The Pearl Harbor of Cyber Attacks Goes Unnoticed

The biggest espionage attack in US history slipped under the radar of most Americans.  It began in March 2020, but went unnoticed until December 2020.  Yet, it was barely a blip in our daily news.  Why? Yes, our country was reeling from an Ali-sized punch to the gut: pandemic, social & political upheaval, and economic downturn.  But come on!  If a Russian MIG jet entered US airspace, our military would intercept and shoot it down in seconds, right?  So what happened in December, and why should we be worried?   

What Happened

Russia’s hack of SolarWinds in Austin, TX began in March 2020, but according to WIRED, it only came to light when perpetrators used that access to break into the cybersecurity firm FireEye.  That breach was only the beginning of numerous other attacks identified by the US Department of Homeland Security on December 9.  Reuters reports that SolarWinds manages hundreds of thousands of customers, including 18,000 who were vulnerable to Russia’s attack.  Many of those companies were IT firms including well-known companies such as Microsoft.  Microsoft estimates that 18 percent of the cyberattack victims (40+ agencies) were U.S. Government targets including the Commerce Department, the Department of Homeland Security, the Pentagon, the Treasury Department, the U.S. Postal Service, the Department of Energy, and the National Institutes of Health.

“These types of sophisticated nation-state attacks are increasingly being compounded by another technology trend, which is the opportunity to augment human capabilities with artificial intelligence (AI). One of the more chilling developments this year has been what appears to be new steps to use AI to weaponize large stolen datasets about individuals and spread targeted disinformation using text messages and encrypted messaging apps. We should all assume that, like the sophisticated attacks from Russia, this too will become a permanent part of the threat landscape”. “A Moment of Reckoning” Microsoft

How They Did It

According to Santa Cruz Works partner Jack Wolosewicz / CEO of Cyberus Labs, it was a classic credentials theft attack.  Attackers entered via a compromised email account by first obtaining a User ID and Password.  This was most likely done by phishing.  Attackers then bypassed Duo Security 2nd Factor authentication (“MFA”) via an integration loophole.  Once in, the attackers gave themselves privileges in the system to be able to exfiltrate data.  After download, they passed the data to the daily espionage team. 

“As in so many of these cases,” comments Jack, “we were not facing genius attackers, but rather a lack of sophistication of security professionals still using static credentials and weak MFA. Credential theft is widely known to be responsible for 80% of all hacks, yet even security firms continue to use weak credentials to enable access to their systems. The stolen credentials were then used to provide access to victims data by compromising the very security software designed to protect this data. It is also a weakness in FIDO (a user authentication standard) compliant systems supporting 3rd party operation within the security shell.  FIDO protocols also don’t exclude the use of static credentials, like passwords. That leaves open the static credentials vulnerability and the same integration loopholes, static MFA tokens to be misused etc.”

Jack goes on to explain that this would not have been possible if they had used Cyberus Key by Cyber Labs.  “We are credential-less.  We integrate MFA within Cyberus Key. No 3rd party integration loopholes like the one used in this attack.We also require out-of-band transaction confirmation.” 

What? Me Worry?

According to WIRED, the US has invested billions of dollars in Einstein: a system designed to detect digital intrusions. The SolarWinds hack was what's known as a "supply chain" attack, in which Russia compromised a trusted tool rather than using known malware to break in. Einstein failed spectacularly. The US government can't say it wasn't warned; a 2018 report from the Government Accountability Office recommended that agencies—and federal defense systems more broadly—take the supply chain threat more seriously.

There is also the “Buy IBM” mindset still operating in the industry, where the most expensive, heavily marketed security solutions are implemented without a common sense analysis of loopholes. Paying more and adding complexity will not work when the simple gotchas are overlooked. Expensive steel doors don’t do much good if the lock is weak. Yet this seems to be a common approach to security decisions.

Yes we should worry.  For a nation that has been a world leader in technology, we failed miserably to protect our most valued institutions.   Cyber warfare, nation-state attacks require a strong and coordinated global cybersecurity response.  On January 12, president-elect Biden announced appointments of Elizabeth Sherwood-Randall and Anne Neuberger to rebuild a national security focus that was largely ignored and subsequently dismantled by President Trump. In fact, Trump dismantled the NSC in March 2020. Is it coincidence that the Russian hack started in March 2020?

“The Obama-Biden Administration set up the White House National Security Council Directorate for Global Health Security and Biodefense to prepare for future pandemics like COVID-19. Donald Trump eliminated it — and now we're paying the price.” Biden March 2020

The scope of this team’s assignment is not for the faint of heart. With the rise of domestic terrorism as well as the crippling cyberattack from Russia. Ms. Sherwood-Randall will focus on right-wing groups that terrorized our nation’s Capitol in the first week of 2021. Ms. Neuberger will be tasked with unraveling the affect of the Russian cyberattack, and rebuilding a safer system. The need for innovative tech has never been more urgent. Fellow nerds: heed the call.