Investigating The SolarWinds Situation, Part I (12/14/2020)

“All five branches of the US Military

“The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States”…
Somehow Chris Krebs is being linked to this story.
Krebs was fired after the hack. 
Orion: “Centralized monitoring and management of your entire IT stack, from infrastructure to application”
In the wrong hands, who is looking at what? 
“two people familiar with the investigation said…connected to a previously announced intrusion at cybersecurity firm FireEye.” 
Last Tue 12/8 “FireEye, one of the largest cybersecurity companies in the United States, said on Tuesday that it had been hacked, likely by a government, and that an arsenal of hacking tools used to test the defenses of its clients had been stolen.”
The focus was on “government agencies.”

“The chairman of the House Intelligence Committee, Rep. Adam Schiff, said he would ask for more information.” 
Ok so to translate this into English.

SolarWinds (remotely monitors the network performance of the USG, can see data) was hacked by a foreign government.

The hacker used tools stolen from FireEye, which tests the cybersecurity of the USG.

They’re blaming Russia, but there’s no proof.
Is there another company involved here? I don’t know. Just trying to piece this together. 
“and it is not known how many other federal agencies they may have compromised.” 
“The hackers, who are known as Cozy Bear or APT29, are reportedly the same group that hacked the White House and State Department under the Obama administration.” 
Bad actor: UNC2452

Attack name: SUNBURST 
“FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.” 
Seems they don’t know who the “supply chain” attacker is who essentially impersonated the legitimate software update. 
“SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.” 
“The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security” 
“This campaign may have begun as early as Spring 2020 and is currently ongoing.” – so things aren’t safe yet? 
“Post compromise activity following this supply chain compromise has included lateral movement [they still have access after discovery] and data theft”
Repeat, FireEye is saying they don’t know who did this.

“FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild.” 
“post compromise activity leverages multiple techniques to evade detection and obscure their activity” 
“This actor prefers to maintain a light malware footprint, instead preferring legitimate credentials and remote access for access into a victim’s environment” 
“Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor.”
Odd tweet from Krebs. He says “odds are you’re not affected” when FireEye says it’s worldwide and highly alarming. Then Krebs says to focus on “Crown Jewels”…

FireEye basically recommends cutting off access from SolarWinds to digital assets on the network (“Crown Jewels”) that are most valuable. Krebs seems to point the attackers to them! (Or is that just me?)
The obvious question is why are we doing the Russia Russia Russia dance again when the attacker is unknown and admittedly “evasive”?
Another obvious question is why the government allows remote access by commercial entities (who serve China) to emails at the White House, DOD, NSA, etc. Seems like carelessness at best, deliberate leaving the door open at worst. 
Here is the Gov basically saying to disconnect SolarWinds…
Ending this here for now. 
By Dr. Dannielle Blumenthal. All opinions are the author’s own. Public domain.