experts as a significant shift in the behavior of Russian government-backed hackers and yet we were nonetheless told that these high-profile hacks must be coming from Russia despite a lack of any solid technical evidence. It was the rise of the “pattern recognition” form of cyberattribution, which consistently found patterns of “Russian hackers” [1]. Recall how the first hack of the DNC, the 2015 hack, took place amidst a giant phishing campaign that hit 50–60,000 email addresses and was described as very different from traditional Russian government hacker phishing campaigns that would normally involve just 5 to 6 carefully crafted phishing emails [13]. Nothing has done a more effective job at obscuring from the global public the emergence of this global super-hacking capability than the prevailing narrative that all hacks are being done by Russia and China. Hardly anyone even bothers asking if it could be anyone else anymore.
Let’s not forget that the globalization of NSA-level spyware was one of the obvious possible logical conclusions of the Snowden affair. Yes, it was remarkable what a stunning edge the NSA had over almost every other government. A desire for a leveling of the playing field was understandable and the globalization of super-spyware is one of the obvious ways to achieve that. There are no easy answers on this topic. It’s a ‘lesser evil’ situation.
So we have to ask: what role have these very high-profile public mass hacking campaigns waged over the last decade and blamed on ‘Russian hackers’ (or ‘Chinese hackers’) played in obscuring the reality that dozens of governments around the world suddenly got access to quiet super hacking tools? The timing sure has been convenient. And it’s not hard to imagine that the high-profile ‘noisy’ phishing campaigns of the last decade ran in parallel with quiet zero-click super-malware like NSO Group’s unstoppable WhatsApp exploit malware. One of the key selling points of this NSO Group malware is how difficult it is to detect. A lot of people and organizations have presumably been hacked without ever discovering the source of the hack. How often have organizations over the past decade, especially governments, discovered they were hacked by a company’s ‘legal’ hacker toolkit like NSO Group’s and just assumed it was ‘Russian hackers’ due to the waves of global high-profile ‘Russian hacker’ campaigns? It’s a question that looms ever larger as the client list of this global legal hacking industry continues to grow in the shadows.
**************************
Let’s Play “What’s Wrong With This Picture?”
Ok, so let’s start off with an overview of the articles we’re going to be reviewing. An overview that screams the question “What’s wrong with this picture?”. Again, it’s four major stories. Unrelated stories, we are told: 1. The SolarWinds mega-hack of December 2020 (blamed on Russia). 2. The Microsoft Exchange mega-hack of March 2021 (blamed on China). 3. Revelations of NSO Group abuses. 4. Revelations that Candiru is selling cutting-edge spyware specialized in targeting Microsoft’s systems. We are told those are four largely unrelated stories. What’s wrong with this picture?
* December 8, 2020 [14]: FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State [15]:
The story that got the ball rolling. At least publicly. Cybersecurity firm FireEye informs the world of a nightmare scenario. FireEye’s “Red Team” code suite was stolen. So whoever managed to hack FireEye obtained a toolkit of virtually all the most powerful known exploits. A digital treasure trove that had suddenly fallen into the hands of whoever already had the wherewithal to pull off this hack. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally covering their tracks, an implicit admission as to how shoddy contemporary cyberattributions truly are today. So who did it? FireEye wasn’t ready to name a culprit. The FBI announced it was confident the hack was carried out by a nation-state, and while they wouldn’t name a specific nation it was pretty clear Russia was the prime suspect. No reasons for these suspicions are given.
* December 14, 2020 [16]: Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce [17]:
The nightmare explodes. We learn it wasn’t just FireEye after FireEye informs SolarWinds that it was SolarWinds’s own Orion update software that delivered the malware onto FireEye’s systems. It was a rather ominous update given that the same Orion software is on another 18,000 client networks. Oh, and the US was already naming names: It was Russia again. Specifically APT29/Cozy Bear/Pawn Storm, the infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015 [13]. Cozy Bear was also behind this new mega-hack. That was the line from the US a week after FireEye first announced the hack. Russia did it. No reasons for this attribution are given, of course, but it is treated as more of a given since numerous US government agencies were hit. Simultaneously, we are told that the aggressive nature of this hack was unprecedented for Cozy Bear.
We also get an early important clue about how the SolarWinds hack was carried out: SolarWinds informed the world that it suspects Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. In other words, the SolarWinds hack started with the hack of Microsoft’s products.
* December 15, 2020 [18]: FireEye Discovered SolarWinds Breach While Probing Own Hack [19]:
In some additional reporting on the breaking SolarWinds news, we learn that FireEye isn’t actually ready to join the US government in attributing the hack to Russia due to a lack of evidence.
* December 15, 2020 [20]: Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny [21]:
More information is coming out about the role Microsoft product vulnerabilities played in the hack. The hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and creating password credentials for legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft Exchange mega-hack that was announced in March was targeting the non-cloud, self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrated an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as that used to execute the Microsoft Exchange mega-hack but awfully close. And yet we will be assured by Microsoft that the Microsoft Exchange hack was carried out by China.
* December 21, 2020 [22]: Treasury Department’s Senior Leaders Were Targeted by Hacking [23]:
The US Treasury Department gives us an update on the scope of the hack. The hackers gained access to agency emails in July 2020, via the manipulation of internal software keys. Specifically, we are told the hackers performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network. This token allowed the hackers to fool the system into thinking they were legitimate users. So spoofing Microsoft credentials appears to be one of the SolarWinds hackers’ specialties.
* February 4, 2021 [24]: SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack [25]:
It’s confirmed! SolarWinds confirms the hack started via a compromised Microsoft Office 365 email account. The hackers used a previously unknown zero-day vulnerability in Microsoft’s Office 365 email software to gain access to and exploit the development environment for SolarWinds Orion.
But beyond that, we learn that 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds. It’s the kind of revelation that raises the disturbing question of whether or not these hackers had some other yet-to-be-discovered technique for infiltrating networks. Which obviously raises a number of questions about whether or not other Microsoft exploits were being used by these hackers. After all, the hackers managed to infiltrate SolarWinds’s own network via a zero-day Microsoft exploit. Why wouldn’t it work elsewhere? In other words, the SolarWinds mega-hack might actually be part of an even larger Microsoft super-mega-hack. A still unrecognized super-mega-Microsoft-hack.
* February 05, 2021 [26]: Microsoft: No Evidence SolarWinds Was Hacked Via Office 365 [27]:
Not true! None of it! That’s the line from Microsoft a day after SolarWinds’s CEO appears to confirm that the exploitation of a Microsoft Office 365 email vulnerability wasn’t just used in the hack but used to execute the initial compromise of SolarWinds’s software development environment. Microsoft does admit that Microsoft services were indeed targeted by the SolarWinds hackers, but insists that the hackers gained privileged credentials in another way, implying it was due to software configuration issues on the client end and not due to vulnerabilities in Microsoft’s products. And what about all the reports from SolarWinds and the US government that they found evidence of an Office 365 email exploit? “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.” That was Microsoft’s line. Still.
* February 19, 2021 [28]: SolarWinds Hackers Kept Going After Microsoft Until January [29]:
Microsoft gave us an update on its SolarWinds investigation. The company acknowledged that its own networks were plundered during the attack, and even some of its source code was stolen. The source code reportedly involved the cloud-based versions of Azure, Intune, and Exchange (email server software). We are also told the hackers were searching Microsoft’s networks for useful secrets like API keys, credentials, and security tokens that may have been embedded in the source code.
* March 5, 2021 [30]: At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software [31]:
A new mega-hack is upon us! Back-to-back mega-hacks. This time Microsoft is the main target. The software giant informed the world that hundreds of thousands of Microsoft Exchange Servers were attacked around the world. The attack was first detected by Volexity on January 6, during the Capitol insurrection, with a large download to an illegitimate user, although days later Volexity issued an update that it found evidence of the attack starting on January 3rd [32]. Days later this quiet hack exploded into a loud global ransacking. Virtually every self-hosted Microsoft Exchange email server in the world connected to the internet was hit over the next two months. Or at least is assumed to have been hit. That’s a lot of hacked email. And potentially voicemail [33]. Microsoft was continuing to assure us the hack had nothing to do with the SolarWinds hack, and also that the SolarWinds hack had nothing to do with any Microsoft vulnerabilities. They were seriously touting the ‘don’t worry about Microsoft security’ line during the Exchange mega-hack disclosure.
* March 10, 2021 [34]: Microsoft Exchange Hack Could Be Worse Than SolarWinds [35]:
With more information about the Hafnium hack coming in, this is looking more and more like the worst worst-case scenario. Or at least worse than the SolarWinds hack, which would make this the worst yet. Literally the worst hack ever. So far. Give it a few months.
The hack started on Jan 3, with “Hafnium” quietly hacking away at dozens of targets until Microsoft issued a patch in early March. At that point, it was a criminal free-for-all race that included at least a dozen more criminal actors.
A big part of what makes it the worst hack ever is the scale, with potentially hundreds of thousands of Exchange email servers all hit in short order, but this is an attack that can be automated. The hackers needed only scripts and time to let the scripts do their work.
But another part of what arguably makes this the worst hack ever is that the ability to remotely take over the Exchange server software doesn’t just potentially give the hackers the ability to read emails. It also potentially gives hackers the ability to compromise the Microsoft Active Directory system, which is the system used for ID authentication across the Microsoft ecosystem of software. So if you corrupt the Active Directory system on a computer, you can potentially get super-user access to all the Microsoft software running on that computer’s network. And the catch here is that Microsoft Exchange server only runs on Windows. So anyone running it is running it on a Windows Server operating system. So compromising the Active Directory system on the computer running the Microsoft Exchange server software can hand over complete control of the server. This also means the hackers could have burrowed in all sorts of hidden backdoors all over the victim networks. This was a huge, deep hack.
But here’s the big detail we learn from Ed Hunter, CISO at Infoblox, a cybersecurity company, who is commenting to a reporter about the hack: the vulnerability has been present in the Microsoft Exchange codebase for a decade. As Hunter put it, “one has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox.”
And, again, it was just two weeks earlier that Microsoft disclosed that the SolarWinds hackers stole Exchange source code for the cloud-based version of Exchange. But in this case, it was the self-hosted Exchange servers that got hacked. All of them. Hundreds of thousands of email servers around the world. Also keep in mind the SolarWinds hackers had already demonstrated zero-day abilities to manipulate Microsoft’s credential systems. So this hack sure seems closely related to the SolarWinds hackers, and yet Microsoft confidently assured us that this had nothing to do with the SolarWinds hack and was in fact carried out by a state-backed Chinese hacking group Microsoft dubbed “Hafnium”.
* April 16, 2021 [36]: A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack [7]:
Four months after it was first announced, NPR has a big piece on the then-untold story of how the hack unfolded. By that point, the Biden White House was unequivocally stating Russian intelligence was behind it. While the reason Russia is given the attribution is, as always, never given, there was by now enough known about the hack to determine that these really were exceptional hackers. Multiple never-before-seen “zero-day” exploits were utilized. Beyond that, the malware was introduced into the SolarWinds software development pipeline at the very last possible moment, during the compilation process, allowing it to evade the standard security checks for unwanted software. It was a proof of concept and could be used against anyone else using the same compilation software (they didn’t name the software). This ability to use this attack against other software developers is particularly acute when we recall that this attack created backdoors on the networks of many of the largest software developers in the world. Including Microsoft. Yikes.
And it’s in this April 2021 NPR piece where we get further confirmation of something that has long been clear but is rarely said out loud so clearly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic characters or Mandarin in the code and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. And he was leading the team that first investigated it. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers described the lack of anything that a human might have inadvertently left behind as a clue as “mind-blowing”. He described the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues as “the craziest f***ing thing I’d ever seen.” So this update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” This is a good time to recall the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead [6]. This was confirmed just four years ago. Everyone really is playing dumb here. Double yikes.
* April 23, 2021 [37]: SolarWinds hacking campaign puts Microsoft in the hot seat [38]:
Microsoft’s terrible, horrible, no good, very bad year continues. A week after that big NPR piece on SolarWinds, we learn new significant details on the SolarWinds hack in a new report put out by The Atlantic Council. The kind of details that have Microsoft scrambling for explanations. And culprits. Again. It turns out the delivery of the backdoor malware via the SolarWinds Orion updating software was just the first phase of the mega-hack. Once the hackers used those backdoors to gain access to victims’ networks they continued to exploit more vulnerabilities. In particular Microsoft vulnerabilities involving how Microsoft products validate user identities. Now, part of the reason Microsoft vulnerabilities were heavily targeted was because, well, these vulnerabilities exist. But the other big reason is that Microsoft has more than 85% of the market share for government and industry. In other words, the juiciest targets — especially government agencies — were almost all running Microsoft tools on their networks. Microsoft continued to deflect blame, suggesting poorly configured software by the clients was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured with default log settings that won’t capture the information needed to catch attacks while they’re in progress.
* May 28, 2021 [39]: Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs [40]:
Cozy Bear/APT29/“Nobelium” is back at it. They’re up to their old tricks, according to Microsoft. Targeted phishing, with organizations who signed up to receive communications from USAID being the targets. 3,000 email accounts at more than 150 different organizations. Somehow, the hackers managed to mimic emails from the firm Constant Contact, the firm that handles USAID’s email communications, to make it look like a USAID communication. At least a quarter of the targeted organizations were involved in international development, humanitarian issues and human rights work. The US and UK blame Russia’s SVR (the same agency Cozy Bear/APT29 is said to work for, along with the FSB).
How did Microsoft determine that this was done by the same hackers who pulled off the SolarWinds hack? That’s never explained. It’s not due to technical similarities. In fact, the Microsoft blog post describing this USAID phishing scheme [41] explicitly states that this new attack had few technical similarities to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the SolarWinds hack was uncovered. Four new pieces of zero-day malware were deployed [42] on the computers of the victims who clicked on the malicious link, so keep in mind that if this was the same hacking group that is involved with the SolarWinds hack and/or Microsoft Exchange hack, this crew is sporting a significant number of zero-day exploits.
* June 25, 2021 [43]: Microsoft says new breach discovered in probe of suspected SolarWinds hackers [44]:
Cozy Bear/APT29/“Nobelium” is at it again. Again. This time, Microsoft tells us the hackers somehow hacked a Microsoft agent who had access to Microsoft customer support tools with subscription information. Of course, we’ve already been told about how the SolarWinds hackers stole code involving how Microsoft tools verify identities, and the same hackers reportedly pulled this hack off. So it’s not hard to imagine some of those stolen insights were used to carry out this hack. But we aren’t told much else from Microsoft other than that it was definitely the SolarWinds hackers who are definitely working for the Russian state. Of that they are sure. Always and forever, except when it’s China.
* July 4, 2021 [45]: SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments [46]:
Less than two weeks later, CBS has an article with more interviews of figures involved with the SolarWinds hack investigation, including Brad Smith, president of Microsoft. Smith points to the list of US government agencies hit by the hack and insists that means it was a foreign intelligence collection mission (which ignores the roughly 18,000 other, largely commercial, victims also hit). The piece reveals that the SolarWinds hackers were on US federal networks reading emails and other traffic for months.
It ends with an interview of Jon Miller, who runs Boldend, a company that sells cutting-edge cyber weapons to US intelligence agencies. Miller observes that the notable thing about the SolarWinds hack wasn’t the sophistication. He builds things much more sophisticated (presumably for his US intelligence clients). Instead, what makes this attack stand out is how aggressive it was. It’s the kind of assessment that suggests a lot of different actors could have pulled off this attack for some time, and someone finally did it.
Miller also reminds us of another crucial aspect of both the SolarWinds and Exchange mega-hacks: it would be trivial to turn those backdoors into digital bombs that destroy victim networks. In other words, these mega-hacks could have been A LOT more damaging had the hackers wanted them to be. And since the hackers likely embedded themselves in victim networks in ways not yet detected, they could still decide to unleash those digital bombs in the future.
* July 15, 2021 [47]: Microsoft says Israeli group sold tools to hack Windows [48]:
Citizen Lab put out a report on an Israeli commercial hacking group behind malware discovered targeting Windows. But Candiru’s toolkit doesn’t just hit Microsoft products. Candiru appears to be the same company Google had just tied to a set of additional zero-day exploits targeting Google’s products, exploits that Citizen Lab also connected to Candiru. So Microsoft and Google both announced the discovery of Candiru zero-day exploits at roughly the same time.
* July 15, 2021 [49]: Microsoft says it blocked spying on rights activists, others [50]:
In some more reporting on Candiru, we learn that the company goes by several names. We also learn that its spyware “infrastructure” includes websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
* July 15, 2021 [51]: Safari Zero-Day Used in Malicious LinkedIn Campaign [52]:
More on Google’s Threat Assessment Group (TAG) security announcement. A Russian-language group was exploiting a vulnerability in the Safari browser on iOS systems. Malicious links that triggered the vulnerability were being sent to Western European government officials through LinkedIn’s direct message app. It is noted that the malicious link campaign coincided with “Nobelium’s” USAID phishing campaign in May targeting Windows devices.
In the same report, Google’s TAG announced a new exploit it had discovered being used against Armenian activists in April: a zero-day exploit against Microsoft’s Internet Explorer.
The TAG team also announced three new zero-day exploits attributed to an unnamed “commercial surveillance vendor” (Candiru): two vulnerabilities in Google’s Chrome and one in Microsoft’s Internet Explorer. These exploits were also used against Armenian targets, but we are told that this was a separate campaign from the other Armenian hack, with one of the Chrome exploits discovered in February and the second in June.
Finally, the article notes that security researchers had identified 33 zero-day vulnerabilities up to that point in 2021, which is 11 more than the 22 total found in 2020. That’s triple the rate of the previous year, which itself was a record year.
* July 17, 2021 [53]: Israeli Companies Aided Saudi Spying Despite Khashoggi Killing [54]:
NSO Group’s recent headache has begun. The New York Times has an update on NSO Group and long-standing questions about the extent to which the license given to countries to buy NSO Group’s super-spyware is used as a tool of Israel’s foreign policy. It’s a question that relates not just to NSO Group but to the entire Israeli ‘commercial surveillance’ industry that governments around the world turn to. As we should have expected, it turns out the super-spyware suites like NSO Group’s Pegasus software aren’t just super-spyware suites. They’re also diplomatic tools for the Israeli government. And that means sometimes NSO Group might effectively be forced to keep selling to clients like Saudi Arabia even when its relationship with those clients becomes toxic. That’s apparently what happened following the Saudi government’s assassination of Jamal Khashoggi. NSO Group canceled the Saudi contract only to be pressured by the Israeli government to renew it. NSO Group was ultimately sold to new private equity owners and proceeded to renew the Saudi contract.
But the NSO Group story reveals a far more legitimate excuse for its apparent negligence in regulating its super-spyware: the Israeli government approves of these sales. If you want a subscription for Pegasus, you better make sure you’re on at least decent terms with the Israeli government. It’s pretty
* July 18, 2021 [55]: Private Israeli spyware used to hack cellphones of journalists, activists worldwide [56]:
The Washington Post follows up with a huge report that confirmed a bunch of other things that have been suspected about NSO Group: people have long accused the company of not having any safeguards to ensure the super-spyware it sells to governments around the world is only used to track ‘terrorists and criminals’. And, yep, there are basically no safeguards. It’s up to the government to promise not to abuse the super-spyware. Although there are geographic limitations: the spyware was configured not to work on US-based smartphones and could be limited to certain countries. But how it was used inside those approved geographic areas was up to the governments. In other words, Pegasus was abused. A lot. At least that’s according to an investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International.
How much abuse of NSO Group’s super-spyware has been taking place? Well, this report was based on thousands of leaked phone numbers that were purportedly the target phone numbers of NSO Group’s feared Pegasus spyware, an almost unstoppable spyware suite that can hit almost any smartphone. And if those thousands of numbers really are an accurate target list, it was rampant abuse, with activists and rival politicians frequently on the target list. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves.
NSO Group’s defense against charges that it was knowingly allowing governments to abuse its super-spyware was to point out that the company doesn’t police how governments use its software. It really is up to the governments to police themselves, as confirmed by this study and the rampant abuse it reveals. It’s not actually a great defense if you think about it, but it gets better when you keep in mind this is all sanctioned and encouraged by the Israeli government (and probably the US government).
* July 19, 2021 [57]: Microsoft Exchange hack caused by China, US and allies say [58]:
The US formally accuses Chinese state-backed hackers of carrying out the Microsoft Exchange mega-hack. At the same time, the US Justice Department announced charges against four Chinese nationals who prosecutors said were working with China’s Ministry of State Security in a different hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. But beyond that, the US accused these state-backed Chinese hackers of carrying out ransomware and other for-profit extortion hacks for their own personal enrichment. In fact, an administration official told reporters that the formal attribution of the Exchange hack to China took this many months (recall Microsoft did it immediately) in part because of the ransomware and for-profit hacking operations. In other words, the hackers the US was accusing of working on behalf of the Chinese state were behaving like regular criminals. But we are nonetheless assured that, no, they were working for China. Dmitri Alperovitch — co-founder of CrowdStrike and the guy who pioneered the modern approach of making loud evidence-free hacking accusations against countries as a means of preventing future attacks [1] — expresses a sense of puzzlement that sanctions against China haven’t been declared yet.
* July 20, 2021 [59]: China says Microsoft hacking accusations fabricated by US and allies [60]:
The US’s allies (the UK, New Zealand, Australia, and the EU) join the US in jointly condemning China for the Microsoft Exchange mega-hack. Anonymous Western security sources tell reporters that they believe Hafnium knew Microsoft was going to plug the Exchange vulnerability and so shared it with other China-based hackers, culminating in the giant global smash-and-grab. It’s another indication that the Microsoft Exchange mega-hack has the appearance of being a criminal smash-and-grab event, and we are now told that this was all how China planned it to play out. And we are also told that Microsoft was about to plug this massive vulnerability but was thwarted by Chinese spies or something. The facts and details may change, but two things always stay the same: China did it, and this definitely didn’t involve the SolarWinds hack.
* July 22, 2021 [61]: France’s Macron changes phone in light of Pegasus case [62]:
The NSO Group scandal gets extra awkward when Emmanuel Macron’s administration officially acknowledges that it changed Macron’s mobile phone and phone number after the number showed up on a list of potential targets for surveillance by Morocco in the report by Forbidden Stories and Amnesty International. Israel has formed an inter-ministerial team to look into the export licenses issued by the Defence Export Controls Agency (DECA). NSO Group continues to defend itself by reiterating that it doesn’t know the identities of the people targeted by Pegasus. The company can, however, retroactively acquire the target lists in the event of a complaint and unilaterally shut down the offending government’s subscription following an investigation. So oversight only happens if a complaint is issued over the abuse of the super-secret difficult-to-find spyware. There presumably aren’t very many complaints.
*******************************
That’s the story we are being asked to buy. Or rather, those are the stories we are being asked to buy. Breaking stories about two record-breaking mega-hacks and revelatory stories about two cutting-edge ‘commercial surveillance vendors’ licensing and selling zero-day exploits around the world. Separate stories, at least that’s what we are told. The SolarWinds hack and the Microsoft Exchange hack are two completely separate hacks, one executed by Russia and the other by China. The fact that the SolarWinds hackers possessed Microsoft zero-day exploits and appeared to initiate the hack using those exploits is just ignored. The fact that no actual evidence indicates it was Russia or China behind the hacks is also just ignored. And the stories about a massive, powerful global “commercial surveillance” industry selling super-exploits to governments around the world are also just ignored. Or other government hacking toolkits like the CIA’s Vault7, which had features specifically designed to spoof the “pattern recognition” approach to cyberattribution. Ignore all that. It’s a faith-based attribution paradigm, ripe for bad-faith attributions.
FireEye Wakes Up to a “Red Team Tools” Nightmare. Which Could Become Everyone’s Nightmare
December 8, 2020, was a dark day for digital security. A worst-case scenario was playing out in real time. Someone hacked the security firm FireEye and stole its “Red Team” code suite, a toolkit of virtually all the most powerful known exploits. And as experts warned, nation-states could potentially hide their own tracks using this toolkit. This is basically going to be the only time we see an expert admit that governments around the world could be intentionally. FireEye wasn’t ready to name a culprit. But the FBI announced it was confident the hack was carried out by a nation-state, and while it wouldn’t name a specific nation it was pretty clear Russia was the prime suspect. No reasons for these suspicions are given [15]:
The New York Times
FireEye, a Top Cybersecurity Firm, Says It Was Hacked by a Nation-State
The Silicon Valley company said hackers — almost certainly Russian — made off with tools that could be used to mount new attacks around the world.
By David E. Sanger and Nicole Perlroth
Published Dec. 8, 2020 Updated Feb. 6, 2021
WASHINGTON — For years, the cybersecurity firm FireEye [63] has been the first call for government agencies and companies around the world who have been hacked by the most sophisticated attackers, or fear they might be.
Now it looks like the hackers [64] — in this case, evidence points to Russia’s intelligence agencies — may be exacting their revenge.
FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers [65] used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.
It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.’s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I.
The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world’s boldest breaches — its clients have included Sony and Equifax — declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls “Red Team tools.”
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.
The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
The hack raises the possibility that Russian intelligence agencies saw an advantage in mounting the attack while American attention — including FireEye’s — was focused on securing the presidential election system. At a moment that the nation’s public and private intelligence systems were seeking out breaches of voter registration systems or voting machines, it may have been a good time for those Russian agencies, which were involved in the 2016 election breaches, to turn their sights on other targets.
The hack was the biggest known theft of cybersecurity [66] tools since those of the National Security Agency were purloined in 2016 [67] by a still-unidentified group that calls itself the ShadowBrokers [68]. That group dumped the N.S.A.’s hacking tools online over several months, handing nation-states and hackers the “keys to the digital kingdom,” as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates — at a cost of more than $10 billion.
The N.S.A.’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons. FireEye’s Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.
Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.
“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”
A Chinese state-sponsored hacking group was previously caught using the N.S.A.’s hacking tools [69] in attacks around the world, ostensibly after discovering the N.S.A.’s tools on its own systems. “It’s like a no-brainer,” said Mr. Wardle.
The breach is likely to be a black eye for FireEye. Its investigators worked with Sony after the devastating 2014 attack [70] that the firm later attributed to North Korea. It was FireEye that was called in after the State Department and other American government agencies were breached by Russian hackers in 2015. And its major corporate clients include Equifax [71], the credit monitoring service that was hacked three years ago, affecting nearly half of the American population.
In the FireEye attack, the hackers went to extraordinary lengths to avoid being seen. They created several thousand internet protocol addresses — many inside the United States — that had never before been used in attacks. By using those addresses to stage their attack, it allowed the hackers to better conceal their whereabouts.
“This attack is different from the tens of thousands of incidents we have responded to throughout the years,” said Kevin Mandia, FireEye’s chief executive. (He was the founder of Mandiant, a firm that FireEye acquired in 2014 [72].)
But FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details were thin.
Mr. Mandia, a former Air Force intelligence officer, said the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” He said they appeared to be highly trained in “operational security” and exhibited “discipline and focus,” while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.
FireEye also published key elements of its “Red Team” tools so that others around the world would see attacks coming.
American investigators are trying to determine if the attack has any relationship to another sophisticated operation that the N.S.A. said Russia was behind in a warning issued on Monday. That gets into a type of software, called VM for virtual machines, which is used widely by defense companies and manufacturers. The N.S.A. declined to say what the targets of that attack were. It is unclear whether the Russians used their success in that breach to get into FireEye’s systems.
...
On Tuesday, Russia’s National Association for International Information Security held a forum with global security experts where Russian officials again claimed that there was no evidence its hackers were responsible for attacks that have resulted in American sanctions and indictments.
Security firms have been a frequent target for nation-states [73] and hackers, in part because their tools maintain a deep level of access to corporate and government clients all over the world. By hacking into those tools and stealing source code, spies and hackers can gain a foothold to victims’ systems.
McAfee, Symantec and Trend Micro were among the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security firm, was hacked by Israeli hackers in 2017 [74]. And in 2012, Symantec confirmed that a segment of its antivirus source code was stolen by hackers [75].
————
“FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said hackers [65] used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.”
FireEye couldn’t say who penetrated their systems. But they nonetheless confidently stated it was the work of “a nation with top-tier offensive capabilities,” an assertion ostensibly rooted in the sophisticated nature of the attack, the discipline of the attackers, and the number of never-before-seen techniques used by these unknown hackers. In other words, a guess made based on pattern recognition, not an assertion made with real certainty. FireEye didn’t actually know this attack came from a nation with top-tier offensive capabilities when it made that statement. FireEye couldn’t have truly ruled out a private actor when it made that confident statement. Or a nation without top-tier capabilities that purchased those top-tier capabilities from a top-tier commercial malware provider like NSO Group. But making attributions in cyber attacks is a service FireEye provides. It points towards one of the fundamental binds the cybersecurity industry faces: their clients are paying for answers, whether answers are feasible or not.
And when the FBI turned the case over to its Russia specialists, and ‘confirmed’ the hack was the work of a state, it was pretty clear where the blame was ultimately going to go. That ‘confirmation’ was no doubt predicated in part on the sophistication of the hack. And yet the apparent prize of this hack was FireEye’s “Red Team” tool kit, which replicated the most sophisticated hacking tools in the world. Or at least the most sophisticated known hacking tools seen in the wild. This very hack makes it obvious that the possession of world-class hacking tools isn’t limited to major nation-states like the US, Russia, and China. Beyond that, we are told how the theft of the FireEye Red Team kit was highly useful to nation-states because it would give them plausible deniability by allowing them to carry out risky hacks without using their ‘zero-day’ exploits, using someone else’s tools instead. All of the details about this story point towards the hall-of-mirrors nature of cyberattribution investigations:
...
It was a stunning theft, akin to bank robbers who, having cleaned out local vaults, then turned around and stole the F.B.I.’s investigative tools. In fact, FireEye said on Tuesday, moments after the stock market closed, that it had called in the F.B.I.
The $3.5 billion company, which partly makes a living by identifying the culprits in some of the world’s boldest breaches — its clients have included Sony and Equifax — declined to say explicitly who was responsible. But its description, and the fact that the F.B.I. has turned the case over to its Russia specialists, left little doubt who the lead suspects were and that they were after what the company calls “Red Team tools.”
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.
The F.B.I. on Tuesday confirmed that the hack was the work of a state, but it also would not say which one. Matt Gorham, assistant director of the F.B.I. Cyber Division, said, “The F.B.I. is investigating the incident and preliminary indications show an actor with a high level of sophistication consistent with a nation-state.”
...
The N.S.A.’s tools were most likely more useful than FireEye’s since the U.S. government builds purpose-made digital weapons. FireEye’s Red Team tools are essentially built from malware that the company has seen used in a wide range of attacks.
Still, the advantage of using stolen weapons is that nation-states can hide their own tracks when they launch attacks.
“Hackers could leverage FireEye’s tools to hack risky, high-profile targets with plausible deniability,” said Patrick Wardle, a former N.S.A. hacker who is now a principal security researcher at Jamf, a software company. “In risky environments, you don’t want to burn your best tools, so this gives advanced adversaries a way to use someone else’s tools without burning their best capabilities.”
A Chinese state-sponsored hacking group was previously caught using the N.S.A.’s hacking tools [69] in attacks around the world, ostensibly after discovering the N.S.A.’s tools on its own systems. “It’s like a no-brainer,” said Mr. Wardle.
...
And as the article reminds us, despite all the hype about the ‘Shadow Brokers’ being a Russian hacker group, the global community has still never truly determined their identity. As is the case with nearly all major hacks, the identities of the perpetrators are ultimately unknowable based on the available evidence:
...
The hack was the biggest known theft of cybersecurity [66] tools since those of the National Security Agency were purloined in 2016 [67] by a still-unidentified group that calls itself the ShadowBrokers [68]. That group dumped the N.S.A.’s hacking tools online over several months, handing nation-states and hackers the “keys to the digital kingdom,” as one former N.S.A. operator put it. North Korea and Russia ultimately used the N.S.A.’s stolen weaponry in destructive attacks on government agencies, hospitals and the world’s biggest conglomerates — at a cost of more than $10 billion.
...
It’s also worth observing how FireEye was declaring that the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” And yet, as we learn, this wasn’t a specific attack on FireEye at all. It was an attack on FireEye and SolarWinds’s 18,000 other customers. FireEye was just a very juicy target to pilfer amongst the thousands the hackers had to choose from:
...
But FireEye said it was still investigating exactly how the hackers had breached its most protected systems. Details were thin.
Mr. Mandia, a former Air Force intelligence officer, said the attackers “tailored their world-class capabilities specifically to target and attack FireEye.” He said they appeared to be highly trained in “operational security” and exhibited “discipline and focus,” while moving clandestinely to escape the detection of security tools and forensic examination. Google, Microsoft and other firms that conduct cybersecurity investigations said they had never seen some of these techniques.
...
On Tuesday, Russia’s National Association for International Information Security held a forum with global security experts where Russian officials again claimed that there was no evidence its hackers were responsible for attacks that have resulted in American sanctions and indictments.
Security firms have been a frequent target for nation-states [73] and hackers, in part because their tools maintain a deep level of access to corporate and government clients all over the world. By hacking into those tools and stealing source code, spies and hackers can gain a foothold to victims’ systems.
...
Finally, note that FireEye is far from the only cybersecurity firm to report having its code stolen by ‘a Russian-speaking hacker group’ last year. McAfee, Symantec, and TrendMicro all reported getting hit. Which means the “Red Team code” kits from all those other firms are also floating around out there. And in each case, it was “Russian-speaking hackers”. Whoever has been hacking these other security firms has been leaving Russian language artifacts in their malware. It’s a thing:
...
McAfee, Symantec and Trend Micro were among the list of major security companies whose code a Russian-speaking hacker group claimed to have stolen last year. Kaspersky, the Russian security firm, was hacked by Israeli hackers in 2017 [74]. And in 2012, Symantec confirmed that a segment of its antivirus source code was stolen by hackers [75].
...
And yet, as we’re going to see, that’s not actually the case with the FireEye hack. No Russian language artifacts, or any other language artifacts, were left in the malware used to attack FireEye. And as we’re also going to see, this lack of language artifacts in the attack — no Cyrillic, or Mandarin or Persian — was seen as an utter shock by the CrowdStrike figures tasked with studying the attack.
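The “language artifact” check the commentary above keeps returning to, as an added example that is not code from this post, from FireEye, CrowdStrike or any vendor: it pulls printable strings out of a byte blob in the two encodings a Windows binary normally carries (UTF-8/ASCII and UTF-16LE) and groups them by Unicode script, which is exactly the Cyrillic/Mandarin/Persian clue that attribution arguments lean on. The script table, the decoding heuristics and the sample blob are all my own constructions for the example.

```python
import re
from collections import Counter, defaultdict

# Unicode blocks for the scripts most often cited as attribution clues (assumed
# table for this example).  Persian uses Arabic script, so those blocks cover Farsi.
SCRIPT_BLOCKS = {
    "Cyrillic": [(0x0400, 0x052F)],
    "Han":      [(0x3400, 0x4DBF), (0x4E00, 0x9FFF)],
    "Arabic":   [(0x0600, 0x077F), (0xFB50, 0xFDFF), (0xFE70, 0xFEFF)],
    "Hangul":   [(0x1100, 0x11FF), (0xAC00, 0xD7AF)],
}

# One UTF-8 encoded character: printable ASCII, or a lead byte plus its
# continuation bytes.  The {n,} quantifier applied below counts characters, not bytes.
UTF8_CHAR = rb"(?:[\x20-\x7e]|[\xc2-\xf4][\x80-\xbf]+)"


def script_of(ch):
    """Name the script of one character; None for digits, punctuation and space."""
    cp = ord(ch)
    if cp < 0x80:
        return "Latin" if ch.isalpha() else None
    for name, blocks in SCRIPT_BLOCKS.items():
        if any(lo <= cp <= hi for lo, hi in blocks):
            return name
    return "Other"


def extract_strings(blob, min_len=4):
    """Return printable strings of at least min_len characters found in blob.

    UTF-8 runs are taken first and their bytes excluded from the UTF-16LE pass:
    two adjacent ASCII bytes such as b"ke" also decode as a printable Han code
    unit and would otherwise show up as a bogus Chinese artifact.  UTF-16 runs
    from the two possible byte alignments are resolved longest-first, so a real
    string beats the junk produced by decoding it off by one byte.
    """
    found, covered = [], bytearray(len(blob))
    for m in re.finditer(UTF8_CHAR + (rb"{%d,}" % min_len), blob):
        found.append(m.group().decode("utf-8", errors="ignore"))
        covered[m.start():m.end()] = b"\x01" * (m.end() - m.start())
    candidates = []                       # (start, end, text) of UTF-16LE runs
    for align in (0, 1):
        run_start, run = None, []
        for i in range(align, len(blob) + 1, 2):   # last index acts as terminator
            ch = ""
            if i + 1 < len(blob) and not covered[i] and not covered[i + 1]:
                try:
                    ch = blob[i:i + 2].decode("utf-16-le")
                except UnicodeDecodeError:         # lone surrogate half
                    ch = ""
            if ch and ch.isprintable():
                if not run:
                    run_start = i
                run.append(ch)
            else:
                if len(run) >= min_len:
                    candidates.append((run_start, i, "".join(run)))
                run = []
    for s, e, text in sorted(candidates, key=lambda c: -len(c[2])):
        if not any(covered[s:e]):
            found.append(text)
            covered[s:e] = b"\x01" * (e - s)
    return found


def classify_strings(strings, min_chars=2):
    """Group strings by the non-Latin scripts they contain.

    A string counts toward a script only if it has at least min_chars letters
    from it, so one stray byte pair that decodes as a single letter is not "evidence".
    """
    hits = defaultdict(list)
    for s in strings:
        counts = Counter(sc for sc in map(script_of, s) if sc)
        for script, n in counts.items():
            if script not in ("Latin", "Other") and n >= min_chars:
                hits[script].append(s)
    return dict(hits)


def artifact_report(blob):
    """Human-readable summary of the script artifacts found in blob."""
    strings = extract_strings(blob)
    hits = classify_strings(strings)
    lines = [f"{len(strings)} strings extracted"]
    for script in sorted(hits):
        lines.append(f"  {script}: {len(hits[script])} string(s), e.g. {hits[script][0]!r}")
    lines.append("  (script artifacts are easy to plant; treat as a weak signal)")
    return "\n".join(lines)


# Constructed sample standing in for a slice of a Windows binary (not a real file).
SAMPLE_BLOB = (
    b"\x00\x00kernel32.dll\x00GetProcAddress\x00"
    + b"C:\\build\\release\\agent.pdb\x00\x00"
    + "Ошибка подключения".encode("utf-16-le") + b"\x00\x00"   # Russian, UTF-16LE
    + "配置文件".encode("utf-8") + b"\x00\x00"                   # Chinese, UTF-8
    + b"\x00\x00\xd0\x90\x00\x00"            # one stray Cyrillic byte pair, no run
)

if __name__ == "__main__":
    print(artifact_report(SAMPLE_BLOB))
```

Run on the sample blob it reports one Cyrillic and one Han string and ignores the lone `\xd0\x90` pair. The two design points worth noting are the ones that bite real analyses: UTF-16 text decoded at the wrong byte alignment produces perfectly “printable” CJK junk, which is why overlapping candidates are resolved longest-first, and a single high-bit byte that happens to land in a script block is not a hit, which is why `min_chars` exists. Neither fix changes the conclusion the post draws: a string table is the easiest part of a binary to edit, so a hit here is a lead, not an attribution.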
FireEye Didn’t Start the Fire. Welcome to the SolarWinds Nightmare. Brought to You by Cozy Bear, According to the FBI, Although FireEye Isn’t So Sure
The FireEye nightmare explodes into the SolarWinds worst-case waking nightmare. It was determined that SolarWinds’s Orion update software delivered the malware onto FireEye’s systems. It’s the kind of ominous discovery that comes with the implication that the other 18,000 SolarWinds clients running the Orion software got hit too. Which is basically what happened.
We also got an early hint from SolarWinds about how the hack started in the first place: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
And as we can see, the FBI was ready to name names from the very onset of this investigation. It took basically no time at all: APT29 aka Cozy Bear is at it again. That was the line from the FBI. The infamous hacking group thought to work for Russia’s FSB (or SVR, it’s unclear) and that the US claims was behind the first hack of the Democratic National Committee (DNC) in 2015 [13] was also behind the new SolarWinds mega-hack. No reasons for this attribution are given, of course [17]:
The Washington Post
Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce
By Ellen Nakashima and Craig Timberg
December 14, 2020 at 11:30 a.m. EST
Russian government hackers breached the Treasury and Commerce departments, along with other U.S. government agencies, as part of a global espionage campaign that stretches back months, according to people familiar with the matter.
Officials were scrambling over the weekend to assess the nature and extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant, the people familiar with the matter said.
The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.
The FBI is investigating the campaign, which may have begun as early as spring, and had no comment Sunday. The victims have included government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye, a cyber firm that itself was breached.
The Russian Embassy in Washington on Sunday called the reports of Russian hacking “baseless.” In a statement on Facebook it said, “attacks in the information space contradict” Russian foreign policy and national interests. “Russia does not conduct offensive operations” in the cyber domain.
All of the organizations were breached through the update server of a network management system made by the firm SolarWinds, FireEye said in a blog post Sunday.
The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.
SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted . . . attack by a nation state.”
The company filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked. The corporate filing also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
Microsoft said in a blog post Sunday that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.
The scale of the Russian espionage operation appears to be large, said several individuals familiar with the matter. “This is looking very, very bad,” said one person. SolarWinds products are used by organizations across the world [76]. They include all five branches of the U.S. military, the Pentagon, State Department, Justice Department, NASA, the Executive Office of the President and the National Security Agency, the world’s top electronic spy agency, according to the firm’s website.
Its clients also include the top 10 U.S. telecommunications companies.
“This is a big deal, and given what we now know about where breaches happened, I’m expecting the scope to grow as more logs are reviewed,” said John Scott-Railton, a senior researcher at Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “When an aggressive group like this gets an open sesame to many desirable systems, they are going to use it widely.”
FireEye reported last week [77] that it was breached and that hacking tools it uses to test clients’ computer defenses were stolen. The Washington Post reported that APT29 was the group behind that hack. FireEye and Microsoft, which were investigating the breach, discovered the hackers were gaining access to victims through updates to SolarWinds’ Orion network monitoring software, FireEye said in its blog post, [78] without publicly naming the Russians.
...
At Commerce, the Russians targeted the National Telecommunications and Information Administration, an agency that handles Internet and telecommunications policy, Reuters reported. They have also been linked to attempts to steal coronavirus [79] research.
In 2014 and 2015, the same group carried out a wide-ranging espionage campaign that targeted thousands of organizations, including government agencies, foreign embassies, energy companies, telecommunications firms and universities.
As part of that operation, it hacked the unclassified email systems of the White House [80], the Pentagon’s Joint Chiefs of Staff and the State Department.
“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.
One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.
The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
Because the Obama administration saw the APT29 operation as traditional espionage, it did not consider taking punitive measures, said Daniel, who is now president and chief executive of the Cyber Threat Alliance, an information-sharing group for cybersecurity companies.
“It was information collection, which is what nation states — including the United States — do,” he said. “From our perspective, it was more important to focus on shoring up defenses.”
But Chris Painter, State Department cyber coordinator in the Obama administration, said even if the Russian campaign is strictly about espionage and there’s no norm against spying, if the scope is broad there should be consequences. “We just don’t have to sit still for it and say ‘good job,’ ” he said.
Sanctions might be one answer, especially if done in concert with allies who were similarly affected, he said. “The problem is there’s not even been condemnation from the top. President Trump hasn’t wanted to say anything bad to Russia, which only encourages them to act irresponsibly across a wide range of activities.”
At the very least, he said, “you’d want to make clear to [Russian President Vladimir] Putin that this is unacceptable — the scope is unacceptable.”
So far there is no sign that the current campaign is being waged for purposes of leaking information or for disruption of critical infrastructure, such as electric grids.
SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the Russians to freely root around victims’ systems.
APT29 compromised SolarWinds so that any time a customer checked in to request an update, the Russians could hitch a ride on the weaponized update to get into a victim’s system. FireEye dubbed the malware that the hackers used “Sunburst.”
“Monday may be a bad day for lots of security teams,” tweeted Dmitri Alperovitch [81], a cybersecurity expert and founder of the Silverado Policy Accelerator think tank.
———–
“The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.”
Less than a week after the FireEye nightmare hack is first announced to the world, we learn it was just one part of a much larger SolarWinds nightmare. A global espionage campaign that seemingly targeted US government agencies. And the US government had already determined the culprit: APT29/Cozy Bear was behind it. That’s the word we were getting from anonymous sources tied to the investigation. It was definitely Russia who had thoroughly hacked the US government’s networks starting in March of 2020 and was reading all those government emails and routing through US government networks this whole time:
...
The federal Cybersecurity and Infrastructure Security Agency issued an alert Sunday warning about an “active exploitation” of the SolarWinds Orion Platform, from versions of the software released in March and June. “CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures,” the alert said.
SolarWinds said Sunday in a statement that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted . . . attack by a nation state.”
...
SolarWinds’ monitoring tool has extremely deep “administrative” access to a network’s core functions, which means that hacking the tool would allow the Russians to freely root around victims’ systems.
...
And note this ominous early detail: in its corporate filing disclosing the hack with the SEC, SolarWinds indicated that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers. Now, it’s important to note that this language is somewhat vague as to whether or not Microsoft’s Office 365 was used for the initial attack to infect the SolarWinds network or it was used after the SolarWinds hack to further exploit the networks of the 18,000 victims. But as we’re going to see, SolarWinds does confirm two months later that, yes, this Microsoft Office 365 email vulnerability was used in the initial hack of the SolarWinds network:
...
The company filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked. The corporate filing also said that Microsoft’s Office 365 email may have been “an attack vector” used by the hackers.
Microsoft said in a blog post Sunday that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.
...
Finally, observe how similar the narrative we’re hearing now is to exactly what we heard from the US government in 2016 following the remarkably ‘aggressive’ and ‘noisy’ second hack of the DNC that we are told was executed by ‘Fancy Bear’ of Russia’s GRU. Recall how, back in late July 2016, US investigators were suggesting Fancy Bear was trying to get caught in the DNC hack. That was the explanation given for the notable apparent lack of sophistication in the hack that was seen as very different from previous hacks attributed to Fancy Bear [82]. So now we’re more or less hearing the same story in relation to Cozy Bear: this hack was highly uncharacteristic for Cozy Bear in the sense that the hackers actively fought to maintain their grip on the networks even after being caught. But we are nonetheless assured it’s Cozy Bear:
...
As part of that operation, it hacked the unclassified email systems of the White House [80], the Pentagon’s Joint Chiefs of Staff and the State Department.
“That was the first time we saw the Russians become much more aggressive, and instead of simply fading away like ghosts when they were detected, they actually contested access to the networks,” said Michael Daniel, who was White House cybersecurity coordinator at the time.
One of its victims in 2015 was the Democratic National Committee. But unlike a rival Russian spy agency, the GRU, which also hacked the DNC, it did not leak the stolen material. In 2016, the GRU military spy agency leaked hacked emails to the online anti-secrecy organization WikiLeaks in an operation that disrupted the Democrats’ national convention in the midst of the presidential campaign.
The SVR, by contrast, generally steals information for traditional espionage purposes, seeking secrets that might help the Kremlin understand the plans and motives of politicians and policymakers. Its operators also have filched industrial data and hacked foreign ministries.
...
They weren’t behaving like Cozy Bear, which has never been known to behave this aggressively before. But it was definitely Cozy Bear. That’s what the US was confidently stating less than a week after the FireEye hack was disclosed. Yet FireEye wasn’t convinced. It’s one of the many data points pointing in the direction of contemporary cyber attributions being mostly just made-up, convenient narratives [19]:
Bloomberg Quint
FireEye Discovered SolarWinds Breach While Probing Own Hack
Kartikay Mehrotra
Published Dec 15 2020, 7:32 AM
Updated Dec 16 2020, 7:25 AM
(Bloomberg) — When FireEye Inc. discovered that it was hacked this month, the cybersecurity firm’s investigators immediately set about trying to figure out how attackers got past its defenses.
It wasn’t just FireEye that got attacked, they quickly found out. Investigators discovered a vulnerability in a product made by one of its software providers, Texas-based SolarWinds Corp.
“We looked through 50,000 lines of source code, which we were able to determine there was a backdoor within SolarWinds,” said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm.
After discovering the backdoor, FireEye contacted SolarWinds and law enforcement, Carmakal said.
...
National Security Advisor Robert O’Brien cut short a trip [83] to the Middle East and Europe to deal with the hack of U.S. government agencies. And Senator Richard Blumenthal, Democrat from Connecticut, said a classified briefing on “Russia’s cyber-attack left me deeply alarmed, in fact downright scared.”
The hackers who attacked FireEye stole sensitive tools that the company uses to find vulnerabilities in clients’ computer networks. While the hack on FireEye was embarrassing for a cybersecurity firm, Carmakal argued that it may prove to be a crucial mistake for the hackers.
“If this actor didn’t hit FireEye, there is a chance that this campaign could have gone on for much, much longer,” Carmakal said. “One silver lining is that we learned so much about how this threat actor works and shared it with our law enforcement, intelligence community and security partners.” Carmakal said there is no evidence FireEye’s stolen hacking tools were used against U.S. government agencies.
“There will unfortunately be more victims that have to come forward in the coming weeks and months,” he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.
...
Carmakal said the hackers took advanced steps to conceal their actions. “Their level of operational security is truly exceptional,” he said, adding that the hackers would operate from servers based in the same city as an employee they were pretending to be in order to evade detection.
...
———–
“‘There will unfortunately be more victims that have to come forward in the coming weeks and months,’ he said. While some have attributed the attack to a state-sponsored Russian group known as APT 29, or Cozy Bear, FireEye had not yet seen sufficient evidence to name the actor, he said. A Kremlin official denied that Russia had any involvement.”
That early hesitancy on FireEye’s part to name a culprit, due to a lack of evidence, is going to be important to keep in mind. Because, as we see in an NPR article from April of 2021, four months after the attack, no new conclusive information about the hackers had emerged [7]. No clue that could positively identify the hackers, and not even the joke ‘clues’ like Cyrillic or Mandarin characters. Nothing. The big shock expressed by Adam Meyers of CrowdStrike — the figure who led the early investigation of the SolarWinds hack — was that there wasn’t any ‘cultural artifact’ like Cyrillic or Mandarin. And yet we’re going to hear assertion after assertion that this was the work of Russian government hackers. Never an explanation why.
Is this the SolarWinds Mega-Hack? Or the Microsoft Mega-hack?
Similarly, note how SolarWinds was pointing a finger at a vulnerability in Microsoft’s Office 365 email as being a vector in the hack, and yet Microsoft was vociferously denying that a vulnerability in its own products played a role at all. As we’ll see [25], there’s never an explanation. Just faith. Faith in Microsoft. Faith that was again tested days after the initial disclosure of the hack, when SolarWinds revealed more details on the nature of the Microsoft exploits used by the hackers. Somehow the hackers were tricking Microsoft’s authentication controls. This includes forging authentication tokens for Microsoft’s Azure cloud services and adding password credentials to legitimate processes, enabling them to read emails from Microsoft’s Exchange Online cloud-based email service. Keep in mind that the Microsoft Exchange mega-hack announced in March was targeting the non-cloud, self-hosted Microsoft Exchange email servers. So when the SolarWinds hackers demonstrated an ability to break into the cloud-based Exchange servers, they were demonstrating a capability that wasn’t exactly the same as the one used to execute the Microsoft Exchange mega-hack, but awfully close. And yet we will be repeatedly assured by Microsoft that the Microsoft Exchange hack was carried out by China and was not at all connected to the SolarWinds hack or to “commercial surveillance vendors”. That’s part of what makes these early disclosures by Microsoft itself, that the SolarWinds hackers demonstrated a remarkable ability to manipulate Microsoft system credentials, so significant. These are disclosures Microsoft seems to want to forget as this looks more and more like a Microsoft mega-hack [21]:
CRN
Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny
By Michael Novinson
December 15, 2020, 05:18 PM EST
Microsoft has become ensnared in probes surrounding the recently disclosed colossal U.S. government hack [84], with media reports and company messages focusing on Office 365, Azure Active Directory and a key domain name.
Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.
The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls [85], according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.
Microsoft didn’t provide an on-the-record response to CRN questions about if the company itself was breached as part of this campaign, and how significant Microsoft’s technology was in the hackers’ ability to exploit customers. Microsoft said in a blog post Sunday [86] that its investigations haven’t identified any Microsoft product or cloud service vulnerabilities. Once an attacker has compromised a target network, they potentially have access to a range of systems, according to a source familiar with the situation.
On Monday, SolarWinds said it was made aware of an attack vector that was used to compromise the company’s Microsoft Office 365 emails [87], according to a filing with the U.S. Securities and Exchange Commission (SEC). Hackers had gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion network monitoring software, FireEye said in a blog Sunday.
That same attack vector might have provided access to other data contained in SolarWinds’ Office 365 office productivity tool, the company said. SolarWinds said it’s probing with Microsoft if any customer, personnel or other data was exfiltrated as a result of this compromise, but hasn’t uncovered any evidence at this time of exfiltration.
“SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether the compromise is associated with the attack on its Orion software build system,” the company wrote in its SEC filing.
As for Azure, the hackers were able to forge a token [88] which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.
“Having gained a significant foothold in the on-premises environment, the actor has made modifications to Azure Active Directory settings to facilitate long term access,” the Microsoft Security Research Center wrote.
The hackers were observed adding new federation trusts to an existing tenant or modifying the properties of an existing federation trust to accept tokens signed with hacker-owned certificates, Microsoft said. They could also use their administrator privileges to grant additional permissions to the target Application or Service Principal, according to Microsoft.
Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.
And from a domain perspective, Microsoft on Monday took control over a key domain name that was used by the SolarWinds hackers to communicate with systems compromised by the backdoor Orion product updates, KrebsOnSecurity reported Tuesday. Microsoft has a long history of seizing control of domains involved with malware, particularly when those sites are being used to attack Windows clients.
Armed with that access, KrebsOnSecurity said Microsoft should soon have some idea which and how many SolarWinds customers were affected [89]. That’s because Microsoft now has insight into which organizations have IT systems that are still trying to ping the malicious domain, KrebsOnSecurity said.
“However, because many Internet service providers and affected companies are already blocking systems from accessing that malicious control domain or have disconnected the vulnerable Orion services, Microsoft’s visibility may be somewhat limited,” KrebsOnSecurity cautioned.
...
———-
“Microsoft’s Role In SolarWinds Breach Comes Under Scrutiny” by Michael Novinson; CRN; 12/15/2020 [21]
“Two key victims in the massive nation-state hacking campaign reportedly had their Microsoft Office 365 accounts broken into. The Russian intelligence service hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Sunday.”
The ‘Russian hackers’ were reading government emails for months. And while we were being assured that it was Russia behind it, it’s worth keeping in mind that the idea of Russia reading these emails is actually far more reassuring than the idea of cyber criminals doing the same, because at least Russia is less inclined to sell or release the data. In other words, these early, aggressively confident attributions towards Russia aren’t just self-serving from the standpoint of aligning with US geopolitical interests. They’re also highly self-serving for Microsoft, SolarWinds, and the US government agencies that got hacked, by downplaying the potential implications of the hack.
Now note these early details of how Microsoft vulnerabilities were used in the attack. The hackers were tricking Microsoft’s authentication controls. They could forge authentication tokens enabling access to Microsoft’s cloud-based Azure services. But critically, they were gaining access to read mail content from Exchange Online, effectively demonstrating the ability to hack Microsoft’s cloud-based Exchange email servers. This is going to be an important detail to keep in mind as we read about the Microsoft Exchange server mega-hack disclosed in March:
...
The hackers are “highly sophisticated” and were able to trick the Microsoft platform’s authentication controls [85], according to Reuters, citing a person familiar with the incident. The Commerce Department said that one of its bureaus had been breached, but didn’t respond to an inquiry about the role of Office 365 in the attack.
...
As for Azure, the hackers were able to forge a token [88] which claims to represent a highly privileged account in Azure Active Directory (AD), the Microsoft Security Research Center wrote in a blog Sunday. The hackers could also gain administrative Azure AD privileges with compromised credentials. Microsoft said this was particularly likely if the account in question is not protected by multi-factor authentication.
...
Microsoft also observed the hackers adding password credentials or x509 certificates to legitimate processes, granting them the ability to read mail content from Exchange Online via Microsoft Graph or Outlook REST. Examples of this happening include mail archiving applications, the firm said. Permissions usually, but not always, considered only the app identity rather than the current user’s permissions.
...
And note that at this point Microsoft itself is also describing how it observed the hackers adding password credentials or x509 certificates to legitimate processes to enable the reading of emails. Microsoft’s own security researchers were telling us about this. And yet, as we’ll see in the articles below from February [27], Microsoft insists that vulnerabilities in its software played no role at all in the hack and that all such reports are misinformation.
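As an added illustration, not from the article or from Microsoft, here is a small triage script a defender could run over Azure AD directory-audit entries to surface the two persistence actions Microsoft describes above: federation trust changes and credentials added to applications or service principals, escalating when the app already holds mail-reading permissions. The activity names and the JSON shape are assumed from Azure AD's directory audit log, and the tenant inventory and the log entries are constructed.

```python
import json
from datetime import datetime
from typing import Optional

# Activity names assumed from Azure AD directory audit logs for the actions
# the quoted article describes; verify them against your own tenant's entries.
FEDERATION_ACTIVITIES = {"set federation settings on domain"}
CREDENTIAL_ACTIVITIES = {
    "add service principal credentials",
    "update application - certificates and secrets management",
}
# Application permissions that let an app identity read mail through Microsoft
# Graph or Outlook REST with no signed-in user involved.
MAIL_READ_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "full_access_as_app"}
SEVERITY_ORDER = {"high": 0, "medium": 1}

# Constructed inventory: app display name -> application permissions granted.
APP_PERMISSIONS = {
    "MailArchiver": {"Mail.Read", "User.Read.All"},
    "HR-Sync": {"User.Read.All"},
}

# Constructed sample entries in the Microsoft Graph directoryAudits shape.
SAMPLE_AUDIT_LOG = json.loads("""[
 {"activityDateTime": "2020-12-13T02:14:07Z", "result": "success",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "svc-admin@contoso.example"}},
  "targetResources": [{"displayName": "MailArchiver", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2020-12-13T02:20:41Z", "result": "success",
  "activityDisplayName": "Set federation settings on domain",
  "initiatedBy": {"user": {"userPrincipalName": "svc-admin@contoso.example"}},
  "targetResources": [{"displayName": "contoso.example", "type": "Domain"}]},
 {"activityDateTime": "2020-12-13T09:05:00Z", "result": "success",
  "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
  "targetResources": [{"displayName": "j.doe", "type": "User"}]},
 {"activityDateTime": "2020-12-13T10:30:12Z", "result": "success",
  "activityDisplayName": "Update application \\u2013 Certificates and secrets management",
  "initiatedBy": {"user": {"userPrincipalName": "dev-lead@contoso.example"}},
  "targetResources": [{"displayName": "HR-Sync", "type": "Application"}]},
 {"activityDateTime": "2020-12-13T11:00:00Z", "result": "failure",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "intern@contoso.example"}},
  "targetResources": [{"displayName": "MailArchiver", "type": "ServicePrincipal"}]}
]""")


def _norm(activity: str) -> str:
    """Lower-case an activity name and fold the en dash Azure uses in some names."""
    return activity.replace("\u2013", "-").strip().lower()


def _actor(entry: dict) -> str:
    """Who initiated the change: a user UPN, or an app name for automated changes."""
    who = entry.get("initiatedBy", {})
    user = who.get("user") or {}
    app = who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName") or "unknown"


def classify(entry: dict) -> Optional[dict]:
    """Return a finding for one audit entry, or None if it is not of interest."""
    if entry.get("result") != "success":
        return None  # a failed attempt did not establish persistence
    activity = _norm(entry.get("activityDisplayName", ""))
    targets = entry.get("targetResources") or [{}]
    target = targets[0].get("displayName", "unknown")
    when = datetime.fromisoformat(entry["activityDateTime"].replace("Z", "+00:00"))
    base = {"when": when, "actor": _actor(entry), "target": target}
    if activity in FEDERATION_ACTIVITIES:
        return {**base, "severity": "high", "technique": "federation trust changed",
                "why": "tokens signed by a newly trusted issuer would be accepted"}
    if activity in CREDENTIAL_ACTIVITIES:
        mail_perms = APP_PERMISSIONS.get(target, set()) & MAIL_READ_PERMISSIONS
        if mail_perms:
            return {**base, "severity": "high", "technique": "app credential added",
                    "why": "app can read mail via " + ", ".join(sorted(mail_perms))}
        return {**base, "severity": "medium", "technique": "app credential added",
                "why": "new credential on an app without mail permissions"}
    return None


def triage(entries) -> list:
    """Classify every entry and order findings by severity, then by time."""
    findings = [f for f in map(classify, entries) if f is not None]
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["when"]))
    return findings


def actors_with_multiple_techniques(findings) -> set:
    """Actors seen doing more than one distinct technique deserve a closer look."""
    seen = {}
    for f in findings:
        seen.setdefault(f["actor"], set()).add(f["technique"])
    return {actor for actor, techs in seen.items() if len(techs) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"{f['when']:%Y-%m-%d %H:%M} {f['severity']:6} {f['technique']:25} "
              f"{f['actor']} -> {f['target']} ({f['why']})")
    print("actors combining techniques:",
          actors_with_multiple_techniques(triage(SAMPLE_AUDIT_LOG)))
```

In a real tenant the entries would come from the Graph `auditLogs/directoryAudits` endpoint or an exported log, and the permission inventory from the app registrations, rather than from the constructed values here.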
A week into the SolarWinds hack disclosure, the US Treasury Department gives an update. We’re told the department’s hack started in July. And in another indication that the hackers had the ability to forge the credentials needed to extract data from Microsoft’s Office 365 email software, we’re told that’s exactly what they were doing on the Treasury’s network. So both SolarWinds and the US Treasury were giving us strong hints early on that the story of the SolarWinds mega-hack is the story of a still-unrecognized Microsoft mega-hack [23]:
The New York Times
Treasury Department’s Senior Leaders Were Targeted by Hacking
The disclosure was the first acknowledgment of a specific intrusion in the vast cyberattack. At the White House, national security leaders met to assess how to deal with the situation.
By David E. Sanger and Alan Rappeport
Published Dec. 21, 2020 Updated Jan. 6, 2021
WASHINGTON — The Russian hackers [90] who penetrated United States government agencies broke into the email system used by the Treasury Department’s most senior leadership, a Democratic member of the Senate Finance Committee said on Monday, the first detail of how deeply Moscow burrowed into the Trump administration’s networks.
In a statement after a briefing for committee staff members, Senator Ron Wyden of Oregon, who has often been among the sharpest critics of the National Security Agency and other intelligence agencies, said that the Treasury Department had acknowledged that “the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.”
The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.
The department learned of the breach not from any of the government agencies whose job is to protect against cyberattacks, but from Microsoft, which runs much of Treasury’s communications software, Mr. Wyden said. He said that “dozens of email accounts were compromised,” apparently including in what is called the departmental offices division, where the most senior officials operate.
“Treasury still does not know all of the actions taken by hackers, or precisely what information was stolen,” he said.
An aide to Mr. Wyden said the department’s officials indicated that Treasury Secretary Steven Mnuchin’s email account had not been breached.
The newest disclosures underscored the administration’s conflicting messages about the source of the attacks and the extent of the damage as more reports about the targets leak out. A Treasury Department spokeswoman did not immediately respond to a request for comment.
Mr. Mnuchin addressed the hacking earlier on Monday and said the department’s classified systems had not been breached.
“At this point, we do not see any break-in into our classified systems,” he said in an interview with CNBC. “Our unclassified systems did have some access.”
Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry.
“I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.
His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.
“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.
Mr. Mnuchin was among several top officials in the government who met with national security officials for the first time at the White House on Monday to assess the damage and discuss how to deal with it.
The meeting was a principals committee session led by Robert C. O’Brien, the national security adviser. It was held two days after Mr. Trump said the attack on federal networks was “under control,” [91] was being exaggerated by the news media and might have been carried out by China rather than Russia, which has been identified by intelligence agencies, other government officials and cybersecurity firms as the almost certain source of the hacking.
The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.
But on Monday there was no public declaration attributing the hacking to Russia, perhaps reflecting Mr. Trump’s reluctance to confront Moscow over the issue and the doubts he has expressed about the seriousness of the attack.
The meeting, according to one senior administration official, was intended to “take stock of the intelligence, the investigation and the actions being taken to remediate” the attack. Absent from that description was any preparation for imposing a cost on the attacker. Mr. Trump did not attend the meeting.
...
The list of attendees at the meeting was notable because it provided some indication of which parts of the government might have been affected. White House officials said Treasury Secretary Steven Mnuchin, Commerce Secretary Wilbur Ross, the acting homeland security secretary Chad F. Wolf and Energy Secretary Dan Brouillette were present. All of those agencies were previously identified by news organizations as targets of the hacking.
John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
General Nakasone, an experienced cyberwarrior who is responsible for the defense of national security systems, has been silent since the hacking was revealed. At the N.S.A. and Cyber Command, officials said, there was extraordinary embarrassment that a private company, FireEye, had been the first to alert the government that it had been hacked.
According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network.
That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.
Formally determining who was responsible for a hacking like this one can be time-consuming work, though the administration did so twice in Mr. Trump’s first year in office, pointing to North Korea for the so-called WannaCry attack [92] on the British health care system and Russia for the “NotPetya” attack [93] that cost Maersk, Federal Express and other major corporations hundreds of millions of dollars [94].
In this case, officials say, a formal declaration of who was responsible for the attack — which is needed to start any form of retaliation — may not come until after Mr. Biden is inaugurated. That would leave the Trump administration to focus on damage control but skip the hard questions of how to deter Moscow from future attacks.
Capt. Katrina J. Cheesman, a spokeswoman for Cyber Command, said that so far the military had found “no evidence of compromises” in the Pentagon’s network. She said that parts of the Defense Department’s “software supply chain source have disclosed a vulnerability within their systems, but we have no indication the D.O.D. network has been compromised.”
———–
“The Treasury Department ranks among the most highly protected corners of the government because of its responsibility for market-moving economic decisions, communications with the Federal Reserve and economic sanctions against adversaries. Mr. Wyden said the hackers had gained access to the email system by manipulating internal software keys.”
It’s the second early indication that the SolarWinds hackers had some advanced Microsoft email tricks: less than two weeks after the initial FireEye disclosure, the Treasury Department informs us that it was the manipulation of internal software keys that enabled access to the agency’s emails after the hackers entered the government networks via the SolarWinds backdoor. Specifically, Microsoft Office 365 identity tokens:
...
According to the details released by Mr. Wyden, once the Russian hackers used the SolarWinds software update to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network. That counterfeiting enabled them to fool the system into thinking they were legitimate users — and to sign on without trying to guess user names and passwords. Microsoft said last week that it had fixed the flaw that the Russians had exploited, but that did not answer the question of whether the hackers used their access to bore through other channels into the Treasury Department or other systems.
...
So claims that Microsoft’s Office 365 email was being exploited as part of the SolarWinds hack were coming not just from the SolarWinds company itself but also from the US Treasury Department. Claims Microsoft continued to vociferously dispute for months. Note what the Treasury actually described: not a guessed password but a counterfeited identity token, minted after the hackers had already gained a foothold inside the network. That is the same move U.S. investigators would later describe as compromising the SAML signing certificate with escalated Active Directory privileges, and it is why the hackers never needed to guess user names or passwords. Whether you call that a Microsoft vulnerability or a customer configuration problem is exactly the dispute that follows.
And just note again how quickly and how definitively the attributions to Russia were coming from the Trump administration: they couldn’t explain how the hackers evaded detection for months, but everyone was ready to join Mike Pompeo in declaring that Moscow was almost certainly behind it. No reasons are given. None are necessary. It’s just a given: if there’s a major hack that hits Western government agencies, it’s either Russia or China. Because of course it is. Who else could it be? It’s the unquestioned operating paradigm for contemporary cyberattribution:
...
Mr. Mnuchin said that the hacking was related to third-party software. He added that there had been no damage or large amounts of information displaced as a result of the attack and that the agency had robust resources to protect the financial industry. “I can assure you, we are completely on top of this,” he said. He did not explain how the Russian presence was not detected in the system for more than four months.
His statement came on the same day that Attorney General William P. Barr, at his final news conference before stepping down, sided with Secretary of State Mike Pompeo in saying that Moscow was almost certainly behind the hacking. The intrusion went through a commercial network management software package made by SolarWinds, a company based in Austin, Texas, and allowed the hackers broad access to government and corporate systems.
“I agree with Secretary Pompeo’s assessment: It certainly appears to be the Russians,” Mr. Barr said, further undercutting President Trump’s effort to cast doubt on whether the government of President Vladimir V. Putin of Russia was behind the attack. Mr. Trump appears to be alone in the administration in his contention that China might have been the source of the hacking.
...
The session was classified, but if it was like the briefings to Congress in recent days, the intelligence officials expressed little doubt that the attack was most likely carried out by hackers associated with the S.V.R., Russia’s premier intelligence agency.
...
John Ratcliffe, the director of national intelligence, participated in the meeting; so did Gina Haspel, the C.I.A. director, and Gen. Paul M. Nakasone, the director of the National Security Agency and the commander of the United States Cyber Command. Secretary of State Mike Pompeo, who was the first high-ranking administration official to acknowledge that Russia was the most likely source of the attack before he was undercut by Mr. Trump, did not attend. His deputy, Stephen E. Biegun, stood in for him.
...
Keep in mind how disturbing these warnings about Microsoft vulnerabilities were at the time. We already knew by that point that someone had planted backdoors on the networks of some 18,000 companies and organizations around the world, including numerous government agencies. But we didn’t necessarily know what the hackers could do on all those networks after they walked through the backdoors. Learning about these Microsoft exploits told us at least some of what they could do. And given how ubiquitous Microsoft’s software is in large organizations, it’s a safe assumption that a large number of those SolarWinds clients were running Microsoft services on those networks.
SolarWinds Update: ‘It Started with a Zero-Day Microsoft Exploit.’ Microsoft Counter-Update: ‘No it Didn’t.’ CISA Update: ‘It’s Not Just SolarWinds.’
It was early February, less than two months after the initial FireEye disclosure, when we got a confirmation of sorts on the question of whether the Microsoft Office 365 email “attack vector” SolarWinds had described in December was actually used in the initial hack of SolarWinds itself. SolarWinds CEO Sudhakar Ramakrishna appeared to confirm that, yes, the intrusion into the Orion software developer’s environment began with its Office 365 email: a compromised company email account, and from there the credentials of targeted employees, most likely obtained through stolen credentials and/or a third-party application exploiting a zero-day vulnerability. Although SolarWinds did not identify any specific Office 365 vulnerability.
But we also got another update, from Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency: roughly 30 percent of the victim organizations had no direct connection to SolarWinds at all. These hackers were getting onto networks by other means. So we learn that the SolarWinds hack likely started with a Microsoft Office 365 account compromise, and also that the hackers were infecting other networks through means other than the trojanized SolarWinds software. It’s not great news for Microsoft users [25]:
CRN
SolarWinds CEO Confirms Office 365 Email ‘Compromise’ Played Role In Broad-Based Attack
SolarWinds CEO Sudhakar Ramakrishna has verified suspicious activity in its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles.
By Michael Novinson
February 04, 2021, 07:28 AM EST
SolarWinds CEO Sudhakar Ramakrishna verified Wednesday “suspicious activity” in its Office 365 environment allowed hackers to gain access to and exploit the SolarWinds Orion development environment.
Hackers most likely entered SolarWinds’s environment through compromised credentials and/or a third-party application that capitalized on a zero-day vulnerability, Ramakrishna said [95].
“We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles,” he said in the blog post. “By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.”
The beleaguered Austin, Texas-based IT infrastructure management vendor said a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.
By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.
SolarWinds’s investigation has not identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, he said Wednesday. A day earlier, Ramakrishna told The Wall Street Journal that one of several theories [96] the company was pursuing is that the hackers used an Office 365 account compromise as the initial point of entry into SolarWinds.
Microsoft declined to comment to CRN. Ramakrishna said SolarWinds has analyzed data from multiple systems and logs, including from our Office 365 and Azure tenants, as part of its investigation. The SolarWinds hack [97] is believed to be the work of the Russian foreign intelligence service.
“While it’s widely understood any one company could not protect itself against a sustained and unprecedented nation-state attack of this kind, we see an opportunity to lead an industry-wide effort that makes SolarWinds a model for secure software environments, development processes, and products,” Ramakrishna wrote in a blog post Wednesday.
Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised [98] to infect other firms the way SolarWinds was.
SolarWinds’s investigations will be ongoing for at least several more weeks [99], and possibly months, due to the sophistication of the campaign and actions taken by the hackers to remove evidence of their activity, he said. SolarWinds has not determined the exact date hackers first gained unauthorized access to the company’s environment, though innocuous code changes were first made to Orion in October 2019.
The hackers deleted programs following use to avoid forensic discovery and masqueraded file names and activity to mimic legitimate applications and files, he said. The hackers had automated dormancy periods of two weeks or more prior to activation and utilized servers outside the monitoring authority of U.S. intelligence, he said.
...
———–
“By compromising the credentials of SolarWinds employees, Ramakrishna said the hackers were able to gain access to and exploit the development environment for the SolarWinds Orion network monitoring platform. SolarWinds was first notified by Microsoft about a compromise related to its Office 365 environment on Dec. 13, the same day news of the hack went public.”
It’s more or less confirmed: the SolarWinds hack started in Microsoft’s Office 365 email environment. A compromised SolarWinds email account was used to programmatically reach the accounts of targeted employees, and those employees’ credentials got the hackers into the Orion software development environment. Whether that first account compromise involved an Office 365 zero-day, a third-party application, or plain stolen credentials, SolarWinds couldn’t say. But that’s where it all started.
Or at least that’s where the SolarWinds hack started. As they note, some 30 percent of the victims of this campaign don’t actually have a direct connection to SolarWinds, raising the possibility that the SolarWinds hack is really part of an even larger hack being executed by a group of actors with numerous powerful Microsoft exploits. In other words, we might not be looking at the SolarWinds mega-hack but instead a Microsoft mega-hack that just includes a large SolarWinds component:
...
Some 30 percent of the private sector and government victims of the colossal hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, told The Wall Street Journal Friday. But he said investigators haven’t identified another company whose products were broadly compromised [98] to infect other firms the way SolarWinds was.
...
So if 30 percent of the victims weren’t running SolarWinds’s Orion software, what was the attack vector in their cases? That’s a mystery, but we have a pretty obvious clue if the SolarWinds hack itself started in Microsoft’s Office 365. It’s no wonder Microsoft’s public relations team was in hyper-damage-control mode, denying all reports going back to December that its products played any role at all in the attack. Recall [21] how it was Microsoft’s own security team that was telling us back in December how the hackers were modifying credentials to read emails from Microsoft Exchange Online (the cloud Exchange service). But once it started looking like the SolarWinds mega-hack was really a Microsoft mega-hack, it was a complete denial from Microsoft: the company has nothing to do with any of this, and anyone saying anything to the contrary is misinterpreting or misreading the available data [27]:
CRN
Microsoft: No Evidence SolarWinds Was Hacked Via Office 365
‘The wording of the SolarWinds 8K [regulatory] filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,’ Microsoft said Thursday.
By Michael Novinson
February 05, 2021, 06:52 AM EST
Microsoft said its investigation hasn’t found any evidence that SolarWinds was attacked through Office 365, meaning the hackers gained privileged credentials in some other way.
The Redmond, Wash.-based software giant said a Dec. 14 regulatory filing [100] by SolarWinds gave the impression that SolarWinds was investigating an attack vector related to Microsoft Office 365. In the filing, SolarWinds said it’s aware of an attack vector [21] used to compromise the company’s Office 365 emails that may have provided access to other data contained in the company’s office productivity tools.
“The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,” the Microsoft Security Team wrote in a blog post Thursday.
SolarWinds’s investigation hasn’t identified a specific vulnerability in Office 365 that would have allowed the hackers to enter the company’s environment through Office 365, CEO Sudhakar Ramakrishna said Wednesday. A day earlier, he told The Wall Street Journal one of several theories the firm was pursuing is hackers used an Office 365 account compromise [96] as the initial point of entry into SolarWinds.
Ramakrishna said Wednesday that SolarWinds has confirmed suspicious activity related to its Office 365 environment, with a company email account compromised and used to access accounts of targeted SolarWinds staff in business and technical roles. By compromising the credentials of SolarWinds staff, he said the hackers were able to gain access to and exploit the SolarWinds development environment.
Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers [101], Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29.
In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues [98] to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.
...
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds [102], with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday [103]. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”
Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code [104] in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.
The company also responded Thursday to criticism for not disclosing attack details as soon as Microsoft knew about them, saying that the company is restricted from sharing details in cases where Microsoft is providing investigative support to other organizations. In these types of engagements, Microsoft said the victim organizations have control in deciding what details to disclose and when to disclose them.
Investigators can additionally discover early indicators that require further research before they are actionable, Microsoft said. Taking the time to thoroughly investigate incidents is necessary to provide the best possible guidance to customers, partners, and the broader security community, Microsoft said.
...
———–
““The wording of the SolarWinds 8K filing was unfortunately ambiguous, leading to erroneous interpretation and speculation, which is not supported by the results of our investigation,” the Microsoft Security Team wrote in a blog post Thursday.”
The denials can’t get any stronger. A day after SolarWinds CEO Sudhakar Ramakrishna seemed to more or less publicly confirm that Microsoft’s Office 365 email environment played a direct role in the initial attack, Microsoft reiterates that all reports of Microsoft vulnerabilities playing any role in the SolarWinds hack are unsubstantiated and false. That’s the line.
And note how the company acknowledges its products were targeted in many cases on the SolarWinds victims’ networks as part of the second phase of the hack, but Microsoft insists that the hackers gained privileged credentials in some other way. Now, in fairness, it’s possible for Microsoft systems on client networks to be compromised for reasons that have nothing to do with vulnerabilities in Microsoft’s code and are instead the fault of misconfigured software or weak identity hygiene on the client end; the Journal’s description of “known Microsoft configuration issues” and “idiosyncrasies in the way software authenticates itself” points in that direction. But that’s what Microsoft was insisting at that point in early February, a day after SolarWinds’s CEO seemed to confirm an Office 365 account compromise was used to initiate the hack, and well after the Treasury Department disclosures, released by Senator Wyden, that the hackers had forged Office 365 identity tokens while plundering the agency’s networks. The plausible deniability of Microsoft’s insistence that client configuration issues explained the compromised Microsoft products was rapidly dwindling. Microsoft’s insistence held strong:
...
Although data hosted in Microsoft services such as email was sometimes targeted by the SolarWinds hackers [101], Microsoft insists the attacker gained privileged credentials in another way. The Cybersecurity and Infrastructure Security Agency (CISA) isn’t aware of cloud software other than Microsoft’s targeted in the SolarWinds attack, Acting Director Brandon Wales told The Wall Street Journal Jan. 29. In many of their break-ins, the SolarWinds hackers took advantage of known Microsoft configuration issues [98] to trick systems into giving them access to emails and documents stored on the cloud, The Wall Street Journal said. Hackers can go from one cloud-computing account to another by taking advantage of little-known idiosyncrasies in the way software authenticates itself on the Microsoft service.
...
Reuters reported Dec. 17 that Microsoft was compromised via SolarWinds [102], with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN at the time that sources for the Reuters report are “misinformed or misinterpreting their information,” but acknowledged the software giant had “detected malicious SolarWinds binaries” in its environment.
“No, it [the Reuters article] is not accurate,” the Microsoft Security Team wrote in its blog post Thursday [103]. “As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.”
Microsoft acknowledged Dec. 31 that a company account compromised by the SolarWinds hackers had been used to view source code [104] in a number of source code repositories. The compromised Microsoft account, however, didn’t have permissions to modify any code or engineering systems, and an investigation confirmed no changes were made, Microsoft said at the time.
...
“As we said at the time, and based upon all investigations since, we have found no indications that our systems were used to attack others.” Have fun interpreting that one. But as a public statement, it sounds definitive. There were no Microsoft software vulnerabilities involved at all with the SolarWinds hack. Period. End of story.
Another Update from Microsoft: We Were Hacked and Our Source Code Was Viewed. Including for Microsoft Exchange. But Don’t Worry, Nothing was Compromised and Everything is Fine on Our End Now.
Two weeks later, the story got another update. From Microsoft: the SolarWinds hackers first viewed a file in a Microsoft source repository in late November, lost their access after Microsoft secured the compromised accounts in December, kept trying to get back in until early January, and along the way managed to download some source code for its Azure, Exchange and Intune cloud-based products. Again, keep in mind that Microsoft will be forced to disclose the Microsoft Exchange mega-hack a couple of weeks after this update, and in that new mega-hack it was the self-hosted, non-cloud version of Microsoft Exchange that got hacked. So the hackers stole code pretty closely related to the very system that got mega-hacked. We’re also going to learn that the Microsoft Exchange mega-hack apparently started in January, the same month the SolarWinds hackers were presumably (hopefully) locked out of Microsoft’s networks for good. And we’ve already seen that the SolarWinds hackers have impressive never-before-seen abilities to trick Microsoft’s credential systems. That’s all part of what makes this latest update to the SolarWinds story so ominous: it sure seems like it’s related to the Microsoft Exchange mega-hack that Microsoft will disclose in March, even though Microsoft assures us it’s not, and that it’s a completely separate hack by different, Chinese, hackers [29]:
CRN
SolarWinds Hackers Kept Going After Microsoft Until January
The SolarWinds hackers first viewed a file in a Microsoft source repository in November, and were able to download source code for its Azure, Exchange and Intune cloud-based products.
By Michael Novinson
February 19, 2021, 06:34 AM EST
The SolarWinds hackers continued efforts to infiltrate Microsoft until early January, keeping up the assault even after Microsoft revealed its source code had been compromised [104].
The likely Russian hackers first viewed a file in a Microsoft source repository in late November, and the Redmond, Wash.-based software giant detected unusual activity in some internal accounts the next month. The hackers lost source repository access after Microsoft secured its compromised accounts, but the threat actor kept making unsuccessful attempts to regain access all the way until early January.
“A concerning aspect of this attack is that security companies were a clear target,” Vasu Jakkal, Microsoft’s corporate vice president of security, compliance and identity, wrote in a blog post Thursday. “Microsoft, given the expansive use of our productivity tools and leadership in security, of course was an early target.”
Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.
The search terms used by the SolarWinds hackers indicates they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance.
Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
...
Microsoft said the SolarWinds hackers weren’t able to access its privileged credentials or leverage Security Access Markup Language (SAML) techniques against the company’s corporate domains. But outside of Microsoft, U.S. investigators said one of the principal ways the hacker has collected victim information is by compromising the SAML signing certificate using escalated Active Directory privileges.
Organizations that delegate trust to on-premises components in deployments that connect on-premises infrastructure and the cloud end up with an additional seam they need to secure, the MSRC wrote. As a result, if an on-premises environment is compromised, Microsoft said there’s an opportunity for hackers to target cloud services.
“When you rely on on-premises services, like authentication server, it is up to a customer to protect their identity infrastructure,” Jakkal wrote in her blog post [105]. “With a cloud identity, like Azure Active Directory, we protect the identity infrastructure from the cloud.”
At the same time, Jakkal said the SolarWinds hackers took advantage of abandoned app accounts with no multi-factor authentication to access cloud administrative settings with high privilege. As organizations transition from implicit trust to explicit verification, Jakkal said they first must focus on protecting identities, especially privileged user accounts.
“Gaps in protecting identities (or user credentials) like weak passwords or lack of multifactor authentication are opportunities for an actor to find their way into a system, elevate their status, and move laterally across the environments targeting email, source code, critical databases and more,” Jakkal said.
The SolarWinds hackers tried and failed to get into CrowdStrike and read their emails via a Microsoft reseller’s Azure account that was responsible for managing CrowdStrike’s Microsoft Office licenses. If a customer buys a cloud service from a reseller and allows the reseller to retain administrative access, then a compromise of reseller credentials would grant access to the customer’s tenant, Microsoft said.
But the abuse of administrative access wouldn’t be a compromise of Microsoft’s services themselves, the company told CRN on Dec. 24.
———–
“Microsoft admitted the SolarWinds hackers were able to download some source code for its Azure, Exchange and Intune cloud-based products. The downloaded Azure source code was for subsets of its service, security and identity components, according to Microsoft.”
It’s more than a little ominous. In February, weeks before the Microsoft Exchange mega-hack was disclosed, the company gave us an update on its SolarWinds investigation: source code was stolen. Source code for the cloud-based versions of Azure, Intune, and Exchange. Sure, it sounds like it was only the self-hosted Exchange servers that got hit in the mega-hack, not the cloud-based Exchange service. But when Microsoft admits the SolarWinds hackers obtained source code for Exchange’s cloud-based service, and then a couple of weeks later we’re told the largest hack on record took place when internet-facing self-hosted Exchange servers got hacked en masse via zero-day exploits, it’s kind of hard to avoid suspicions that the two events are related. And yet Microsoft assures us SolarWinds was the work of ‘Cozy Bear’ and the Exchange hack was the work of a previously unknown Chinese state group. It’s all quite convenient for Microsoft. The kind of explanation that avoids a lot of messy questions:
...
The search terms used by the SolarWinds hackers indicates they were attempting to find secrets such as API keys, credentials, and security tokens that may have been embedded in the source code, according to Microsoft. But the company said it has a development policy that prohibits storing secrets in source code and runs automated tools to verify compliance. Microsoft said it subsequently confirmed that both current and historical branches of its source code repositories don’t contain any live production credentials. For nearly all the Microsoft code repositories accessed by the SolarWinds hackers, only a few individual files were viewed as a result of a repository search, according to the company.
...
But, again, keep in mind another major reason Microsoft might want to assure the world that it’s Russian and Chinese state actors who carried out these mega-hacks: state actors are far more likely to hack for espionage purposes. And when you hack for espionage purposes you probably won’t sell the information you stole. Criminal actors, on the other hand, have very different motivations. So for the general public, learning that Russia or China hacked into your organization is far less alarming than learning some elite criminal hacker group did it. Although, as we’ll see, the hackers we’re told are Chinese state hackers actually run their own for-profit ransom schemes on the side.
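The token counterfeiting the Treasury Department described and the “compromising the SAML signing certificate” technique U.S. investigators describe in the CRN piece above are the same move: with a stolen AD FS token-signing key, the attacker mints SAML (Security Assertion Markup Language) assertions that Office 365 accepts as genuine, so there is no password to guess and no signature check that fails. What a defender can still do is correlate. The Python below is an added example, not code from the original post or from Microsoft, SolarWinds or CRN, and it runs two offline checks over constructed log records: a federated cloud sign-in that the on-premises AD FS farm never logged issuing a token for (Event ID 1200), and an assertion whose validity window is far longer than AD FS would issue. The field names are simplified from the Microsoft Graph sign-in resource and the AD FS audit events, and the 60-minute default token lifetime is an assumption to adjust to the farm’s configured value.

```python
"""Two offline checks for forged ("Golden") SAML tokens in a federated tenant.

Added example; not code from the original post, Microsoft, SolarWinds or CRN.
Log records and assertions are constructed; field names are simplified from
the Graph signIn resource and AD FS audit events (assumptions, not a parser
for the real export formats).
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# AD FS issues short-lived tokens; 60 minutes is the default relying-party
# TokenLifetime (assumption: set this to the farm's configured value).
ADFS_DEFAULT_TOKEN_LIFETIME = timedelta(minutes=60)
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in both log sources."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed AD FS/Admin events: Event ID 1200 = "issued a valid token".
ADFS_EVENTS = [
    {"event_id": 1200, "time": "2020-12-01T14:02:11Z", "user": "alice@example.com"},
    {"event_id": 1200, "time": "2020-12-01T15:41:50Z", "user": "bob@example.com"},
]

# Constructed Azure AD sign-ins. tokenIssuerType records whether the cloud
# believes AD FS signed the token ("ADFederationServices") or Azure AD did.
SIGNINS = [
    {"time": "2020-12-01T14:02:40Z", "user": "alice@example.com",
     "tokenIssuerType": "ADFederationServices", "ip": "203.0.113.10"},
    {"time": "2020-12-01T15:42:05Z", "user": "bob@example.com",
     "tokenIssuerType": "ADFederationServices", "ip": "203.0.113.10"},
    # Accepted as AD FS-signed, but AD FS never logged issuing it: forged.
    {"time": "2020-12-01T23:17:03Z", "user": "carol@example.com",
     "tokenIssuerType": "ADFederationServices", "ip": "198.51.100.77"},
    # Cloud-native sign-in (password hash sync): out of scope for this check.
    {"time": "2020-12-01T23:20:00Z", "user": "dave@example.com",
     "tokenIssuerType": "AzureAD", "ip": "203.0.113.10"},
]


def uncorrelated_federated_signins(signins, adfs_events,
                                   window=ADFS_DEFAULT_TOKEN_LIFETIME):
    """Federated sign-ins that no AD FS token issuance (1200) explains.

    A genuine assertion is presented shortly after AD FS issues it, so every
    ADFederationServices sign-in should have a 1200 event for the same user
    within one token lifetime before it.
    """
    issued = {}
    for ev in adfs_events:
        if ev["event_id"] == 1200:
            issued.setdefault(ev["user"].lower(), []).append(parse_ts(ev["time"]))
    flagged = []
    for s in signins:
        if s["tokenIssuerType"] != "ADFederationServices":
            continue
        t = parse_ts(s["time"])
        if not any(t - window <= it <= t
                   for it in issued.get(s["user"].lower(), [])):
            flagged.append(s)
    return flagged


def assertion_lifetime(assertion_xml):
    """Validity window of a SAML 2.0 assertion, from its Conditions element."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", SAML_NS)
    return parse_ts(cond.get("NotOnOrAfter")) - parse_ts(cond.get("NotBefore"))


def is_suspicious_lifetime(assertion_xml, max_lifetime=ADFS_DEFAULT_TOKEN_LIFETIME):
    """True when the assertion outlives anything AD FS would have issued.

    A forger holding the signing key chooses the window, and tends to choose
    a long one so the token need not be re-minted.
    """
    return assertion_lifetime(assertion_xml) > max_lifetime


def _assertion(user, not_before, not_on_or_after):
    """Build a constructed (unsigned) SAML assertion for the example."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'ID="_example" Version="2.0" IssueInstant="%s">'
            '<saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>'
            '<saml:Subject><saml:NameID>%s</saml:NameID></saml:Subject>'
            '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/>'
            '</saml:Assertion>' % (not_before, user, not_before, not_on_or_after))


LEGIT_ASSERTION = _assertion("alice@example.com", "2020-12-01T14:02:11Z", "2020-12-01T15:02:11Z")
FORGED_ASSERTION = _assertion("carol@example.com", "2020-12-01T23:17:00Z", "2020-12-11T23:17:00Z")


def hunt(signins=SIGNINS, adfs_events=ADFS_EVENTS, assertions=(LEGIT_ASSERTION, FORGED_ASSERTION)):
    """Run both checks and return the findings as plain data."""
    return {
        "uncorrelated_signins": [s["user"] for s in uncorrelated_federated_signins(signins, adfs_events)],
        "overlong_assertions": [ET.fromstring(a).find("saml:Subject/saml:NameID", SAML_NS).text
                                for a in assertions if is_suspicious_lifetime(a)],
    }


if __name__ == "__main__":
    for finding, users in hunt().items():
        print(finding, users)
```

Two caveats when running this against real exports. AD FS only writes the 1200/1202 events if security auditing is enabled on the farm, so an empty issuance list is an auditing gap before it is an indicator, and the hunt has to be run per farm member. And neither check inspects the signature, because in this attack the signature is valid: the defender’s advantage is that the cloud’s sign-in log and the on-premises issuance log are written by two different systems, and a forger who only holds the key cannot backfill the one they never touched.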
A New(?) Mega-Hack is Upon Us: The Microsoft Exchange Mega-Hack. Which, Microsoft Promises, is Definitely Totally Unrelated to the SolarWinds Mega-Hack
Do you or your organization own a self-hosted Microsoft Exchange email server that was connected to the internet between January and March of this year? Congrats! It was hacked. Basically all of them got hacked. A global ransacking that was arguably larger than the SolarWinds hack. And much like the SolarWinds hack, these hackers had the potential to seed victim networks with backdoors or worse. So it’s another mega-hack that sets the hackers up for even bigger mega-hacks in the future. Another Microsoft mega-hack [31]:
Krebs on Security
At Least 30,000 U.S. Organizations Newly Hacked Via Holes in Microsoft’s Email Software
March 5, 2021
At least 30,000 organizations across the United States — including a significant number of small businesses, towns, cities and local governments — have over the past few days been hacked by an unusually aggressive Chinese cyber espionage unit that’s focused on stealing email from victim organizations, multiple sources tell KrebsOnSecurity. The espionage group is exploiting four newly-discovered flaws in Microsoft Exchange Server email software, and has seeded hundreds of thousands of victim organizations worldwide with tools that give the attackers total, remote control over affected systems.
On March 2, Microsoft released emergency security updates [106] to plug four security holes in Exchange Server versions 2013 through 2019 that hackers were actively using to siphon email communications from Internet-facing systems running Exchange.
Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium [107],” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.
In the three days since then, security experts say the same Chinese cyber espionage group has dramatically stepped up attacks on any vulnerable, unpatched Exchange servers worldwide.
In each incident, the intruders have left behind a “web shell,” an easy-to-use, password-protected hacking tool that can be accessed over the Internet from any browser. The web shell gives the attackers administrative access to the victim’s computer servers.
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email.
Microsoft’s initial advisory about the Exchange flaws [108] credited Reston, Va. based Volexity [109] for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021 [32], a day when most of the world was glued to television coverage of the riot at the U.S. Capitol [110].
But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
Reached for comment, Microsoft said it is working closely with the U.S. Cybersecurity & Infrastructure Security Agency (CISA), other government agencies, and security companies, to ensure it is providing the best possible guidance and mitigation for its customers.
“The best protection is to apply updates as soon as possible across all impacted systems,” a Microsoft spokesperson said in a written statement. “We continue to help customers by providing additional investigation and mitigation guidance. Impacted customers should contact our support teams for additional help and resources.”
Meanwhile, CISA has issued an emergency directive [111] ordering all federal civilian departments and agencies running vulnerable Microsoft Exchange servers to either update the software or disconnect the products from their networks.
Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.
White House press secretary Jen Psaki told reporters today [112] the vulnerabilities found in Microsoft’s widely used Exchange servers were “significant,” and “could have far-reaching impacts.”
“We’re concerned that there are a large number of victims,” Psaki said.
By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.
Security researchers have published several tools for detecting vulnerable servers. One of those tools, a script from Microsoft’s Kevin Beaumont [113], is available from Github [114].
KrebsOnSecurity has seen portions of a victim list compiled by running such a tool, and it is not a pretty picture. The backdoor web shell is verifiably present on the networks of thousands of U.S. organizations, including banks, credit unions, non-profits, telecommunications providers, public utilities and police, fire and rescue units.
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
Another government cybersecurity expert who participated in a recent call with multiple stakeholders impacted by this hacking spree worries the cleanup effort required is going to be Herculean.
“On the call, many questions were from school districts or local governments that all need help,” the source said, speaking on condition they were not identified by name. “If these numbers are in the tens of thousands, how does incident response get done? There are just not enough incident response teams out there to do that quickly.”
When it released patches for the four Exchange Server flaws on Tuesday, Microsoft emphasized that the vulnerability did not affect customers running its Exchange Online service (Microsoft’s cloud-hosted email for businesses). But sources say the vast majority of the organizations victimized so far are running some form of Internet-facing Microsoft Outlook Web Access (OWA) email systems in tandem with Exchange servers internally.
“It’s a question worth asking, what’s Microsoft’s recommendation going to be?,” the government cybersecurity expert said. “They’ll say ‘Patch, but it’s better to go to the cloud.’ But how are they securing their non-cloud products? Letting them wither on the vine.”
The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks [115], in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations.
“We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
...
————-
“Microsoft said the Exchange flaws are being targeted by a previously unidentified Chinese hacking crew it dubbed “Hafnium [107],” and said the group had been conducting targeted attacks on email systems used by a range of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.”
Somehow Microsoft determined this hack was carried out by a previously unidentified Chinese hacking crew. Again, we have no idea how they know this group was Chinese or how they know it’s not the same group behind the SolarWinds hack or all sorts of other hacks. We just know Microsoft was very confidently declaring this mega-hack with extreme parallels to SolarWinds wasn’t carried out by the same crew. Instead, we’re confidently assured it’s a Chinese nation-state-backed hacking group that has uncharacteristically decided to carry out what may be the largest hack ever, even larger than SolarWinds. We just have to trust Microsoft:
...
Speaking on condition of anonymity, two cybersecurity experts who’ve briefed U.S. national security advisors on the attack told KrebsOnSecurity the Chinese hacking group thought to be responsible has seized control over “hundreds of thousands” of Microsoft Exchange Servers worldwide — with each victim system representing approximately one organization that uses Exchange to process email....
The government cybersecurity expert said this most recent round of attacks is uncharacteristic of the kinds of nation-state level hacking typically attributed to China, which tends to be fairly focused on compromising specific strategic targets.
“It’s reckless,” the source said. “It seems out of character for Chinese state actors to be this indiscriminate.”
...
It’s also worth noting that Microsoft didn’t catch this vulnerability. It was Volexity, which detected the first major attack coinciding with the January 6 far-right insurrection. We are told that the Chinese hackers quietly first started the hack during the insurrection but transitioned towards an open smash-and-grab a few days later. So that’s some pretty interesting timing, but Volexity had an update: they found signs of cyber operations using this zero-day exploit on January 3, 2021 [32]. So the timing with the Capitol insurrection isn’t quite as interesting as early reporting indicated.
Also recall how Volexity was the first company to identify the SolarWinds malware on their clients’ networks back in July of 2020. Their warnings were ignored but they were the first to find it, at least on record. Volexity is apparently the one company capable of finding these current mega backdoor hacks:
...
Microsoft’s initial advisory about the Exchange flaws [108] credited Reston, Va. based Volexity [109] for reporting the vulnerabilities. Volexity President Steven Adair said the company first saw attackers quietly exploiting the Exchange bugs on Jan. 6, 2021 [32], a day when most of the world was glued to television coverage of the riot at the U.S. Capitol [110]. But Adair said that over the past few days the hacking group has shifted into high gear, moving quickly to scan the Internet for Exchange servers that weren’t yet protected by the security updates Microsoft released Tuesday.
....
And in case the scale of the hack wasn’t clear, note how it appears to be virtually every single self-hosted Outlook Web Access (OWA) server on the planet connected to the internet. Every single one. It’s a global digital nightmare scenario:
...
“We’ve worked on dozens of cases so far where web shells were put on the victim system back on Feb. 28 [before Microsoft announced its patches], all the way up to today,” Adair said. “Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server. The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”
...
Adair said he’s fielded dozens of calls today from state and local government agencies that have identified the backdoors in their Exchange servers and are pleading for help. The trouble is, patching the flaws only blocks the four different ways the hackers are using to get in. But it does nothing to undo the damage that may already have been done.
...
By all accounts, rooting out these intruders is going to require an unprecedented and urgent nationwide clean-up effort. Adair and others say they’re worried that the longer it takes for victims to remove the backdoors, the more likely it is that the intruders will follow up by installing additional backdoors, and perhaps broadening the attack to include other portions of the victim’s network infrastructure.
...
“It’s police departments, hospitals, tons of city and state governments and credit unions,” said one source who’s working closely with federal officials on the matter. “Just about everyone who’s running self-hosted Outlook Web Access and wasn’t patched as of a few days ago got hit with a zero-day attack.”
...
And finally, it’s hard to avoid marveling at the rather stunning assurances given by Microsoft at this point regarding the SolarWinds hack and the role Microsoft vulnerabilities played in that event. Microsoft tells us, “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services.” This was what Microsoft was telling the public in March of 2021. As we saw in the previous article excerpt, which was published about 6 weeks later, the exploitation of Microsoft products was the defining feature of the second phase of the SolarWinds attack. First the SolarWinds Orion software deployed backdoors on all of the SolarWinds customer networks. Then the hackers used those backdoors to roam the networks, looking for valuable information to steal. And that meant exploiting Microsoft vulnerabilities, which they apparently did with abandon. To claim there was no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services is just a lie. A lie that conveniently helped Microsoft avoid uncomfortable questions about whether or not this Microsoft Exchange mega-backdoor hack and the SolarWinds mega-backdoor hack were part of some sort of joint mega-backdoor hack run by the same group of people:
...
Microsoft has said the incursions by Hafnium on vulnerable Exchange servers are in no way connected to the separate SolarWinds-related attacks [115], in which a suspected Russian intelligence group installed backdoors in network management software used by more than 18,000 organizations. “We continue to see no evidence that the actor behind SolarWinds discovered or exploited any vulnerability in Microsoft products and services,” the company said.
Nevertheless, the events of the past few days may well end up far eclipsing the damage done by the SolarWinds intruders.
...
And while Microsoft was aggressively distancing itself and this hack from the SolarWinds hack early on, within a week it was starting to look like SolarWinds was the company that should be doing the distancing. Because this hack was looking like much more than SolarWinds. Like an automatable SolarWinds that was plundered to the full extent available by a variety of criminal actors. It was ‘Hafnium’ who quietly and exclusively used this zero-day exploit from January 3 until Microsoft announced the patch on March 2, at which point a criminal free-for-all involving at least a half dozen other hacking groups ensued to ransack any unpatched servers.
But perhaps the most scandalous aspect of all this is that the zero-day exploit that enabled it has apparently been sitting in Microsoft’s code for at least a decade. How much do you want to bet Jan 3 wasn’t the first time this vulnerability was exploited? [35]:
Data Center Knowledge
Microsoft Exchange Hack Could Be Worse Than SolarWinds
The massive hack’s scope keeps growing. Unlike the SolarWinds exploit, this one can be automated.
Maria Korolov | Mar 10, 2021
The scope of damage from the newly public Microsoft Exchange vulnerability keeps growing, with some experts saying that it is “worse than SolarWinds.”
As of last count, more than 60,000 organizations have fallen victim to the attack.
“The scale of the attack is the biggest threat at this time,” said Mark Goodwin, managing senior analyst at security consulting firm Bishop Fox.
Government institutions have been attacked, large corporations, and small local businesses, he told DCK. According to the internet scanning tool Shodan, more than 250,000 servers are vulnerable, he added.
Unlike the SolarWinds breach [116], the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.
The problem is so severe that Microsoft has released patches even for older servers that are no longer supported, Goodwin said.
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers.
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers.
“Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”
The big problem is that Microsoft Exchange is designed to be accessed by external users, which means servers can be accessible via the internet – and attackers can find them when they scan for vulnerabilities.
“There are ways to scan everything connected to the internet to find vulnerable systems,” said Jethro Beekman, technical director at cybersecurity firm Fortanix. “This has an enormous threat of misuse.”
As a result, the Department of Homeland Security last week issued an emergency directive [117] for federal agencies, warning that the Microsoft Exchange vulnerability is being actively exploited and ordering them to take defensive action.
“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”
This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs [118]). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild? pic.twitter.com/cA4lkS4stg [119]
— Chris Krebs (@C_C_Krebs) March 6, 2021 [120]
Also on Friday, security firm Huntress released a report of its analysis of 3,000 servers, most of which had antivirus or endpoint security solutions installed. Of those, 800 were still not patched, and there were more than 350 malicious webshells already installed by attackers.
“This has seemingly slipped past a majority of preventative security products,” said Huntress senior security researcher John Hammond in a report [121].
The number of affected enterprises is so much higher with this attack than with SolarWinds because this attack can be highly automated, Attivo’s Vissamsetti told DCK.
“With something like this, attackers can mobilize within a day,” he said. “They can script the whole thing in just a few hours.”
Cleanup Will Be Messy
Patching the Microsoft Exchange server is not enough if an organization has been compromised.
Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.
Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.
“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”
And the possibilities for damage are nearly endless, he added.
“It will be messy to clean up,” said Oliver Tavakoli, CTO at Vectra Networks. “It will effectively require backing up data, re-imaging the Exchange server, scrubbing the backup of any accounts which should not be present, resetting all passwords and secrets, and restoring the remaining backup data.”
This is while security teams are already stretched thin by the SolarWinds attack, he added.
“This hack will compete for the same investigative and remediation resources,” he told DCK. “So, having two such broad attacks occur near the same time places exorbitant strain on the resources.”
And even if the Exchange servers are patched, back doors shut down, and attackers fully cleaned out, that’s not the end of it, said Adrien Gendre, chief product and services officer at Vade Secure.
“Based on our knowledge of prior incidents,” he said, “expect to see a rise in spear phishing attacks in the coming weeks.”
The attackers will be able to use the information they’ve collected while in the system, such as emails and other documents, to craft extremely targeted and credible scam emails, he said.
Time to Ditch Microsoft Exchange
Experts recommend that companies replace on-prem deployments of Microsoft Exchange with cloud-based alternatives like Office 365, which are not vulnerable to the attack.
And if there is an attack, the SaaS vendor simply installs the patch themselves. There’s no need for every single customer to install their own patches, dramatically simplifying security.
If that’s not an option, the Exchange servers can be put behind VPNs, Fortanix’s Beekman told DCK.
“And there are web application firewalls that you can insert between the server and the internet,” he added.
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added.
This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.
...
The Timeline of the Microsoft Exchange Hack
Security experts began noticing signs of compromise in early January, with the first attacks [32] on January 3, according to security firm Volexity.
At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.
Then, after Microsoft finally released patches [122] on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company.
“One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.
...
———–
“Unlike the SolarWinds breach [116], the Microsoft Exchange vulnerability can be exploited in an automated way. If a data center has an Exchange server accessible via the public internet, assume it’s been compromised, he said.”
Not only is this hack the kind of hack that any common criminal hacker is capable of executing once they know the exploit, but it’s the kind of hack that a single hacker could theoretically turn into a mega-hack with a simple script, because this is an automatable hack. That’s why you should assume you got hit if you were exposed. Everyone exposed got hit because it was easy for anyone to hit everyone.
But everyone wasn’t hit at first. It was “Hafnium” who quietly started hacking targets, with Volexity first detecting the usage of the zero-day exploit on January 3 (not Jan 6 as earlier indicated). It was after Microsoft released the patches on March 2 that other criminal groups went on a global spree, hitting every remaining unpatched Exchange server on the planet connected to the internet. As we’re going to see, when the US and its Western allies all issued coordinated formal statements in mid-July, formally accusing China of executing the hack, we were told by unnamed sources familiar with the investigation that it is suspected that Hafnium knew Microsoft was going to close the zero-day vulnerabilities (which were no longer zero-days at that point) and at that point handed the exploits over to criminals [60]. But we have no idea why that particular scenario was suspected, as opposed to Hafnium being a criminal actor who sold their exploit to other actors once the patch was released. Or another actor pretending to be a Chinese state actor, although it’s unclear what, if any, ‘Chinese’ indicators are being left by “Hafnium”. Microsoft told us it was a never-before-seen Chinese state-backed group called Hafnium, and that declaration alone is treated as adequate evidence. As with the SolarWinds hack, these are faith-based public attributions, which is a big part of the reason the behind-the-scenes, reading-the-tea-leaves methods of attribution are so problematic. That’s what we’re supposed to have faith in. Tea-leaf reading with huge conflicts of interest:
...
And, unlike the SolarWinds breach, which was primarily exploited by a single state-sponsored group, reportedly from Russia, the Microsoft Exchange vulnerability is open to everybody. Originally associated with a Chinese state-sponsored group, Hafnium, at last count half a dozen different groups are actively attacking organizations with vulnerable servers....
Security experts began noticing signs of compromise in early January, with the first attacks [32] on January 3, according to security firm Volexity.
At first, these attacks, which exploited a zero-day vulnerability, were limited to Hafnium.
Then, after Microsoft finally released patches [122] on March 2, other criminal groups started using it in a race to attack as many servers as possible before they were patched.
...
Also observe how Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, was trying to make sense of the incredibly aggressive nature of this hack by questioning on Twitter whether this was the work of an out-of-control cybercrime gang or contractors gone wild. Krebs is generally considered a pretty credible voice on these matters. So he was not ready to jump on board the China-did-it bandwagon at this point, when we were being assured by Microsoft and others that yes, China did it. Just take their word for it. Krebs wasn’t taking their word:
...
“This is a crazy huge hack,” said Chris Krebs, the former director of the Cybersecurity and Infrastructure Security Agency, in a Tweet on Friday. “The numbers I’ve heard dwarf what’s reported.”
This is a crazy huge hack. The numbers I’ve heard dwarf what’s reported here & by my brother from another mother (@briankrebs [118]). Why, though? Is this a flex in the early days of the Biden admin to test their resolve? Is it an out of control cybercrime gang? Contractors gone wild? pic.twitter.com/cA4lkS4stg [119]
— Chris Krebs (@C_C_Krebs) March 6, 2021 [120]
...
But it isn’t just the automatable nature of this hacking technique that makes it so scary. It’s also the fact that the hackers could leverage their complete control over the Exchange server to compromise the Active Directory servers, which potentially gives them the opportunity to conduct a “golden ticket” attack on Active Directory and grant themselves super-user privileges. That’s the highest level. This is a potentially devastating hack. Complete control is an apt description of what it can confer. Thanks in part to a lot of Microsoft exploits:
...
The Microsoft Exchange vulnerability gives hackers full access to Microsoft Exchange servers which in turn can be leveraged to compromise Active Directory servers. “Once you compromise Active Directory, you can go after anything you want,” said Srikant Vissamsetti, senior VP of engineering at Attivo Networks, a cybersecurity vendor. “You get the keys to the kingdom.”
...
Patching the Microsoft Exchange server is not enough if an organization has been compromised.
Enterprises can look for indicators of compromise in log files, but smart attackers may erase those traces as well.
Then, attackers may have installed back doors or created accounts for themselves with high levels of access, or even conducted a “golden ticket” attack on Active Directory.
“Once you have a golden ticket attack, you pretty much have to start over,” said Vissamsetti. “Changing passwords is not sufficient. They’ve got a super admin.”
And the possibilities for damage are nearly endless, he added.
...
It’s also worth noting another potentially devastating aspect of this nightmare and the fact that super-user admin privileges can be obtained by the hackers: data centers running Microsoft Exchange servers may have those super-user admin privileges stolen too. And that potentially threatens all the data in that data center:
...
Data center providers that offer managed servers to clients are particularly vulnerable, because if they themselves use a vulnerable Microsoft Exchange server and their environment is compromised, client infrastructure could potentially be at risk, he added. This is where security approaches like zero trust and micro segmentation can be used to restrict lateral movement, he said.
...
Finally, and significantly, note how long this vulnerability has existed in Microsoft’s code: a decade! As one security expert astutely asks, “One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox”:
...
But the vulnerability has been present in the Microsoft Exchange codebase for a decade, said Ed Hunter, CISO at Infoblox, a cybersecurity company. “One has to wonder how long this vulnerability has been a closely held – and used – tool in this threat actor’s toolbox,” he told DCK.
...
For the last 10 years, anyone with access to that code could have potentially spotted this vulnerability. Keep this in mind when Microsoft assures us that the theft of its code by the SolarWinds hackers is of no consequence.
SolarWinds Sanctions Arrive. Along With a Lesson in How Attribution Works By CrowdStrike’s Adam Meyers: Surprise! It’s a Hunt for “Cultural Artifacts” ‘Accidentally’ Left Behind
In the span of just four months the world was introduced to the two largest hacks on record. Quite a few lessons were hopefully learned. And if we listen to Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike who led the SolarWinds investigation, it was a master class in hacking. That’s what Meyers expressed in a highly revealing NPR interview in April. A master class in how to obscure one’s tracks.
As we’ll see, Meyers gives us further confirmation of something that has long been clear but is rarely said out loud so plainly: contemporary cyberattribution really does rely heavily on ‘clues’ like Cyrillic or Mandarin characters in the code, and such ‘clues’ are frequently found. At least that’s how Adam Meyers, the vice president for threat intelligence at CrowdStrike, described his approach to determining the identity of the SolarWinds hackers. Meyers expresses dismay at how thorough the hackers were. Thorough in the sense that there was no ‘cultural artifact’ like Cyrillic or Mandarin. Meyers describes the lack of anything a human might have inadvertently left behind as a clue as “mind-blowing”. He described the tiny piece of malware used in the initial SolarWinds hack — distributed to all 18,000 clients via the Orion software — and its lack of clues as “the craziest f***ing thing I’d ever seen.” Take a moment to process that.
So this April update on the SolarWinds investigation includes an update on the general state of affairs in cyberattribution. A state of affairs where malware that’s cleaned and lacks a ‘cultural artifact’ is “the craziest f***ing thing I’d ever seen.” And yet, as we saw, there was virtually no hesitancy in attributing the hack to ‘Cozy Bear’/APT29/‘Nobelium’. This is a good time to recall that the story of the Shadow Brokers and the CIA’s hacking toolkit that included features like leaving Cyrillic or Mandarin characters to leave a false lead [6] was confirmed just four years ago.
Oh, and the US government was ready to announce sanctions against Russia for the hack. So at the same time sanctions were announced, we got an interview that further confirmed the cyberattribution industry is predicated on lunatic assumptions. It really does seem to be the case that everyone really is playing dumb here. Double yikes. [7]:
National Public Radio
A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack
Dina Temple-Raston
April 16, 2021 10:05 AM ET
“This release includes bug fixes, increased stability and performance improvements.”
The routine software update may be one of the most familiar and least understood parts of our digital lives. A pop-up window announces its arrival and all that is required of us is to plug everything in before bed. The next morning, rather like the shoemaker and the elves, our software is magically transformed.
Last spring, a Texas-based company called SolarWinds made one such software update available to its customers. It was supposed to provide the regular fare — bug fixes, performance enhancements — to the company’s popular network management system, a software program called Orion that keeps a watchful eye on all the various components in a company’s network. Customers simply had to log into the company’s software development website, type a password and then wait for the update to land seamlessly onto their servers.
The routine update, it turns out, is no longer so routine.
Hackers believed to be directed by the Russian intelligence service, the SVR, used that routine software update to slip malicious code into Orion’s software and then used it as a vehicle for a massive cyberattack against America.
“Eighteen thousand [customers] was our best estimate of who may have downloaded the code between March and June of 2020,” Sudhakar Ramakrishna, SolarWinds president and CEO, told NPR. “If you then take 18,000 and start sifting through it, the actual number of impacted customers is far less. We don’t know the exact numbers. We are still conducting the investigation.”
On Thursday, the Biden administration announced a roster of tough sanctions [123] against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach.
NPR’s months-long examination of that landmark attack — based on interviews with dozens of players from company officials to victims to cyber forensics experts who investigated, and intelligence officials who are in the process of calibrating the Biden administration’s response — reveals a hack unlike any other, launched by a sophisticated adversary who took aim at a soft underbelly of digital life: the routine software update.
By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.
For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.
The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it. “The speed with which an actor can move from espionage to degrading or disrupting a network is at the blink of an eye,” one senior administration official said during a background briefing from the White House on Thursday. “And a defender cannot move at that speed. And given the history of Russia’s malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern.”
“The tradecraft was phenomenal”
Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.
“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”
When cybersecurity experts talk about harm, they’re thinking about something like what happened in 2017, when the Russian military launched a ransomware attack known as NotPetya. It, too, began with tainted software, but in that case the hackers were bent on destruction. They planted ransomware that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers. Even this much later, it is considered the most destructive and costly cyberattack [124] in history.
Intelligence officials worry that SolarWinds might presage something on that scale. Certainly, the hackers had time to do damage. They roamed around American computer networks for nine months, and it is unclear whether they were just reading emails and doing the things spies typically do, or whether they were planting something more destructive for use in the future.
“When there’s cyber-espionage conducted by nations, FireEye is on the target list,” Kevin Mandia, CEO of the cybersecurity firm FireEye, told NPR, but he believes there are other less obvious targets that now might need more protecting. “I think utilities might be on that list. I think health care might be on that list. And you don’t necessarily want to be on the list of fair game for the most capable offense to target you.”
The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.
“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”
Like razor blades in peanut butter cups
Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.
“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”
The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.”
The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”
After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.
To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.
They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.
Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.
They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.
But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
The technique reminded Meyers of old fears around trick-or-treating. For decades, there had been an urban myth that kids couldn’t eat any Halloween candy before checking the wrapper seal because bad people might have put razor blades inside. What the hackers did with the code, Meyers said, was a little like that.
“Imagine those Reese’s Peanut Butter Cups going into the package and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese’s Peanut Butter Cup,” he said. Instead of a razor blade, the hackers swapped the files so “the package gets sealed and it goes out the door to the store.”
The update that went out to SolarWinds’ customers was the dangerous peanut butter cup — the malicious version of the software included code that would give the hackers unfettered, undetected access to any Orion user who downloaded and deployed the update and was connected to the Internet.
But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet.
Picking and choosing targets
Meyers said it’s hard not to admire just how much thought the hackers put into this operation. Consider the way they identified targets. The downside of breaking into so many customer networks all at once is that it is hard to decide what to exploit first. So the hackers created a passive domain name server system that sent little messages with not just an IP address, which is just a series of numbers, but also with a thumbnail profile of a potential target.
“So they could then say, ‘OK, we’re going to go after this dot gov target or whatever,’ ” Meyers said. “I think later it became clear that there were a lot of government technology companies being targeted.”
The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.
“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”
None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”
“Upwards of 90[%] to 95% of threats are based on known techniques, known cyberactivity,” Krebs explained. “And that’s not just criminal actors, that’s state actors, too, including the Russian intelligence agencies and the Russian military. This was a previously unidentified technique.”
And there is something else that Einstein doesn’t do: It doesn’t scan software updates. So even if the hackers had used code that Einstein would have recognized as bad, the system might not have seen it because it was delivered in one of those routine software updates.
The National Security Agency and the military’s U.S. Cyber Command were also caught flat-footed. Broadly speaking, their cyber operators sit in foreign networks looking for signs of cyberattacks before they happen. They can see suspicious activity in much the same way a satellite might see troops amassing on the border. Critics said they should have seen the hackers from the Russian intelligence service, the SVR, preparing this attack.
“The SVR has a pretty good understanding that the NSA is looking out,” Krebs said. “What the SVR was able to do was make the transition from wherever they were operating from into the U.S. networks. They move like ghosts. They are very hard to track.”
The hackers didn’t do anything fancy to give them the domestic footprint, officials confirmed. In fact, they just rented servers from Amazon and GoDaddy.
Early warnings
There were some indications, elsewhere, though, that something was wrong.
In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.”
Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.
That was the first missed sign.
The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.
In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.
Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts [125] and wrote: “I’m afraid this is all we have to help at this time.”
“Just 3,500 lines long”
It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work.
The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.
Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”
He called a board meeting the same day. “It just felt like the breach that I was always worried about.”
What his team discovered over the course of several weeks was that not only was there an intruder in its network, but someone had stolen the arsenal of hacking tools FireEye uses to test the security of its own clients’ networks. FireEye called the FBI, put together a detailed report, and once it had determined the Orion software was the source of the problem, it called SolarWinds.
Brown, vice president of security at SolarWinds, took the Saturday morning phone call. “He said, ‘Essentially, we’ve decompiled your code. We found malicious code,’ ” Brown said. FireEye was sure SolarWinds “had shipped tainted code.”
The tainted code had allowed hackers into FireEye’s network, and there were bound to be others who were compromised, too. “We were hearing that different reporters had the scoop already,” Mandia said. “My phone actually rang from a reporter and that person knew and I went, OK, we’re in a race.”
Mandia thought they had about a day before the story would break.
After that, events seemed to speed up. SolarWinds’ chief security officer, Brown, called Ron Plesco, a lawyer at the firm DLA Piper, and told him what had happened. One of the first things companies tend to do after cyberattacks is hire lawyers, and they put them in charge of the investigation. They do this for a specific reason — it means everything they find is protected by attorney-client privilege and typically is not discoverable in court.
Plesco, who has made cybercrimes a specialty of his practice, knew that once the story broke it would be saying “to the world that, ready, set, go, come after it,” Plesco said. “So that puts you on an accelerated timeline on two fronts: Figure out what happened if you can and get a fix out as soon as possible.”
The company worked with DHS to craft a statement [126] that went out on Dec. 13.
To investigate a hack, you have to secure a digital crime scene. Just as detectives in the physical world have to bag the evidence and dust for prints for the investigation later, SolarWinds had to pull together computer logs, make copies of files, ensure there was a recorded chain of custody, all while trying to ensure the hackers weren’t inside its system watching everything they did.
“I’ve been in situations where, while you’re in there doing the investigation, they’re watching your email, they’re compromising your phone calls or your Zooms,” Plesco said. “So they’re literally listening in on how you’re going to try to get rid of them.”
By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.
Little blobs of clues
Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.
After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could all watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.
But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”
Holy s***, he thought to himself, who does that?
...
Bigger attacks
“It’s one of the most effective cyber-espionage campaigns of all time,” said Alex Stamos, director of the Internet Observatory at Stanford University and the former head of security at Facebook. “In doing so, they demonstrated not just technical acumen, but the way they did this demonstrated that they understand how tech companies operate, how software companies operate. ... This certainly is going to change the way that large enterprises think about the software they install and think about how they handle updates.”
Intelligence analysts, already years ahead of the rest of us, are paid to imagine the darkest of scenarios. What if the hackers planted the seeds of future attacks during that nine months they explored SolarWinds’ customer networks — did they hide code for backdoors that will allow them to come and go as they please at a time of their choosing? When hackers shut down the Ukraine’s power grid in 2015 and disabled a Saudi refinery with computer code a year later, they showed it was possible to jump from a corporate network to system controls. Will we find out later that the SolarWinds hack set the stage for something more sinister?
Even if this was just an espionage operation, FireEye’s Mandia said, the attack on SolarWinds is an inflection point. “We ... kind of mapped out the evolution of threats and cyber,” he said. “And we would have landed at this day sooner or later, that at some point in time, software that many companies depend on is going to get targeted and it’s going to lead to exactly what it led to,” Mandia said. “But to see it happen, that’s where you have a little bit of shock and surprise. OK, it’s here now, nations are targeting [the] private sector, there’s no magic wand you can shake. ... It’s a real complex issue to solve.”
...
“This was an intelligence collection operation meant to steal information, and it’s not the last time that’s going to happen,” CrowdStrike’s Meyers warned. “This is going to happen every day. ... And I think there’s a lot that we all need to do to work together to stop this from happening.”
———–
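The build-step substitution the NPR excerpt above describes (a code audit, then a file swapped at the moment the compiler reads it) is exactly the window that a hash manifest taken at audit time and re-checked per file at compile time closes. The following is an added example written for this post, not code from NPR, SolarWinds or CrowdStrike; every path, file body and the toy “compiler” are constructed stand-ins.

```python
"""
Added illustration (not code from the NPR article, SolarWinds or CrowdStrike).

The excerpt describes a pre-build code audit followed by a swap of a temporary
file at the moment the compiler read the source. This models that window and
shows the defender-side check that closes it: a SHA-256 manifest of every
source file taken at audit time, re-verified for each file immediately before
it is compiled. All paths, file contents and the "compiler" are constructed
stand-ins for illustration.
"""
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the audited checkout: path -> source text.
AUDITED_SOURCES: Dict[str, str] = {
    "Orion/Core/Config.cs": "class Config { int Load() { return 0; } }",
    "Orion/Core/Inventory.cs": "class Inventory { void Refresh() { } }",
    "Orion/Core/Scheduler.cs": "class Scheduler { void Run() { } }",
}

# Constructed stand-in for content substituted while the compiler runs.
SWAPPED_PATH = "Orion/Core/Config.cs"
SWAPPED_BODY = "class Config { int Load() { Extra(); return 0; } }"


class IntegrityError(Exception):
    """Raised when a file handed to the compiler no longer matches the audit."""


def sha256_text(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_manifest(sources: Dict[str, str]) -> Dict[str, str]:
    """Snapshot taken when the audit finishes: path -> SHA-256 of content."""
    return {path: sha256_text(body) for path, body in sources.items()}


def clean_reader(sources: Dict[str, str]) -> Callable[[str], str]:
    """What the compiler reads when nothing interferes with the build."""
    return lambda path: sources[path]


def swapping_reader(sources: Dict[str, str], swap_path: str,
                    swap_body: str) -> Callable[[str], str]:
    """Models the substitution: the audited content is visible everywhere
    except for one path, which yields different content at read time."""
    def read(path: str) -> str:
        return swap_body if path == swap_path else sources[path]
    return read


def compile_unit(path: str, body: str) -> str:
    """Stand-in for compilation: an 'object file' named by its input hash."""
    return f"{path}.o:{sha256_text(body)[:16]}"


def naive_build(manifest: Dict[str, str],
                read_file: Callable[[str], str]) -> List[str]:
    """The audit already happened; the build trusts whatever it reads now."""
    return [compile_unit(path, read_file(path)) for path in sorted(manifest)]


def checked_build(manifest: Dict[str, str],
                  read_file: Callable[[str], str]) -> List[str]:
    """Re-verify each file against the audit manifest right before compiling
    it, so a change made after the audit cannot reach the shipped artifact."""
    objects = []
    for path in sorted(manifest):
        body = read_file(path)
        if sha256_text(body) != manifest[path]:
            raise IntegrityError(f"{path}: content differs from audited manifest")
        objects.append(compile_unit(path, body))
    return objects


def find_tampered(manifest: Dict[str, str],
                  read_file: Callable[[str], str]) -> List[str]:
    """Paths whose compile-time content no longer matches the audit."""
    return [p for p in sorted(manifest) if sha256_text(read_file(p)) != manifest[p]]


def build_outcome(manifest: Dict[str, str],
                  read_file: Callable[[str], str]) -> str:
    """'shipped' if the checked build completed, else 'blocked: <reason>'."""
    try:
        checked_build(manifest, read_file)
        return "shipped"
    except IntegrityError as err:
        return f"blocked: {err}"


if __name__ == "__main__":
    manifest = build_manifest(AUDITED_SOURCES)
    good = clean_reader(AUDITED_SOURCES)
    bad = swapping_reader(AUDITED_SOURCES, SWAPPED_PATH, SWAPPED_BODY)
    # The naive build ships a different artifact and never notices.
    print("naive build differs:", naive_build(manifest, bad) != naive_build(manifest, good))
    print("tampered files:", find_tampered(manifest, bad))
    print("checked build:", build_outcome(manifest, bad))
```

The same manifest can be compared against the hashes embedded in the final signed package, so that a signature only attests to what was audited rather than to whatever the compiler happened to read.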
“The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.”
A hacker master class. They were so smooth they wiped the crime scene of any evidence that could definitively prove who did it. The US government nonetheless has said unequivocally that Russian intelligence was behind the hack. Without delay. Funny how that works.
And with that unequivocal attribution came new US sanctions against Russia in retaliation for a hack that was so massive even the Cybersecurity and Infrastructure Security Agency got hacked:
...
On Thursday, the Biden administration announced a roster of tough sanctions [123] against Russia as part of what it characterized as the “seen and unseen” response to the SolarWinds breach....
For that reason, Ramakrishna figures the Russians successfully compromised about 100 companies and about a dozen government agencies. The companies included Microsoft, Intel and Cisco; the list of federal agencies so far includes the Treasury, Justice and Energy departments and the Pentagon.
The hackers also found their way, rather embarrassingly, into the Cybersecurity and Infrastructure Security Agency, or CISA — the office at the Department of Homeland Security whose job it is to protect federal computer networks from cyberattacks.
...
And note who led this investigation into the SolarWinds hack: Adam Meyers, the vice president for threat intelligence at the cybersecurity firm CrowdStrike. Our understanding of the SolarWinds hack is largely controlled by CrowdStrike, the firm that pioneered the contemporary “pattern recognition” cyberattribution paradigm [1]. It’s one of the many clues that this investigation is compromised:
...
Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius.
“It’s really your worst nightmare,” Tim Brown, vice president of security at SolarWinds, said recently. “You feel a kind of horror. This had the potential to affect thousands of customers; this had the potential to do a great deal of harm.”
...
“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”
Like razor blades in peanut butter cups
Meyers is the vice president for threat intelligence at the cybersecurity firm CrowdStrike, and he’s seen epic attacks up close. He worked on the 2014 Sony hack, when North Korea cracked into the company’s servers and released emails and first-run movies. A year later, he was on the front lines when a suspected Kremlin-backed hacking team known as “Cozy Bear” stole, among other things, a trove of emails from the Democratic National Committee. WikiLeaks then released them in the runup to the 2016 election.
“We’re involved in all kinds of incidents around the globe every day,” Meyers said. Typically he directs teams, he doesn’t run them. But SolarWinds was different: “When I started getting briefed up, I realized [this] was actually quite a big deal.”
...
So what kind of evidence would have revealed the identities of these hackers, the evidence Meyers and the other people working on this case were looking for but never found? This is the part of the article where we get confirmation that it’s as stupid as we should have suspected. Because in the words of Meyers, a big part of what they found really frustrating — and shocking — about this case was the lack of ‘a big reveal’ that suddenly makes clear who was behind it. What kind of ‘big reveal’? As Meyers put it, “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing.” That’s what counts as a ‘big reveal’ for the CrowdStrike figure leading the investigation. The most obvious, easily planted ‘clues’. That’s what they were keenly looking out for in order to confidently make an attribution. But these devious super-hackers managed to ‘wash the code’ of any human artifact, a move described as “mind-blowing” by Meyers. It’s that stupid.
It’s also the kind of anecdote that doesn’t just raise massive questions about the veracity of the SolarWinds investigation but about basically every other cyber investigation taking place these days. Could the entire industry be operating in this manner? Making conclusions based on a Cyrillic or Mandarin ‘big reveal’? Even after the Vault7 leak in 2017 demonstrated to the world that the CIA uses hacking tools built to leave ‘clues’ like Cyrillic and Mandarin characters [6]? It really is playing dumb professionally.
Don’t forget that businesses like CrowdStrike and FireEye aren’t just paid to remove malware and protect networks. Ideally, they’re paid to name culprits too. Keep that in mind when assessing the credibility of this investigation. But also keep in mind that it was CrowdStrike that blazed the trail in the cyberattribution industry over the last decade of simply naming nation-states like China or Russia as the culprit for hacks without evidence, as a means of addressing the fact that hacks are the type of crime that criminals can, in theory, execute in a fool-proof manner without leaving evidence [1]. Confidently declaring that a geopolitical adversary like Russia, China, or North Korea was behind a hack based on ‘pattern recognition’ and ‘educated guesses’ is as good a service as the cybersecurity industry can provide. Cyberattributions are a real geopolitical tool/weapon and these companies offer those attributions as a commercial service. So that’s the service the world is getting: educated guesses passed off as confident attributions based on ‘big reveal’ clues like Mandarin or Cyrillic in the code. Yes, that stupid. Professionally.
Also keep in mind that when CrowdStrike’s Adam Meyers marveled at how these hackers left no trace of Cyrillic or Mandarin, he was marveling over that intentionally compact 3,500-line piece of code. As if they were going to put the ‘big reveal’ in their ultra-compact code. It raises the question of how often cybersecurity companies like CrowdStrike or FireEye really do find a ‘big reveal’ like Cyrillic or Mandarin in the code of malware they’re investigating. Because it wouldn’t be surprising if hackers just routinely slip that in there at this point. Why not? It’s a surefire way to ensure your hack will get blamed on Russia or China. Maybe Iran if you use Persian. The folks at CrowdStrike will clearly be swayed by your ‘big reveal’ clues:
...
It was the cybersecurity firm FireEye that finally discovered the intrusion. Mandia, the company’s CEO, used to be in the U.S. Air Force Office of Special Investigations, so his specialty was criminal cases and counterintelligence. In the intervening years, the kinds of patterns he learned to recognize in special investigations kept appearing in his cyber security work. The first indication that hackers had found their way into FireEye’s networks came in an innocuous way. Someone on the FireEye security team had noticed that an employee appeared to have two phones registered on his network, so she called him. “And that phone call is when we realized, hey, this isn’t our employee registering that second phone, it was somebody else,” Mandia said.
Mandia had a security briefing a short time later and everything he heard reminded him of his previous work in the military. “There was a lot of pattern recognition from me,” he told NPR. “I spent from 1996 to 1998 responding to what I would equate to the Russian Foreign Intelligence Service, and there were some indicators in the first briefing that were consistent with my experience in the Air Force.”
He called a board meeting the same day. “It just felt like the breach that I was always worried about.”
...
By mid-January, Meyers and the CrowdStrike team had isolated what they thought was the attack’s tiny beating heart. It was an elegant, encrypted little blob of code “just 3,500 lines long,” he said. The best code is short and to the point, like a well-written sentence. This little encrypted strip, Meyers thought, might help them figure out who was behind the attack.
Little blobs of clues
Think of forensic cyber teams as digital detectives looking for patterns. Coding tics can sometimes help identify perpetrators or sometimes forensic teams find small cultural artifacts — such as Persian script, or Korean hangul. When an elite Russian hacking team took over the electrical grid in Ukraine in 2015, it had more literary aspirations: It sprinkled its malicious code with references to Frank Herbert’s Dune novels. That’s why CrowdStrike found that little blob of malicious code so intriguing.
After weeks of working with the code, Meyers convened a Zoom call with leaders at SolarWinds and members of his team from around the world. He shared his screen so everyone could all watch the encryption fall away in real time. He began walking the spectators through the code as it was revealed, like a play-by-play analysis of a game. Meyers kept watching for the big reveal. “We’re hoping it’s going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin to give us some clue who wrote this thing,” he said.
But as CrowdStrike’s decryption program chewed its way through the zeroes and ones, Meyers’ heart sank. The crime scene was a bust. It had been wiped down. “They’d washed the code,” Meyers said. “They’d cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that [they] had the wherewithal to hide anything that a human might have inadvertently left behind as a clue.”
Holy s***, he thought to himself, who does that?
...
Now, it’s worth pointing out that there actually have been some Russian-language artifacts apparently left by the SolarWinds hackers. That was in a report published by the cybersecurity company Prodaft, which analyzed a command-and-control (C&C) server used in the SolarWinds hack. On that server they found an organization management forum used by the teams of hackers, where various hacked targets were discussed for their potential value. Keep in mind that roughly 18,000 organizations received the trojanized update at once, so whoever pulled this off probably really did have teams of hackers coordinating their efforts somewhere. In that report, where they call the group “SilverFish” instead of Nobelium, they state: “When taking its first look inside the C&C server, the PTI Team observed that main dashboard of the SilverFish C&C panel features a section named “Active Teams”, involving several comments entered by different user groups such as Team 301, Team 302, etc. Such a design indicates that this infrastructure is meant for multiple teams. Most comments entered by attackers for each victim are mostly in English and Russian and include urban slang.” [127] So we can actually state that the hackers did leave behind English and Russian in their team organization software. And given how important these kinds of ‘clues’ are in making attributions, it wouldn’t be surprising if those Russian comments on that server are a major part of what the ‘Russia did it’ attribution is based on. But it was the kind of evidence the hackers had to realize was left out in the open, at least once the server was seized by authorities, a scenario they had to realize was very possible. It happened, after all. Keep in mind this was the biggest hack ever and these are clearly experienced hackers.
They must realize command-and-control servers can be found by investigators, which means comments made on that forum would be written with the knowledge that artifacts like the language used could later be used for attribution. These kinds of ‘clues’ play a huge role in modern cyberattribution, as Meyers made abundantly clear with his dismay at the lack of a ‘cultural artifact’ to base his attribution on. And as the CIA’s hacking tool-kit, with its Russian and Chinese language artifact-leaving features, exposed by the Vault7 leak made abundantly clear [128]. These little language clues are stupidly taken very seriously and the cyberattribution industry doesn’t even hide it. So did the super sophisticated hacking group that pulled off the biggest hack ever leave their Russian-language clues consciously or without realizing it? We are being asked to believe the latter, although it’s not actually clear whether the Russian-language comments on that command-and-control forum were the primary basis for attributing the SolarWinds hack to Russia (as opposed to China), because we still have no idea what the attribution was ultimately based on. It’s faith-based.
But there are technical details about the attack that are more than just speculation: We are told that the attack effectively began on September 12, 2019, when someone executed a proof-of-concept trial run that merely injected an innocuous snippet of code into the SolarWinds update package. The hackers were testing whether code could be inserted into the next SolarWinds update and distributed to customer networks without SolarWinds detecting it, and they accomplished this by injecting the code at the last possible opportunity, during compilation, which bypassed the standard measures SolarWinds used to ensure only the intended code is delivered to its thousands of customers. Because the swap happened after the source had been audited and before the finished build was signed, the checked-in source looked clean and the shipped update carried a valid signature. It was a successful proof-of-concept test. The innocuous update was delivered to SolarWinds’s clients around the world. Five months later, in February 2020, the hackers returned to repeat the trick with malicious code: a compact 3,500-line payload that introduced a remotely accessible backdoor into the SolarWinds software running on clients’ systems. That’s how the hack of SolarWinds became the mega-hack of thousands of corporations and government agencies. The only things holding the hackers back were too many opportunities and too little time.
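To make that mechanism concrete, here is an added example in Python (not code from the original post, from SolarWinds or from CrowdStrike) that models the pipeline in miniature: the vendor audits the checked-in source, compiles it, then signs the result. An attacker hook that feeds the compiler a doctored file while leaving the repository untouched passes the source audit and still ends up under a valid signature, because the seal is applied after the build. The closing check, an independent rebuild from the same source on a clean host compared against the shipped artifact, is the reproducible-build style control that catches the swap. The toy compiler, the HMAC stand-in for a code-signing certificate, the file name and the `Backdoor()` marker are all assumptions made for illustration.

```python
"""Added example (not from the original post, SolarWinds or CrowdStrike):
a toy model of build-time source substitution and the rebuild check that
catches it. The toy compiler, the HMAC signing stand-in and the file
name are assumptions made for illustration only."""
import hashlib
import hmac

# Constructed sample: the source exactly as it sits in the repository.
REPO_SOURCE = {
    "OrionCore.cs": "class OrionCore { void Run() { Monitor(); } }",
}
SIGNING_KEY = b"release-signing-key"  # stand-in for the code-signing cert


def source_digest(files: dict) -> str:
    """Pre-build source audit: hash every checked-in file in a stable order."""
    h = hashlib.sha256()
    for name in sorted(files):
        h.update(name.encode())
        h.update(files[name].encode())
    return h.hexdigest()


def compile_sources(files: dict, read_file=None) -> bytes:
    """Toy compiler. `read_file` models the compiler reading each file
    from disk at compile time, which is the hook point the attack uses."""
    read_file = read_file or (lambda name: files[name])
    out = b""
    for name in sorted(files):
        out += hashlib.sha256(read_file(name).encode()).digest()
    return out


def sign(artifact: bytes) -> bytes:
    """Signing happens after compilation, so it seals whatever the
    compiler produced, tampered or not."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def verify(artifact: bytes, sig: bytes) -> bool:
    """What a customer's installer checks: is the seal intact?"""
    return hmac.compare_digest(sign(artifact), sig)


def release_build(files: dict, read_file=None):
    """Vendor pipeline: audit the source, compile it, sign the output."""
    audit = source_digest(files)
    artifact = compile_sources(files, read_file)
    return audit, artifact, sign(artifact)


def tampering_reader(files: dict):
    """Attacker's hook: serve a doctored file to the compiler only,
    leaving the checked-in source (and its audit hash) untouched."""
    def read_file(name):
        text = files[name]
        if name == "OrionCore.cs":
            text = text.replace("Monitor();", "Monitor(); Backdoor();")
        return text
    return read_file


def reproducible_build_check(files: dict, shipped_artifact: bytes) -> bool:
    """Independent rebuild from the same repository snapshot on a clean
    host. It matches only if the shipped build came from the audited source."""
    return compile_sources(files) == shipped_artifact


def demo() -> dict:
    clean_audit, clean_art, _ = release_build(REPO_SOURCE)
    bad_audit, bad_art, bad_sig = release_build(
        REPO_SOURCE, tampering_reader(REPO_SOURCE))
    return {
        # the source audit sees identical, clean source both times
        "source_audit_unchanged": clean_audit == bad_audit,
        # the tampered artifact carries a perfectly valid signature
        "tampered_signature_valid": verify(bad_art, bad_sig),
        # yet the shipped bytes differ from an honest build
        "artifact_differs": clean_art != bad_art,
        "rebuild_accepts_clean": reproducible_build_check(REPO_SOURCE, clean_art),
        "rebuild_rejects_tampered": not reproducible_build_check(REPO_SOURCE, bad_art),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point the first two results make is the one Meyers describes: a source-level audit and a post-build signature both pass, because neither looks at what the compiler actually consumed. Only comparing the shipped artifact against a second, independent build from the same source exposes the substitution.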
So we have a decent understanding of how this attack worked technically and when it happened, but no clue who did it. No ‘big reveal’ clue was left in the code, and they somehow managed to avoid leaving any Cyrillic or Mandarin elsewhere on the SolarWinds network during the long period when the hackers clearly had deep access. But despite all that, they’re pretty sure it was Russia. It’s how cyberattribution works in the modern age. Gut feelings about the culprit. Reading the digital tea leaves, arriving at a gut feeling about the culprit and then confidently declaring it to the world. Or just making it up and confidently declaring it to the world. Confident declarations are the important part. The underlying facts the declarations are based on, not so much:
...
The attack began with a tiny strip of code. Meyers traced it back to Sept. 12, 2019. “This little snippet of code doesn’t do anything,” Meyers said. “It’s literally just checking to see which processor is running on the computer, if it is a 32- or 64-bit processor and if it is one or the other, it returns either a zero or a one.” The code fragment, it turns out, was a proof of concept — a little trial balloon to see if it was possible to modify SolarWinds’ signed-and-sealed software code, get it published and then later see it in a downloaded version. And they realized they could. “So at this point, they know that they can pull off a supply chain attack,” Meyers said. “They know that they have that capability.”
After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.
To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.
They began by implanting code that told them any time someone on the SolarWinds development team was getting ready to build new software. They understood that the process of creating software or an update typically begins with something routine such as checking a code out of a digital repository, sort of like checking a book out of the library.
Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.
They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.
But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.
...
Then there’s the ominous observation about the malware that surreptitiously slipped the backdoor into the Orion client update: the malware that added the backdoor at the last moment during compilation “could have been reconfigured for any number of software products” that rely on the same compiler, raising the distinct possibility of this same attack being used against other software developers. All the hackers would need is access to the developers’ computers while they compile their code. And what did they gain from the SolarWinds hack? Backdoors onto the network of every SolarWinds client. In other words, not only can the hackers use this same compiler trick to embed backdoors in other developers’ software, but the SolarWinds hack handed them the incredible opportunity to do exactly that. Thousands of SolarWinds clients were undoubtedly developing their own software using the same compiler, and the hackers could have deployed the same trick. Maybe they embed a backdoor. Maybe something else. It’s an ominous observation and part of the reason the identity of the real hackers really is a serious global concern. Whoever did this had the opportunity to plant the seeds of something orders of magnitude more devastating, involving a wide array of software tools being developed around the world:
...
But there was something else about that code that bothered Meyers: It wasn’t just for SolarWinds. “When we looked at [it], it could have been reconfigured for any number of software products,” Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don’t know it yet....
The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion’s syntax and formats. What that did is allow the hackers to look like they were “speaking” Orion, so their message traffic looked like a natural extension of the software.
“So once they determined that a target was of interest, they could say, ‘OK, let’s go active, let’s manipulate files, let’s change something,’ ” Meyers said, and then they would slip in unnoticed through the backdoor they had created. “And there is one other thing I should mention: This backdoor would wait up to two weeks before it actually went active on the host. This was a very patient adversary.”
None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS’ current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just “too novel.”
...
And note the timing here in the lead-up to SolarWinds’s December 13, 2020 public acknowledgment of the hack: We are told the first clue came in early July 2020, when Volexity found suspicious activity on a client’s computer and traced it back to a SolarWinds update. We’re then told the second clue came three months later, when Palo Alto Networks contacted SolarWinds about a malicious backdoor that appeared to emanate from the Orion software. SolarWinds then tells us it worked with Palo Alto Networks for another three months before giving up and closing the ticket. If that’s all true, the ticket must have been closed within days of FireEye contacting SolarWinds about its ominous discovery, if not after it. Early July plus three months puts the Palo Alto Networks call in early October; another three months puts the ‘giving up’ point in early January 2021, which is after the December 13 disclosure. Even reading each ‘three months’ loosely as ten weeks lands the closing in late November at the earliest. So when exactly did that ticket get closed in relation to FireEye’s tip about the larger hack? SolarWinds didn’t tell us and Palo Alto Networks isn’t talking:
...
In early July, Steven Adair, the founder of a Washington, D.C.-based cybersecurity company called Volexity, saw some suspicious activity on a client’s computers. “We traced it back, and we thought it might be related to a bad update with SolarWinds,” Adair told NPR. “We addressed the problem, made sure no one was in our customers’ systems, and we left it at that.” Adair said he didn’t feel he had enough detail to report the problem to SolarWinds or the U.S. government. “We thought we didn’t have enough evidence to reach out,” he said.
That was the first missed sign.
The second came three months later when a California-based cybersecurity company called Palo Alto Networks discovered a malicious backdoor that seemed to emanate from the Orion software.
In that case, according to SolarWinds’ Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. “None of us could pinpoint a supply chain attack at that point,” Ramakrishna told NPR. “The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back” to the hack.
Palo Alto Networks had agreed to speak to NPR about the incident last month and then canceled the interview just an hour before it was supposed to take place. A spokesperson declined to say why and sent a few blog posts [125] and wrote: “I’m afraid this is all we have to help at this time.”
...
All in all, it’s hard to say that NPR piece should make readers feel confident hacks like this aren’t going to happen again. Even when the hack was detected on client systems and investigations were started, they still couldn’t find it. Only FireEye, itself a top-tier security firm, was able to detect it on its own systems, and all indications are the hack would be ongoing today had FireEye not found it.
The Atlantic Council Confirms The SolarWinds Hackers Could Spoof Microsoft Credentials. Microsoft Blames Clients
And just a week after that NPR piece, we got another big reminder that the SolarWinds hack wasn’t just a giant hack of the SolarWinds company. It was a giant hack of Microsoft’s products. That was the message in a new report put out by The Atlantic Council, which appeared to confirm what Microsoft had long been denying: once the hackers used those backdoors to gain access to victims’ networks, they went on to exploit further vulnerabilities. In particular, Microsoft vulnerabilities involving how Microsoft products validate user identities. Now, part of the reason Microsoft vulnerabilities were heavily targeted is, well, that these vulnerabilities exist. But as the report notes, the other big reason Microsoft was targeted so heavily is that Microsoft has more than 85% market share in government and industry. In other words, the juiciest targets, especially government agencies, were almost all running Microsoft tools on their networks.
So what was Microsoft’s response to the Atlantic Council report? Microsoft continued to deflect blame, suggesting that clients’ poorly configured software was the cause. But according to Senator Ron Wyden, the software Microsoft supplies to US federal agencies is itself poorly configured, with default log settings that won’t capture the information needed to catch attacks while they’re in progress. As we can see, the SolarWinds blame game is increasingly becoming Microsoft vs the World [38]:
Associated Press
SolarWinds hacking campaign puts Microsoft in the hot seat
By FRANK BAJAK
April 23, 2021
BOSTON (AP) — The sprawling hacking campaign [129] deemed a grave threat to U.S. national security came to be known as SolarWinds, for the company whose software update was seeded by Russian intelligence agents with malware to penetrate sensitive government and private networks.
Yet it was Microsoft whose code the cyber spies persistently abused in the campaign’s second stage, rifling through emails and other files of such high-value targets as then-acting Homeland Security chief Chad Wolf — and hopping undetected among victim networks.
This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.
Seeking to assuage concerns, Microsoft this past week offered all federal agencies a year of “advanced” security features at no extra charge. But it also seeks to deflect blame, saying it is customers who do not always make security a priority.
Risks in Microsoft’s foreign dealings also came into relief when the Biden administration imposed sanctions [130] Thursday on a half-dozen Russian IT companies it said support Kremlin hacking. Most prominent was Positive Technologies, which was among more than 80 companies that Microsoft has supplied with early access to data on vulnerabilities detected in its products. Following the sanctions announcement, Microsoft said Positive Tech was no longer in the program and removed its name from a list of participants on its website.
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers.
The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture [131] — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. [132] That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products ‘vacuuming up emails and files from dozens of organizations.’”
Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, [133] an email security company.
The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.
Microsoft President Brad Smith told a February congressional hearing that just 15% of victims were compromised through an authentication vulnerability first identified in 2017 [134] — allowing the intruders to impersonate authorized users by minting the rough equivalent of counterfeit passports.
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D‑Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed.
“Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.
When Microsoft on Wednesday announced a year of free security logging for federal agencies, [135] for which it normally charges a premium, Wyden was not appeased.
“This move is far short of what’s needed to make up for Microsoft’s recent failures,” he said in a statement. “The government still won’t have access to important security features without handing over even more money to the same company that created this cybersecurity sinkhole.”
...
Even the highest level of logging doesn’t prevent break-ins, though. It only makes it easier to detect them.
And remember, many security professionals note, Microsoft was itself compromised [136] by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.
The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users’ email and other info.
Across the industry, Microsoft’s investments in security are widely acknowledged. It is often first to identify major cybersecurity threats, its visibility into networks is so great. But many argue that as the chief supplier of security solutions for its products, it needs to be more mindful about how much it should profit off defense.
“The crux of it is that Microsoft is selling you the disease and the cure,” said Marc Maiffret, a cybersecurity veteran who built a career finding vulnerabilities in Microsoft products and has a new startup in the works called BinMave.
Last month, Reuters reported that a $150 million payment to Microsoft for a “secure cloud platform” was included in a draft outline for spending the $650 million appropriated for the Cybersecurity and Infrastructure Security Agency in last month’s $1.9 trillion pandemic relief act.
A Microsoft spokesperson would not say how much, if any, of that money it would be getting, referring the question to the cybersecurity agency. An agency spokesman, Scott McConnell, would not say either. Langevin said he didn’t think a final decision has been made.
In the budget year ending in September, the federal government spent more than half a billion dollars on Microsoft software and services.
Many security experts believe Microsoft’s single sign-on model, emphasizing user convenience over security, is ripe for retooling to reflect a world where state-backed hackers now routinely run roughshod over U.S. networks.
Alex Weinert, Microsoft’s director of identity security, said it offers various ways for customers to strictly limit users’ access [137] to what they need to do their jobs. But getting customers to go along can be difficult because it often means abandoning three decades of IT habit and disrupting business. Customers tend to configure too many accounts with the broad global administrative privileges that allowed the SolarWinds campaign abuses, he said. “It’s not the only way they can do it, that’s for sure.”
In 2014–2015, lax restrictions on access helped Chinese spies steal sensitive personal data on more than 21 million current, former and prospective federal employees from the Office of Personnel Management. [138]
Curtis Dukes was the National Security Agency’s head of information assurance at the time.
The OPM shared data across multiple agencies using Microsoft’s authentication architecture, granting access to more users than it safely should have, said Dukes, now the managing director for the nonprofit Center for Internet Security.
“People took their eye off the ball.”
———–
“This has put the world’s third-most valuable company in the hot seat. Because its products are a de facto monoculture in government and industry — with more than 85% market share — federal lawmakers are insisting that Microsoft swiftly upgrade security to what they say it should have provided in the first place, and without fleecing taxpayers.”
If you want to hack the US government, be ready to hack Microsoft products. That’s the undeniable reality. Microsoft is basically the software supplier for the US government and other governments around the world. So it should come as no surprise that the second phase of the SolarWinds hack was basically the exploitation of weaknesses in Microsoft products once the hackers had access to client networks. In particular, weaknesses in Microsoft’s identity and access architecture, which validates users’ identities and grants them access to email, documents and other data. The SolarWinds hackers repeatedly impersonated legitimate users and created counterfeit credentials that let them grab data stored remotely by Microsoft Office. So the SolarWinds hack didn’t just involve pilfering victims’ own networks; it also reached the data those victims stored remotely through Microsoft Office. Those sound like some massive vulnerabilities. The SolarWinds hack wasn’t just the creation and exploitation of backdoors delivered to 18,000 client networks. It was the exploitation of the information those clients stored remotely via Microsoft Office too:
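As an added illustration (not from the original post, the AP or Microsoft), the following Python pass shows the check that makes a counterfeit credential visible. A federated sign-on token should appear twice: once in the identity provider’s own record of what it issued, and once in the cloud service’s record of what it accepted. A token minted directly with a stolen signing key carries a valid signature but shows up only in the second log, and in reported cases has tended to carry an unusually long validity window. Both logs below are constructed for the example, as are the field names and the one-hour lifetime policy.

```python
"""Added example, not code from the original post, the AP or Microsoft.
Cross-checks a cloud service's accepted-token log against the identity
provider's issuance log to surface tokens the IdP never issued, i.e.
minted directly with a stolen signing key. The logs, field names and
the one-hour lifetime policy are constructed assumptions for the demo."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample: what the identity provider (an on-premises
# federation server, say) recorded issuing.
IDP_ISSUED_LOG = """\
assertion_id,user,issued_at,expires_at
a-1001,alice@corp.example,2020-12-01T09:00:00,2020-12-01T10:00:00
a-1002,bob@corp.example,2020-12-01T09:05:00,2020-12-01T10:05:00
a-1003,alice@corp.example,2020-12-01T11:30:00,2020-12-01T12:30:00
"""

# Constructed sample: what the cloud service accepted. The last row was
# never issued by the IdP and claims a week-long validity window.
SP_ACCEPTED_LOG = """\
assertion_id,user,issued_at,expires_at,accepted_at,source_ip
a-1001,alice@corp.example,2020-12-01T09:00:00,2020-12-01T10:00:00,2020-12-01T09:00:04,198.51.100.10
a-1002,bob@corp.example,2020-12-01T09:05:00,2020-12-01T10:05:00,2020-12-01T09:05:02,198.51.100.11
a-1003,alice@corp.example,2020-12-01T11:30:00,2020-12-01T12:30:00,2020-12-01T11:30:03,198.51.100.10
a-7f3c,admin@corp.example,2020-12-01T09:10:00,2020-12-08T09:10:00,2020-12-01T09:10:01,203.0.113.7
"""

MAX_LIFETIME = timedelta(hours=1)  # assumed IdP token-lifetime policy


def parse_log(text: str) -> list:
    """Parse a CSV log into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def find_suspect_tokens(issued_log: str, accepted_log: str,
                        max_lifetime: timedelta = MAX_LIFETIME) -> list:
    """Return (assertion_id, user, reasons) for every accepted token that
    the IdP has no record of issuing, or whose validity window exceeds
    policy. A token is matched on both id and subject so that a stolen id
    replayed for a different user is still flagged."""
    issued = {(r["assertion_id"], r["user"]) for r in parse_log(issued_log)}
    findings = []
    for row in parse_log(accepted_log):
        reasons = []
        if (row["assertion_id"], row["user"]) not in issued:
            reasons.append("no matching issuance record at the IdP")
        lifetime = _ts(row["expires_at"]) - _ts(row["issued_at"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy {max_lifetime}")
        if reasons:
            findings.append((row["assertion_id"], row["user"], reasons))
    return findings


if __name__ == "__main__":
    for aid, user, why in find_suspect_tokens(IDP_ISSUED_LOG, SP_ACCEPTED_LOG):
        print(f"{aid} ({user}): " + "; ".join(why))
```

The signature check on the service side cannot catch this: the forged token is signed with the real key. What catches it is the discrepancy between the two sides of the trust relationship, which is why the issuance log on the federation server has to be collected and retained somewhere the intruder cannot quietly edit it.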
...
The SolarWinds hackers took full advantage of what George Kurtz, CEO of top cybersecurity firm CrowdStrike, called “systematic weaknesses” in key elements of Microsoft code to mine at least nine U.S. government agencies — the departments of Justice and Treasury, among them — and more than 100 private companies and think tanks, including software and telecommunications providers. The SolarWinds hackers’ abuse of Microsoft’s identity and access architecture [131] — which validates users’ identities and grants them access to email, documents and other data — did the most dramatic harm, the nonpartisan Atlantic Council think tank said in a report. [132] That set the hack apart as “a widespread intelligence coup.” In nearly every case of post-intrusion mischief, the intruders “silently moved through Microsoft products ‘vacuuming up emails and files from dozens of organizations.’”
Thanks in part to the carte blanche that victim networks granted the infected Solarwinds network management software in the form of administrative privileges, the intruders could move laterally across them, even jump among organizations. They used it to sneak into the cybersecurity firm Malwarebytes and to target customers of Mimecast, [133] an email security company.
The campaign’s “hallmark” was the intruders’ ability to impersonate legitimate users and create counterfeit credentials that let them grab data stored remotely by Microsoft Office, the acting director of the Cybersecurity Infrastructure and Security Agency, Brandon Wales, told a mid-March congressional hearing. “It was all because they compromised those systems that manage trust and identity on networks,” he said.
...
But it gets worse for Microsoft, because the hackers didn’t simply exploit vulnerabilities in Microsoft’s products. They also rifled through Microsoft’s treasured source code looking for the code that validates users’ identities and grants them access to email, documents and other data. So these super-hackers likely learned how to become even more super. At least more super against Microsoft:
...
And remember, many security professionals note, Microsoft was itself compromised [136] by the SolarWinds intruders, who got access to some of its source code — its crown jewels. Microsoft’s full suite of security products — and some of the industry’s most skilled cyber-defense practitioners — had failed to detect the ghost in the network. Not until alerted to the hacking campaign by FireEye, the cybersecurity firm that detected it in mid-December, did Microsoft responders discover the related breach of their systems.
...
But perhaps worst of all is how long these security deficiencies have been plaguing Microsoft. This isn’t a new problem. Which is why it’s so problematic and scandalous that, as Senator Wyden angrily pointed out during a recent congressional hearing, Microsoft has been providing the US government with products whose default ‘event logging’ settings don’t capture the information needed to spot a hack in progress. So by default, the US federal government wasn’t recording these intrusions as they happened. That’s apparently the case, according to Senator Wyden. The US government’s cyber-defenses have been flying blind by default, thanks to Microsoft:
...
Microsoft officials stress that the SolarWinds update was not always the entry point; intruders sometimes took advantage of vulnerabilities such as weak passwords and victims’ lack of multi-factor authentication. But critics say the company took security too lightly. Sen. Ron Wyden, D‑Ore., verbally pummeled Microsoft for not supplying federal agencies with a level of “event logging” that, if it had not detected the SolarWinds hacking in progress, would at least have provided responders with a record of where the intruders were and what they saw and removed. “Microsoft chooses the default settings in the software it sells, and even though the company knew for years about the hacking technique used against U.S. government agencies, the company did not set default logging settings to capture information necessary to spot hacks in progress,” Wyden said. He was not the only federal lawmaker who complained.
...
Even the highest level of logging doesn’t prevent break-ins, though. It only makes it easier to detect them.
...
Of course, keep in mind the big advantage the victims of a hack enjoy when no event logging was employed: the less information you have about what actually happened, the more you’re forced to speculate about what happened, and the easier it is to just say it was probably Russia or China or whoever you want to blame. Ignorance can be both a cudgel and a shield when cyberattribution is wielded as a weapon.
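For a practitioner reading the Wyden exchange above, the actionable question is whether your own tenant is in the same state. What follows is an added example, not code from the original post or from Microsoft, showing the checks a responder would run against those logging defaults and the query that turns “what did they see and remove” into something answerable. It assumes the ExchangeOnlineManagement PowerShell module, an Exchange Online admin role, and placeholder names (contoso.example, alice@contoso.example) that do not come from the page.

```powershell
# Added example (not from the original post or from Microsoft): check the
# Exchange Online logging defaults discussed above, turn on what is off, and
# pull the record of what a suspect account actually touched.
# Assumes the ExchangeOnlineManagement module and an admin role; the account
# and domain names are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in; use -AppId/-CertificateThumbprint for unattended runs

# 1. Tenant-wide switches. If AuditDisabled is $true, per-mailbox settings
#    are irrelevant: nothing is recorded at all.
$org = Get-OrganizationConfig
$ual = Get-AdminAuditLogConfig
"Org-level mailbox auditing disabled : $($org.AuditDisabled)"
"Unified audit log ingestion enabled : $($ual.UnifiedAuditLogIngestionEnabled)"
if ($org.AuditDisabled) { Set-OrganizationConfig -AuditDisabled $false }
if (-not $ual.UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# 2. Mailboxes where auditing is off or MailItemsAccessed is not audited.
#    MailItemsAccessed records which messages were opened or synced, which is
#    the "what they saw" a responder needs; a logon event alone does not give
#    it. (At the time of the post this event needed the Advanced Audit / E5
#    licence.)
$mailboxes = Get-Mailbox -ResultSize Unlimited
$gaps = $mailboxes | Where-Object {
    -not $_.AuditEnabled -or
    $_.AuditOwner    -notcontains 'MailItemsAccessed' -or
    $_.AuditDelegate -notcontains 'MailItemsAccessed' -or
    $_.AuditAdmin    -notcontains 'MailItemsAccessed'
}
foreach ($m in $gaps) {
    Set-Mailbox -Identity $m.Identity -AuditEnabled $true `
        -AuditOwner    @{Add = 'MailItemsAccessed'} `
        -AuditDelegate @{Add = 'MailItemsAccessed'} `
        -AuditAdmin    @{Add = 'MailItemsAccessed'}
}
"Mailboxes with logging gaps fixed: $($gaps.Count) of $($mailboxes.Count)"

# 3. Bypass associations. Any account listed here has its mailbox actions
#    silently excluded from the audit log. An intruder with admin rights can
#    add one; treat an unexpected entry as a finding, not a configuration nit.
Get-MailboxAuditBypassAssociation -ResultSize Unlimited |
    Where-Object { $_.AuditBypassEnabled } |
    Select-Object Name, AuditBypassEnabled

# 4. With logging on, "where were they and what did they see and remove"
#    becomes a query. $suspect is a placeholder for the account being traced.
$suspect = 'alice@contoso.example'
$events  = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $suspect -ResultSize 5000 `
    -Operations MailItemsAccessed, HardDelete, SoftDelete, MoveToDeletedItems, FileDownloaded

$events | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json      # AuditData is a JSON string
    [pscustomobject]@{
        Time      = $_.CreationDate
        Operation = $_.Operations
        # Mailbox events carry ClientIPAddress; SharePoint/OneDrive events carry ClientIP.
        ClientIP  = if ($d.ClientIPAddress) { $d.ClientIPAddress } else { $d.ClientIP }
        Detail    = if ($d.Folders) {
                        "$(($d.Folders.FolderItems | Measure-Object).Count) items in $($d.Folders.Path -join ', ')"
                    } elseif ($d.AffectedItems) {
                        $d.AffectedItems.Subject -join '; '
                    } else {
                        $d.ObjectId          # file path for FileDownloaded
                    }
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it read-only first by commenting out the Set-* lines. The bypass list in step 3 is the part most worth reading by hand: it is the one setting that lets an account’s activity vanish from exactly the record Wyden was asking for, and a clean tenant should have nothing in it that an administrator cannot explain.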
Finally, note how we are told the ‘Chinese hackers’ behind the Microsoft Exchange hack used wholly different infection methods. Now, technically, yes, they may have used a different zero-day exploit targeting different Microsoft products. As we’ve seen, it was reportedly an Office 365 email exploit that the hackers used to initiate the hack on SolarWinds’s network, and the US Treasury Department confirmed that an Office 365 email exploit was used after the hackers infiltrated their networks via the backdoor. Whereas in the Microsoft Exchange hack, it was some sort of vulnerability in the Exchange software that was exploited. So yes, these are two different infection methods. But they both relied on manipulating Microsoft’s credentialing systems. From that perspective, it’s kind of the same underlying method:
...
The intruders in the unrelated hack of Microsoft Exchange email servers disclosed in March — blamed on Chinese spies — used wholly different infection methods. But they gained immediate high-level access to users’ email and other info.
...
Keep in mind that pointing out the different attack methods used in the SolarWinds and Microsoft Exchange hacks, and citing that as evidence of different hacking groups, is another example of how vague technical ‘digital fingerprints’, like the particular type of malware or exploit used in a hack, are used for cyberattribution purposes. It’s the kind of cyberattribution phenomenon that assumes the “commercial surveillance” industry isn’t supplying incredible zero-day attacks to dozens of governments around the world simultaneously.
The SolarWinds Hackers(?) Go Phishing. With USAID as the Bait.
The multifaceted ability of the SolarWinds hackers was on display again with a new announcement from Microsoft at the end of May: Remember those warnings following the Microsoft Exchange hack about highly sophisticated and targeted phishing campaigns emerging from all the information the hackers were able to extract from all those stolen emails? Well, a new highly sophisticated and targeted phishing campaign was indeed unleashed. But we are told “Nobelium”, the name Microsoft gave to Cozy Bear/APT29, was the culprit. Approximately 3,000 email accounts at more than 150 different organizations in 24 different countries received emails seemingly from the United States Agency For International Development (USAID), encouraging victims to download a file about election fraud. The hackers carried out the attack by breaking into an email marketing account at Constant Contact [41], a service USAID uses for official communications. From there, they launched the phishing attacks.
Microsoft assures us that no exploits of Microsoft products were involved in this phishing attempt. At the same time, we’re told nothing about how this Constant Contact email marketing account was broken into in the first place. In fact, it’s not actually clear at all what ties this phishing attack to the SolarWinds hack. And yet we are assured by Microsoft, with high confidence, that Russia’s SVR is behind it and that it appears to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence-gathering efforts. And since the SVR is also blamed for the SolarWinds hack, it’s therefore behind this phishing attempt. That appears to be the ‘logic’ at work here.
Now, if we view the Microsoft blog post on this hack, there is one technical fact that relates back to the SolarWinds hack: the use of previously unseen tooling. Victims who fell for the phishing emails had four never-before-seen pieces of malware deployed on their computers [42], according to a second Microsoft blog post about the attack. So the technical trait shared between this phishing attack and the earlier SolarWinds hack is the use of multiple novel, ‘zero-day’ tools. But different tools. It is worth being precise here: four previously unseen malware families are not four zero-day exploits, and Microsoft itself said no vulnerability in its products was exploited in this campaign. The Microsoft blog post describing this USAID phishing scheme [41] explicitly states that this new attack bears very little technical similarity to the SolarWinds hack and suggests the hackers intentionally changed their tactics after the discovery of the SolarWinds hack. So the possession of a fresh, sophisticated arsenal is apparently being used as a technical indicator for attribution. If a hacker shows up with lots of never-before-seen tooling, it’s assumed to be the same hacker who ran the last hack with lots of never-before-seen tooling. And since zero-day exploits and bespoke malware are widely assumed to be largely the exclusive property of well-financed nations (the US, Russia, China, Israel, etc.), when a hack involves lots of them the list of suspects gets narrowed down to that list. That appears to be the pattern playing out here. A pattern that ignores the existence of a robust industry selling zero-day exploits to dozens of governments around the world.
But also keep in mind that the Microsoft Exchange mega-hack announced in March also utilized zero-day exploits, and this hack started with the compromise of USAID’s Constant Contact account. Is there an Exchange server involved with this service? It would be nice to know but, again, we aren’t told how the hack started. So how was Microsoft able to deduce that it was the SolarWinds hackers and not the Exchange hackers or some other group? We have no idea, but we are assured that Microsoft figured it all out. We’ll just have to blindly trust them on this. As always [40]:
Reuters
Microsoft says group behind SolarWinds hack now targeting government agencies, NGOs
Raphael Satter, Kanishka Singh
May 28, 2021 12:53 PM CDT Updated
May 28 (Reuters) — The group behind the SolarWinds (SWI.N) cyber attack identified late last year is now targeting government agencies, think tanks, consultants, and non-governmental organizations, Microsoft Corp (MSFT.O) said on Thursday.
“This week we observed cyberattacks by the threat actor Nobelium targeting government agencies, think tanks, consultants, and non-governmental organizations”, Microsoft said in a blog [139].
Nobelium, originating from Russia, is the same actor behind the attacks on SolarWinds customers in 2020, according to Microsoft.
The comments come weeks after a May 7 ransomware attack on Colonial Pipeline shut the United States’ largest fuel pipeline network for several days, disrupting the country’s supply.
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations”, Microsoft said on Thursday.
While organisations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.
At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.
Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organisations, Microsoft said.
In statements issued Friday, the Department of Homeland Security and USAID both said they were aware of the hacking and were investigating.
The hack of information technology company SolarWinds, which was identified in December, gave access to thousands of companies and government offices that used its products. Microsoft President Brad Smith described the attack as “the largest and most sophisticated attack the world has ever seen”. read more [140]
...
The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.
The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.
The company said it was in the process of notifying all of its targeted customers and had “no reason to believe” these attacks involved any exploitation or vulnerability in Microsoft’s products or services.
————–
“Nobelium launched this week’s attacks by breaking into an email marketing account used by the United States Agency For International Development (USAID) and from there launching phishing attacks on many other organisations, Microsoft said.”
As Microsoft announced in May, the SolarWinds attacks continue. Sort of. This wasn’t an extension of the SolarWinds attack. At least we aren’t told so. Instead, we’re told that the same hackers, Nobelium, who carried out the SolarWinds attack also carried out this new attack targeting the email marketing firm, Constant Contact, that handles the emails for USAID. Somehow, the hackers were able to send out emails to 3,000 email accounts at more than 150 different organizations that looked like they came from USAID, and if victims clicked on the links in the emails they received sophisticated malware, as was deployed in the SolarWinds attack. Again, Nobelium is Microsoft’s name for APT29/Cozy Bear, the group accused of the 2015 DNC hack (the first DNC hack of the 2016 election season).
Now, how did Microsoft arrive at the conclusion that this phishing attack was carried out by the same “Nobelium” SolarWinds hackers? As we should expect, it’s entirely unclear. Microsoft first dubbed the SolarWinds hackers “Nobelium” in March 2021, in a blog post describing the command-and-control malware from the SolarWinds hack: ‘zero-day’ malware that had never been seen before, adding to the perceived sophistication of the hackers [141]. Of course, as we’re going to see with the NSO Group story, ultra-sophisticated ‘zero-day’ hacks that have ‘never been seen before’ are effectively for sale to governments around the world. Any government with permission to buy this software would suddenly become an ultra-sophisticated actor with an armory of zero-day exploits never seen before.
So were more never-before-seen tools found in this latest USAID phishing hack? Yes, four new pieces of malware were deployed [42], according to a second Microsoft blog post about the attack. As noted above, that is the one trait shared with the SolarWinds hack: novel tooling, but different tooling, in an attack Microsoft itself says bears little technical similarity to SolarWinds [41]. And the same pattern is at work: a fresh arsenal is treated as the signature of the same actor, and of a well-financed nation, while the commercial zero-day industry supplying dozens of governments is ignored.
And note how, while this attack clearly involves USAID, it’s not actually targeting USAID. It was an attack that used USAID’s persona to target 150 different organizations in at least 24 countries. And only around a quarter of those targeted organisations were involved in international development, humanitarian issues and human rights work. And yet Microsoft confidently tells us this hack is a continuation of an SVR espionage campaign targeting government agencies involved in foreign policy. It’s a remarkably cherry-picked assessment:
...
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations”, Microsoft said on Thursday.
While organisations in the United States received the largest share of attacks, targeted victims came from at least 24 countries, Microsoft said.
At least a quarter of the targeted organisations were involved in international development, humanitarian issues and human rights work, Microsoft said in the blog.
...
The United States and Britain have blamed Russia’s Foreign Intelligence Service (SVR), successor to the foreign spying operations of the KGB, for the hack which compromised nine U.S. federal agencies and hundreds of private sector companies.
The attacks disclosed by Microsoft on Thursday appeared to be a continuation of multiple efforts to target government agencies involved in foreign policy as part of intelligence gathering efforts, Microsoft said.
...
So we have the SolarWinds mega-hack discovered in December 2020, initially attributed to a previously unknown group that governments nonetheless assure us is the SVR, and later attributed to Cozy Bear/APT29, aka Nobelium. Then a May 2021 phishing campaign that doesn’t actually share any of the technical traits of the SolarWinds hack, other than the use of a different set of never-before-seen tools, is also attributed to Cozy Bear. Why exactly it’s been determined that these two separate attacks were done by the same group is never explained, let alone why they’ve determined that group is Russia’s SVR.
The SolarWinds Hackers(?) Can’t Stop, Won’t Stop...Hacking Microsoft
It’s always a ‘trust us’ narrative. A narrative that sounds awfully similar to the story we got a month later, in the last week of June, when Microsoft announced a new Nobelium/Cozy Bear attack. Although it’s more like an update on the May phishing attack. As with the May phishing attack report, Microsoft assured us that this new attack is unrelated to the SolarWinds hack. And yet Microsoft also assured us that the same group was behind it, Nobelium. The reason for this attribution to Nobelium is never given. It’s another phishing attack that isn’t technically related to the SolarWinds hack, but they’re still sure it’s the same group. The reasons are never given. Sounding familiar yet?
But this June attack appears to differ from the May phishing attack in a potentially significant way: one of Microsoft’s own customer-service agents was compromised and customer information about Microsoft services was stolen, allowing for tailored phishing attacks. So whoever pulled this off may have demonstrated an eerily similar ability to exploit previously unknown Microsoft vulnerabilities. An ability demonstrated by both the SolarWinds and Exchange hackers.
Microsoft didn’t answer questions of whether or not its agent was hacked during the initial SolarWinds hack. But we are told that Microsoft discovered this phishing campaign and the hacking of its agent as a result of its investigation into the earlier SolarWinds hacks. Part of the reason this is potentially significant is that it once again raises the question of whether or not this new hack of the Microsoft agent — where customer service information was somehow accessed and used to tailor phishing emails — was executed with some sort of exploit targeting Microsoft systems. And if that’s the case, we have to ask why these are necessarily the SolarWinds hackers and not the Exchange hackers. Both possessed Microsoft zero-day exploits.
But beyond the potential relationship between the SolarWinds and Exchange hackers, it’s hard to ignore the story of NSO Group, Candiru, and the existence of the private industry that creates and sells cutting-edge malware bristling with zero-day exploits, including zero-day exploits targeting Microsoft products, to dozens of governments around the world. And yet ignoring the existence of this private industry that makes cutting-edge zero-day exploits available to dozens of governments is exactly what we are asked to do. Over and over. Every time there’s a new hack that shows a reasonable degree of sophistication or that hits a government agency (even if many more non-government organizations are hit too), it’s treated as if the only possible actors in the world who could have pulled off the hack were Russia, China, Iran or North Korea. It is systematically ignored that dozens of governments around the world can and do buy the necessary ‘zero-day’ malware toolkits to pull off these hacks. Would Saudi Arabia attempt a SolarWinds-style mega-hack if it knew it was going to be blamed on Russia or China? There’s no way to responsibly avoid asking these kinds of questions when we know Saudi Arabia and dozens of other countries have already purchased the ability to do so.
So we have a second phishing attack attributed to Nobelium/Cozy Bear. But unlike the previous phishing attack, where Microsoft acknowledged there was no apparent technical link back to the earlier SolarWinds hack, this phishing attack appears to have employed some sort of vulnerability in Microsoft’s products. And at the same time Microsoft assures us this wasn’t technically related to the SolarWinds hack, Microsoft also reminds us of what was disclosed months ago: that data and insights were stolen from Microsoft during the initial SolarWinds attack, including the source code governing how Microsoft verifies user identities. Were any weaknesses found in that stolen code used in this hack? Microsoft isn’t saying. And that’s a big part of the larger story here: extremely serious allegations about who was behind these cyberattacks are being made, with all fingers pointing towards the Russian or Chinese governments, with almost no information being released regarding why and how those attributions are made. The entire cyberattribution industry is rooted in a ‘just trust us on this’ ethos [44]:
Reuters
Microsoft says new breach discovered in probe of suspected SolarWinds hackers
Joseph Menn
June 25, 2021 8:59 PM CDT Updated
SAN FRANCISCO, June 25 (Reuters) — Microsoft (MSFT.O) said on Friday an attacker had won access to one of its customer-service agents and then used information from that to launch hacking attempts against customers.
The company said it had found the compromise during its response to hacks by a team it identifies as responsible for earlier major breaches at SolarWinds (SWI.N) and Microsoft.
Microsoft said it had warned the affected customers. A copy of one warning seen by Reuters said the attacker belonged to the group Microsoft calls Nobelium and that it had access during the second half of May.
“A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.
When Reuters asked about that warning, Microsoft announced the breach publicly.
After commenting on a broader phishing campaign it said had compromised a small number of entities, Microsoft said it had also found the breach of its own agent, who it said had limited powers.
The agent could see billing contact information and what services the customers pay for, among other things.
“The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign,” Microsoft said.
Microsoft warned affected customers to be careful about communications to their billing contacts and consider changing those usernames and email addresses, as well as barring old usernames from logging in.
Microsoft said it was aware of three entities that had been compromised in the phishing campaign.
It did not immediately clarify whether any had been among those whose data was viewed through the support agent, or if the agent had been tricked by the broader campaign.
Microsoft did not say whether the agent was at a contractor or a direct employee.
A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code.
In the SolarWinds attack, the group altered code at that company to access SolarWinds customers, including nine U.S. federal agencies.
At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.
Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
A White House official said the latest intrusion and phishing campaign was far less serious than the SolarWinds fiasco.
“This appears to be largely unsuccessful, run-of-the-mill espionage,” the official said.
...
————
““A sophisticated Nation-State associated actor that Microsoft identifies as NOBELLIUM accessed Microsoft customer support tools to review information regarding your Microsoft Services subscriptions,” the warning reads in part. The U.S. government has publicly attributed the earlier attacks to the Russian government, which denies involvement.”
Nobelium “accessed Microsoft customer support tools to review information.” That’s the language used by Microsoft to describe the hacking of its agent and the use of the obtained information to run targeted phishing campaigns. That’s what we know. What we don’t know is how the agent got hacked in the first place. Was it simply exploiting a backdoor created by the SolarWinds hack? Microsoft isn’t saying. But we know Microsoft has previously disclosed that ‘Nobelium’ stole code involving Microsoft’s user verification. And DHS tells us these same hackers took advantage of weaknesses in the way Microsoft programs were configured, though a configuration weakness, like the weak passwords and missing multi-factor authentication Microsoft cited earlier, is not the same thing as a vulnerability in the product. A lot of arrows are pointing in the direction of another Microsoft vulnerability being exploited, but as always we’re forced to guess:
...
A spokesman said the latest breach by the threat actor was not part of Nobelium’s previous successful attack on Microsoft, in which it obtained some source code....
At the SolarWinds customers and others, the attackers also took advantage of weaknesses in the way Microsoft programs were configured, according to the Department of Homeland Security.
Microsoft later said the group had compromised its own employee accounts and taken software instructions governing how Microsoft verifies user identities.
...
The bad news stories just keep piling up. What’s next?
Backdoors aren’t Just Backdoors. They’re Digital Bombs Too.
What might be next is the question ominously answered in a CBS News piece from July 4 that includes commentary from Jon Miller, a former hacker who now runs a company called Boldend that designs and sells cutting-edge cyber weapons to US intelligence agencies. According to Miller, what stood out for him in the SolarWinds hack wasn’t the sophistication of the malware. Miller claims to create much more sophisticated malware in his own work. What surprised him was the scope of the attack. Whoever did this didn’t even bother trying to hide it and seemed to execute it with no regard to the damage caused or potential consequences.
And then Miller drops the bomb: when asked if the hackers were capable of doing more damage than they did, for example destroying all the computers on the network, Miller tells us that not only would that be possible but it would be trivial. A few dozen additional lines of code. So if the SolarWinds hackers, or the Microsoft Exchange hackers, had wanted to destroy the computer systems of organizations around the world, they could have done so. Easily.
The piece also includes an interview with Brad Smith, president of Microsoft. Smith points to the numerous government agencies to make the case that it must be a foreign intelligence operation, an observation that systematically ignores all the non-government commercial victims that also got hit. Smith goes on to make an interesting defense of the US government’s inability to detect and stop the SolarWinds hack: because the hackers launched the hack from US-based servers, the NSA wasn’t legally allowed to observe and prevent it. Domestic network security in the US is the responsibility of the private sector. How those policies change in response to these mega-hacks will be something to watch [142].
Then Smith issues a warning that, when combined with Miller’s warnings about digital bombs, should send chills down the spines of system administrators everywhere: Smith warns that it’s almost certain the SolarWinds hackers planted additional backdoors and spread to other networks. Keep in mind that Microsoft has been one of the lead investigators on this, so when Microsoft tells us the SolarWinds hackers are probably still residing on these hacked networks and have spread to others, that’s the kind of warning we should take seriously. So if you were hoping the discovery of the SolarWinds hack meant the closing of all these backdoors on the networks of thousands of organizations around the world, your hopes should be dashed by now. Microsoft was basically telling us they don’t think they can realistically expel the hackers from all these networks. So if these hackers do decide to actually destroy tens of thousands of hacked networks around the world, or conduct a global ransomware attack, they could probably still do so [46]:
CBS News
SolarWinds: How Russian spies hacked the Justice, State, Treasury, Energy and Commerce Departments
Bill Whitaker reports on how Russian spies used a popular piece of software to unleash a virus that spread to 18,000 government and private computer networks.
Correspondent Bill Whitaker
2021 Jul 04
When Presidents Biden and Putin met in Geneva last month – it was the first time that the threat of cyber war eclipsed that of nuclear war between the two old super-powers… and “SolarWinds” was one big reason why. Last year, in perhaps the most audacious cyber attack in history, Russian military hackers sabotaged a tiny piece of computer code buried in a popular piece of software called SolarWinds. As we first reported in February, the hidden virus spread to 18,000 government and private computer networks by way of one of those software updates we all take for granted. After it was installed, Russian agents went rummaging through the digital files of the U.S. departments of Justice, State, Treasury, Energy, and Commerce –among others—and for nine months, they had unfettered access to top-level communications, court documents, even nuclear secrets.
Brad Smith: I think from a software engineering perspective, it’s probably fair to say that this is the largest and most sophisticated attack the world has ever seen.
Brad Smith is president of Microsoft. He learned about the hack after the presidential election this past November. By that time, the stealthy intruders had spread throughout the tech giants’ computer network and stolen some of its proprietary source code used to build its software products. More alarming: how the hackers got in… piggy-backing on a piece of third party software used to connect, manage and monitor computer networks.
Bill Whitaker: What makes this so momentous?
Brad Smith: One of the really disconcerting aspects of this attack was the widespread and indiscriminate nature of it. What this attacker did was identify network management software from a company called SolarWinds. They installed malware into an update for a SolarWinds product. When that update went out to 18,000 organizations around the world, so did this malware.
“SolarWinds Orion” is one of the most ubiquitous software products you probably never heard of, but to thousands of I.T. departments worldwide, it’s indispensable. It’s made up of millions of lines of computer code. 4,032 of them were clandestinely re-written and distributed to customers in a routine update, opening up a secret backdoor to the 18,000 infected networks. Microsoft has assigned 500 engineers to dig in to the attack. One compared it to a Rembrandt painting, the closer they looked, the more details emerged.
Brad Smith: When we analyzed everything that we saw at Microsoft, we asked ourselves how many engineers have probably worked on these attacks. And the answer we came to was, well, certainly more than 1,000.
Bill Whitaker: You guys are Microsoft. How did Microsoft miss this?
Brad Smith: I think that when you look at the sophistication of this attacker there’s an asymmetric advantage for somebody playing offense.
Bill Whitaker: Is it still going on?
Brad Smith: Almost certainly, these attacks are continuing.
The world still might not know about the hack if not for FireEye, a three-and-a-half billion dollar cybersecurity company run by Kevin Mandia, a former Air Force intelligence officer.
...
They discovered the malware inside SolarWinds and on December 13 informed the world of the brazen attack.
Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.
Bill Whitaker: So, what does that target list tell you?
Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.
And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.
The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.
Brad Smith: I do think this was an act of recklessness. The world runs on software. It runs on information technology. But it can’t run with confidence if major governments are disrupting and attacking the software supply chain in this way.
Bill Whitaker: That almost sounds like you think that they went in to foment chaos?
Brad Smith: What we are seeing is the first use of this supply chain disruption tactic against the United States. But it’s not the first time we’ve witnessed it. The Russian government really developed this tactic in Ukraine.
...
Bill Whitaker: It’s hard to downplay the severity of this.
Chris Inglis: It is hard to downplay the severity of this. Because it’s only a stone’s throw from a computer network attack.
Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.
Bill Whitaker: Why didn’t the government detect this?
Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.
Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.
Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?
Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.
...
It’s not every day you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.
Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.
Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.
Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.
Bill Whitaker: So, for instance, they could destroy all the computers on a network?
Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.
...
———–
“Much of the damage had already been done. The U.S. Justice Department acknowledged the Russians spent months inside their computers accessing email traffic – but the department won’t tell us exactly what was taken. It’s the same at Treasury, Commerce, the NIH, Energy. Even the agency that protects and transports our nuclear arsenal. The hackers also hit the biggest names in high tech.”
The SolarWinds hackers spent months inside numerous US government agency networks, presumably from February 2020 until December 2020. That’s 10 or so months of emails. That’s a lot of government emails. It makes the “Hillary’s emails” stories sound like a sweet lullaby of yesteryear.
But the SolarWinds hack was obviously not just targeting the US government. Thousands of companies were hit too. And yet, when asked, the President of Microsoft insists, “I think this target list tells us that this is clearly a foreign intelligence agency”. It’s what it looks like when everyone plays dumb professionally:
...
Bill Whitaker: So, what does that target list tell you?
Brad Smith: I think this target list tells us that this is clearly a foreign intelligence agency. It exposes the secrets potentially of the United States and other governments as well as private companies. I don’t think anyone knows for certain how all of this information will be used. But we do know this: It is in the wrong hands.
And Microsoft’s Brad Smith told us it’s almost certain the hackers created additional backdoors and spread to other networks.
The revelation this past December came at a fraught time in the U.S. President Trump was disputing the election, and tweeted China might be responsible for the hack. Within hours he was contradicted by his own secretary of state and attorney general. They blamed Russia. The Department of Homeland Security, FBI and intelligence agencies concurred. The prime suspect: the SVR, one of several Russian spy agencies the U.S. labels “advanced persistent threats.” Russia denies it was involved.
...
Also note how the fact that the SolarWinds hack was conducted with US-based servers, and the fact that the NSA isn’t mandated to monitor US networks, is turning into an argument for giving the NSA authority to monitor US networks. This is a good time to recall the story from earlier this year about the DARPA projects involving the creation of autonomous anti-virus software that can traverse networks, which sound awfully similar to the “Project TURBINE” plan for mass automated malware implantation [143]. Automated ‘anti-malware’ delivered by goodware. As questions about the constitutionality of NSA monitoring of domestic networks get raised, don’t be surprised if automated ‘goodware’ solutions are offered:
...
Chris Inglis spent 28 years commanding the nation’s best cyber warriors at the National Security Agency – seven as its deputy director – and now sits on the Cyberspace Solarium Commission – created by Congress to come up with new ideas to defend our digital domain.
Bill Whitaker: Why didn’t the government detect this?
Chris Inglis: The government is not looking on private sector networks. It doesn’t surveil private sector networks. That’s a responsibility that’s given over to the private sector. FireEye found it on theirs, many others did not. The government did not find it on their network, so that’s a disappointment.
Disappointment is an understatement. The Department of Homeland Security spent billions on a program called “Einstein” to detect cyber attacks on government agencies. The Russians outsmarted it. They circumvented the NSA, which gathers intelligence overseas, but is prohibited from surveilling U.S. computer networks. So the Russians launched their attacks from servers set up anonymously in the United States.
Bill Whitaker: This hack happened on American soil. It went through networks based in the United States. Are our defense capabilities constrained?
Chris Inglis: U.S. Intelligence Community, U.S. Department of Defense, can suggest what the intentions of other nations are based upon what they learn in their rightful work overseas. But they can’t turn around and focus their unblinking eye on the domestic infrastructure. That winds up making it more difficult for us.
...
Finally, note the assessment of the relative sophistication of the SolarWinds malware by Jon Miller, the former hacker who now runs a company called Boldend, which designs and sells cutting-edge cyber weapons to U.S. intelligence agencies. Miller wasn’t impressed by the sophistication. He admits to building things much more sophisticated (and presumably selling them to US intelligence agencies). What surprised Miller was the scale of the attack and that someone actually did something that created so much damage. It’s the kind of response from an industry professional (who isn’t playing dumb professionally) that points towards a reality where large-scale hacks of this nature have long been possible, but were assumed to be too inflammatory to execute without inviting serious repercussions. As Miller pointed out, this attack potentially tainted the entire global software supply chain. The same compiler attack that snuck the backdoor into SolarWinds’s Orion client tool could be reapplied to the software being developed by the tens of thousands of SolarWinds corporate and government clients. It really was a massive attack. But he’s not surprised someone was able to pull it off technically. He’s surprised someone actually did it. It’s an important distinction to keep in mind when assessing the nature of this attack. Thankfully, another possible nightmare scenario wasn’t executed: a scenario where malware is deployed that actually causes these networks to physically destroy themselves. But they could have if they wanted to:
...
It’s not every day you meet someone who builds cyber weapons as complex as those deployed by Russian intelligence. But Jon Miller, who started off as a hacker and now runs a company called Boldend, designs and sells cutting-edge cyber weapons to U.S. intelligence agencies.
Jon Miller: I build things much more sophisticated than this. What’s impressive is the scope of it. This is a watershed style attack. I would never do something like this. It creates too much damage.
Miller says with the SolarWinds attack, Russia has demonstrated that none of the software we take for granted is truly safe, including the apps on our telephones, laptops, and tablets. These days, he says, any device can be sabotaged.
Jon Miller: When you buy something from a tech company, a new phone or a laptop, you trust that that is secure when they give it to you. And what they’ve shown us in this attack is that is not the case. They have the ability to compromise those supply chains and manipulate whatever they want. Whether it’s financial data, source code, the functionality of these products. They can take control.
Bill Whitaker: So, for instance, they could destroy all the computers on a network?
Jon Miller: Oh, easily. The malware that they deployed off of SolarWinds, it didn’t have the functionality in it to do that. But to do that is trivial. Couple dozen lines of code.
...
Miller is absolutely correct. SolarWinds wasn’t just the mega-hack of SolarWinds and its thousands of clients. It was potentially the hack of the global technological supply chain. Someone executed a very very big hack.
CitizenLab Issues a Warning to the World: Someone is Hacking the Sh*t Out of Microsoft. Legally. Meet Candiru
It was in the middle of July this year that the stories of the mega-hacks took a sudden turn. After months of disclosing (and denying) one hack after another involving a Microsoft vulnerability, CitizenLab had a dramatic, and thematically appropriate, new security warning: a mercenary spyware company has been selling an exploit used against Windows users in several countries, including Iran, Lebanon, Spain and the United Kingdom. Beyond that, the malware has been found targeting activists, which isn’t particularly surprising given the fact that Candiru’s clients are governments. Candiru’s exploits aren’t solely against Microsoft products. Google’s popular Chrome browser is also a target. But it sounds like Candiru specializes in Microsoft products.
Microsoft fixed the vulnerabilities identified in CitizenLab’s report. Curiously, in its report on the fix, Microsoft never refers to Candiru by name. Instead, it refers to it as an “Israel-based private sector offensive actor” which the company codenamed Sourgum. Google also issued a report on Candiru’s targeting of activists and the zero-day exploits discovered used against activists. Google also didn’t refer to Candiru by name.
So at least one Candiru customer — but perhaps more than one — was running around using zero-day exploits against activists and they got caught. Because it was blamed on Candiru it couldn’t be attributed to Russia or China. So who got blamed for these discovered hacks against activists? No one [48]:
Reuters
Technology
Microsoft says Israeli group sold tools to hack Windows
Christopher Bing
July 15, 2021 4:45 PM CDT
Updated
July 15 (Reuters) — An Israeli group sold a tool to hack into Microsoft Windows, Microsoft and technology human rights group Citizen Lab said on Thursday, shedding light on the growing business of finding and selling tools to hack widely used software.
The hacking tool vendor, named Candiru, created and sold a software exploit that can penetrate Windows, one of many intelligence products sold by a secretive industry that finds flaws in common software platforms for their clients, said a report by Citizen Lab.
Technical analysis by security researchers details how Candiru’s hacking tool spread around the globe to numerous unnamed customers, where it was then used to target various civil society organizations, including a Saudi dissident group and a left-leaning Indonesian news outlet, the reports by Citizen Lab and Microsoft show.
...
Evidence of the exploit recovered by Microsoft Corp (MSFT.O) suggested it was deployed against users in several countries, including Iran, Lebanon, Spain and the United Kingdom, according to the Citizen Lab report.
“Candiru’s growing presence, and the use of its surveillance technology against global civil society, is a potent reminder that the mercenary spyware industry contains many players and is prone to widespread abuse,” Citizen Lab said in its report.
Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.
“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.
On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.
Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.
Those types of covert systems cost millions of dollars and are often sold on a subscription basis, making it necessary for customers to repeatedly pay a provider for continued access, people familiar with the cyber arms industry told Reuters.
“No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.
———–
“Microsoft says Israeli group sold tools to hack Windows” by Christopher Bing; Reuters; 07/15/2021 [48]
““No longer do groups need to have the technical expertise, now they just need resources,” Google wrote in its blog post.”
Are you a government with cash to burn? Welcome to the world of elite hackers. Just be sure to maintain your subscription fees.
Google’s researchers weren’t exaggerating. It really is just a matter of having the resources — and permission from the Israeli (and US?) government(s?) — for a government to go from having virtually no cyber capabilities to having a suite of zero-day exploits capable of defeating the top technology firms in the world.
And yet it’s kind of interesting that neither Google nor Microsoft actually named Candiru in their reports. Microsoft refers to Candiru with its own made-up codename Sourgum, although Microsoft does point out in its report that Citizen Lab identified Sourgum as Candiru [144]. But that’s the only reference to Candiru in the report. And Google’s report on Candiru just refers to a “commercial surveillance company.” Recall that this is the same language Google used in its report on the three zero-day exploits discovered targeting Armenian activists [52]. So Google and Microsoft appear to go out of their way to avoid naming names in their reports when the culprit is a private company:
...
Microsoft fixed the discovered flaws on Tuesday through a software update. Microsoft did not directly attribute the exploits to Candiru, instead referring to it as an “Israel-based private sector offensive actor” under the codename Sourgum.
“Sourgum generally sells cyberweapons that enable its customers, often government agencies around the world, to hack into their targets’ computers, phones, network infrastructure, and internet-connected devices,” Microsoft wrote in a blog post. “These agencies then choose who to target and run the actual operations themselves.”
...
On Wednesday, Google (GOOGL.O) released a blog post where it disclosed two Chrome software flaws that Citizen Lab found connected to Candiru. Google also did not refer to Candiru by name, but described it as a “commercial surveillance company.” Google patched the two vulnerabilities earlier this year.
...
Also note how Candiru’s toolkit doesn’t just include an array of Microsoft exploits. It also hits other common non-Microsoft apps like Google’s Chrome. And as the article notes, cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits. In other words, these toolkits have to consist of numerous zero-day exploits. That’s the underlying product these companies are selling: toolkits that chain together multiple zero-day exploits:
...
Candiru’s tools also exploited weaknesses in other common software products, like Google’s Chrome browser.
...
Cyber arms dealers like Candiru often chain multiple software vulnerabilities together to create effective exploits that can reliably break into computers remotely without a target’s knowledge, computer security experts say.
...
Days after Microsoft was forced to patch these vulnerabilities, the company issued an update on the actions it was taking against Candiru’s malware as well as the scope of the use of this malware: Microsoft claimed it blocked tools used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents. Politicians got hit too. It’s not surprising, but a notable admission. Precision attacks were identified in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore.
Intriguingly, Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter. So the next time you hear about a Black Lives Matter website and it’s automatically attributed to Russia and the Internet Research Agency, keep this ‘feature’ in mind. Candiru was selling tools specifically to mimic left-wing organizations. Also keep in mind that it was Amnesty International that released a big NSO Group exposé days after Candiru’s malware was revealed, so there are probably quite a few people in the cybersecurity industry itself with an interest in spying on people affiliated with Amnesty International [50]:
Associated Press
Microsoft says it blocked spying on rights activists, others
By ALAN SUDERMAN
July 15, 2021
RICHMOND, Va. (AP) — Microsoft said Thursday it has blocked tools [144] developed by an Israeli hacker-for-hire company that were used to spy on more than 100 people around the world, including politicians, human rights activists, journalists, academics and political dissidents.
Microsoft issued a software update and worked with the Citizen Lab [145] at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.
Microsoft said people targeted in “precision attacks” by the spyware were located in the Palestinian territory, Israel, Iran, Lebanon, Yemen, Spain, the United Kingdom, Turkey, Armenia, and Singapore. Microsoft did not name the targets but described them generally by category.
Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
The reports by Microsoft and Citizen Lab shine new light on an opaque and lucrative industry of selling sophisticated hacking tools to governments and law enforcement agencies. Critics say such tools are often misused by authoritarian governments against innocent people.
“A world where private sector companies manufacture and sell cyberweapons is more dangerous for consumers, businesses of all sizes and governments,” Microsoft said in a blog post.
...
Microsoft said the business model for companies such as Candiru is to sell its services to government agencies, which then likely choose the targets and run the operations themselves.
Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.
Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.
Thursday’s disclosure by Microsoft was part of what the company said was a broader effort to “address the dangers” caused by hacker-for-hire companies. Microsoft is supporting Facebook in its lawsuit [146] against NSO Group, which is also based in Israel and is perhaps the most prominent private offensive spyware company.
Facebook filed a federal civil suit in 2019 alleging that NSO Group targeted some 1,400 users of Facebook’s encrypted messaging service WhatsApp with highly sophisticated spyware.
————-
“Microsoft issued a software update and worked with the Citizen Lab [145] at the University of Toronto to investigate the secretive Israeli company behind the hacking efforts. Citizen Lab said the company goes by several names including Candiru, which according to legend is a parasitic fish found in the Amazon that attacks human private parts.”
Candiru is so secretive it uses secret identities. Secrecy that’s probably driven, in part, by the fact that it’s crafting the digital infrastructure governments are using to hack civil society. Organizations like Black Lives Matter and Amnesty International. That’s the kind of activity one might hide from. Presumably the utility of these fake websites is to direct people there to deliver the malware, which implies the targets of this malware were at least sympathetic to Black Lives Matter and Amnesty International. Just think about how many schemes targeting Black Lives Matter attributed to Russia since 2016 [147] were actually a product of Candiru’s ready-to-use toolkit. Or some other “commercial surveillance vendor” selling similar tools:
...
Citizen Lab said Candiru’s spyware infrastructure included websites “masquerading as advocacy organizations” such as Amnesty International and Black Lives Matter.
...
And note the price. Yeah, your average person can’t handle these kinds of subscription fees. But basically every government on the planet can. Easily:
...
Citizen Lab published parts of what it said were a leaked proposal by Candiru for hacking services that offered a la carte hacking options. For 16 million euros ($18.9 million), the company would allow the customer to monitor 10 devices simultaneously in a single country. For an extra 5.5 million euros ($6.5 million), 25 additional devices could be monitored in five more countries.
Citizen Lab said Candiru’s spyware targets computers, mobile devices and cloud accounts.
...
It’s too bad CitizenLab couldn’t get the actual subscription information for Candiru’s many clients to see just how many devices governments are paying to hack. It’s almost $2 million per hacked device. That’s probably a lot of people. And a lot of profit for Candiru’s investors.
2021: Year of the Zero-Day
Just how much money is being made by this mercenary spyware industry? We’ll obviously never know. But if the discovery of new zero-day exploits is any indication of the industry’s work, we can say 2021 has been a robust year for the industry. As the following Threatpost piece from July 15 describes, there were 33 zero-day exploits reported by that date this year compared to 22 zero-day exploits in 2020 in total. At this pace, 2021 will have triple the number of zero-day exploits of 2020, and 2020 was a record year. There’s simply been an explosion of discovered zero-days. For example, at the same time Google issued its own mid-July report on Candiru’s malware being used against activists, it also disclosed a new zero-day flaw against the iOS Safari browser that was targeting Western European government officials. They note in the report that ‘Russian-language actors’ were using the exploit at the same time ‘Nobelium’ was targeting users on Windows devices to deliver Cobalt Strike, suggesting the two are related.
Putting aside the already addressed problems with placing an emphasis on the ‘cultural artifact’ language clues hackers leave, it’s worth noting that the Nobelium hack targeting users on Windows devices was a reference to the USAID phishing attack. As we saw, Microsoft reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack [42]. But Microsoft also reported the deployment of Cobalt Strike in its initial post about the phishing attack a day earlier [42]. Which should come as no surprise. Cobalt Strike, a legitimate security tool that finds vulnerabilities in networks, has exploded in popularity and gone mainstream among criminals [148]. In other words, we can’t infer much from the fact that both this iOS Safari hack and a hack attributed to Nobelium deployed Cobalt Strike. Cobalt Strike is what savvy cybercriminals use these days, and therefore not a trademark indicator of a particular actor. What is a notable coincidence between the USAID phishing hacks and the Safari hack is that both involve zero-day exploits. That’s the primary meaningful technical indicator shared between all of the hacks we are discussing here: zero-day exploits were deployed. And yet, we can only infer so much. We don’t know who is developing or deploying all these zero-days. We just know it could be a much broader range of actors than just Russia and China [52]:
Threatpost
Safari Zero-Day Used in Malicious LinkedIn Campaign
Author: Elizabeth Montalbano
July 15, 2021 7:04 am
Researchers shed light on how attackers exploited Apple web browser vulnerabilities to target government officials in Western Europe.
Threat actors used a Safari zero-day flaw to send malicious links to government officials in Western Europe via LinkedIn before researchers from Google discovered and reported the vulnerability.
That’s the word from researchers from Google Threat Analysis Group (TAG) and Google Project Zero, who Wednesday posted a blog [149] shedding more light on several zero-day flaws that they discovered so far this year. Researchers in particular detailed how attackers exploited the vulnerabilities—the prevalence of which are on the rise–before they were addressed by their respective vendors.
TAG researchers discovered the Safari WebKit flaw, tracked as CVE-2021-1879 [150], on March 19. The vulnerability allowed for the processing of maliciously crafted web content for universal cross site scripting and was addressed by Apple in an update [151] later that month.
Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.
“If the target visited the link from an iOS device, they would be redirected to an attacker-controlled domain that served the next-stage payloads,” they wrote.
The exploit, which targeted iOS versions 12.4 through 13.7, would turn off Same-Origin-Policy [152] protections on an infected device to collect authentication cookies from several popular websites–including Google, Microsoft, LinkedIn, Facebook and Yahoo–and then send them via WebSocket to an attacker-controlled IP, researchers wrote. The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.
Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium–targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report [153] posted online in May, the researchers added.
...
Other Zero-Day Attacks
Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley [154]. Two of those vulnerabilities–CVE-2021-21166 [155] and CVE-2021-30551 [156]—were found in Chrome, and one, tracked as CVE-2021-33742 [157], in Internet Explorer.
CVE-2021-21166 and CVE-2021-30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.
“Both of these 0‑days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”
When prospective victims clicked the link, they were redirected to a webpage that would fingerprint their device, collect system information about the client, and generate ECDH keys to encrypt the exploits, researchers wrote. This info—which included screen resolution, timezone, languages, browser plugins, and available MIME types—would then be sent back to the exploit server and used by attackers to decide whether or not an exploit should be delivered to the target, they said.
Researchers also identified a separate campaign in April that also targeted Armenian users by leveraging CVE-2021-26411, an RCE bug found in Internet Explorer (IE). The campaign loaded web content within IE that contained malicious Office documents, researchers wrote.
“This happened by either embedding a remote ActiveX object using a Shell.Explorer.1 OLE object or by spawning an Internet Explorer process via VBA macros to navigate to a web page,” Stone and Lecigne explained.
At the time, researchers said they were unable to recover the next-stage payload, but successfully recovered the exploit after discovering an early June campaign from the same actors. Microsoft patched the flaw later that month, they said.
Why There is an Increase in Zero-Days?
All in all, security researchers have identified 33 zero-day flaws [158] so far in 2021, which is 11 more than the total number from 2020, according to the post.
While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.
Still, it’s highly possible that attackers are indeed using more zero-day exploits [159] for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities [160] for functional attack chains, they said.
The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.
Finally, the maturation of security protections and strategies also inspires sophistication on the part of attackers as well, boosting the need for them to use zero-day flaws to convince victims to install malware, researchers noted.
“Due to advancements in security, these actors now more often have to use 0‑day exploits to accomplish their goals,” Stone and Lecigne wrote.
———-
“Before the fix, researchers assert Russian-language threat actors were exploiting the vulnerability in the wild by using LinkedIn Messaging to send government officials from Western European countries malicious links that could collect website-authentication cookies, according to the post by Maddie Stone and Clement Lecigne from Google TAG.”
Russian-language threat actors are behind the big vulnerability found in Safari targeting iPhones, according to Google’s Threat Assessment Group (TAG). Malicious links were sent via the LinkedIn Messaging app to Western European government officials that, when clicked, stole the authentication credentials for sites like Google, Microsoft, LinkedIn, Facebook and Yahoo. The kind of hack that opens the victims up to more hacks, along with any organizations they work for. And the timing of this hacking campaign, which coincided with the ‘Nobelium’ USAID phishing campaign in May against Windows systems that delivered Cobalt Strike, suggests it’s the same actor behind both attacks.
But there’s a more significant technical link between the Safari hacking campaign targeting Western government officials and the USAID phishing campaign: both deployed zero-days. Microsoft reported the deployment of Cobalt Strike in its initial post about the hack [42] but later reported multiple zero-day pieces of malware deployed on the victims’ networks from the USAID attack [42]. That’s the real ‘clue’ tying these two hacks together: it was someone sophisticated enough to have an abundance of zero-day hacks. Except, given the existence of an industry filled with secretive companies like Candiru, it’s not really much of a clue. Numerous actors on the stage have access to cutting-edge zero-days. For all we know the Safari zero-day campaign and the USAID phishing campaign could both be different Candiru customers using ‘Russian language’ features to leave those ‘clues’ for CrowdStrike and others to find:
...
Moreover, the campaign targeting iOS devices coincided with others from the same threat actor—which Microsoft has identified as Nobelium–targeting users on Windows devices to deliver Cobalt Strike, researchers wrote. Security firm Volexity described one of these attacks in a report [153] posted online in May, the researchers added.
...
Also note that the Microsoft zero-day exploits identified in a separate campaign in April targeting Armenian activists are a reference to the same Candiru exploits CitizenLab was reporting on. They aren’t all Microsoft vulnerabilities. Google’s Chrome browser was hit. But we’re hearing about vulnerabilities in Internet Explorer, Office, and some other mystery payload that couldn’t even be recovered initially. That’s a lot of Microsoft holes. It fits the Candiru ‘pattern’:
...
Google researchers also linked three additional zero-day flaws they identified this year to a commercial surveillance vendor, according to Google TAG’s Shane Huntley [154]. Two of those vulnerabilities–CVE-2021–21166 [155] and CVE-2021–30551 [156]—were found in Chrome, and one, tracked as CVE-2021–33742 [157], in Internet Explorer.
CVE-2021–21166 and CVE-2021–30551, two Chrome renderer remote-code execution (RCE) flaws, were identified separately but later believed to be used by the same actor, researchers wrote in the blog. Google researchers discovered the former in February and the latter in June.
“Both of these 0‑days were delivered as one-time links sent by email to the targets, all of whom we believe were in Armenia,” Stone and Lecigne wrote. “The links led to attacker-controlled domains that mimicked legitimate websites related to the targeted users.”
...
All in all, it’s been such a parade of zero-day exploits that we’ve heard about this year hitting Microsoft that it should come as no surprise to learn that, just over midway through this year, there have already been 50 percent more zero-day exploits announced than in the entire year of 2020. That’s triple the pace of 2020, and 2020 was a record year. Why is this happening? Well, more reporting is no doubt a factor. But as the Google security researchers admit, commercial vendors are selling more access to zero-day exploits than they were a decade ago. There are simply many more zero-day pieces of malware in existence and a growing number of actors with the ability to deploy them:
...
All in all, security researchers have identified 33 zero-day flaws [158] so far in 2021, which is 11 more than the total number from 2020, according to the post.
While that trend reflects an increase in the number of these types of vulnerabilities that exist, Google researchers “believe greater detection and disclosure efforts are also contributing to the upward trend,” they wrote.
Still, it’s highly possible that attackers are indeed using more zero-day exploits [159] for a few reasons, researchers noted. One is that the increase and maturation of security technologies and features means attackers also have to level up, which in turn requires more zero-day vulnerabilities [160] for functional attack chains, they said.
The growth of mobile platforms also has resulted in an increase in the number of products that threat actors want to target—hence more reason to use zero-day exploits, researchers observed. Perhaps inspired by this increase in demand, commercial vendors also are selling more access to zero-days than in the early 2010s, they said.
...
We’ve seen a lot of ominous cyber warnings this year. But that stat of zero-days at triple last year’s rate is meta-ominous. It’s like the cyber version of the point in Marvel movies where the universe is on the cusp of exploding. Or imploding. Something really bad.
NSO Group: It’s Not Just a Cybermercenary. It’s a Tool of Israel’s Foreign Policy. A Very Important Tool MBS Covets
A couple of days later, we get our first big NSO Group update of July. The New York Times has a piece giving us a big update on the consequences NSO Group paid over the role its Pegasus software played in the killing of Saudi dissident Jamal Khashoggi. The company did pay a price. Or rather its owners did. Although they actually got paid: following Khashoggi’s killing, NSO Group investigated the Saudis’ use of its software and determined the contract should be canceled. And it was canceled, at which point the full diplomatic nature of these ‘export licenses’ became more apparent. The Israeli government pressured NSO Group to renew the Pegasus contract. When that didn’t happen, the owners sold to a European private equity group and the Saudi subscription to NSO Group’s tools was renewed [10]. At the end of it all, the one party involved with the Jamal Khashoggi killing to pay a price was Khashoggi [54]:
The New York Times
Israeli Companies Aided Saudi Spying Despite Khashoggi Killing
Ignoring concerns that Saudi Arabia was abusing Israeli spyware to crush dissent at home and abroad, Israel encouraged its companies to work with the kingdom.
By Ronen Bergman and Mark Mazzetti
July 17, 2021
TEL AVIV — Israel secretly authorized a group of cyber-surveillance firms to work for the government of Saudi Arabia despite international condemnation of the kingdom’s abuse of surveillance software to crush dissent, even after the Saudi killing of the journalist Jamal Khashoggi, government officials and others familiar with the contracts said.
After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes.
But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.
Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.
The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.
NSO is by far the best known of the Israeli firms, largely because of revelations in the last few years that its Pegasus program was used by numerous governments to spy on [161], and eventually imprison, human rights activists.
NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.
It is not publicly known whether Saudi Arabia used Pegasus or other Israeli-made spyware in the plot to kill Mr. Khashoggi. NSO has denied that its software was used.
Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week [144] of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.
Microsoft, which conducted its investigation in tandem with Citizen Lab, a research institute at the University of Toronto, said Candiru had used malware to exploit a vulnerability in Microsoft products, enabling its government clients to spy on perceived enemies.
Candiru has had at least one contract with Saudi Arabia since 2018.
Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.
A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.
Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license.
If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.
The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.
Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm.
Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.
While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.
Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However, a lawsuit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Saudi Arabia [162] using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.
Over several days in late 2018, executives both of NSO and the private equity firm that owned it at the time, Francisco Partners, met in Washington with the advisory group.
According to several people familiar with the meetings, the NSO executives argued that the Israeli government was strongly encouraging the company to weather the storm and continue its work in Saudi Arabia. They also said that Israeli officials had indicated to them that the Trump administration also wanted NSO’s work with Saudi Arabia to continue.
In the end, NSO management heeded the advice of the outside group and canceled its contracts with Saudi Arabia in late 2018. Mr. Shapiro, the former ambassador to Israel, ended his work for the company shortly afterward.
Months later, however, after another private equity firm bought NSO, the company was once again doing business with Saudi Arabia.
NSO’s new owner, Novalpina, rejected the advice of the outside advisory group and NSO resumed its work in Saudi Arabia in mid-2019. Around that time, Beacon ended its work with NSO.
The new contract with the Saudis came with some restrictions. For example, NSO set up its system to block any attempts by Saudi officials to hack European telephone numbers, according to a person familiar with the programming.
But it is clear that Saudi Arabia has continued to use NSO software to spy on perceived opponents abroad.
In one case that has come to light, three dozen phones belonging to journalists at Al Jazeera, which Saudi Arabia considers a threat, were hacked using NSO’s Pegasus software last year, according to Citizen Lab. Citizen Lab traced 18 of the attacks back to Saudi intelligence.
After the revelation of the attack on Al Jazeera journalists, NSO recently shut down the system, and at a meeting in early July, the company’s board decided to declare new deals with Saudi Arabia off limits, according to a person familiar with the decision.
Israel’s defense ministry is currently fighting lawsuits by Israeli rights activists demanding that it release details about its process for granting the licenses.
The Israeli government also imposes strict secrecy on the companies that receive the licenses, threatening to revoke them if the companies speak publicly about the identity of their clients.
...
These business ties came as Israel was quietly building relationships directly with the Saudi government.
Benjamin Netanyahu, then Israel’s prime minister, met several times with Saudi Arabia’s day-to-day ruler, Crown Prince Mohammed bin Salman, and military and intelligence leaders of the two countries meet frequently.
While Saudi Arabia was not officially party to the Abraham Accords — the diplomatic initiatives during the end of the Trump administration normalizing relations between Israel and several Arab countries — Saudi leaders worked behind the scenes to help broker the deals.
————–
“The fact that Israel’s government has encouraged its private companies to do security work for the kingdom — one of its historic adversaries and a nation that still does not formally recognize Israel — is yet more evidence of the reordering of traditional alliances in the region and the strategy by Israel and several Persian Gulf countries to join forces to isolate Iran.”
It wasn’t just a national security tool. Pegasus was effectively being used as a diplomatic tool. A diplomatic tool to help bring Saudi Arabia and other Persian Gulf neighbors into an alliance against Iran. Which, we’ll recall, was the meta-theme throughout the #TrumpRussia adventures involving Michael Flynn, Erik Prince, Michael Cohen, and the Saudi/UAE scheme to build nuclear power plants across the Middle East (except for Iran) [12]. The security relationship between the US, Israel, Saudi Arabia, and the UAE got a lot deeper over the last decade and it’s hard to avoid suspicions that sharing access to super spyware tools like NSO Group’s Pegasus was part of that deepening relationship. Just look at the language the Israeli Defense Ministry used when describing the process that goes into approving one of these licenses: “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology. That’s one way to put it:
...
Israel insists that if any Israeli spyware were used to violate civil rights that it would revoke the company’s license.
If the Defense Ministry “discovers that the purchased item is being used in contravention of the terms of the license, especially after any violation of human rights, a procedure of cancellation of the defense export license or of enforcing its terms is initiated,” the ministry said in a statement in response to questions from The New York Times.
The ministry declined to respond to specific questions about the licenses it gave to the Israeli firms, but said that “a wide range of security, diplomatic and strategic considerations are taken into account” when considering whether to grant a license to export offensive cyber technology.
...
And as we saw, NSO Group isn’t the only company with hacking tools the Israeli government was licensing to Saudi Arabia at this time. One company, Quadream, even signed its contract with Saudi Arabia after Khashoggi’s killing. So when NSO Group claims that it canceled the Saudi contracts in the wake of the Khashoggi killing but was then encouraged by the Israeli government to continue working with Saudi Arabia, it’s not an implausible scenario. The licensing of cutting-edge hacking tools is clearly part of the Israeli diplomatic playbook. Which isn’t a surprise. It’s a powerful diplomatic tool. Crazy dangerous, but powerful:
...
After the murder of Mr. Khashoggi in 2018, one of the firms, NSO Group, canceled its contracts with Saudi Arabia amid accusations that its hacking tools were being misused to abet heinous crimes.
But the Israeli government encouraged NSO and two other companies to continue working with Saudi Arabia, and issued a new license for a fourth to do similar work, overriding any concerns about human rights abuses, according to one senior Israeli official and three people affiliated with the companies.
Since then, Saudi Arabia has continued to use the spyware to monitor dissidents and political opponents.
...
NSO sold Pegasus to Saudi Arabia in 2017. The kingdom used the spyware as part of a ruthless campaign to crush dissent inside the kingdom and to hunt down Saudi dissidents abroad.
...
Israel’s Ministry of Defense also licensed for Saudi work a company called Candiru, which Microsoft accused last week [144] of helping its government clients spy on more than 100 journalists, politicians, dissidents and human rights advocates around the world.
...
Israel has also granted licenses to at least two other firms, Verint, which was licensed before the Khashoggi killing, and Quadream, which signed a contract with Saudi Arabia after the killing.
A fifth company, Cellebrite, which manufactures physical hacking systems for mobile phones, has also sold its services to the Saudi government, but without ministry approval, according to the newspaper Haaretz.
...
The Israeli government also imposes strict secrecy on the companies that receive the licenses, threatening to revoke them if the companies speak publicly about the identity of their clients.
...
But, again, the sale of this kind of super-hacking software to governments around the world probably wasn’t just an Israeli government project. The US government would almost surely have been involved in giving its approval, if only informally. So we shouldn’t be surprised to learn NSO Group hired DC-based Beacon Global Strategies — led by US national security community figureheads like Jeremy Bash — to effectively give its blessing to NSO Group’s more controversial clients. The picture that emerges from the various accounts of NSO Group’s internal deliberations is one where NSO Group wanted to drop the contract but felt it was effectively being asked by the Israeli government and the Trump administration to continue the Saudi contract:
...
Revelations about the abuses of NSO products led the company to hire a group of outside consultants in 2018 to provide advice about which new clients NSO should take on and which to avoid. The group included Daniel Shapiro, the former Obama administration ambassador to Israel, and Beacon Global Strategies, a Washington strategic consulting firm.
Beacon is led by Jeremy Bash, a former C.I.A. and Pentagon chief of staff; Michael Allen, a former staff director for the House Intelligence Committee; and Andrew Shapiro, a former top State Department official.
While the group’s mandate was to vet potential new clients, the international outrage over Mr. Khashoggi’s killing in October 2018 led the group to advise NSO to cancel its Saudi contracts and shut down NSO systems in the kingdom.
Separately, NSO conducted an internal investigation into whether any of its tools were used by Saudi officials for the Khashoggi operation and concluded that they were not. However, a lawsuit against NSO by a friend of Mr. Khashoggi’s claims that his phone had been hacked by Saudi Arabia [162] using Pegasus, and that hack gave Saudi officials access to his conversations with Mr. Khashoggi, including communications about opposition projects.
Over several days in late 2018, executives both of NSO and the private equity firm that owned it at the time, Francisco Partners, met in Washington with the advisory group.
According to several people familiar with the meetings, the NSO executives argued that the Israeli government was strongly encouraging the company to weather the storm and continue its work in Saudi Arabia. They also said that Israeli officials had indicated to them that the Trump administration also wanted NSO’s work with Saudi Arabia to continue.
...
And then, at the end of all that consulting about what to do about its Saudi contract, NSO Group canceled the contract. Months later the company is sold to a new private equity group [10] and the contract is re-opened. The commitment on behalf of the Israeli government and Trump administration to providing Saudi Arabia with these hacking tools was so intense that NSO Group somehow found a new owner who was open to that Saudi contract:
...
In the end, NSO management heeded the advice of the outside group and canceled its contracts with Saudi Arabia in late 2018. Mr. Shapiro, the former ambassador to Israel, ended his work for the company shortly afterward.
Months later, however, after another private equity firm bought NSO, the company was once again doing business with Saudi Arabia.
NSO’s new owner, Novalpina, rejected the advice of the outside advisory group and NSO resumed its work in Saudi Arabia in mid-2019. Around that time, Beacon ended its work with NSO.
The new contract with the Saudis came with some restrictions. For example, NSO set up its system to block any attempts by Saudi officials to hack European telephone numbers, according to a person familiar with the programming.
But it is clear that Saudi Arabia has continued to use NSO software to spy on perceived opponents abroad.
...
It’s worth keeping in mind that it’s possible Saudi Arabia was tasked with a role similar to the one Israel has long played in the Western alliance: spying on other Western allies. Might that be part of the reason Israel and the US were insistent that Saudi Arabia get access to these tools? Outsourcing the outsourced ally-spying? Perhaps.
It’s also possible the Saudis were making access to NSO Group tools a requirement for the broader Middle East peace plan the Trump administration and Jared Kushner were working on [163], and that this story reflects the unusual circumstances under which the US and Israel acquiesced to those demands. But these aren’t normal demands. These are tools approaching NSA and GCHQ capabilities in many respects. It’s hard to imagine the US and Israel casually giving this kind of power away, even to a long-standing military ally like Saudi Arabia. That’s part of why questions about deeper intelligence-sharing pacts and/or illicit quid-pro-quo spying arrangements are so intriguing in this story. NSO Group was peddling digital nuclear weapons. That couldn’t have been treated lightly by the US and Israel. And yet 40 or so governments got their hands on these digital nuclear weapons. What kind of arrangements were made to ensure the inevitable abuses of these tools don’t target US and Israeli interests? A promise not to abuse them? It’s a massive question looming over this story (and the answers point towards little more than promises).
NSO Group’s Worst Nightmare: Sunshine. Lots of Sunshine on Its Shady Activities from Forbidden Stories and Amnesty International
A day after that explosive NY Times report, the Washington Post brings us a write-up of a huge new investigation released by Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, based on thousands of leaked phone numbers that were purportedly the target phone numbers of NSO Group’s feared Pegasus spyware. Phone numbers that, as we’ll see, include major world leaders like Emmanuel Macron. And if those thousands of numbers really are an accurate target list, it was rampant abuse, with activists and rival politicians frequently on the target list. There’s also a new unstoppable zero-day exploit that worked simply by sending an SMS text message or iMessage to smartphones. 60 government agencies in 40 countries were allowed to buy subscriptions to the software and, again, they policed themselves. It started with Mexico getting a subscription in 2011. So the Pegasus super spyware has been sold for a decade now to a growing list of government agencies. Those unlucky Armenian activists had a lot of company.
What is NSO Group’s response to this report? To point out that it’s up to the governments to decide who gets targeted and NSO Group doesn’t know. And while that may not be the best response to the criticism, since it’s more or less an admission the abuse allegations are likely true, it’s an entirely plausible response. NSO Group’s tools are probably entirely controlled by the governments who buy these subscriptions. It’s absurd to expect governments to hand information like their intelligence targets over to NSO Group. That’s part of what’s so scandalous about this industry supplying super-spyware to governments: it’s hard to imagine a scenario where meaningful oversight is possible. It’s an industry built for unchecked secrecy by the clients and that’s an industry built for abuse.
And yet we are told there are geolocation restrictions on the software and US-based smartphones can’t be targeted by NSO Group’s tools. The phone number list in the report appears to bear that out. So there is some degree of oversight, solely based on location. But that’s it. All other oversight is up to the client, hence all the activists, journalists, and political opponent phone numbers that show up on the target list [56]:
The Washington Post
Private Israeli spyware used to hack cellphones of journalists, activists worldwide
NSO Group’s Pegasus spyware, licensed to governments around the globe, can infect phones without a click
By Dana Priest, Craig Timberg and Souad Mekhennet
Updated July 18 at 8:15 p.m. Originally published July 18, 2021
Military-grade spyware licensed by an Israeli firm to governments for tracking terrorists and criminals was used in attempted and successful hacks of 37 smartphones belonging to journalists, human rights activists, business executives and two women close to murdered Saudi journalist Jamal Khashoggi, according to an investigation by The Washington Post and 16 media partners.
The phones appeared on a list of more than 50,000 numbers that are concentrated in countries known to engage in surveillance of their citizens and also known to have been clients of the Israeli firm, NSO Group, a worldwide leader in the growing and largely unregulated private spyware industry, the investigation found.
The list does not identify who put the numbers on it, or why, and it is unknown how many of the phones were targeted or surveilled. But forensic analysis of the 37 smartphones shows that many display a tight correlation between time stamps associated with a number on the list and the initiation of surveillance, in some cases as brief as a few seconds.
Forbidden Stories, a Paris-based journalism nonprofit, and Amnesty International, a human rights group, had access to the list and shared it with the news organizations, which did further research and analysis. Amnesty’s Security Lab did the forensic analyses on the smartphones.
The numbers on the list are unattributed, but reporters were able to identify more than 1,000 people spanning more than 50 countries through research and interviews on four continents: several Arab royal family members, at least 65 business executives, 85 human rights activists, 189 journalists, and more than 600 politicians and government officials — including cabinet ministers, diplomats, and military and security officers. The numbers of several heads of state and prime ministers also appeared on the list.
Among the journalists whose numbers appear on the list, which dates to 2016, are reporters working overseas for several leading news organizations, including a small number from CNN, the Associated Press, Voice of America, the New York Times, the Wall Street Journal, Bloomberg News, Le Monde in France, the Financial Times in London and Al Jazeera in Qatar.
The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.
The media consortium, titled the Pegasus Project, analyzed the list through interviews and forensic analysis of the phones, and by comparing details with previously reported information about NSO. Amnesty’s Security Lab examined 67 smartphones where attacks were suspected. Of those, 23 were successfully infected and 14 showed signs of attempted penetration.
For the remaining 30, the tests were inconclusive, in several cases because the phones had been replaced. Fifteen of the phones were Android devices, none of which showed evidence of successful infection. However, unlike iPhones, Androids do not log the kinds of information required for Amnesty’s detective work. Three Android phones showed signs of targeting, such as Pegasus-linked SMS messages.
Amnesty shared backup copies of data on four iPhones with Citizen Lab, which confirmed that they showed signs of Pegasus infection. Citizen Lab, a research group at the University of Toronto that specializes in studying Pegasus, also conducted a peer review of Amnesty’s forensic methods [164] and found them to be sound.
In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless [165]. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.
After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.
“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.
“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”
NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.
Forbidden Stories organized the media consortium’s investigation, and Amnesty provided analysis and technical support but had no editorial input. Amnesty has openly criticized NSO’s spyware business and supported an unsuccessful lawsuit against the company in an Israeli court seeking to have its export license revoked. After the investigation began, several reporters in the consortium learned that they or their family members had been successfully attacked with Pegasus spyware.
Beyond the personal intrusions made possible by smartphone surveillance, the widespread use of spyware has emerged as a leading threat to democracies worldwide, critics say. Journalists under surveillance cannot safely gather sensitive news without endangering themselves and their sources. Opposition politicians cannot plot their campaign strategies without those in power anticipating their moves. Human rights workers cannot work with vulnerable people — some of whom are victims of their own governments — without exposing them to renewed abuse.
For example, Amnesty’s forensics found evidence that Pegasus was targeted at the two women closest to Saudi columnist Khashoggi [166], who wrote for The Post’s Opinions section. The phone of his fiancee, Hatice Cengiz, was successfully infected during the days after his murder in Turkey on Oct. 2, 2018, according to a forensic analysis by Amnesty’s Security Lab. Also on the list were the numbers of two Turkish officials involved in investigating his dismemberment by a Saudi hit team. Khashoggi also had a wife, Hanan Elatr, whose phone was targeted by someone using Pegasus in the months before his killing. Amnesty was unable to determine whether the hack was successful.
“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”
In response to detailed questions from the consortium before publication, NSO said in a statement [165] that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”
The company denied that its technology was used against Khashoggi, or his relatives or associates.
...
Thomas Clare, a libel attorney hired by NSO, said that the consortium had “apparently misinterpreted and mischaracterized crucial source data on which it relied” and that its reporting contained flawed assumptions and factual errors.
“NSO Group has good reason to believe that this list of ‘thousands of phone numbers’ is not a list of numbers targeted by governments using Pegasus, but instead, may be part of a larger list of numbers that might have been used by NSO Group customers for other purposes,” Clare wrote.
In response to follow-up questions, NSO called the 50,000 number “exaggerated” and said it was far too large to represent numbers targeted by its clients. Based on the questions it was being asked, NSO said, it had reason to believe that the consortium was basing its findings “on misleading interpretation of leaked data from accessible and overt basic information, such as HLR Lookup services, which have no bearing on the list of the customers targets of Pegasus or any other NSO products … we still do not see any correlation of these lists to anything related to use of NSO Group technologies.”
The term HLR, or Home Location Register, refers to a database that is essential to operating cellular phone networks. Such registers keep records on the networks of cellphone users and their general locations, along with other identifying information that is used routinely in routing calls and texts. HLR lookup services operate on the SS7 system that cellular carriers use to communicate with each other. The services can be used as a step toward spying on targets.
Telecommunications security expert Karsten Nohl, chief scientist for Security Research Labs in Berlin, said that he does not have direct knowledge of NSO’s systems but that HLR lookups and other SS7 queries are widely and inexpensively used by the surveillance industry — often for just tens of thousands of dollars a year.
“It’s not difficult to get that access. Given the resources of NSO, it’d be crazy to assume that they don’t have SS7 access from at least a dozen countries,” Nohl said. “From a dozen countries, you can spy on the rest of the world.”
Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.
“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”
The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.
“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”
...
Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.
Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.
“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.
That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.
The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
Many countries have laws pertaining to traditional wiretapping and interception of communications, but few have effective safeguards against deeper intrusions made possible by hacking into smartphones. “This is more devious in a sense because it really is no longer about intercepting communications and overhearing conversation. … This covers all of them and goes way beyond that,” Guarnieri said. “It has raised a lot of questions from not only human rights, but even national constitutional laws as to is this even legal?”
Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”
...
‘What a question!’
Some expressed outrage even at the suggestion of spying on journalists.
A reporter for the French daily Le Monde working on the Pegasus Project recently posed such a question to Hungarian Justice Minister Judit Varga during an interview about the legal requirements for eavesdropping:
“If someone asked you to tape a journalist or an opponent, you wouldn’t accept this?”
“What a question!” Varga responded. “This is a provocation in itself!” A day later, her office requested that this question and her answer to it “be erased” from the interview.
In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.
“Terror organizations, drug cartels, human traffickers, pedophile rings and other criminal syndicates today exploit off-the-shelf encryption capabilities offered by mobile messaging and communications applications.
“These technologies provide criminals and their networks a safe haven, allowing them to ‘go dark’ and avoid detection, communicating through impenetrable mobile messaging systems. Law enforcement and counterterrorism state agencies around the world have struggled to keep up.”
NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.
“Pegasus is very useful for fighting organized crime,” said Guillermo Valdes Castellanos, head of Mexico’s domestic intelligence agency CISEN from 2006 to 2011. “But the total lack of checks and balances [in Mexican agencies] means it easily ends up in private hands and is used for political and personal gain.”
Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.
In 2016 and 2017, more than 15,000 Mexicans appeared on the list examined by the media consortium, among them at least 25 reporters working for the country’s major media outlets, according to the records and interviews.
One of them was Carmen Aristegui, one of the most prominent investigative journalists in the country and a regular contributor to CNN. Aristegui, who is routinely threatened for exposing the corruption of Mexican politicians and cartels, was previously revealed as a Pegasus target in several media reports. At the time, she said in a recent interview, her producer was also targeted. The new records and forensics show that Pegasus links were detected on the phone of her personal assistant.
“Pegasus is something that comes to your office, your home, your bed, every corner of your existence,” Aristegui said. “It is a tool that destroys the essential codes of civilization.”
Unlike Aristegui, freelance reporter Cecilio Pineda was unknown outside his violence-wracked southern state of Guerrero. His number appears twice on the list of 50,000. A month after the second listing, he was gunned down while lying in a hammock at a carwash while waiting for his car. It is unclear what role, if any, Pegasus’s ability to geolocate its targets in real time contributed to his murder. Mexico is among the deadliest countries for journalists; 11 were killed in 2017, according to Reporters Without Borders.
“Even if Forbidden Stories were correct that an NSO Group client in Mexico targeted the journalist’s phone number in February 2017, that does not mean that the NSO Group client or data collected by NSO Group software were in any way connected to the journalist’s murder the following month,” Clare, NSO’s lawyer, wrote in his letter to Forbidden Stories. “Correlation does not equal causation, and the gunmen who murdered the journalist could have learned of his location at a public carwash through any number of means not related to NSO Group, its technologies, or its clients.”
Mexico’s Public Security Ministry acknowledged last year that the domestic intelligence agency, CISEN, and the attorney general’s office acquired Pegasus in 2014 and discontinued its use in 2017 when the license expired. Mexican media have also reported that the Defense Ministry used the spyware.
Snowden’s legacy
Today’s thriving international spyware industry dates back decades but got a boost after the unprecedented 2013 disclosure of highly classified National Security Agency documents by contractor Edward Snowden. They revealed that the NSA could obtain the electronic communications of almost anyone [167] because it had secret access to the transnational cables carrying Internet traffic worldwide and data from Internet companies such as Google and giant telecommunications companies such as AT&T.
Even U.S. allies in Europe were shocked by the comprehensive scale of the American digital spying, and many national intelligence agencies set out to improve their own surveillance abilities. For-profit firms staffed with midcareer retirees from intelligence agencies saw a lucrative market-in-waiting free from the government regulations and oversight imposed on other industries.
The dramatic expansion of end-to-end encryption by Google, Microsoft, Facebook, Apple and other major technology firms also prompted law enforcement and intelligence officials to complain they had lost access to the communications of legitimate criminal targets. That in turn sparked more investment in technologies, such as Pegasus, that worked by targeting individual devices.
“When you build a building, you want to make sure the building holds up, so we follow certain protocols,” said Ido Sivan-Sevilla, an expert on cyber governance at the University of Maryland. By promoting the sale of unregulated private surveillance tools, “we encourage building buildings that can be broken into. We are building a monster. We need an international norms treaty that says certain things are not okay.”
Without international standards and rules, there are secret deals between companies like NSO and the countries they service.
The unfettered use of a military-grade spyware such as Pegasus can help governments to suppress civic activism at a time when authoritarianism is on the rise worldwide. It also gives countries without the technical sophistication of such leading nations as the United States, Israel and China the ability to conduct far deeper digital cyberespionage than ever before.
‘Your body stops functioning’
Azerbaijan, a longtime ally of Israel, has been identified as an NSO client by Citizen Lab and others. The country is a family-run kleptocracy with no free elections, no impartial court system and no independent news media. The former Soviet territory has been ruled since the Soviet Union collapsed 30 years ago by the Aliyev family, whose theft of the country’s wealth and money-laundering schemes abroad have resulted in foreign embargoes, international sanctions and criminal indictments.
Despite the difficulties, roughly three dozen Azerbaijani reporters continue to document the family’s corruption. Some are hiding inside the country, but most were forced into exile where they are not so easy to capture. Some work for the Prague-based, U.S.-funded Radio Free Europe/Radio Liberty, which was kicked out of the country in 2015 for its reporting. The others work for an investigative reporting nonprofit called the Organized Crime and Corruption Reporting Project, which is based in Sarajevo, the Bosnian capital, and is one of the partners in the Pegasus Project.
The foremost investigative reporter in the region is Khadija Ismayilova, whom the regime has worked for a decade to silence: It planted a secret camera in her apartment wall, took videos of her having sex with her boyfriend and then posted them on the Internet in 2012; she was arrested in 2014, tried and convicted on trumped-up tax-evasion and other charges, and held in prison cells with hardened criminals. After global outrage and the high-profile intervention of human rights attorney Amal Clooney, she was released in 2016 and put under a travel ban.
“It is important that people see examples of journalists who do not stop because they were threatened,” Ismayilova said in a recent interview. “It’s like a war. You leave your trench, then the attacker comes in. … You have to keep your position, otherwise it will be taken and then you will have less space, less space, the space will be shrinking and then you will find it hard to breathe.”
Last month, her health failing, she was allowed to leave the country. Colleagues arranged to test her smartphone immediately. Forensics by Security Lab determined that Pegasus had attacked and penetrated her device numerous times from March 2019 to as late as May of this year.
She had assumed some kind of surveillance, Ismayilova said, but was still surprised at the number of attacks. “When you think maybe there’s a camera in the toilet, your body stops functioning,” she said. “I went through this, and for eight or nine days I could not use the toilet, anywhere, not even in public places. My body stopped functioning.”
She stopped communicating with people because whoever she spoke with ended up harassed by security services. “You don’t trust anyone, and then you try not to have any long-term plans with your own life because you don’t want any person to have problems because of you.”
Confirmation of the Pegasus penetration galled her. “My family members are also victimized. The sources are victimized. People I’ve been working with, people who told me their private secrets are victimized,” she said. “It’s despicable. … I don’t know who else has been exposed because of me, who else is in danger because of me.”
Is the minister paranoid or sensible?
The fear of widespread surveillance impedes the already difficult mechanics of civic activism.
“Sometimes, that fear is the point,” said John Scott-Railton, a senior researcher at Citizen Lab, who has researched Pegasus extensively. “The psychological hardship and the self-censorship it causes are key tools of modern-day dictators and authoritarians.”
When Siddharth Varadarajan, co-founder of the Wire, an independent online outlet in India, learned that Security Lab’s analysis showed that his phone had been targeted and penetrated by Pegasus, his mind immediately ran through his sensitive sources. He thought about a minister in Prime Minister Narendra Modi’s government who had displayed an unusual concern about surveillance when they met.
The minister first moved the meeting from one location to another at the last moment, then switched off his phone and told Varadarajan to do the same.
Then “the two phones were put in a room and music was put on in that room … and I thought: ‘Boy, this guy is really paranoid. But maybe he was being sensible,’ ” Varadarajan said in a recent interview.
When forensics showed his phone had been penetrated, he knew the feeling himself. “You feel violated, there’s no doubt about it,” he said. “This is an incredible intrusion, and journalists should not have to deal with this. Nobody should have to deal with this.”
————-
“The targeting of the 37 smartphones would appear to conflict with the stated purpose of NSO’s licensing of the Pegasus spyware, which the company says is intended only for use in surveilling terrorists and major criminals. The evidence extracted from these smartphones, revealed here for the first time, calls into question pledges by the Israeli company to police its clients for human rights abuses.”
It’s long been justifiably suspected that NSO Group doesn’t actually have safeguards in place to ensure its unstoppable hacking software isn’t being abused by its government clients. Dozens and dozens of government clients. But if the analysis of the lists of targeted phones and forensic analysis of a number of those phones by Forbidden Stories and Amnesty International is correct, we have that evidence. NSO Group’s Pegasus software has been wildly abused by its government clients. Because of course it was. You couldn’t give dozens of governments around the world super hacking tools and not expect them to target activists, journalists, academics, and other governments.
How much abuse has taken place? We don’t know. And if we believe NSO Group, they don’t really know either. The company says it doesn’t operate the software for its clients and “has no insight” into their specific intelligence activities. That’s what the company itself is claiming in its defense: it doesn’t know how its software is actually used. That’s 60 intelligence, military and law enforcement agencies in 40 countries operating under that see-no-evil-because-we-are-blind oversight from the vendor.
And yet the company defends itself by pointing out how it terminated two contracts over allegations of abuses in the last 12 months. Note the term “allegations”. Not “investigation” or “routine audit”. The contracts were canceled after allegations. Against Saudi Arabia and Dubai. So NSO defended itself against charges that it was allowing its clients to abuse its software by pointing out that it canceled Saudi Arabia’s and Dubai’s contracts due to human rights concerns. Concerns obviously tied to the assassination of Jamal Khashoggi and all of the public scrutiny NSO received as a result. It’s not exactly proactive oversight:
...
In lengthy responses before publication, NSO called the investigation’s findings exaggerated and baseless [165]. It also said it does not operate the spyware licensed to its clients and “has no insight” into their specific intelligence activities.
After publication, NSO chief executive Shalev Hulio expressed concern in a phone interview with The Post about some of the details he had read in Pegasus Project stories Sunday, while continuing to dispute that the list of more than 50,000 phone numbers had anything to do with NSO or Pegasus.
“The company cares about journalists and activists and civil society in general,” Hulio said. “We understand that in some circumstances our customers might misuse the system and, in some cases like we reported in [NSO’s] Transparency and Responsibility Report, we have shut down systems for customers who have misused the system.”
He said that in the past 12 months NSO had terminated two contracts over allegations of human rights abuses, but he declined to name the countries involved.
“Every allegation about misuse of the system is concerning me,” he said. “It violates the trust that we give customers. We are investigating every allegation.”
NSO describes its customers as 60 intelligence, military and law enforcement agencies in 40 countries, although it will not confirm the identities of any of them, citing client confidentiality obligations. The consortium found many of the phone numbers in at least 10 country clusters, which were subjected to deeper analysis: Azerbaijan, Bahrain, Hungary, India, Kazakhstan, Mexico, Morocco, Rwanda, Saudi Arabia and the United Arab Emirates. Citizen Lab also has found evidence that all 10 have been clients of NSO, according to Bill Marczak, a senior research fellow.
...
“This is nasty software — like eloquently nasty,” said Timothy Summers, a former cybersecurity engineer at a U.S. intelligence agency and now director of IT at Arizona State University. With it “one could spy on almost the entire world population. … There’s not anything wrong with building technologies that allows you to collect data; it’s necessary sometimes. But humanity is not in a place where we can have that much power just accessible to anybody.”
In response to detailed questions from the consortium before publication, NSO said in a statement [165] that it did not operate the spyware it licensed to clients and did not have regular access to the data they gather. The company also said its technologies have helped prevent attacks and bombings and broken up rings that trafficked in drugs, sex and children. “Simply put, NSO Group is on a life-saving mission, and the company will faithfully execute this mission undeterred, despite any and all continued attempts to discredit it on false grounds,” NSO said. “Your sources have supplied you with information that has no factual basis, as evidenced by the lack of supporting documentation for many of the claims.”
...
Clare, NSO’s attorney, attacked the forensic examinations as “a compilation of speculative and baseless assumptions” built on assumptions based on earlier reports. He also said, “NSO does not have insight into the specific intelligence activities of its customers.”
...
In the past, NSO has blamed its client countries for any alleged abuses. NSO released its first “Transparency and Responsibility Report” last month, arguing that its services are essential to law enforcement and intelligence agencies trying to keep up with the 21st century.
...
NSO also said it conducts rigorous reviews of potential customers’ human rights records before contracting with them and investigates reports of abuses, although it did not cite any specific cases. It asserted that it has discontinued contracts with five clients for documented violations and that the company’s due diligence has cost it $100 million in lost revenue. A person familiar with NSO operations who spoke on the condition of anonymity to discuss internal company matters noted that in the last year alone NSO had terminated contracts with Saudi Arabia and Dubai in the United Arab Emirates over human rights concerns.
...
Mexico was NSO’s first overseas client in 2011, less than a year after the firm was founded in Israel’s Silicon Valley, in northern Tel Aviv.
...
But then there’s the NSO Group’s more legitimate excuse for selling this kind of powerful software to governments known for human rights abuses: the Israeli Defense Ministry has to approve of the NSO Group’s contracts. Beyond that, NSO Group claims its software cannot be used on US-based phones, raising questions about whether or not the US government was also tacitly giving its approval for these contracts:
...
Pegasus was engineered a decade ago by Israeli ex-cyberspies with government-honed skills. The Israeli Defense Ministry must approve any license to a government that wants to buy it, according to previous NSO statements.
“As a matter of policy, the State of Israel approves the export of cyber products exclusively to governmental entities, for lawful use, and only for the purpose of preventing and investigating crime and counterterrorism, under end-use/end user certificates provided by the acquiring government,” a spokesperson for the Israeli defense establishment said Sunday. “In cases where exported items are used in violation of export licenses or end-use certificates, appropriate measures are taken.”
The numbers of about a dozen Americans working overseas were discovered on the list, in all but one case while using phones registered to foreign cellular networks. The consortium could not perform forensic analysis on most of these phones. NSO has said for years that its product cannot be used to surveil American phones. The consortium did not find evidence of successful spyware penetration on phones with the U.S. country code.
“We also stand by our previous statements that our products, sold to vetted foreign governments, cannot be used to conduct cybersurveillance within the United States, and no customer has ever been granted technology that would enable them to access phones with U.S. numbers,” the company said in its statement. “It is technologically impossible and reaffirms the fact your sources’ claims have no merit.”
...
But the biggest revelation in this story is the nature of the NSO Group exploits being sold with the Pegasus system: “zero-click” exploits that quietly deliver spyware simply by sending a message to the target’s phone. That is effectively an unstoppable attack. So NSO Group was selling unstoppable exploits that could target any smartphone in the world — with the possible exception of US phones if we believe the company’s assurances — to over 40 different governments around the world, starting in 2011 with the contract with Mexico. And as this investigation revealed, those unstoppable exploits were widely used by these governments for far more than just law enforcement and terrorism cases. That is a massive revelation, in part because it means governments around the world have been empowered to secretly hack each other for years now. But this wasn’t exactly a new revelation. We learned back in May 2019 about NSO Group’s unstoppable exploit that could infect a phone simply by calling it over the WhatsApp calling feature. The exploit worked even when victims didn’t answer the call [168]. So the existence of ‘zero-click’ exploits isn’t exactly a new revelation, but it sounds like that WhatsApp exploit was far from the only one. They’ve figured out how to do it with SMS text messages or iMessages too. That covers basically every smartphone, whether you have WhatsApp on it or not:
...
Some Pegasus intrusion techniques detailed in a 2016 report were changed in a matter of hours after they were made public, underscoring NSO’s ability to adapt to countermeasures.
Pegasus is engineered to evade defenses on iPhones and Android devices and to leave few traces of its attack. Familiar privacy measures like strong passwords and encryption offer little help against Pegasus, which can attack phones without any warning to users. It can read anything on a device that a user can, while also stealing photos, recordings, location records, communications, passwords, call logs and social media posts. Spyware also can activate cameras and microphones for real-time surveillance.
“There is just nothing from an encryption standpoint to protect against this,” said Claudio Guarnieri, a.k.a. “Nex,” the Amnesty Security Lab’s 33-year-old Italian researcher who developed and performed the digital forensics on 37 smartphones that showed evidence of Pegasus attacks.
That sense of helplessness makes Guarnieri, who often dresses head-to-toe in black, feel as useless as a 14th-century doctor confronting the Black Plague without any useful medication. “Primarily I’m here just to keep the death count,” he said.
The attack can begin in different ways. It can come from a malicious link in an SMS text message or an iMessage. In some cases, a user must click on the link to start the infection. In recent years, spyware companies have developed what they call “zero-click” attacks, which deliver spyware simply by sending a message to a user’s phone that produces no notification. Users do not even need to touch their phones for infections to begin.
...
Unstoppable zero-day attacks and zero oversight. What could possibly go wrong?
Forget All Those NSO Group and Candiru Stories: The US and Western Allies Accuse China of the Microsoft Exchange Hack
So how are governments responding to this string of devastating reports? First Candiru’s zero-day malware gets exposed being used against activists around the world. Then NSO Group is revealed to be the cyber equivalent of a nuclear mercenary. And a diplomatic tool. It was a rough week of reporting on the “commercial surveillance” cyber industry. A lot of tough questions were raised. And we got our answer one day after the Washington Post’s report: the US and Western allies were finally formally accusing China of being behind the Microsoft Exchange hack first disclosed back in March. It was great timing.
And as we’ll see in the next article excerpt about the public accusations by the US and its allies against China’s Ministry of State Security (MSS), China isn’t just accused of tolerating smash-and-grab raids. The MSS-backed hacker groups are also accused of running ransomware attacks for their own personal profit. So the hacker groups accused of carrying out the Microsoft Exchange hack and other hacks attributed to China are also said to be engaging in the kind of cyber-extortion and ransomware schemes, run for their own profit, that are traditionally associated with ordinary cyber criminals. That’s the evolving narrative in the face of evidence that the Microsoft Exchange hack was really many hacks involving multiple criminal groups on a rampant spree, groups that also run cyber-extortion schemes: they were Chinese state-backed hackers who also run private extortive criminal hacks on the side, because China’s government decided to hand zero-day exploits to groups that then took those exploits and went on a global hacking spree. The Chinese government endorsed, or at least tolerated, that dramatic escalation. No longer espionage but global smash-and-grab sprees. That’s the new narrative. A narrative that is evolving in the face of evidence that the people carrying out these mega-hacks are acting like traditional hackers and not state-backed, espionage-focused groups.
Recall [35] how the known timeline of the Exchange hack is that it started on January 3 (Volexity’s first detected use of the zero-day exploit by “Hafnium”). It was January 6, during the Capitol Insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2. At that point, multiple groups went on a global race to hit every unpatched server connected to the internet. So given that timeline, it’s likely that the groups that went on the race following the patch are the ones with a criminal, for-profit track record. And we are to assume “Hafnium”, a state-backed Chinese hacker group, handed this zero-day exploit over to these groups and gave its blessing to the global smash-and-grab. Which, if true, really would be a dramatic escalation in hacks from China. It’s the “if true” part that’s the catch. Notice how no one even bothers to provide a pretense of evidence for any of these claims.
Amusingly, the governments making these accusations against China hadn’t quite gotten their stories straight. Because as we just saw, much of the ostensible alarm over these accusations is that they signify a shift from quiet espionage to in-your-face smash-and-grab raids by Chinese state-backed hackers. And yet, as we’ll see, U.K. Foreign Secretary Dominic Raab described the attack as “a reckless but familiar pattern of behaviour” by Chinese state-backed groups. So what is it? New reckless behavior? Or familiar reckless behavior? That part of the narrative has yet to be decided. But this was what major Western governments were talking about a day after that NSO Group report: China [58]:
Associated Press
Microsoft Exchange hack caused by China, US and allies say
By ERIC TUCKER
July 19, 2021
WASHINGTON (AP) — The Biden administration and Western allies formally blamed China on Monday for a massive hack of Microsoft Exchange email server software [169] and asserted that criminal hackers associated with the Chinese government have carried out ransomware and other illicit cyber operations.
The announcements, though not accompanied by sanctions against the Chinese government, were intended as a forceful condemnation of activities a senior Biden administration official described as part of a “pattern of irresponsible behavior in cyberspace.” They highlighted the ongoing threat from Chinese hackers even as the administration remains consumed with trying to curb ransomware attacks from Russia-based syndicates that have targeted critical infrastructure.
The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack [170] from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S officials also alleged that criminal contract hackers associated with China’s Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.
Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the MSS in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.
Unlike in April, when public finger-pointing of Russian hacking [171] was paired with a raft of sanctions against Moscow, the Biden administration did not announce any actions against Beijing. Nonetheless, a senior administration official who briefed reporters said that the U.S. has confronted senior Chinese officials and that the White House regards the multination shaming as sending an important message, even if no single action can change behavior.
President Joe Biden told reporters “the investigation’s not finished,” and White House press secretary Jen Psaki did not rule out future consequences for China, saying, “This is not the conclusion of our efforts as it relates to cyber activities with China or Russia.”
Even without fresh sanctions, Monday’s actions are likely to exacerbate tensions with China at a delicate time. Just last week, the U.S. issued separate stark warnings against transactions with entities that operate in China’s western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities.
...
The European Union and Britain were among the allies who called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.
In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”
The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.
NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”
That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”
A spokesperson for the Chinese Embassy in Washington, Liu Pengyu, said in a statement that the “U.S. has repeatedly made groundless attacks and malicious smear against China on cybersecurity. Now this is just another old trick, with nothing new in it.” The statement called China “a severe victim of the US cyber theft, eavesdropping and surveillance.”
The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.
Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the “blind eye of their bosses” — to ”start moonlighting and engaging in other activities that could put money in their pockets.”
The Microsoft Exchange hack that months ago compromised tens of thousands of computers around the world was swiftly attributed to Chinese cyber spies [172] by Microsoft.
An administration official said the government’s attribution to hackers affiliated with the Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.
Given the scope of the attack, Alperovitch said it was “puzzling” that the U.S. did not impose sanctions.
“They certainly deserve it, and at this point, it’s becoming a glaring standout that we have not,” he said.
He added, in a reference to a large Russian cyberespionage operation discovered late last year, “There’s no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds.”
———-
“The broad range of cyberthreats from Beijing disclosed on Monday included a ransomware attack [170] from government-affiliated hackers that targeted victims — including in the U.S. — with demands for millions of dollars. U.S officials also alleged that criminal contract hackers associated with China’s Ministry of State Security have engaged in cyber extortion schemes and theft for their own profit.”
Criminal contract hackers. That’s who China’s Ministry of State Security is apparently hiring to carry out these mega-hacks. That’s the accusation coming from the US and allies. What evidence this assertion is based on is of course never given, but the parallel charges against four Chinese nationals accused of working with the MSS in a hacking campaign are presumably supposed to serve as a kind of proxy evidence:
...
Meanwhile, the Justice Department on Monday announced charges against four Chinese nationals who prosecutors said were working with the MSS in a hacking campaign that targeted dozens of computer systems, including companies, universities and government entities. The defendants are accused of targeting trade secrets and confidential business information, including scientific technologies and infectious-disease research.
...
But, again, observe how inconsistent the accusations are. The EU is referring to hacks that could be linked to Chinese hacking groups while the UK’s Foreign Secretary calls it “a reckless but familiar pattern of behaviour”. And look at the US’s explanation for why it took this long to make the attribution when Microsoft seemingly did it immediately: the discovery of ransomware and for-profit schemes by these same hackers delayed the attribution. In other words, Microsoft’s evidence-free initial assertion that the hack was the responsibility of the Chinese (and definitely completely unrelated to the SolarWinds hack!) got complicated after it was observed that the hackers were behaving like normal criminals and engaging in for-profit ransomware schemes. So they had to create a new narrative about how the Chinese government is now using contract criminal hackers to carry out its mega-hacks. Because why carry out a mega-hack on your own when you can share it with the criminal underworld:
...
Even without fresh sanctions, Monday’s actions are likely to exacerbate tensions with China at a delicate time. Just last week, the U.S. issued separate stark warnings against transactions with entities that operate in China’s western Xinjiang region, where China is accused of repressing Uyghur Muslims and other minorities....
The European Union and Britain were among the allies who called out China. The EU said malicious cyber activities with “significant effects” that targeted government institutions, political organizations and key industries in the bloc’s 27 member states could be linked to Chinese hacking groups. The U.K.’s National Cyber Security Centre said the groups targeted maritime industries and naval defense contractors in the U.S. and Europe and the Finnish parliament.
In a statement, EU foreign policy chief Josep Borrell said the hacking was “conducted from the territory of China for the purpose of intellectual property theft and espionage.”
The Microsoft Exchange cyberattack “by Chinese state-backed groups was a reckless but familiar pattern of behaviour,” U.K. Foreign Secretary Dominic Raab said.
NATO, in its first public condemnation of China for hacking activities, called on Beijing to uphold its international commitments and obligations “and to act responsibly in the international system, including in cyberspace.” The alliance said it was determined to “actively deter, defend against and counter the full spectrum of cyber threats.”
That hackers affiliated with the Ministry of State Security were engaged in ransomware was surprising and concerning to the U.S. government, the senior administration official said. But the attack, in which an unidentified American company received a high-dollar ransom demand, also gave U.S. officials new insight into what the official said was “the kind of aggressive behavior that we’re seeing coming out of China.”
...
The majority of the most damaging and high-profile recent ransomware attacks have involved Russian criminal gangs. Though the U.S. has sometimes seen connections between Russian intelligence agencies and individual hackers, the use of criminal contract hackers by the Chinese government “to conduct unsanctioned cyber operations globally is distinct,” the official said.
...
The Microsoft Exchange hack that months ago compromised tens of thousands of computers around the world was swiftly attributed to Chinese cyber spies [172] by Microsoft.
An administration official said the government’s attribution to hackers affiliated with the Ministry of State Security took until now in part because of the discovery of the ransomware and for-profit hacking operations and because the administration wanted to pair the announcement with guidance for businesses about tactics that the Chinese have been using.
...
Also keep in mind that the criminal hacker groups didn’t appear in the Exchange hack until March 2 according to our known timeline, the day Microsoft also issued its report that blamed the hack on state-sponsored “Hafnium” [107]. So the criminal-like behavior of the groups with access to this exploit wasn’t necessarily apparent when Microsoft made its initial “Hafnium” attribution.
But note the one consistent actor here: Dmitri Alperovitch — co-founder of CrowdStrike and the guy who pioneered the modern approach of making loud evidence-free hacking accusations against countries as a means of preventing future attacks [1] — is giving us exactly the response we should expect by asking why these accusations haven’t led to new sanctions against China:
...
Dmitri Alperovitch, the former chief technology officer of the cybersecurity firm Crowdstrike, said the announcement makes clear that MSS contractors who for years have worked for the government and conducted operations on its behalf have over time decided — either with the approval or the “blind eye of their bosses” — to ”start moonlighting and engaging in other activities that could put money in their pockets.”
Given the scope of the attack, Alperovitch said it was “puzzling” that the U.S. did not impose sanctions.
“They certainly deserve it, and at this point, it’s becoming a glaring standout that we have not,” he said.
He added, in a reference to a large Russian cyberespionage operation discovered late last year, “There’s no question that the Exchange hacks have been more reckless, more dangerous and more disruptive than anything the Russians have done in SolarWinds.”
...
Also note that Alperovitch is now the former CTO of Crowdstrike, having left the company in 2020 to start a non-profit “policy accelerator” focused on cybersecurity in a geopolitical context [173]. In other words, Alperovitch started a think-tank and lobby shop dedicated to pushing for the kind of hacking-based sanctions against Russia and China he’s long advocated anyway.
The BBC has a bit more on the story that gives us a better idea of how Western governments are theorizing that China decided to carry out this global mega-hack using common cyber-criminals as co-conspirators: Hafnium knew Microsoft planned to deal with the weakness and so shared it with other China-based hackers. In other words, the Chinese state-backed hackers realized the jig was up and handed the zero-day exploit (which was no longer a zero-day) to criminals for some strategic reason.
Again, recall the timeline [35]: the known timeline of the Exchange hack is that it started on January 3 (Volexity’s first detected use of the zero-day exploit by “Hafnium”). It was January 6, during the Capitol Insurrection, when Volexity first observed a large download to an unauthorized address. Hafnium quietly hit organizations until Microsoft issued a patch on March 2, the same day it blamed the hack on Hafnium, a state-backed Chinese hacker group. That’s the day we are told multiple criminal groups went on a global race to hit every unpatched server connected to the internet.
So what would be the motive for Hafnium to hand that zero-day exploit over to criminal groups and escalate the hack to the level of worst ever? Maximize damage? Cover their tracks? It’s unclear what the theorized rationale would be. Microsoft blamed the hack on “Hafnium” and called them a Chinese state-backed group in the initial security blog post that announced the Exchange patch to fix the exploit, which is when the criminal ransacking reportedly started. So it’s not like there was obvious track-covering for Hafnium to do at that point. But that’s what we’re told by these Western government sources: after getting caught with their quiet targeted hack, these state-backed hackers made a conscious decision to hand the super exploit over to criminals and tolerate a global ransacking [60]:
BBC News
China says Microsoft hacking accusations fabricated by US and allies
Published
7/20/2021
China has denied allegations that it carried out a major cyber-attack against tech giant Microsoft.
The US and other Western countries on Monday accused China of hacking Microsoft Exchange — a popular email platform used by companies worldwide.
They said it was part of a broader pattern of “reckless” behaviour that threatened global security.
China says it opposes all forms of cyber-crime, and has called the claims “fabricated”.
China’s foreign ministry spokesman said the US had got its allies to make “unreasonable criticisms” against China.
The UK, EU, New Zealand, Australia and others joined the US to accuse Chinese state-sponsored hackers.
...
Microsoft blamed a Chinese cyber-espionage group for targeting a weakness in Microsoft Exchange, which allowed hackers to get into email inboxes.
It said the group, known as Hafnium, was state-sponsored and based in China.
Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers.
The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.
The UK Foreign Office said the Chinese government had “ignored repeated calls to end its reckless campaign, instead allowing state-backed actors to increase the scale of their attacks”.
US President Joe Biden said the Chinese government may not have been carrying out the attacks itself, but was “protecting those who are doing it. And maybe even accommodating them being able to do it”.
...
———–
“China says Microsoft hacking accusations fabricated by US and allies”; BBC News; 7/20/2021 [60]
“Western security sources believe Hafnium knew Microsoft had planned to deal with the weakness, and so shared it with other China-based hackers.”
It’s quite a scenario described by the Western security source for this article: Hafnium found out Microsoft planned on closing some vulnerabilities, prompting Hafnium to share the vulnerability with other China-based hackers. Recall how, as we saw above, Volexity witnessed what was a quiet infiltration of some systems — using the zero-day exploits — on January 6 during the Capitol insurrection. It was weeks later, around the March 2 patch, that the hack became much more widespread, open and aggressive. So we are presumably being asked to assume that the second, noisy phase of the hack came after Hafnium gave its incredible zero-day exploit to other criminal hackers around China. And that this was all quietly sanctioned by the Chinese government. That’s the narrative we are being asked to believe, this time with Western governments making the assertions, not Microsoft. And as always, we have no idea what evidence this belief is based on. The one thing we can state with confidence is that a large number of the actors who used this exploit during that global ransacking phase appear to be criminal.
But if we take the state-backed criminal-super-hack narrative seriously, we have to treat this as a major escalation by the Chinese government. Which it very much would be if true. An insane escalation that could enrage the global business community. Not just governments:
...
The sources say the hack seems to signal a shift from a targeted espionage campaign to a smash-and-grab raid, leading to concerns that Chinese cyber-behaviour is escalating.
...
But, again, keep in mind that this entire discussion about Hafnium and criminal hacking groups was prompted by the US and its allies issuing a big coordinated public rebuke of China’s involvement in the Exchange hack one day after the pair of NSO Group mega-scandal stories. Stories that raised enormous questions about the hacking attributions of the last decade, at a minimum.
Macron to the World: New Phone, Who Dis?
And a few days after that coordinated public rebuke of China over “Hafnium”, we get an update on the fallout from the NSO Group story: Emmanuel Macron changed his phone. As a precaution. His number was on Morocco’s target list. Awkward!
We also get an update from NSO Group on how its oversight system works: while it doesn’t know the identities of the people targeted by Pegasus, the company can retroactively acquire the target lists in the event of a complaint and unilaterally shut down the offending government’s subscription following an investigation. In other words, NSO Group could in theory do retrospective audits. But won’t unless there’s a complaint. A complaint about the super secret spyware you can’t find and don’t know about [62]:
Reuters
France’s Macron changes phone in light of Pegasus case
Michel Rose and Dan Williams
July 22, 2021 3:25 PM CDT Updated
PARIS, July 22 (Reuters) — French President Emmanuel Macron has changed his mobile phone and phone number in light of the Pegasus spyware case, a presidency official said on Thursday, in one of the first concrete actions announced in relation to the scandal.
“He’s got several phone numbers. This does not mean he has been spied on. It’s just additional security,” the official told Reuters. Government spokesman Gabriel Attal said the president’s security protocols were being adapted in light of the incident.
A global outcry was triggered when several international media organisations reported that the Pegasus spyware was used in hacking smartphones belonging to journalists, human rights activists and government officials in several countries.
In Israel, home of Pegasus developer NSO Group, a senior lawmaker said a parliamentary panel may look into spyware export restrictions. NSO says its software is used to fight crime and terrorism and has denied any wrongdoing.
“Obviously we’re taking (this) very seriously,” Attal told reporters hours after an emergency cabinet meeting focused on the Pegasus allegations.
Le Monde newspaper and Radio France broadcaster reported on Tuesday [174] that Macron’s phone was on a list of potential targets for surveillance by Morocco. The two media said that they did not have access to Macron’s phone and could not verify if his phone had indeed been spied on.
Morocco has rejected these allegations.
A French lawyer for Morocco, Olivier Baratelli, said the government planned to lodge defamation lawsuits in Paris against nongovernmental organisations Amnesty International and Forbidden Stories, according to French news outlet franceinfo on Thursday. The two groups participated in the Pegasus probe and alleged Morocco had targeted French officials for surveillance with the spyware.
Amid mounting EU concern, German Chancellor Angela Merkel told reporters in Berlin that spyware should be denied to countries where there is no judicial oversight.
Hungarian prosecutors on Thursday launched an investigation into multiple complaints received in the wake of the reports.
Israel has appointed an inter-ministerial team [175] to assess reports based on an investigation by 17 media organisations that said Pegasus had been used in attempted or successful hacks of smartphones using malware that enables the extraction of messages, records calls and secretly activates microphones.
...
“We certainly have to look anew at this whole subject of licences granted by DECA,” Ram Ben-Barak, head of the Knesset Foreign Affairs and Defence Committee, told Israel’s Army Radio, referring to the government-run Defence Export Controls Agency.
The Israeli government team “will conduct its checks, and we will be sure to look into the findings and see if we need to fix things here”, said Ben-Barak. A former deputy chief of Mossad, he said proper use of Pegasus had “helped a great many people”.
DECA is within Israel’s Defence Ministry and oversees NSO exports. Both the ministry and the firm have said that Pegasus is meant to be used to track only terrorists or criminals, and that all foreign clients are vetted governments.
NSO says it does not know the specific identities of people against whom clients use Pegasus. If it receives a complaint of Pegasus having been misused by a client, NSO can retroactively acquire the target lists and, should the complaint prove true, unilaterally shut down that client’s software, the company says.
Other world leaders among those whose phone numbers the news organisations said were on a list of possible targets include Pakistani Prime Minister Imran Khan and Morocco’s King Mohammed VI.
———-
“NSO says it does not know the specific identities of people against whom clients use Pegasus. If it receives a complaint of Pegasus having been misused by a client, NSO can retroactively acquire the target lists and, should the complaint prove true, unilaterally shut down that client’s software, the company says.”
NSO Group can retroactively acquire the target lists to investigate complaints. It’s the kind of description that sounds like NSO Group would need to go to the clients to retrieve the list of target phone numbers or emails. That’s the kind of oversight regime that raises questions about whether or not these clients have the capability to scrub those target lists before returning them to NSO Group. It’s also the kind of oversight regime that raises questions about how any sort of oversight could ever happen outside of instances when there’s a news report about NSO Group malware being discovered and a ‘retrospective investigation’ is conducted. Either an insider needs to leak about it or victims need to discover the malware. Those are the only viable scenarios that could realistically trigger an investigation and this is super-secret malware that operated without being detected for years. Almost nothing other than the investigative reporting done by Amnesty International and Forbidden Stories could realistically cause a client to have their subscription revoked.
And as we saw in the case of Saudi Arabia and the fallout from the Jamal Khashoggi assassination, the fallout — in the form of NSO Group canceling Saudi Arabia’s subscription, a move opposed by the Israeli government — was ultimately reversed after NSO Group was suddenly sold to new investors. That’s part of the context for Israel’s assurances that it will look anew at the licenses granted for these subscriptions. It can’t look anew. It would be a diplomatic nightmare for Israel. And perhaps not something Israel can reasonably decide on its own. If what we are looking at here is a broader Western-sanctioned global system for distributing limited super-hacker capabilities, the fate of NSO Group and the entire Israeli “commercial surveillance” sector suddenly becomes a much more multilateral affair:
...
“We certainly have to look anew at this whole subject of licences granted by DECA,” Ram Ben-Barak, head of the Knesset Foreign Affairs and Defence Committee, told Israel’s Army Radio, referring to the government-run Defence Export Controls Agency.
The Israeli government team “will conduct its checks, and we will be sure to look into the findings and see if we need to fix things here”, said Ben-Barak. A former deputy chief of Mossad, he said proper use of Pegasus had “helped a great many people”.
DECA is within Israel’s Defence Ministry and oversees NSO exports. Both the ministry and the firm have said that Pegasus is meant to be used to track only terrorists or criminals, and that all foreign clients are vetted governments.
...
Will the Israeli government conduct a meaningful audit of its cyber mercenary export sector? The story of the NSO Group and Jamal Khashoggi’s murder suggests otherwise.
NSO Group and Candiru: Joined at the Founding Financial Hip
We’re now at the end of our article marathon. This one isn’t from December 2020-July 2021. It’s from October 2019. So it was already old news as all of this has been playing out. One mega-hack story after another. One Microsoft exploit after another. As the world turned to Microsoft to lead the investigation into this parade of Microsoft vulnerabilities (some might consider that a conflict of interest), the following story from October 2019 was systematically ignored: an introduction to Candiru, its powerful suite of Microsoft exploits, and the fact that its founders overlap with NSO Group’s founders.
Yep, in the following Forbes piece we learn how Candiru has clients like Uzbekistan, Saudi Arabia, and the UAE. The main Candiru financial backer was Founders Group, which was co-founded by one of the three men who set up NSO Group, Omri Lavie. Additionally, one of the lead investors is Founders Group managing partner Isaac Zack. We’re also told that the industry is increasingly close to its financial backers because, well, it’s become so controversial there aren’t that many financial backers available. A hyper-secretive incestuous industry increasingly beholden to the shrinking number of people willing to go into something this explosively powerful [176]:
Forbes
Meet Candiru — The Mysterious Mercenaries Hacking Apple And Microsoft PCs For Profit
Thomas Brewster Forbes Staff
Cybersecurity
Associate editor at Forbes, covering cybercrime, privacy, security and surveillance.
Oct 3, 2019, 06:06am EDT
Israel is home to scores of hacker-for-hire businesses, but one of the most clandestine has been Candiru. With no website and few records available, it’s operated largely under the radar.
But now a researcher is claiming the elite Tel Aviv-based firm sold cyber weapons to the government of Uzbekistan, while industry sources tell Forbes the company is hacking both Microsoft Windows and Apple Macs for various nation states.
In doing so it calls into question the company’s ethics for partnering with a government branded as an abuser of surveillance tools, just like the morals of its compatriot digital arms dealers have come under scrutiny over the last half decade.
Smashing Windows
Candiru’s speciality, hacking Microsoft Windows for nation-state intelligence agencies, is one key revenue stream. And one of those Candiru customers is almost certainly Uzbekistan, according to Brian Bartholomew, a researcher at Russian cybersecurity company Kaspersky Lab. He claimed that a lapse in an Uzbekistan intelligence agency’s operational security allowed him to link multiple Windows vulnerabilities used in Uzbek attacks back to Candiru and two other customers: Saudi Arabia and the U.A.E.
Bartholomew detailed just how Uzbekistan was sloppy to Forbes ahead of the public release of his research at London’s Virus Bulletin conference on Thursday, though he couldn’t provide clear links between the leaked tools and the Israeli company.
Perhaps Uzbekistan’s biggest mistake was to set up a test computer, exposed on the internet, that tested its hacking tools against various antivirus systems like Kaspersky. Bartholomew’s team found that computer online and noted that it regularly connected to a single Web address. And here’s where the Uzbekistan government exposed itself: Not only was that address registered in Uzbekistan, but the registrant was the apparent leader of “Military Unit 02616.” Though there was little information on that division, Bartholomew soon discovered it was part of Uzbekistan’s surveillance agency, the National Security Service (NSS).
According to Bartholomew, the NSS is essentially the successor to the Soviet KGB contingent, which transferred power in the early 1990s. “They have loads of power. They can pretty much do what they want,” Bartholomew said. The NSS also has a history of buying malware from foreign dealers, as revealed in the leaked 2015 emails of Italian provider Hacking Team [177]. Hosted on Wikileaks, the emails contain frequent messages about deals between Hacking Team and the unit; Bartholomew believes Uzbekistan spent nearly $1 million on the Italian company’s services, looking at all the invoices in the leak.
But because the agency exposed its Windows exploits on the web, Kaspersky researchers were able to link them to other malicious software Bartholomew says were created by Candiru, namely those that appeared to be controlled by Saudi Arabia and the U.A.E. “Sloppy customers are bad customers,” the researcher said.
Human rights experts have now raised the alarm about Candiru’s customer base and the potential for abuse. Bartholomew and another source with knowledge of the attacks said he discovered Candiru surveillance software was used in previously reported [178] hacks on Uzbek human rights activists and independent media.
“Each of these governments is a serial spyware abuser, and it is painfully predictable that civil society got targeted again,” said John Scott-Railton, a surveillance market researcher at the University of Toronto’s Citizen Lab. “For an industry that is trying to tell investors and regulators that it is working to clean up its act, providing spyware to these autocratic regimes is a guaranteed way to get it abused.”
Raining down on Macs
Candiru specializes in hacking Windows, but it’s also working on tools to crack Apple’s MacOS operating system, according to Tal Dilian, who claims to have partnered with Candiru as part of his work with his own surveillance startup, Intellexa. Though not sure, he also said Candiru may have a focus on iOS too.
Scott-Railton said he was also convinced that Candiru was developing exploits for both Apple and Microsoft technology.
Israel’s digital mercenaries unite
Outside of Candiru’s apparent relationship with Dilian’s spyware enterprises—WiSpear and Intellexa—it has at least one tie to the most controversial of Israel’s surveillance providers: NSO Group. That’s because two industry sources said the main Candiru financial backer was Founders Group, cofounded by one of the three men who set up NSO, Omri Lavie.
As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.
Companies like Candiru are being forced to go to investors with whom they’re already on friendly terms because of an increasing antipathy towards the industry from typical venture capital firms. “YL Ventures has not and will not invest in offensive cyber technology vendors,” said Yoav Leitersdorf, managing partner at YL Ventures. “The primary reason for this is ethical, since oftentimes the customers of these vendors end up using the technology in a way that violates human rights, with or without the vendors’ knowledge. Such usage goes directly against our values and the values of our limited partners.”
Israeli firms have found themselves at the center of an international controversy over the sale of spyware to repressive governments. Candiru has avoided the spotlight up until now, but its rival NSO Group has become embroiled in several controversies. In Mexico, the use of alleged NSO malware Pegasus by the government to monitor journalists, activists and lawyers working on the 2014 killing of 43 students caused a major political scandal. And in January, NSO chief Shalev Hulio had to state on the record that his firm had not worked with the Saudi government to monitor journalist Jamal Khashoggi in the months before his murder by Saudi agents.
...
————
“Candiru’s speciality, hacking Microsoft Windows for nation-state intelligence agencies, is one key revenue stream. And one of those Candiru customers is almost certainly Uzbekistan, according to Brian Bartholomew, a researcher at Russian cybersecurity company Kaspersky Lab. He claimed that a lapse in an Uzbekistan intelligence agency’s operational security allowed him to link multiple Windows vulnerabilities used in Uzbek attacks back to Candiru and two other customers: Saudi Arabia and the U.A.E.”
Uzbekistan, Saudi Arabia, and the UAE. Those were three of Candiru’s clients identified back in late 2019 when the company first received media exposure and it’s obviously a very incomplete client list. The kind of client list where we can be confident all sorts of other terrifying customers are being quietly serviced.
Also keep in mind that Uzbekistan’s hackers wouldn’t have any trouble leaving Russian ‘cultural artifact’ clues. They all speak Russian. Of course, as we saw with the ShadowBrokers story, the CIA’s hacking toolkit featured tools to inject Russian or Mandarin into the code to leave these kinds of clues [128], so it’s not like a hacker necessarily needs to know Russian or Mandarin to leave these kinds of ‘clues’. But still, since such ‘clues’ are given so much weight when it comes to cyberattribution, it behooves us to note that the hackers working for the many former Soviet Republics are going to know Russian. At least enough to stick it in their code or on forums or wherever to make sure everyone knows it was the ‘Russians’. We now know dozens of governments have been subscribing to these malware services over the last decade. What are the odds they haven’t been doing precisely what the CIA’s toolkits do and injecting their own ‘cultural artifacts’? What are the odds these subscription toolkits don’t already offer those exact features? Saudi Arabia and the UAE, for example, would probably really enjoy those features:
...
According to Bartholomew, the NSS is essentially the successor to the Soviet KGB contingent, which transferred power in the early 1990s. “They have loads of power. They can pretty much do what they want,” Bartholomew said. The NSS also has a history of buying malware from foreign dealers, as revealed in the leaked 2015 emails of Italian provider Hacking Team [177]. Hosted on Wikileaks, the emails contain frequent messages about deals between Hacking Team and the unit; Bartholomew believes Uzbekistan spent nearly $1 million on the Italian company’s services, looking at all the invoices in the leak.
But because the agency exposed its Windows exploits on the web, Kaspersky researchers were able to link them to other malicious software Bartholomew says were created by Candiru, namely those that appeared to be controlled by Saudi Arabia and the U.A.E. “Sloppy customers are bad customers,” the researcher said.
Human rights experts have now raised the alarm about Candiru’s customer base and the potential for abuse. Bartholomew and another source with knowledge of the attacks said he discovered Candiru surveillance software was used in previously reported [178] hacks on Uzbek human rights activists and independent media.
“Each of these governments is a serial spyware abuser, and it is painfully predictable that civil society got targeted again,” said John Scott-Railton, a surveillance market researcher at the University of Toronto’s Citizen Lab. “For an industry that is trying to tell investors and regulators that it is working to clean up its act, providing spyware to these autocratic regimes is a guaranteed way to get it abused.”
...
And look at the remarkable relationship between NSO Group and Candiru: the main Candiru financial backer was Founders Group, co-founded by one of the three men who set up NSO, Omri Lavie, and one of the lead investors is Founders Group managing partner Isaac Zack:
...
Outside of Candiru’s apparent relationship with Dilian’s spyware enterprises—WiSpear and Intellexa—it has at least one tie to the most controversial of Israel’s surveillance providers: NSO Group. That’s because two industry sources said the main Candiru financial backer was Founders Group, cofounded by one of the three men who set up NSO, Omri Lavie.
As surveillance industry sources also told Forbes, one of the lead investors is Founders Group managing partner Isaac Zack. According to Pitchbook, Zack is also a board member at wireless charging startup Humavox and at Sepio Systems. The latter is a cybersecurity company, focused on doing the exact opposite of Candiru: protecting hardware from being turned into silent surveillance devices. Its board also includes Tamir Pardo, the former head of the Mossad, Israel’s intelligence agency.
...
So when we read about NSO Group and Candiru both being licensed out to countries like Saudi Arabia, it seems like kind of a package deal. You get Candiru for the Microsoft exploits and NSO Group for the other things.
********************************
Ok, we’re almost done with our excerpt marathon. A marathon that was almost all from just a seven month period starting in December 2020. FireEye delivers what felt like a nightmare at the time. And was and is a nightmare. Just not our worst nightmare. Not even close. Our nightmare scenario kept getting worse. Keeps going. It never ends.
And sure, it’s never going to end by definition. As long as there are computers there are going to be hack stories, and some of them major hacks. But as we’ve seen, this has been an unusual seven-month period. One mega-hack after another. It’s like cyber-climate change just started to become noticeable.
And throughout this wave of Microsoft mega-hacks, we’ve had Microsoft leading the way in attributions. It’s always a state-backed actor. Known within 24 to 48 hours. Conclusively. Russia or China. Don’t ask why. Just accept the conclusion. The highly self-serving easy conclusion that is far less terrifying than the idea of criminals carrying out these mega-hacks. Yes, the US government backs Microsoft on these attributions. Also without providing any hint of the evidence it’s based on. Just accept whatever attribution people come up with uncritically because, hey, they’re experts. They must know, right? That’s the climate of contemporary cyberattribution: watching people engage in what appears to be reading the digital tea leaves to come up with the culprit, who then proclaim their findings as if a forensic examination had decisively concluded it. And for the most part this is absolutely unquestioned.
Now, it’s important to keep one thing in mind in terms of this cyberattribution regime: part of the reason Microsoft and governments make these attribution pronouncements without bothering to give any evidence and act as if we should just trust them is because we more or less have to do exactly that. We have to just trust Microsoft and governments and whoever else has access to the computer systems to study these hacks. Much of the evidence is private and someone has to go in and do the forensic cyber-investigations, examining malware, looking for ‘cultural artifacts’ or whatever. That’s all well and good and part of how a technologically complex society operates. It’s heavily trust-based.
But that’s precisely why the highly convenient and logically suspect narratives that continually pop up around these mega-hacks — where the culprit is always Russian or Chinese hackers, declared within days — are so problematic. We’re forced to trust the investigators because no evidence is ever given. And yet the conclusions always seem like they were conveniently made up and virtually never acknowledge the existence of a global industry of companies like NSO Group and Candiru. If activists are targeted, sure, a government running “commercial surveillance vendor” software might be suspected, as was the case with Candiru’s malware getting caught being used against activists. But that’s basically the only time we see this legal offensive cyber-for-hire industry come up in the attributions. It’s nearly always otherwise attributed to Russia, China, North Korea or Iran. Maybe criminals if no government networks got hit. But that’s basically it. That’s the contemporary cyberattribution regime. Those are the acceptable choices. Russia, China, North Korea, Iran, maybe criminals. While at least 40 governments around the world have NSO Group subscriptions. And stories like the Vault7 hacking tools that planted foreign ‘cultural artifacts’ are less than a decade old. Each individual hack might be hard to assess, but taken together it’s just implausible.
To get a sense of how implausible, here’s our final quick excerpt. It’s from October 2020, about the findings in Microsoft’s Digital Defence Report, which you can download here [179]. The report includes a diagram (page 42) showing the percent breakdown of the different countries for the state-backed attributions made by Microsoft’s Threat Intelligence Center (MSTIC) between July 2019 and June 2020. So this is Microsoft telling us what its own security experts found. There were just four countries on the entire chart. Guess which four: 52 percent of hacks attributed to state-backed actors were attributed to Russia, 25 percent to Iran, 12 to China, and 11 to North Korea. Now, take a moment to digest those numbers. 52 + 25 + 12 + 11 = 100. 100 percent of the state-backed attributions made between July 2019 and June 2020 by Microsoft were Russia, Iran, China, or North Korea. All of them. That’s why the ‘trust us’ attribution paradigm is so problematic. It’s hard to trust an implausible narrative [180]:
The Independent
Russia responsible for over half of all state-sponsored hacking, Microsoft says
Attacks focused on political groups, rather than national infrastructure, in an attempt to affect other governments’ policy
Adam Smith
Friday 02 October 2020 14:57
Russia is responsible for over half of all state-sponsored hacking, vastly more than any other state, according to a new report from Microsoft.
Russian activity made up 52 per cent of all attacks between July 2019 and June 2020, the software giant’s Digital Defence Report states [181].
It is followed by Iran, which makes up 25 per cent of the attacks monitored.
China is responsible for 12 per cent of attacks, while North Korea and other states make up the final 11 per cent.
The majority of their targets have been in the United States, which is targeted 69 per cent of the time. The United Kingdom is the next most popular victim, receiving 19 per cent of attacks, followed by Canada, South Korea, and Saudi Arabia.
While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.
According to the software giant, 90 per cent of attacks from nation-states have been focused on “nongovernmental organisations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security.”
The company suggests that nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly.
...
————
Again, 52 + 25 + 12 + 11 = 100. Microsoft’s threat assessment team can apparently only determine that hacks came from those four countries. Even at a time when dozens of governments have subscriptions to software from companies like NSO Group and Candiru and none of this is really a secret. It’s shameless. No other states decided to abuse their super spyware? None at all? Just Russia, Iran, China, and North Korea? Yes, that’s what we are being asked to believe by Microsoft, and Microsoft is the leading figure shaping this narrative. A narrative mostly about Microsoft vulnerabilities of late. Lots of Microsoft vulnerabilities and yet almost no mentions by Microsoft’s threat assessment teams of Candiru’s existence. The company exists to sell super Microsoft exploits to governments around the world and yet, in this entire collection of stories we looked at, it was only after CitizenLab publicly identified new Microsoft zero-day exploits Candiru’s clients were using against activists that we saw Microsoft even acknowledge the existence of Candiru.
But to really appreciate why this problematic cyberattribution narrative — where it’s always Russia, Iran, China, and North Korea — is so wildly dangerous to civilization, we have to appreciate how the SolarWinds hack and Microsoft Exchange mega-hacks relate to these seemingly soothing words from Microsoft back in October when it was assuaging concerns about attacks on critical infrastructure: nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly:
...
While there has been much concern over recent years that countries’ critical national infrastructure – such as the national grid or financial services – could be targeted by hackers, Microsoft says that is not the most common target.
According to the software giant, 90 per cent of attacks from nation-states have been focused on “nongovernmental organisations (NGOs), advocacy groups, human rights organizations and think tanks focused on public policy, international affairs or security.”
The company suggests that nation-states are hoping to influence government policy through subtler means, rather than targeting infrastructure directly.
...
Microsoft was telling us this as the SolarWinds hack was ongoing and two months before it was revealed. And as we’ve seen, both the SolarWinds and Microsoft Exchange mega-hacks could arguably be considered attacks on critical infrastructure. They were a very big deal. Especially the Microsoft Exchange hacks that could be automated and were carried out by seemingly for-profit criminal actors. That’s an infrastructure attack. Whoever carried this out was conducting a kind of digital infrastructure attack. It was that vast and aggressive.
But beyond the immediate damage done by these mega-hacks, it’s the potential for seeds to have been sown for future, even more devastating hacks that makes these stories absolutely devastating from a security standpoint. Basically every major organization’s computer networks got hit by sophisticated actors with a demonstrated capacity to deploy multiple zero-day exploits. We have every reason to believe they retained access to a large number of these networks. Remember what Bill Whitaker of Bolden told us [46]: it would have been trivial for the SolarWinds hackers to have turned that malware into the kind of stuff that causes the computers on those networks to effectively self-destruct. A few dozen more lines of code. That’s how easily these kinds of mega-hacks can become major crises. Lethal crises. Imagine the digital infrastructure of most of the world getting crippled with ransomware simultaneously. A few dozen lines of code could have turned SolarWinds or the Exchange hack into the kind of hack that cripples physical infrastructure.
Now imagine a global strike like that that cripples every country’s digital infrastructure except, say, Russia’s. Or China’s. It would be treated as an act of war. And we could be pretty confident Microsoft and plenty of other actors in the security sector would be more than happy to provide those definitive attributions that, yes, it was Russia. Or China. Or Iran or North Korea or whoever is most convenient. Hacking has become the perfect crime in multiple senses. Not only can a hack be executed in a manner where no one can determine the identity of the culprit but, by virtue of that complication, anyone can become the culprit. True conclusive attribution is so difficult, and yet increasingly important and urgent, that civilization has collectively just turned to the digital security industry and governments and asked them to give us their best educated guesses, and then we treat those best educated guesses as conclusive findings. It really is a faith-based attribution system. Increasingly, faith in Microsoft being honest about Microsoft mega-hacks. There’s bad faith. And blind faith. And then there’s that kind of faith. Blind dumb faith in Microsoft’s honesty and integrity. It’s clearly very popular these days. Enjoy it while you still can [182].