Microsoft’s heatmap showing the organizations hit by the SolarWinds hack. (Microsoft Image)


But note: While security experts continue to pick through the digital wreckage left behind, the forensics will take a long time. You’ll see hundreds of stories speculating on what really happened. In a situation like this, very few people know the whole story, so read everything — including this story — with a skeptic’s eye. Understand that almost everything we’ve heard is from a third party.

Quick review: SolarWinds provides management software named Orion that is used by many major government agencies and more than 400 of the Fortune 500 companies. In March, criminals slipped Trojan horse software into an Orion update, ultimately giving the criminals access to many systems that interfaced with Orion at all these organizations. It could take years to undo the damage, and organizations may never really know what kind of data was stolen during these past nine months.

My biggest unknown at the moment: What did COVID-19 have to do with this? The timing could be coincidental. But the infiltration seems to have occurred right as American companies and government agencies were scrambling to manage the abrupt transition to a work-from-home environment. It’s easy to see how that chaos could have contributed to this hack. Perhaps the timing was even intentional. That’s my speculation.

Any doubt remaining that SolarWinds is a massive incident was lifted on Thursday, when the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency pulled the fire alarm with this “grave threat” notice:

“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations …

“This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.

“The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.”


The best piece I’ve seen (not surprisingly) about the incident comes from Robert McMillan and Dustin Volz at The Wall Street Journal. There are good nuggets in here about how the hack was discovered, and some sober realism about how long it might take to assess the damage.

“The SolarWinds attack so eluded U.S. security measures that it was discovered not by intelligence officials but, almost accidentally, thanks to an automated security alert sent in recent weeks to an employee at FireEye, which itself had been quietly compromised. …

“The alert, also sent to the company’s security team, told a FireEye employee that someone had used the employee’s credentials to log into the company’s virtual private network from an unrecognized device, the kind of security message that corporate workers routinely delete. Had it not triggered a review from FireEye executives, officials said, the attack might still be undetected. …

“But because it went undetected for so long and due to the expertise of the hackers, thousands of potential victims may never be able to know for sure whether they were compromised, security experts say. …

“SolarWinds said it released a quick fix that patched the security issue for customers this week. But experts have warned that merely cutting off the access point for hackers won’t guarantee their removal, especially because they would have used their time inside those networks to further conceal their activity. …

“While intelligence officials and security experts generally agree Russia is responsible, and some believe it is the handiwork of Moscow’s foreign intelligence service, FireEye and Microsoft, as well as some government officials, believe the attack was perpetrated by a hacking group never seen before, one whose tools and techniques had been previously unknown.”
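The alert described in the excerpt above, a valid credential used from a device the company had never seen for that user, is a detection that can be built from ordinary VPN authentication logs. The following Python is an added example for this page, not code from the article, FireEye, or SolarWinds: the log line format, the field names, and the enrolled-device table are constructed assumptions. It also handles the two edge cases a real pipeline hits: a user with no enrolled devices, and a successful login for an account the enrollment registry has never heard of.

```python
"""Flag VPN logins that use valid credentials from a device not enrolled for that user.

Added example: the log line format, field names and the enrolled-device table are
constructed assumptions, not FireEye's, SolarWinds' or the article's own data.
"""
import re
from dataclasses import dataclass

# Assumed VPN authentication log format: one record per line, key=value fields.
LOG_PATTERN = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>success|failure) "
    r"user=(?P<user>\S+) device=(?P<device>\S+) src=(?P<src>\S+)$"
)

# Assumed per-user device enrollment registry: user -> set of device identifiers.
ENROLLED_DEVICES = {
    "alice": {"LAPTOP-A1", "PHONE-A1"},
    "bob": {"LAPTOP-B1"},
    "carol": set(),  # account exists but has no device enrolled yet
}


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    device: str
    src: str
    reason: str


def parse_line(line):
    """Return the record's fields as a dict, or None if the line is not a VPN auth record."""
    m = LOG_PATTERN.match(line.strip())
    return m.groupdict() if m else None


def find_unrecognized_device_logins(lines, enrolled=ENROLLED_DEVICES):
    """Return an Alert for every successful login whose device is not enrolled for the user."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated line: skip it rather than crash the pipeline
        if rec["result"] != "success":
            continue  # failed attempts grant no access; a separate rule would cover brute force
        user, device = rec["user"], rec["device"]
        known = enrolled.get(user)
        if known is None:
            reason = "successful login for user with no enrollment record"
        elif not known:
            reason = "successful login for user with no enrolled devices"
        elif device not in known:
            reason = "successful login from device not enrolled for this user"
        else:
            continue  # credentials used from an enrolled device: expected behaviour
        alerts.append(Alert(rec["ts"], user, device, rec["src"], reason))
    return alerts


# Constructed sample log lines (documentation IP ranges, fictitious users and devices).
SAMPLE_LOG = [
    "2020-12-01T08:02:11Z vpn auth success user=alice device=LAPTOP-A1 src=203.0.113.10",
    "2020-12-01T08:05:42Z vpn auth failure user=alice device=UNKNOWN-9 src=198.51.100.7",
    "2020-12-01T08:06:03Z vpn auth success user=alice device=UNKNOWN-9 src=198.51.100.7",
    "2020-12-01T09:15:00Z vpn auth success user=bob device=LAPTOP-B1 src=203.0.113.22",
    "2020-12-01T09:20:00Z vpn auth success user=carol device=LAPTOP-C1 src=203.0.113.30",
    "2020-12-01T09:25:00Z vpn auth success user=mallory device=LAPTOP-M1 src=192.0.2.5",
    "this line is not a vpn record",
]

if __name__ == "__main__":
    for a in find_unrecognized_device_logins(SAMPLE_LOG):
        print(f"{a.ts} ALERT user={a.user} device={a.device} src={a.src}: {a.reason}")
```

Run against the constructed sample, the rule raises three alerts: alice’s credentials succeeding from UNKNOWN-9 (the failed attempt from the same device just before it is deliberately not alerted, since it granted nothing), carol logging in with no enrolled device at all, and mallory, who is not in the registry. The point of the excerpt is the last step, not the rule: an alert like this is only useful if a human actually reviews it instead of deleting it.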

This Politico story suggests hackers may have accessed servers at the federal agency that manages nuclear weapons, and that one agency — the Federal Energy Regulatory Commission — might have gotten the worst of it. Remember, it’s early in the investigation, however.



Reuters claims Microsoft “was hacked” and that its software was used to hack other firms, also, though Microsoft has not said so. It’s no surprise to hear conflicting reports at this stage.

“Microsoft also had its own products leveraged to attack victims, said people familiar with the matter. The U.S. National Security Agency issued a rare “cybersecurity advisory” Thursday detailing how certain Microsoft Azure cloud services may have been compromised by hackers and directing users to lock down their systems. …

“Still, another person familiar with the matter said the Department of Homeland Security (DHS) does not believe Microsoft was a key avenue of fresh infection.”

For its part, Microsoft’s Brad Smith wrote a blog post calling the incident “a moment of reckoning” for the world. He specifically called out private companies that sell hacking software, likening them to digital mercenaries. He named names.

This phenomenon has reached the point where it has acquired its own acronym — PSOAs, for private sector offensive actors. Unfortunately, this is not an acronym that will make the world a better place.


NSO represents the increasing confluence of sophisticated private-sector technology and nation-state attackers. Citizen Lab, a research laboratory at the University of Toronto, has identified more than 100 abuse cases regarding NSO alone. But it is hardly alone. Other companies are increasingly rumored to be joining in what has become a new $12 billion global technology market.

Early on, The Washington Post blamed a Russia-based hacking group known as Cozy Bear for the attack. Sen. Richard Blumenthal (D-CT) appears to have publicly blamed Russia also. Others have not been so quick to attribute the hack to the Russian gang.

The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR, and they breached email systems in some cases, said the people familiar with the intrusions, who spoke on the condition of anonymity because of the sensitivity of the matter. The same Russian group hacked the State Department and the White House email servers during the Obama administration.

For an interesting perspective on a potential root cause of the problem, here is a blog post by an IT worker suggesting local governments are relying too much on automated tools, and not enough on human capital, to fight off hackers.

Rather than rely on the purchase of services and expertise, these agencies should invest in their staff so that they maintain the ability to detect and respond to hacks in real-time. Local, trained staff will notice unusual occurrences or patterns on established platforms more thoroughly than a software-only solution. Should the software solutions and consultants be abandoned? No. They usually provide solid reliable information that can be used to strengthen the defense against hacking. I prefer to think of them as a race car, and in-house, trained staff as the drivers.

Finally, I asked Ben Rothke, a long-time cybersecurity professional and author of several books, for his perspective on the SolarWinds attack. Rothke is now senior information security specialist at Tapad. Here’s what he told me. I’m particularly fond of the bit about companies using cheap storage to facilitate a dangerous pack-rat mentality about data:

“Wendell Phillips noted 150 years ago that ‘eternal vigilance is the price of liberty.’ With some poetic license, in 2020, it would be ‘eternal network vigilance is the requirement for Internet connectivity.’

“It is easy to point fingers at SolarWinds, Microsoft, and the various federal agencies. But if a nation-state has teams of well-trained and experienced hackers, who are dedicated and politically motivated to penetrate your infrastructure, it is a challenging attack to defend against.

“Look at it this way: no one will tell you that Fort Knox is impenetrable. But the US Army has made it so incredibly difficult that there have been no direct attacks against the facility. Adding to that is the reality that a bar of gold weighs almost 28 pounds. So, running out with 70 gold bars, as they do in the movies, means the culprit can carry a ton of gold. That does not happen in the real world.

“But our new reality means attackers can move lots of data, which is the new gold, with ease, from far away.

“Complex and sophisticated problems like nation-state attacks do not lend themselves to quick fixes, contrary to what many security vendors may tell you.

“So, what is the solution? John Kindervag, then of Forrester Research, created the notion of zero-trust network architecture. But creating a sophisticated architecture like that takes time and effort. Until then, network monitoring’s eternal vigilance is the way to know if someone is attacking you and in your network.

“Finally, with storage so incredibly inexpensive, firms are storing far more data than they need to. They need to start thinking of offloading and retiring data that is no longer needed.

“Ultimately, the current situation is akin to the reality of My 600-lb Life. There are no quick fixes; success is often elusive. But with enough effort and time, success can be achieved.”
