
Sunday, December 27, 2020

The Great Pause Week 41: The Night After Christmas

"There is no more evidence Russians were behind the SolarWinds hack than that Donald Trump was reelected President."

 

Bil Baird, Detail from Christmas Card sent to Bates family c. 1955

Because those of my advanced age are under general quarantine orders now in the State of Quintana Roo, I did not venture out to any of the usual Christmas Eve festivities with children batting piñatas and candles set before the Virgin of Guadalupe, but made an early night of it and arose to my usual routine, watering my garden while the espresso steamed on the stove.

Coffee made and fragrant cup in hand, I sat at my desk and dialed up the daughter in Tennessee to wish a happy Christmas. No answer. I called the son and granddaughter, who live just up the road from my daughter. Also no answer. Hmmm. They could still be sleeping in, I thought, but usually my son leaves the phone on voice mail. It didn’t pick up.

I opened my laptop. The browser’s home page did not boot. I tried some other pages — Google, The New York Times, Medium. Nada. Then I tried my regional Mexican newspaper, Por Esto! and it appeared. The headline was a shocker.

¡Cortar! Todas las comunicaciones dentro y fuera de los Estados Unidos se han cerrado.
(“Cut Off! All communications into and out of the United States have gone silent.”)

Whoa. What is that about? Now I launched The Guardian website and saw the same story, but with some more details. The writer said that well placed sources in UK government thought that since no seismic anomalies or other signs of disaster had been detected, the sudden blackout, which had come at midnight Pacific time, 4 AM Eastern, 9 AM London, might be connected to the SolarWinds hack.

The suggestion was, although far from confirmed at that point, that a hack attack had shut off the North American Electric Reliability grid and severed most, if not all, connections to the internet, killing server farms and satellite uplinks. 

The effects cascading from that kind of abrupt interruption would include not only power outages across the entire United States and parts of Canada, but also the power sharing arrangements that allow nuclear power and research reactors to safely scram while maintaining coolant flow, petrochemical refineries to remain on line long enough to halt dangerous reactions in process, and thousands of other severed ties with varying degrees of catastrophic hazard. Traffic lights would have gone dark. Subway trains would be trapped in tunnels. 

The Guardian couldn’t or wouldn’t say whether anything had blown up yet, but it did report that reactors, smelters, and refineries all over the UK and Europe were shutting down as a precaution. Mexico’s Energy Regulatory Commission (CRE) had already cut its North American intergrid tie, or I wouldn’t be reading this.

I pushed back my chair and exhaled a low whistle. Holy shyt.

This particular cyberattack of unknown origin had been underway against critical infrastructure for more than 9 months, with no apparent damage or loss. Early in the year, security researchers had alerted the SolarWinds company that anyone could access its update server by using the password “solarwinds123” — a gaping security hole, now a back door (called Solorigate by Microsoft and SUNBURST by FireEye).

SolarWinds provides antihacking software to major companies and governments. The software sets itself up and works from the root of computer operating systems to monitor all commands. It is much like an engineered virus — an mRNA — loosed to transcribe itself into the DNA of a designated computer system.

Once through the SolarWinds back door, hackers had leisurely used half of 2020 to issue malware disguised as a routine update to some 18,000 of the 33,000 client organizations around the world — including 425 of the Fortune 500 companies, the top 10 telecom operators in the US, the Department of Commerce’s National Telecommunications and Information Administration, the Department of Health’s National Institutes of Health (NIH), the Cybersecurity and Infrastructure Security Agency (CISA), the Centers for Disease Control and Prevention, the Department of Homeland Security, State Department, Treasury, Justice, Pentagon, and many government agencies and financial institutions in North America, Europe, Asia and the Middle East.

The hack began as early as March, when malicious code was sneaked into updates to popular software called Orion, made by the company SolarWinds, which monitors the computer networks of businesses and governments for outages.

— The Guardian

Once installed, the malware gave a backdoor entry to the hackers to the systems and networks of SolarWinds’ customers. More importantly, the malware was also able to thwart tools such as anti-virus that could detect it.

— Indian Express

Finally, today, Wednesday, Dec. 16, Microsoft basically changed its phasers from “stun” to “kill” by changing Windows Defender’s default action for Solorigate from “Alert” to “Quarantine,” a drastic action that could cause systems to crash but will effectively kill the malware when it finds it.
***
In the end, this all reminds us how much power Microsoft has at its disposal. Between its control of the Windows operating system, its robust legal team, and its position in the industry, it has the power to change the world nearly overnight if it wants to. And when it chooses to train that power on an adversary, it really is the equivalent of the Death Star: able to completely destroy a planet in a single blast.

— GeekWire

Alerted by independent sleuths, the FBI swung into action before news of the breach had reached the public. Although many prominent figures inside and outside government circles were quick to accuse Russian hackers, and the government of Vladimir Putin, there was no more evidence Russians were behind the SolarWinds attack than that Donald Trump was reelected President. Senator Mitt Romney was undeterred, comparing the attack to the equivalent of Russian bombers flying undetected all over the country. Prominent Democrats said they were “downright scared” and demanded new sanctions. The State Department closed consulates in Russia in reprisal. Despite enormous political pressure, the FBI would not say there was any Russian involvement.

On December 21, the US Cybersecurity and Infrastructure Security Agency issued Emergency Directive 21-01, asking all “federal civilian agencies to review their networks” for indicators of compromise. It also asked them to “disconnect or power down SolarWinds Orion products immediately.”

The warnings apparently came too late. From where I am in Mexico, it looks very much like the US power grid is toast. With as many as 80 nuclear plants melting down and already overwhelmed hospitals now without enough power to run ICUs, this is a Christmas Day we will not forget. And ironically, it might have been just a group of teenage hackers who bought their ‘Sunburst’ malware on the Dark Web and discovered the solarwinds123 password through sheer dumb luck.

Okay, that wasn’t real. I made most of that up, although not the closed consulates and FBI part. The US hasn’t melted down. I just needed to make a point about the brittle nature of complex systems. I punted my rap on Joseph Tainter forward one week to send this holiday greeting out to all my readers. Happy holidays!

 ____________

 


The COVID-19 pandemic has destroyed lives, livelihoods, and economies. But it has not slowed down climate change, which presents an existential threat to all life, humans included. The warnings could not be stronger: temperatures and fires are breaking records, greenhouse gas levels keep climbing, sea level is rising, and natural disasters are upsizing.

As the world confronts the pandemic and emerges into recovery, there is growing recognition that the recovery must be a pathway to a new carbon economy, one that goes beyond zero emissions and runs the industrial carbon cycle backwards — taking CO2 from the atmosphere and ocean, turning it into coal and oil, and burying it in the ground. The triple bottom line of this new economy is antifragility, regeneration, and resilience.

Help me get my blog posted every week. All Patreon donations and Blogger subscriptions are needed and welcomed. You are how we make this happen. Your contributions are being made to Global Village Institute, a tax-deductible 501(c)(3) charity. PowerUp! donors on Patreon get an autographed book off each first press run. Please help if you can.

 

The Great Change is published whenever the spirit moves me. Writings on this site are purely the opinion of Albert Bates and are subject to a Creative Commons Attribution Non-Commercial Share-Alike 3.0 "unported" copyright. People are free to share (i.e., to copy, distribute and transmit this work) and to build upon and adapt this work – under the following conditions of attribution, non-commercial use, and share alike: Attribution (BY): You must attribute the work in the manner specified by the author or licensor (but not in any way that suggests that they endorse you or your use of the work). Non-Commercial (NC): You may not use this work for commercial purposes. Share Alike (SA): If you alter, transform, or build upon this work, you may distribute the resulting work only under the same or similar license to this one. Nothing in this license is intended to reduce, limit, or restrict any rights arising from fair use or other limitations on the exclusive rights of the copyright owner under copyright law or other applicable laws. Therefore, the content of this publication may be quoted or cited as per fair use rights. Any of the conditions of this license can be waived if you get permission from the copyright holder (i.e., the Author). Where the work or any of its elements is in the public domain under applicable law, that status is in no way affected by the license. For the complete Creative Commons legal code affecting this publication, see here. Writings on this site do not constitute legal or financial advice, and do not reflect the views of any other firm, employer, or organization. Information on this site is not classified and is not otherwise subject to confidentiality or non-disclosure.