CyberWarfare / ExoWarfare HyperWarfare

SolarWinds Attack, Cyber Hack of German Publishing House – when will we stop trying to plug the Swiss Cheese?

Waiting like a lame duck, until it is our turn to get compromised?

Just before Christmas 2020 the German publishing house “Funke Gruppe” – which publishes multiple newspapers, magazines, ad-papers etc. in print and digital formats – was hit with a ransomware attack, which shut it down over the holidays and continues to be a big issue, blocking all resources and archives, newsdesks, editors, and print shops, thus making it unable to publish or print regular issues of any of its publications.

This is just one example from the Berliner Morgenpost – one of many Funke titles – and just one example of a successful ransomware attack: they keep repeating, globally, and with no end in sight.

Screenshots from today's 20-page, digital-only, home-made edition of the Berliner Morgenpost

Obviously, firewalls, end-point security, signature-based anti-virus / anti-ransomware tools, and the other available solutions are not enough to prevent these attacks.

The underlying root cause is: we continue to use software (both operating systems and applications)

  • which we know is insecure
  • which we run as a “black box”, unable to even understand the security threats it imposes 1)
  • which has been proven numerous times to have enormous amounts of security flaws (those we know about already, and which have been exploited) 2)
  1. notably the Microsoft operating system “Windows” in all its flavors, as well as Microsoft applications such as Office, Exchange, etc.
  2. notably the regular “Patch Tuesdays” by Microsoft fixing hundreds (!) of security flaws every time, which we have come to accept as “normal”

I am using Microsoft's products here as examples because of their widespread use on desktops, via which most of these ransomware, virus, and trojan attacks come in. There are also many other “black box” (aka proprietary) software products, although Microsoft's make up a very large part of them by user numbers.

Instead of attempting to solve the root cause, we keep doing what we already know does not work: we keep trying to plug the holes in a “Swiss Cheese”, or in a failing dyke, as analogies go.

Why are we not solving the root cause?

The Internet infrastructure runs almost entirely on non-Microsoft, non-“black box” operating systems and applications – and how often do you hear about compromised Internet servers? While not impossible, it happens a *lot* less often. Why is that? Why are Google, Facebook, Amazon AWS, and the millions of other web servers running the huge Internet rarely – if ever – affected by ransomware, trojans, or viruses? They all run on Linux and other open source software, often highly customized to their needs.

What is notable here is that they can all check the code they are running, and can rely on a developer base much greater (and much better skilled, and more motivated) than any single corporation can muster. And they run on software with the utmost transparency, which is the exact opposite of proprietary, “black box” software.

Sticking with the Microsoft example: you have to rely on the quality of Microsoft employees to write secure code (sadly, they have been proven numerous times not to do that, and instead to produce the aforementioned “Swiss cheese” software, caused in part by having to be backwards-compatible with even worse code); you have to rely on the abilities of Microsoft's cyber engineering team to find the holes in said Swiss cheese faster than the hackers do; and you have to rely on Microsoft management to allocate cyber defense resources towards these issues, all in light of profitability (and here they know that despite decades of insecure software products they still hold a very large portion of the desktop market – what incentive does that give?).

We have the alternatives – but we are not using them.

We have Linux desktop systems (even free of charge), office and all equivalent applications (also mostly free), we have signature-free intrusion detection and blocking systems, and we have Blockchain technology, which has been proven over the last 10 years to be the first software bundle to be successfully resistant against all hacking attempts (despite huge, multi-billion incentives).

We have companies who dedicate themselves to making these alternative, highly secure technologies work for the mainstream – these companies, their products and SaaS cloud services could eradicate these ransomware, trojan, and virus problems, and prevent the widespread outages from hacking and cyber intrusions, which we have come to accept as if they were the weather (which we can at least fairly accurately predict).

If the NSA and the Pentagon, DoD, and many others can get hacked (most recently and gravely through the SolarWinds attack), what makes you sure your defenses are better than theirs?

Logic would tell you that you are just the next duck in line waiting to get shot – and that your defenses are of course not better than those of the examples above. Your cyber defense resources are much (!) smaller than theirs, and your understanding of cyber threats does not even begin to imagine or reflect what is really out there.

So why do you not support developing alternatives, and make that desire known to those in politics and business who need to support and push it?

Just for the record:

I do what I preach – I write this blog article on a Linux desktop, host it on a Linux-based server, with open-source webserver software, WordPress publishing and content management software, and open-source security tools protecting it all.

And I have started multiple companies addressing exactly all the above, and written patents to support these efforts.

What I wrote above only addresses the basic threats of CyberWarfare – the “bread and butter” of the average hacker. It does not even begin to explain the much more sophisticated threats in Exo- and HyperWarfare.

But first try to get your own “bread & butter” operations secure and without constant threat of shutdown and extortion, before you start worrying about the other stuff.




‘Very difficult to defend’: What happens if hackers are inside the Pentagon’s networks?

If suspected Russian hackers are able to burrow into the DoD’s computer systems, a breach of that extent poses tremendous challenges.

The U.S. Department of Defense faces a tough challenge assessing its networks after suspected Russian hackers may have had access for months. (Aislan13/Getty Images)

27 DEC 2020

WASHINGTON — If Russian hackers suspected of a vast cybersecurity breach slipped into the Pentagon or military’s computer systems, the strength of protective network blockades is key to keeping them from burrowing in to try to access increasing amounts of information.

Those protections — in the form of secure network connections — have to stand up to meddling to keep hackers from hopping from network to network to potentially reach sensitive communications or even weapon systems, where they could steal or alter data or cause damage, experts say. However, observers point out that this breach appears so far to be a classic espionage campaign, though with some of the most sophisticated methods seen yet.

“We certainly have a high degree of activity around that right now,” Navy CIO Aaron Weis told C4ISRNET. “We have teams who have acted upon the direct orders from Cyber Command and have executed those things. We continue to engage around that. There are internal meetings that are ongoing where we’re ensuring that we’ve put the right things in place. Absolutely it’s got our full attention.”

Overall, the Pentagon has been largely silent about the breach publicly as it works through the long process to assess fallout from the intrusion, saying early on that no breach had been detected yet, despite media reports that said the agency was among government offices compromised through widely used software from SolarWinds, a network management company.

President-elect Joe Biden has criticized the Pentagon for not briefing him and his transition team fully, challenging President Donald Trump’s assertion that the situation is under control. The Pentagon disputed the idea that it is withholding information from Biden, saying briefings will continue in early January after a break over the holidays.

According to cybersecurity company FireEye, which uncovered the breach, the access that hackers achieved has allowed the malicious actor to move further into computer networks.

Several former government cybersecurity officials told C4ISRNET that lateral movement allowing the suspected Russian hackers to dig deeper posed a worst-case scenario with a myriad of possible outcomes spiraling from there. The challenge is that the DoD’s web of systems includes legacy and modernized networks that connect to weapons systems and control systems.

“If an adversary had gotten in and moved laterally, then all the network connection points — any place you have connections between networks and those trust relationships — that becomes very difficult to defend,” said retired Rear Adm. Danelle Barrett, former deputy Navy CIO and cybersecurity division director.

“Wherever you have those trust relationships, you have to always be really careful about what is going on back and forth across that tunnel,” Barrett said.

There are potentially two worst-case dimensions to this situation, said Jan Tighe, former commander of 10th Fleet/Fleet Cyber Command and deputy chief of naval operations for information warfare.

First, cyber threat hunters must find out whether the intruder persists on the network. Job No. 1 for response teams is to cut off any existing access the trespassers might have, Tighe said. If the intrusion was an espionage campaign, DoD will have to do a damage assessment of what information was affected. If the agency can’t be sure what data and communications were accessed, leaders have to make assumptions about what the hackers may have reached, she said.

The second, more troubling question is whether hackers altered data in any way, which Tighe said could be more problematic than destroying data.

“You have data, but you don’t know if it’s really the right data in your network. Depending on what aspect of the DoD you’re in, that could be very damaging,” she explained.

Once inside, the access would depend on what system the malicious code went to through updates to the SolarWinds software. For example, an upload to an agency’s central administration systems could be damaging, allowing access to information such as user logs and system locations, said Frank Downs, former NSA analyst and director of proactive services at cybersecurity firm BlueVoyant.

If the actor entered into a central network through the SolarWinds vulnerability and found lax security on connected systems, that could cause serious problems for the department.

“It all depends on what’s on the network and the permissions on the network, but they could hop from one node to another node to another node,” Downs said. “If you have security in depth, the chances are a lot lower that they’ll be able to get much greater access, but if you are just sitting on a perimeter baseline, it’s not looking good.”

If those systems administrator privileges are vulnerable, experts said accounts could be manipulated and privileges elevated to continually allow increased access.
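As an added illustration of the trust-relationship point Barrett and Downs make above (example code written for this page, not anything from the article, the DoD or the firms quoted), the script below models network trust relationships as a directed graph and computes the blast radius of one compromised foothold. The topology, node names and edge list are constructed assumptions. The `cut` parameter models a control that removes a trust edge, such as segmentation or a separate credential set per enclave, and `critical_edges` finds the single trust edges whose removal alone keeps a protected enclave out of reach, which is where "being really careful about that tunnel" pays off most.

```python
"""Blast-radius analysis over network trust relationships (added example)."""
from collections import deque

# Constructed topology, not any real network. An edge A -> B means a foothold on
# A can reach B through an existing trust relationship (shared credentials,
# management tunnel, domain trust) without needing a fresh compromise.
TRUST = {
    "vendor-mgmt": ("it-admin", "hr"),      # where a trojaned management tool lands
    "it-admin": ("finance", "file-servers", "ics-gateway"),
    "hr": ("file-servers",),
    "finance": (),
    "file-servers": ("it-admin",),          # admin tooling also logs in from here
    "ics-gateway": ("control-systems",),
    "control-systems": (),
    "classified": (),                       # no inbound trust edge: air-gapped
}


def reachable(trust, start, cut=frozenset()):
    """Breadth-first walk from a compromised node. `cut` holds (a, b) edges that a
    control removes: segmentation, a separate credential set, or a closed tunnel."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in trust.get(node, ()):
            if (node, nxt) in cut or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def blast_radius(trust, start, cut=frozenset()):
    """Everything an attacker at `start` can hop to, excluding `start` itself."""
    return reachable(trust, start, cut) - {start}


def critical_edges(trust, start, protect):
    """Single trust edges whose removal alone keeps `protect` out of reach of `start`.
    These are the connection points to monitor and harden first."""
    edges = [(a, b) for a, targets in trust.items() for b in targets]
    return {e for e in edges if protect not in reachable(trust, start, cut={e})}


if __name__ == "__main__":
    foothold = "vendor-mgmt"
    print("blast radius:", sorted(blast_radius(TRUST, foothold)))
    print("edges that alone protect control-systems:",
          sorted(critical_edges(TRUST, foothold, "control-systems")))
    segmented = {("it-admin", "ics-gateway")}
    print("after segmenting admin from ICS:",
          sorted(blast_radius(TRUST, foothold, cut=segmented)))
```

Run stand-alone, the script shows the foothold reaching six of the eight nodes (everything except the air-gapped enclave), that only two edges individually sever the path to the control systems, and that cutting the admin-to-ICS edge shrinks the radius to the office networks. The same walk over a real trust inventory is the "security in depth" check Downs describes: a perimeter-only design has one node from which everything is reachable.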

“They’re going to get in and build all sorts of backdoors that you’re not going to be able to figure out,” Barrett said. “They’re going to be able to manipulate accounts and do things and hide their tracks. You’re not going to catch them, and they’re probably still there now.”

Communication is likely disrupted during a survey of potential network damage. Specifically, officials shouldn’t send and receive emails on the network if investigators are searching for potential compromises, Tighe said, noting that one of the first things the Cybersecurity and Infrastructure Security Agency did was tell agencies to have a different way of communicating as they coordinate the response.

There’s also more risk through the software supply chain. Another concerning scenario is if the attackers find their way into an update for a hacked company’s software, infecting still more users through those software products or even the firmware on chips or other hardware, said Greg Conti, founder at cybersecurity firm Kopidion and former chief of the U.S. Army Cyber Institute.

“This could have second, third or fourth order effects as it propagates that we’ll never know,” said Conti. “This thing could attack, spread outward, companies could remediate, and then it could loop back in through another product that was compromised.”

Authorities believe that hackers had extensive access to some government or business networks for as long as nine months. With that time, could the hackers have figured out how to jump the air gap meant to block computer system users from accessing classified systems?

“I’m speculating, but people have done amazing things where they turn a RAM in a computer into a radio transmitter [to bridge into air-gapped networks],” Conti said. “There are hundreds of counterintuitive and crazy things people have done. This is a huge thing, and there’s a nonzero chance the attackers pulled out their super-secret best capability.”

Agencies could face another problem if they use the same credentials for users on unclassified and classified portions of the network, allowing hackers to steal unclassified credentials and migrate to more protected areas, Tighe pointed out. While administrators work to have different credentials for each, rare cases where they are the same are worrying.

In another scenario, subtle, hard-to-detect data manipulations could be introduced into the software of a weapon system so that it malfunctions.

However, Jamil Jaffer, founder and executive director of the National Security Institute at George Mason University, cautioned that there is no evidence that the Russians have taken that step, and it is unlikely because of the strong reaction it would likely provoke. He also noted that if the Russians were to even threaten such action, that would raise concerns.

“I’m not sure they’d even want to do that, because I think they realize if we found out they’d engaged in data manipulation or destruction, they’d be crossing a red line that would provoke a stiff response, but they might try to hold us at risk, and if they do, that’s a major problem also and might force us to get more aggressive sooner,” Jaffer said.





The US has suffered a massive cyberbreach.

It’s hard to overstate how bad it is.

by Bruce Schneier on 23 DEC 2020

‘The only reason we know about this breach is that the security company FireEye discovered it had been hacked and alerted the US government. We shouldn’t have to rely on a private company to alert us of a major nation-state attack.’ Photograph: Patrick Semansky/AP

This is a security failure of enormous proportions – and a wake-up call. The US must rethink its cybersecurity protocols.

Recent news articles have all been talking about the massive Russian cyber-attack against the United States, but that’s wrong on two accounts. It wasn’t a cyber-attack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous.

Espionage is internationally allowed in peacetime. The problem is that both espionage and cyber-attacks require the same computer and network intrusions, and the difference is only a few keystrokes. And since this Russian operation isn’t at all targeted, the entire world is at risk – and not just from Russia. Many countries carry out these sorts of operations, none more extensively than the US. The solution is to prioritize security and defense over espionage and attack.

Here’s what we know: Orion is a network management product from a company named SolarWinds, with over 300,000 customers worldwide. Sometime before March, hackers working for the Russian SVR – previously known as the KGB – hacked into SolarWinds and slipped a backdoor into an Orion software update. (We don’t know how, but last year the company’s update server was protected by the password “solarwinds123” – something that speaks to a lack of security culture.) Users who downloaded and installed that corrupted update between March and June unwittingly gave SVR hackers access to their networks.

This is called a supply-chain attack, because it targets a supplier to an organization rather than an organization itself – and can affect all of a supplier’s customers. It’s an increasingly common way to attack networks. Other examples of this sort of attack include fake apps in the Google Play store, and hacked replacement screens for your smartphone.

SolarWinds has removed its customers list from its website, but the Internet Archive saved it: all five branches of the US military, the state department, the White House, the NSA, 425 of the Fortune 500 companies, all five of the top five accounting firms, and hundreds of universities and colleges. In an SEC filing, SolarWinds said that it believes “fewer than 18,000” of those customers installed this malicious update, another way of saying that more than 17,000 did.

That’s a lot of vulnerable networks, and it’s inconceivable that the SVR penetrated them all. Instead, it chose carefully from its cornucopia of targets. Microsoft’s analysis identified 40 customers who were infiltrated using this vulnerability. The great majority of those were in the US, but networks in Canada, Mexico, Belgium, Spain, the UK, Israel and the UAE were also targeted. This list includes governments, government contractors, IT companies, thinktanks, and NGOs … and it will certainly grow.

Once inside a network, SVR hackers followed a standard playbook: establish persistent access that will remain even if the initial vulnerability is fixed; move laterally around the network by compromising additional systems and accounts; and then exfiltrate data. Not being a SolarWinds customer is no guarantee of security; this SVR operation used other initial infection vectors and techniques as well. These are sophisticated and patient hackers, and we’re only just learning some of the techniques involved here.

Recovering from this attack isn’t easy. Because any SVR hackers would establish persistent access, the only way to ensure that your network isn’t compromised is to burn it to the ground and rebuild it, similar to reinstalling your computer’s operating system to recover from a bad hack. This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they can’t be sure. There are many ways to establish persistent access that survive rebuilding individual computers and networks. We know, for example, of an NSA exploit that remains on a hard drive even after it is reformatted. Code for that exploit was part of the Equation Group tools that the Shadow Brokers – again believed to be Russia – stole from the NSA and published in 2016. The SVR probably has the same kinds of tools.

Even without that caveat, many network administrators won’t go through the long, painful, and potentially expensive rebuilding process. They’ll just hope for the best.

It’s hard to overstate how bad this is. We are still learning about US government organizations breached: the state department, the treasury department, homeland security, the Los Alamos and Sandia National Laboratories (where nuclear weapons are developed), the National Nuclear Security Administration, the National Institutes of Health, and many more. At this point, there’s no indication that any classified networks were penetrated, although that could change easily. It will take years to learn which networks the SVR has penetrated, and where it still has access. Much of that will probably be classified, which means that we, the public, will never know.

And now that the Orion vulnerability is public, other governments and cybercriminals will use it to penetrate vulnerable networks. I can guarantee you that the NSA is using the SVR’s hack to infiltrate other networks; why would they not? (Do any Russian organizations use Orion? Probably.)

While this is a security failure of enormous proportions, it is not, as Senator Richard Durbin said, “virtually a declaration of war by Russia on the United States”. While President-elect Biden said he will make this a top priority, it’s unlikely that he will do much to retaliate.

The reason is that, by international norms, Russia did nothing wrong. This is the normal state of affairs. Countries spy on each other all the time. There are no rules or even norms, and it’s basically “buyer beware”. The US regularly fails to retaliate against espionage operations – such as China’s hack of the Office of Personnel Management (OPM) and previous Russian hacks – because we do it, too. Speaking of the OPM hack, the then director of national intelligence, James Clapper, said: “You have to kind of salute the Chinese for what they did. If we had the opportunity to do that, I don’t think we’d hesitate for a minute.”

We don’t, and I’m sure NSA employees are grudgingly impressed with the SVR. The US has by far the most extensive and aggressive intelligence operation in the world. The NSA’s budget is the largest of any intelligence agency. It aggressively leverages the US’s position controlling most of the internet backbone and most of the major internet companies. Edward Snowden disclosed many targets of its efforts around 2014, which then included 193 countries, the World Bank, the IMF and the International Atomic Energy Agency. We are undoubtedly running an offensive operation on the scale of this SVR operation right now, and it’ll probably never be made public. In 2016, President Obama boasted that we have “more capacity than anybody both offensively and defensively.”

He may have been too optimistic about our defensive capability. The US prioritizes and spends many times more on offense than on defensive cybersecurity. In recent years, the NSA has adopted a strategy of “persistent engagement”, sometimes called “defending forward”. The idea is that instead of passively waiting for the enemy to attack our networks and infrastructure, we go on the offensive and disrupt attacks before they get to us. This strategy was credited with foiling a plot by the Russian Internet Research Agency to disrupt the 2018 elections.

But if persistent engagement is so effective, how could it have missed this massive SVR operation? It seems that pretty much the entire US government was unknowingly sending information back to Moscow. If we had been watching everything the Russians were doing, we would have seen some evidence of this. The Russians’ success under the watchful eye of the NSA and US Cyber Command shows that this is a failed approach.

And how did US defensive capability miss this? The only reason we know about this breach is because, earlier this month, the security company FireEye discovered that it had been hacked. During its own audit of its network, it uncovered the Orion vulnerability and alerted the US government. Why don’t organizations like the departments of state, treasury and homeland security regularly conduct that level of audit on their own systems? The government’s intrusion detection system, Einstein 3, failed here because it doesn’t detect new sophisticated attacks – a deficiency pointed out in 2018 but never fixed. We shouldn’t have to rely on a private cybersecurity company to alert us of a major nation-state attack.

If anything, the US’s prioritization of offense over defense makes us less safe. In the interests of surveillance, the NSA has pushed for an insecure cellphone encryption standard and a backdoor in random number generators (important for secure encryption). The DoJ has never relented in its insistence that the world’s popular encryption systems be made insecure through back doors – another hot point where attack and defense are in conflict. In other words, we allow for insecure standards and systems, because we can use them to spy on others.

We need to adopt a defense-dominant strategy. As computers and the internet become increasingly essential to society, cyber-attacks are likely to be the precursor to actual war. We are simply too vulnerable when we prioritize offense, even if we have to give up the advantage of using those insecurities to spy on others.

Our vulnerability is magnified as eavesdropping may bleed into a direct attack. The SVR’s access allows them not only to eavesdrop, but also to modify data, degrade network performance, or erase entire networks. The first might be normal spying, but the second certainly could be considered an act of war. Russia is almost certainly laying the groundwork for future attack.

This preparation would not be unprecedented. There’s a lot of attack going on in the world. In 2010, the US and Israel attacked the Iranian nuclear program. In 2012, Iran attacked the Saudi national oil company. North Korea attacked Sony in 2014. Russia attacked the Ukrainian power grid in 2015 and 2016. Russia is hacking the US power grid, and the US is hacking Russia’s power grid – just in case the capability is needed someday. All of these attacks began as a spying operation. Security vulnerabilities have real-world consequences.

We’re not going to be able to secure our networks and systems in this no-rules, free-for-all every-network-for-itself world. The US needs to willingly give up part of its offensive advantage in cyberspace in exchange for a vastly more secure global cyberspace. We need to invest in securing the world’s supply chains from this type of attack, and to press for international norms and agreements prioritizing cybersecurity, like the 2018 Paris Call for Trust and Security in Cyberspace or the Global Commission on the Stability of Cyberspace. Hardening widely used software like Orion (or the core internet protocols) helps everyone. We need to dampen this offensive arms race rather than exacerbate it, and work towards cyber peace. Otherwise, hypocritically criticizing the Russians for doing the same thing we do every day won’t help create the safer world in which we all want to live.

Bruce Schneier is a security technologist and author.
His most recent book is Click Here to Kill Everybody: Security and Survival in a Hyper-connected World




US scrambles to understand fallout of suspected Russia hack

At least six government departments breached in likely Russian intelligence operation thought to have begun in March

18 DEC 2020

‘This hack was so big in scope that even our cybersecurity experts don’t have a real sense yet in the terms of the breadth of the intrusion itself,’ said Stephen Lynch, head of the House oversight and reform committee. Photograph: Olivier Douliery/AFP/Getty Images

The US government is still in the dark over how deeply Russian hackers penetrated its networks during the worst ever cyber-attack on federal agencies, members of Congress warned on Friday.

At least six government departments were breached in a likely Russian intelligence operation thought to have begun in March. Although there is no evidence that classified networks were compromised, it is not known what the hackers may have stolen or how long it will take to purge them.

Members of Congress said the government is still scrambling to understand the fallout as details emerge. “This hack was so big in scope that even our cybersecurity experts don’t have a real sense yet in the terms of the breadth of the intrusion itself,” commented Stephen Lynch, head of the House of Representatives’ oversight and reform committee, after attending a classified briefing.

Congressman Jamie Raskin, another member of the committee, added: “There’s a lot more that we don’t know than what we do know. I’m hopeful the government will learn exactly how this was perpetrated on us and what is the full scope of the damage.”

US officials say they only recently became aware of the attacks on both the government and some Fortune 500 companies in which spies roamed undetected for as long as nine months. The energy department and the national nuclear security administration, which manages the country’s nuclear weapons stockpile, were among the agencies breached.

Hackers injected malicious code into the software of SolarWinds, a company that provides network services, and appeared to use other tools to gain access. America’s cybersecurity agency warned of a “grave risk” to the nation’s infrastructure.

Tech giant Microsoft, which has helped respond to the breach, said it has identified more than 40 government agencies, think tanks, non-governmental organisations and IT companies infiltrated by the hackers. Four in five were in the US – nearly half of them tech companies – with victims also in Canada, Mexico, Belgium, Spain, the UK, Israel and the United Arab Emirates.

Microsoft said in a blogpost: “This is not espionage as usual, even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”

But Donald Trump, long reluctant to criticise his Russian counterpart, Vladimir Putin, has been conspicuously silent, focused instead on overturning an election that he lost. The US president is under growing pressure to speak out about what some described as an epic national security crisis.

The Republican senator Mitt Romney, a former presidential candidate, told SiriusXM radio: “What I find most astonishing is that a cyber-hack of this nature is really the modern equivalent of almost Russian bombers reportedly flying undetected over the entire country.”

Describing the country’s cyber defences as extraordinarily vulnerable and weak, Romney added: “In this setting, not to have the White House aggressively speaking out and protesting and taking punitive action is really, really quite extraordinary.”

Trump’s absence on the issue implies that it will be left to his successor, Joe Biden, to retaliate through sanctions, criminal charges or other means. In a statement on Thursday, the president-elect said his administration “will make dealing with this breach a top priority from the moment we take office”.

The damage, however, could take years to remedy. Thomas Bossert, Trump’s former homeland security adviser, wrote this week in a New York Times column: “While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.

“The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated. But it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying.”





How hacked is hacked? Here’s a ‘hack scale’ to better understand the SolarWinds cyberattacks

“Microsoft, FireEye, and the U.S. Treasury department have been hacked in the SolarWinds attacks.”

This statement is true but doesn’t tell the whole story accurately.

It’s true because by most people’s understanding, these organizations have been hacked. But it doesn’t tell the whole story accurately because each of these organizations has had different impacts with different levels of severity from “the hack.”

A good example of why this matters is how we talk about cancer. Years ago “having cancer” was a binary thing, too. Either you “had cancer” and were going to die or you didn’t. And cancer was often talked about in hushed tones with euphemistic terms — “the C word.”

Because of advances in medicine, this is no longer the case: people can and do survive cancer. So now we talk about cancer more openly in a way that reflects that reality in terms of types of cancer and stages. That helps us understand if it’s a kind of cancer that could be treatable and survivable or one that is untreatable and terminal.

The same is true now about being hacked. Some hacking is catastrophic, but some is survivable. We see this reality in the different reports coming out about “SolarWinds hacks.” Some organizations are severely affected while others less so. But these crucial nuances are lost when we say they’ve all been “hacked.”

There is no “hacked scale” that is used by professionals, let alone that can be used by laypeople. This is one reason why we continue to just hear about “hacked.”

If we’re going to understand the nuances in the SolarWinds cases better, we need to define a scale. Since the most important thing in hacks is the spread and severity, the cancer staging system gives a good model to adapt because it tracks the spread and severity of cancer in five stages. We can do the same with hacks.

  • Stage 0: The attackers have found or made an entry point to systems or the network but haven’t used it or taken any action.
  • Stage I: Attackers have control of a system but haven’t moved beyond that system to the broader network.
  • Stage II: Attackers have moved to the broader network and are in “read-only” mode, meaning they can read and steal data but not alter it.
  • Stage III: Attackers have moved to the broader network and have “write” access to the network, meaning they can alter data as well as read and steal it.
  • Stage IV: Attackers have administrative control of the broader network, meaning they can create accounts and new means of entry to the network as well as alter, read and steal data.

The key factors in these levels are the attacker’s access and control: less of each is better, more is worse.

For instance, SolarWinds has said that 18,000 customers were impacted. But this doesn’t mean that 18,000 customers’ networks experienced Stage IV and are fully and totally controlled by the attackers.

The information SolarWinds provides only tells us that those customers experienced Stage 0: the attackers may have had a way to get further into the network. To know if attackers did go further and customers were more severely affected requires more investigation.
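The point in the two paragraphs above, that a known entry point only proves Stage 0 and that anything beyond it must be established by investigation, is easy to get wrong in a status report. The following is an added example (not code from the Geekwire article or from this blog) of a small triage helper that applies the five-stage scale to confirmed investigation findings. It treats the result as a floor (a finding that was never looked for is not evidence of absence) and, separately, gives a planning stage that assumes the worst case until the investigation is closed, which is the “act as if they control it” position quoted earlier on this page. The finding labels and the sample cases are constructed for illustration and are not identifiers or data from the page.

```python
# Added example: staging an intrusion on the five-level "hack scale".
# Finding labels and sample cases below are constructed assumptions.
from enum import IntEnum


class Stage(IntEnum):
    """The five stages from the article, ordered so that max() picks the worst."""
    ENTRY_POINT = 0    # a way in exists, but no action observed
    HOST_CONTROL = 1   # one system controlled, no movement beyond it
    NETWORK_READ = 2   # moved to the broader network; can read and steal data
    NETWORK_WRITE = 3  # can also alter data on the broader network
    ADMIN = 4          # administrative control: new accounts, new entry points


# Each confirmed finding establishes *at least* this stage (assumed labels).
FINDING_STAGE = {
    "trojanized_binary_installed": Stage.ENTRY_POINT,  # e.g. a backdoored update present
    "host_command_execution": Stage.HOST_CONTROL,      # beaconing or commands run on that host
    "lateral_movement": Stage.NETWORK_READ,
    "data_exfiltrated": Stage.NETWORK_READ,
    "data_modified": Stage.NETWORK_WRITE,
    "accounts_created": Stage.ADMIN,
    "admin_credentials_used": Stage.ADMIN,
    "new_entry_point_planted": Stage.ADMIN,
}


def proven_stage(findings):
    """Highest stage that the confirmed findings establish.

    A finding that was never looked for is not evidence of absence, so this
    is a floor: the true stage can only be this or higher.
    """
    findings = set(findings)
    unknown = findings - set(FINDING_STAGE)
    if unknown:
        raise ValueError(f"unrecognised findings: {sorted(unknown)}")
    if not findings:
        raise ValueError("nothing to stage: no confirmed finding of an entry point")
    return max(FINDING_STAGE[f] for f in findings)


def planning_stage(findings, investigation_complete):
    """Stage to plan the response against.

    Until the investigation has ruled the higher stages out, respond as if
    the worst case holds; once it is complete, the proven stage is the real one.
    """
    proven = proven_stage(findings)
    return proven if investigation_complete else Stage.ADMIN


def _roman(stage):
    return ["0", "I", "II", "III", "IV"][int(stage)]


def describe(findings, investigation_complete=False):
    """One-line summary suitable for a status report."""
    proven = proven_stage(findings)
    plan = planning_stage(findings, investigation_complete)
    note = "confirmed" if investigation_complete else "lower bound, investigation ongoing"
    return f"Stage {_roman(proven)} ({note}); plan for Stage {_roman(plan)}"


# Constructed summaries of cases discussed in the article, reduced to finding
# labels; these are illustrations, not the organisations' own data.
SAMPLE_CASES = {
    # "detected malicious binaries ... isolated and removed", investigation ongoing
    "Microsoft": ({"trojanized_binary_installed"}, False),
    # disclosed that information was stolen, no indication of write or admin access
    "FireEye": ({"trojanized_binary_installed", "data_exfiltrated"}, False),
    # hypothetical closed case with read access plus admin-level activity
    "hypothetical_admin_case": ({"lateral_movement", "data_exfiltrated", "accounts_created"}, True),
}


def triage(cases=SAMPLE_CASES):
    """Map each case name to its one-line summary."""
    return {name: describe(f, done) for name, (f, done) in cases.items()}


if __name__ == "__main__":
    for name, summary in triage().items():
        print(f"{name}: {summary}")
```

Running it prints the Microsoft case as Stage 0 with a planning stage of IV, which is exactly the gap between “18,000 impacted” and “18,000 fully controlled” that the article is drawing attention to: the proven stage is what the evidence supports, the planning stage is what the incident response has to assume until the evidence says otherwise.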

On Dec. 17, Microsoft said it “can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed … we have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.” Taking the information at face value, that would seem to indicate that Microsoft experienced Stage 0 or Stage I.

FireEye made a disclosure on Dec. 8 of its own compromise that would turn out to be part of the SolarWinds attacks. It seems to indicate that the attacker was able to steal information but gave no indication that the attackers were able to alter data or gain administrative control of the network, likely making what the company experienced a Stage II.

Details of the U.S. Treasury’s attack aren’t as clear, in part because we only have the information second- and third-hand. The information in the New York Times report clearly indicates that the attackers at least had “read” access on the network, which is consistent with Stage II. However, some of the details that have emerged about how the attackers may have gained access to cloud properties imply the possibility that the attackers had achieved Stage IV on the network.

The goal with any scale is to make things simple but not simplistic. No scale is ever perfect; there are always ways in which a scale can obscure critical details. The important thing with scales like this is that they let us easily and succinctly understand the relative severity of a situation. What we know does indicate that the Treasury situation is worse than the Microsoft or FireEye situations; in this regard, the scale is accurate and useful.

The key point for everyone now is to understand that “hacked” isn’t a simple binary state: there are different degrees of it. By understanding this we can better assess how serious a situation is and what we need to do in response.




See also from Geekwire:

Microsoft unleashes ‘Death Star’ on SolarWinds hackers in extraordinary response to breach