In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches.[1][28][29] The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access.[35] Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches.[1][36][37] Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.[36]
The cyberattack that led to the breaches began no later than March 2020.[9][10] The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware.[43][21] A supply chain attack on Microsoft cloud services provided one way for the attackers to breach their victims, depending upon whether the victims had bought those services through a reseller.[16][17][18] A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided another avenue, if the victim used that software.[12][44] Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents,[23][24][14][15] and to perform federated authentication across victim resources via single sign-on infrastructure.[21][45][46]
In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution.[47][48] U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war.[49][4] President Donald Trump was silent for several days after the attack was publicly disclosed. He suggested that China, not Russia, might have been responsible for it, and that "everything is well under control".[50][51][52]
Background
SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack.[53][54] SolarWinds did not employ a chief information security officer or senior director of cybersecurity.[4][55] Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017.[54][53] SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software.[53] In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, warning that "any hacker could upload malicious [files]" that would then be distributed to SolarWinds customers.[56][53][57][54] Furthermore, SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.[58][59]
On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired.[60][61] That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds.[60] The firms denied insider trading.[60][62]
Methodology
Multiple attack vectors were used in the course of breaching the various victims of the incident.[63][64]
Microsoft exploits
If you think about data that is only available to the CEO, or data that is only available to IT services, [the attacker would get] all of this data.
The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure.[23][15][9][18]
At least one reseller of Microsoft cloud services was compromised by the attackers, constituting a supply chain attack that allowed the attackers to access Microsoft cloud services used by the reseller's customers.[16][17][18]
Alongside this, "Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached.[23][24] This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.[23][24]
Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months.[9][39][66] This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems.[39][67][68] The presence of single sign-on infrastructure increased the viability of the attack.[46]
SolarWinds exploit
This is classic espionage. It's done in a highly sophisticated way... But this is a stealthy operation.
The attackers established a foothold in SolarWinds's software publishing infrastructure no later than September 2019.[71][72] In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion.[73][74] The first known modification, in October 2019, was merely a proof of concept.[8] Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure.[8]
In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them.[12][44][75][76][77] These users included U.S. government customers in the executive branch, the military, and the intelligence services (see Impact section, below).[9][78] If a user installed the update, this would execute the malware payload, which would stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers.[79][80][81][82] The communications were designed to mimic legitimate SolarWinds traffic.[70][83] If able to contact one of those servers, this would alert the attackers of a successful malware deployment and offer the attackers a back door that the attackers could choose to utilize if they wished to exploit the system further.[82][84] The malware started to contact command-and-control servers in April 2020, initially from North America and Europe and subsequently from other continents too.[85][82]
The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets.[79][12] Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt strike components,[86][83] and seeking additional access.[70][1] Because Orion was connected to customers' Office 365 accounts as a trusted 3rd-party application, the attackers were able to access emails and other confidential documents.[87] This access apparently helped them to hunt for certificates that would let them sign SAML tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory.[87][70][88] Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network.[5][89][90] Having accessed data of interest, they encrypted and exfiltrated it.[69][1]
The attackers hosted their command-and-control servers on commercial cloud services from Amazon, Microsoft, GoDaddy and others.[91] By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the Department of Homeland Security (DHS).[81][4][92]
FBI investigators in February 2021 found that a separate flaw in software made by SolarWinds Corp was used by hackers tied to another foreign government to help break into U.S. government computers.[93]
VMware exploits
Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers.[21][22] As of December 18, 2020, while it was definitively known that the SUNBURST trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.[21][22]
Discovery
Microsoft exploits
During 2019 and 2020, cybersecurity firm Volexity discovered an attacker making suspicious usage of Microsoft products within the network of a think tank whose identity has not publicly been revealed.[94][95][14] The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel, and used a novel method to bypass multi-factor authentication.[14] Later, in June and July 2020, Volexity observed the attacker utilizing the SolarWinds Orion trojan; i.e. the attacker used Microsoft vulnerabilities (initially) and SolarWinds supply chain attacks (later on) to achieve their goals.[14] Volexity said it was not able to identify the attacker.[14]
Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to CrowdStrike.[96] That attack failed because - for security reasons - CrowdStrike does not use Office 365 for email.[96]
Separately, in or shortly before October 2020, Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting zerologon, a vulnerability in Microsoft's NetLogon protocol.[23][24] This was reported to CISA, who issued an alert on October 22, 2020, specifically warning state, local, territorial and tribal governments to search for indicators of compromise, and instructing them to rebuild their networks from scratch if compromised.[23][97] Using VirusTotal, The Intercept discovered continued indicators of compromise in December 2020, suggesting that the attacker might still be active in the network of the city government of Austin, Texas.[23]
SolarWinds exploit
On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker.[98][99][100][101] FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service.[27][102] FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft.[103][104]
After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks.[1] The NSA is not known to have been aware of the attack before being notified by FireEye.[1] The NSA uses SolarWinds software itself.[1]
Some days later, on December 13, when breaches at the Treasury and Department of Commerce were publicly confirmed to exist, sources said that the FireEye breach was related.[9][27] On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion.[56][105]
The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020.[75][86] FireEye named the malware SUNBURST.[19][20] Microsoft called it Solorigate.[53][20] The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by cybersecurity firm CrowdStrike, who called it SUNSPOT.[71][106][74]
Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.[8]
July 2021 analysis published by the Google Threat Analysis Group found that a "likely Russian government-backed actor" exploited a zero-day vulnerability in fully-updated iPhones to steal authentication credentials by sending messages to government officials on LinkedIn.[107]
VMware exploits
Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager.[21] VMware released patches on December 3, 2020.[21] On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.[21][108]
Responsibility
Conclusions by investigators
SolarWinds said it believed the malware insertion into Orion was performed by a foreign nation.[9][10] Russian-sponsored hackers were suspected to be responsible.[109][9][25] U.S. officials stated that the specific groups responsible were probably the SVR or Cozy Bear (also known as APT29).[27][26] FireEye gave the suspects the placeholder name "UNC2452";[70][14]incident response firm Volexity called them "Dark Halo".[14][95] On December 23, 2020, the CEO of FireEye said Russia was the most likely culprit and the attacks were "very consistent" with the SVR.[110] One security researcher offers the likely operational date, February 27, 2020, with a significant change of aspect on October 30, 2020.[111]
In January 2021, cybersecurity firm Kaspersky said SUNBURST resembles the malware Kazuar, which is believed to have been created by Turla,[112][106][113][114] a group known from 2008 that Estonian intelligence previously linked to the Russian federal security service, FSB.[115][116][93]
Statements by U.S. government officials
On October 22, 2020, CISA and the FBI identified the Microsoft zerologon attacker as Berserk Bear, a state-sponsored group believed to be part of Russia's FSB.[23]
On December 19, U.S. president Donald Trump publicly addressed the attacks for the first time, downplaying its severity and suggesting without evidence that China, rather than Russia, might be responsible.[51][50][119][52] The same day, Republican senator Marco Rubio, acting chair of the Senate Intelligence Committee, said it was "increasingly clear that Russian intelligence conducted the gravest cyber intrusion in our history."[37][120]
On December 20, Democratic senator Mark Warner, briefed on the incident by intelligence officials, said "all indications point to Russia."[121]
On December 21, 2020, former Attorney General William Barr said that he agreed with Pompeo's assessment of the origin of the cyberhack and that it "certainly appears to be the Russians," contradicting Trump.[122][123][124]
On January 5, 2021, CISA, the FBI, the NSA, and the Office of the Director of National Intelligence, all confirmed that they believe Russia was the most likely culprit.[125][126][127] On June 10, 2021, FBI DirectorChristopher Wray attributed the attack to Russia's SVR specifically.[128]
Denial of involvement
The Russian government said that it was not involved.[129]
The Chinese foreign ministry said in a statement, "China resolutely opposes and combats any form of cyberattacks and cyber theft."[93]
Impact
SolarWinds said that of its 300,000 customers, 33,000 use Orion.[1] Of these, around 18,000 government and private users downloaded compromised versions.[1][5][130]
Discovery of the breaches at the U.S. Treasury and Commerce Departments immediately raised concerns that the attackers would attempt to breach other departments, or had already done so.[67][25] Further investigation proved these concerns to be well-founded.[1] Within days, additional federal departments were found to have been breached.[1][131][6]Reuters quoted an anonymous U.S. government source as saying: “This is a much bigger story than one single agency. This is a huge cyber espionage campaign targeting the U.S. government and its interests.”[9]
Through a manipulation of software keys, the hackers were able to access the email systems used by the Treasury Department's highest-ranking officials. This system, although unclassified, is highly sensitive because of the Treasury Department's role in making decisions that move the market, as well as decisions on economic sanctions and interactions with the Federal Reserve.[124]
Simply downloading a compromised version of Orion was not necessarily sufficient to result in a data breach; further investigation was required in each case to establish whether a breach resulted.[1][133] These investigations were complicated by: the fact that the attackers had in some cases removed evidence;[63] the need to maintain separate secure networks as organizations' main networks were assumed to be compromised;[63] and the fact that Orion was itself a network monitoring tool, without which users had less visibility of their networks.[69] As of mid-December 2020, those investigations were ongoing.[1][5]
As of mid-December 2020, U.S. officials were still investigating what was stolen in the cases where breaches had occurred, and trying to determine how it could be used.[9][134] Commentators said that the information stolen in the attack would increase the perpetrator's influence for years to come.[58][135][82] Possible future uses could include attacks on hard targets like the CIA and NSA,[how?][4] or using blackmail to recruit spies.[136] Cyberconflict professor Thomas Rid said the stolen data would have myriad uses.[134] He added that the amount of data taken was likely to be many times greater than during Moonlight Maze, and if printed would form a stack far taller than the Washington Monument.[134]
Even where data was not exfiltrated, the impact was significant.[48] The Cybersecurity and Infrastructure Security Agency (CISA) advised that affected devices be rebuilt from trusted sources, and that all credentials exposed to SolarWinds software should be considered compromised and should therefore be reset.[137] Anti-malware companies additionally advised searching log files for specific indicators of compromise.[138][139][140]
However, it appeared that the attackers had deleted or altered records, and may have modified network or system settings in ways that could require manual review.[63][141] Former Homeland Security AdvisorThomas P. Bossert warned that it could take years to evict the attackers from US networks, leaving them able to continue to monitor, destroy or tamper with data in the meantime.[47]Harvard's Bruce Schneier, and NYU's Pano Yannakogeorgos, founding dean of the Air Force Cyber College, said that affected networks may need to be replaced completely.[142][143]
The Justice Department disclosed in July 2021 that 27 of its federal prosecutors' offices around the country had been affected, including 80% of Microsoft email accounts breached in four New York offices. Two of the offices, in Manhattan and Brooklyn, handle many prominent investigations of white-collar crime, as well as of people close to former president Trump.[144][145]
On December 8, 2020, before other organizations were known to have been breached, FireEye published countermeasures against the red team tools that had been stolen from FireEye.[102][211]
On December 15, 2020, Microsoft announced that SUNBURST, which only affects Windows platforms, had been added to Microsoft's malware database and would, from December 16 onwards, be detected and quarantined by Microsoft Defender.[212][75]
On December 14, 2020, the CEOs of several American utility companies convened to discuss the risks posed to the power grid by the attacks.[1] On December 22, 2020, the North American Electric Reliability Corporation asked electricity companies to report their level of exposure to SolarWinds software.[213]
SolarWinds unpublished its featured customer list after the hack,[214] although as of December 15, cybersecurity firm GreyNoise Intelligence said SolarWinds had not removed the infected software updates from its distribution server.[56][58][215]
Around January 5, 2021, SolarWinds investors filed a class action lawsuit against the company in relation to its security failures and subsequent fall in share price.[216][217] Soon after, SolarWinds hired a new cybersecurity firm co-founded by Krebs.[218]
The Linux Foundation pointed out that if Orion had been open source, users would have been able to audit it, including via reproducible builds, making it much more likely that the malware payload would have been spotted.[219]
U.S. government
On December 18, 2020, U.S. Secretary of State Mike Pompeo said that some details of the event would likely be classified so as not to become public.[73]
Security agencies
On December 12, 2020, a National Security Council (NSC) meeting was held at the White House to discuss the breach of federal organizations.[9] On December 13, 2020, CISA issued an emergency directive asking federal agencies to disable the SolarWinds software, to reduce the risk of additional intrusions, even though doing so would reduce those agencies' ability to monitor their computer networks.[1][137] The Russian government said that it was not involved in the attacks.[220]
On December 14, 2020, the Department of Commerce confirmed that it had asked the CISA and the FBI to investigate.[9][27][221] The NSC activated Presidential Policy Directive 41, an Obama-era emergency plan, and convened its Cyber Response Group.[222][223] The U.S. Cyber Command threatened swift retaliation against the attackers, pending the outcome of investigations.[224]
On December 24, 2020, CISA said state and local government networks, in addition to federal ones, and other organizations, had been impacted by the attack, but did not provide further details.[226]
Senator Ron Wyden called for mandatory security reviews of software used by federal agencies.[151][147]
On December 22, 2020, after U.S. Treasury SecretarySteven Mnuchin told reporters that he was "completely on top of this", the Senate Finance Committee was briefed by Microsoft that dozens of Treasury email accounts had been breached, and the attackers had accessed systems of the Treasury's Departmental Offices division, home to top Treasury officials.[46][124] Senator Wyden said that the briefing showed that the Treasury "still does not know all of the actions taken by hackers, or precisely what information was stolen".[46][124]
President Donald Trump made no comment on the hack for days after it was reported, leading Senator Mitt Romney to decry his "silence and inaction".[232] On December 19, Trump publicly addressed the attacks for the first time; he downplayed the hack, contended that the media had overblown the severity of the incident, said that "everything is well under control"; and proposed, without evidence, that China, rather than Russia, might be responsible for the attack. Trump then pivoted to insisting that he had won the 2020 presidential election.[50][119][117][51][233] He speculated, without evidence, that the attack might also have involved a "hit" on voting machines, part of a long-running campaign by Trump to falsely assert that he won the 2020 election. Trump's claim was rebutted by former CISA director Chris Krebs, who pointed out that Trump's claim was not possible.[1][233][234]Adam Schiff, chair of the House Intelligence Committee, described Trump's statements as dishonest,[235] calling the comment a "scandalous betrayal of our national security" that "sounds like it could have been written in the Kremlin."[233]
Former Homeland Security AdvisorThomas P. Bossert said, "President Trump is on the verge of leaving behind a federal government, and perhaps a large number of major industries, compromised by the Russian government," and noted that congressional action, including via the National Defense Authorization Act would be required to mitigate the damage caused by the attacks.[30][236][47]
President Biden
Then president-electJoe Biden said he would identify and penalize the attackers.[64][3] Biden's incoming chief of staff, Ron Klain, said the Biden administration's response to the hack would extend beyond sanctions.[237] On December 22, 2020, Biden reported that his transition team was still being denied access to some briefings about the attack by Trump administration officials.[238][239]
In January 2021, Biden named appointees for two relevant White House positions: Elizabeth Sherwood-Randall as homeland security adviser, and Anne Neuberger as deputy national security adviser for cyber and emerging technology.[240]
In March 2021, the Biden administration expressed growing concerns over the hack, and White HousePress SecretaryJen Psaki called it “an active threat”.[241] Meanwhile The New York Times reported that the US government was planning economic sanctions as well as "a series of clandestine actions across Russian networks" in retaliation.[242]
On April 15, 2021, the United States expelled 10 Russian diplomats and issued sanctions against 6 Russian companies that support its cyber operations, as well as 32 individuals and entities for their role in the hack and in Russian interference in the 2020 United States elections.[243][244][245]
Rest of the world
NATO said that it was "currently assessing the situation, with a view to identifying and mitigating any potential risks to our networks."[36] On December 18, the United Kingdom National Cyber Security Centre said that it was still establishing the attacks' impact on the UK.[246] The UK and Irish cybersecurity agencies published alerts targeting SolarWinds customers.[129]
On December 23, 2020, the UK Information Commissioner's Office – a national privacy authority – told UK organizations to check immediately whether they were impacted.[110][247]
The attack prompted a debate on whether the hack should be treated as cyber espionage, or as a cyberattack constituting an act of war.[250] Most current and former U.S. officials considered the 2020 Russian hack to be a "stunning and distressing feat of espionage" but not a cyberattack because the Russians did not appear to destroy or manipulate data or cause physical damage (for example, to the electrical grid).[251] Erica Borghard of the Atlantic Council and Columbia's Saltzman Institute and Jacquelyn Schneider of the Hoover Institution and Naval War College argued that the breach was an act of espionage that could be responded to with "arrests, diplomacy, or counterintelligence" and had not yet been shown to be a cyberattack, a classification that would legally allow the U.S. to respond with force.[252] Law professor Jack Goldsmith wrote that the hack was a damaging act of cyber-espionage but "does not violate international law or norms" and wrote that "because of its own practices, the U.S. government has traditionally accepted the legitimacy of foreign governmental electronic spying in U.S. government networks."[253] Law professor Michael Schmitt concurred, citing the Tallinn Manual.[254]
By contrast, Microsoft president Brad Smith termed the hack a cyberattack,[251] stating that it was "not 'espionage as usual,' even in the digital age" because it was "not just an attack on specific targets, but on the trust and reliability of the world's critical infrastructure."[255][256] U.S. Senator Richard J. Durbin (D-IL) described the attack as tantamount to a declaration of war.[49][4]
Debate on possible U.S. responses
Writing for Wired, Borghard and Schneider opined that the U.S. "should continue to build and rely on strategic deterrence to convince states not to weaponize the cyber intelligence they collect". They also stated that because deterrence may not effectively discourage cyber-espionage attempts by threat actors, the U.S. should also focus on making cyber-espionage less successful through methods such as enhanced cyber-defenses, better information-sharing, and "defending forward" (reducing Russian and Chinese offensive cyber-capabilities).[252]
Writing for The Dispatch, Goldsmith wrote that the failure of defense and deterrence strategies against cyber-intrusion should prompt consideration of a "mutual restraint" strategy, "whereby the United States agrees to curb certain activities in foreign networks in exchange for forbearance by our adversaries in our networks."[253]
In the New York Times, Paul Kolbe, former CIA agent and director of the Intelligence Project at Harvard's Belfer Center for Science and International Affairs, echoed Schneier's call for improvements in the U.S.'s cyberdefenses and international agreements. He also noted that the US is engaged in similar operations against other countries in what he described as an ambient cyber-conflict.[258]
^ abcAxelrod, Tal (December 19, 2020). "Trump downplays impact of hack, questions whether Russia involved". The Hill. Archived from the original on April 26, 2021. Retrieved December 19, 2020. "The Cyber Hack is far greater in the Fake News Media than in actuality. I have been fully briefed and everything is well under control. Russia, Russia, Russia is the priority chant when anything happens because Lamestream is, for mostly financial reasons, petrified of discussing the possibility that it may be China (it may!)," Trump tweeted.
^ abcCimpanu, Catalin (January 26, 2021). "Four security vendors disclose SolarWinds-related incidents". ZDNet. Archived from the original on March 4, 2021. Retrieved February 1, 2021. This week, four new cyber-security vendors -- Mimecast, Qualys, Palo Alto Networks, and Fidelis -- have added their names to the list of companies that have installed trojanized versions of the SolarWinds Orion app.
^Satter, Raphael; Menn, Joseph (January 1, 2021). "SolarWinds hackers accessed Microsoft source code, the company says". Reuters. Archived from the original on November 20, 2022. Retrieved March 25, 2023. Modifying source code — which Microsoft said the hackers did not do — could have potentially disastrous consequences given the ubiquity of Microsoft products, which include the Office productivity suite and the Windows operating system. But experts said that even just being able to review the code could offer hackers insight that might help them subvert Microsoft products or services.
^Smith, Chris (January 1, 2021). "Here's why it's so dangerous that SolarWinds hackers accessed Microsoft's source code". BGR. Archived from the original on February 26, 2021. Retrieved January 13, 2021. More than two weeks after the hacks, Microsoft disclosed that the attackers were able to access a critical piece of software, the source code from one or more undisclosed products. Microsoft explained in a blog post that the hackers were not able to modify the source code. But even just a glance at a source code from a company like Microsoft might be enough for hackers to develop new attacks that compromise other Microsoft products. ... Microsoft's blog post is meant to reassure governments and customers, but the fact remains that hackers might be in possession of the kind of secrets they shouldn't have access to. Time will tell if gaining access to Microsoft's source code will allow the same team of attackers to create even more sophisticated hacks.
^Hope, Alicia (January 7, 2021). "Software Giant Admits That SolarWinds Hackers Viewed Microsoft Source Code". CPO Magazine. Archived from the original on January 26, 2021. Retrieved January 13, 2021. Microsoft disclosed [that] the hacking group behind the SolarWinds attack also viewed Microsoft source code for unnamed products. ... Microsoft, however, downplayed the breach, saying that the security of its products does not depend on the secrecy of its source code. Contrarily, Microsoft source code for most high-profile products remains to be among the most jealously guarded corporate secrets, shared only with a few trusted customers and governments.
^Stanley, Alyse (December 31, 2020). "Microsoft Says SolarWinds Hackers Also Broke Into Company's Source Code". Gizmodo. Archived from the original on January 27, 2021. Retrieved January 13, 2021. While hackers may not have been able to change Microsoft's source code, even just sneaking a peek at the company's secret sauce could have disastrous consequences. Bad actors could use that kind of insight into the inner workings of Microsoft's services to help them circumvent its security measures in future attacks. The hackers essentially scored blueprints on how to potentially hack Microsoft products.
^Bradley, Susan (January 4, 2021). "SolarWinds, Solorigate, and what it means for Windows updates". Computerworld. Archived from the original on March 22, 2021. Retrieved January 13, 2021. Microsoft investigated further and found that while the attackers were not able to inject themselves into Microsoft's ADFS/SAML infrastructure, 'one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made.' This is not the first time Microsoft's source code has been attacked or leaked to the web. In 2004, 30,000 files from Windows NT to Windows 2000 leaked onto the web via a third party. Windows XP reportedly leaked online last year.
^Satter, Raphael (December 31, 2020). "Microsoft says SolarWinds hackers were able to view its source code but didn't have the ability to modify it". Business Insider. Archived from the original on January 14, 2021. Retrieved January 13, 2021. Ronen Slavin, [chief technology officer at source code protection company Cycode], said a key unanswered question was which source code repositories were accessed. ... Slavin said he was also worried by the possibility that the SolarWinds hackers were poring over Microsoft's source code as prelude for something more ambitious. 'To me the biggest question is, "Was this recon for the next big operation?"' he said.
^"Email security firm Mimecast says hackers hijacked its products to spy on customers". Reuters. January 12, 2021. Archived from the original on January 12, 2021. Retrieved January 13, 2021. Three cybersecurity investigators, who spoke on condition of anonymity to discuss details of an ongoing probe, told Reuters they suspected the hackers who compromised Mimecast were the same group that broke into U.S. software maker SolarWinds and a host of sensitive U.S. government agencies.
^Kovacs, Eduard (January 13, 2021). "Mimecast Discloses Certificate Incident Possibly Related to SolarWinds Hack". SecurityWeek.Com. Archived from the original on March 17, 2021. Retrieved January 13, 2021. According to Mimecast, it learned from Microsoft that hackers had compromised a certificate used to authenticate Mimecast Continuity Monitor, Internal Email Protect (IEP), and Sync and Recover products with Microsoft 365 Exchange Web Services. ... The company has not shared any details about the attacks abusing the compromised certificate, but some experts have speculated that the certificate may have allowed the hackers to intercept Mimecast customers' communications. ... According to Reuters, people with knowledge of the situation believe this incident may be related to the recently disclosed supply chain attack involving Texas-based IT management solutions provider SolarWinds.
^Seals, Tara (January 12, 2021). "Mimecast Certificate Hacked in Microsoft Email Supply-Chain Attack". Threatpost. Archived from the original on March 17, 2021. Retrieved January 13, 2021. Mimecast provides email security services that customers can apply to their Microsoft 365 accounts by establishing a connection to Mimecast's servers... A compromise means that cyberattackers could take over the connection, though which inbound and outbound mail flows, researchers said. It would be possible to intercept that traffic, or possibly to infiltrate customers' Microsoft 365 Exchange Web Services and steal information. 'The attack against Mimecast and their secure connection to Microsoft's Office 365 infrastructure appears to be the work of the same sophisticated attackers that breached SolarWinds and multiple government agencies,' Saryu Nayyar, CEO at Gurucul, said via email.
^Spadafora, Anthony (January 12, 2021). "Mimecast may also have been a victim of the SolarWinds hack campaign". TechRadar. Archived from the original on January 13, 2021. Retrieved January 13, 2021. The reason that Mimecast may have been attacked by the same threat actor behind the SolarWinds hack is due to the fact that these hackers often add authentication tokens and credentials to Microsoft Active Directory domain accounts in order to maintain persistence on a network and to achieve privilege escalation.
^McMillan, Robert (January 13, 2021). "SolarWinds Hackers' Attack on Email Security Company Raises New Red Flags". WSJ. Archived from the original on June 7, 2021. Retrieved January 13, 2021. The Mimecast hackers used tools and techniques that link them to the hackers who broke into Austin, Texas-based SolarWinds Corp., according to people familiar with the investigation. The link to the SolarWinds hackers was reported earlier by Reuters.
^Sanger, David E. (January 13, 2021). "Biden to Restore Homeland Security and Cybersecurity Aides to Senior White House Posts". The New York Times. Archived from the original on March 29, 2021. Retrieved January 13, 2021. President-elect Joseph R. Biden Jr., facing the rise of domestic terrorism and a crippling cyberattack from Russia, is elevating two White House posts that all but disappeared in the Trump administration: a homeland security adviser to manage matters as varied as extremism, pandemics and natural disasters, and the first deputy national security adviser for cyber and emerging technology. ... Mr. Trump dismantled the National Security Council's pandemic preparedness office, and while he had an active cyberteam at the beginning of his term, it languished. 'It's disturbing to be in a transition moment when there really aren't counterparts for that transition to be handed off,' Ms. Sherwood-Randall said. ... The SolarWinds hacking, named after the maker of network management software that Russian intelligence agents are suspected of having breached to gain access to the email systems of government agencies and private companies, was a huge intelligence failure.
Coordenadas: 51° 04' 18 N 2° 31' 42 E Bray-Dunes Comuna francesa Localização Bray-DunesLocalização de Bray-Dunes na França Coordenadas 51° 04' 18 N 2° 31' 42 E País França Região Altos da França Departamento Norte Características geográficas Área total 8,57 km² População total (2018) [1] 4 553 hab. Densidade 531,3 hab./km² Código Postal 59123 Código INSEE 59107 Bray-Dunes é uma comuna...
St. Petersburg beralih ke halaman ini. Untuk kota di negara bagian Florida, Amerika Serikat, lihat St. Petersburg, Florida.Sankt-Peterburg Санкт-ПетербургKota federalSearah jarum jam, dari kanan atas: Gereja Juru Selamat Menumpahkan Darah; Penunggang Kuda Perunggu; Lapangan Istana; Katedral Trinitas; Lapangan Santo Ishak; Benteng Petrus dan Paulus BenderaLambang kebesaranHimne daerah: Himne Sankt-PeterburgnoiconNegara RusiaDistrik federalBarat LautWilayah ekonomiBarat LautD...
This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed.Find sources: I Am What I Am George Jones album – news · newspapers · books · scholar · JSTOR (October 2023) (Learn how and when to remove this template message) 1980 studio album by George JonesI Am What I AmStudio album by George JonesReleasedSeptember 8, 1980...
Wrestling in PakistanGoverning bodyPakistan Wrestling FederationNickname(s)Koshti Wrestling in Pakistan, known locally as koshti (Urdu: کشتی), has been practiced since ancient times, mainly in Punjab (Pehlwani) and Sindh (Malakhra).[1] Type Main article: Pehlwani The Great Gama, a former Rustam-e-Zamana Pehlwani (Urdu, Punjabi: پہلوانی) is a form of wrestling mainly based in Punjab. It was developed during the Mughal Empire by combining varzesh-e bastani with malla-yuddha.&...
Symbol der Kroatischen Heimwehr: Kroatisches Dreiblatt (Hrvatski trolist), auch Kreuz des Zvonimir (Zvonimirov križ) genannt (Version des Hoheitszeichens 1941–45) Als Hrvatsko domobranstvo (Kroatische Heimwehr) bezeichnete man die kroatischen Verbände Österreich-Ungarns (k.u. Landwehr) und die regulären Streitkräfte des Unabhängigen Staates Kroatien (NDH). Häufiger wird die Bezeichnung für die Angehörigen des Hrvatsko domobranstvo, nämlich Domobrani (kroatisch Singular: domobran =...
American musician Orlando DiGirolamoAlso known asLanny DiJayBorn(1924-04-20)April 20, 1924DiedJanuary 26, 1998(1998-01-26) (aged 73)New Jersey, United StatesGenresJazzOccupation(s)Accordionist, pianist, composer, teacherInstrument(s)Accordion, pianoMusical artist Orlando DiGirolamo (April 20, 1924 – January 26, 1998) was an American jazz accordionist, pianist, composer, and teacher. He is sometimes credited as Lanny DiJay on jazz recordings. DiGirolamo collaborated frequently with ...
Andri SingkarruM.Sc.Andri Singkarru sebagai Anggota Dewan Perwakilan Daerah Republik Indonesia periode 2019–2024Anggota DPD RI TerpilihDaerah pemilihanSulawesi BaratMayoritas68.870 suara Informasi pribadiLahirAndri Prayoga Putra Singkarru3 Juni 1993 (umur 30)Jakarta, IndonesiaKebangsaanIndonesiaSuami/istriPutri RadityastariAlma mater Universitas Presiden Universitas BournemonthSunting kotak info • L • B Andri Prayoga Putra Singkarru, M.Sc., (lahir 3 Juni 1993), adalah ang...
English media company Really Useful Group Ltd.TypePrivate companyIndustryMediaGenre Theatre Film Television Video Concert productions Merchandising Magazine publishing Records Music publishing Founded1977FounderAndrew Lloyd WebberHeadquartersLondon, EnglandSydney, AustraliaKey peopleAndrew Lloyd Webber (Chairman)OwnerAndrew Lloyd WebberDivisionsSee belowWebsitereallyuseful.com The Really Useful Group Ltd. (RUG) is an international company set up in 1977 by Andrew Lloyd Webber. It is involved ...
CTB Companhia Telefônica Brasileira Razão social Companhia Telefônica Brasileira Atividade Telecomunicações Fundação 28 de novembro de 1923 Encerramento 22 de fevereiro de 1976 Sede Rio de Janeiro Área(s) servida(s) Rio de Janeiro e São Paulo Proprietário(s) Brazilian Traction Light and Power Co. Ltd. (1923-1956)Brascan (1956-1966)Embratel (1966-1972)Telebras (1972-1976) Antecessora(s) Rio de Janeiro & São Paulo Telephone Company Sucessora(s) Telecomunicações do Ri...
Scottish politician Kevin StewartMSPOfficial portrait, 2021Minister for TransportIn office29 March 2023 – 6 June 2023First MinisterHumza YousafPreceded byJenny GilruthSucceeded byFiona HyslopMinister for Mental Wellbeing and Social CareIn office20 May 2021 – 29 March 2023First MinisterNicola SturgeonPreceded byClare HaugheySucceeded byMaree ToddMinister for Local Government, Housing and PlanningIn office18 May 2016 – 20 May 2021First MinisterNicola SturgeonPre...
Кеменов Владимир Семёнович Дата рождения 20 мая (2 июня) 1908(1908-06-02) Место рождения Екатеринослав, Российская империя Дата смерти 14 июня 1988(1988-06-14) (80 лет) Место смерти Москва, СССР Страна СССР Научная сфера история искусства Место работы Российский институт театрального и...
Vic Mensa Vic Mensa en 2014Información personalNombre de nacimiento Victor Kwesi MensahNacimiento 6 de junio de 1993 (30 años)Chicago, Illinois, Estados Unidos Nacionalidad EstadounidenseEducaciónEducado en Whitney M. Young Magnet High School Información profesionalOcupación RaperoAños activo 2009 - presenteSeudónimo Vic Mensa Géneros Hip hop, TrapInstrumento Voz Discográfica Roc Nation Universal MusicArtistas relacionados Chance The Rapper, Kanye West, Kids These DaysSitio web ...
1948 film by William Witney Grand Canyon TrailFilm posterDirected byWilliam WitneyWritten byGerald GeraghtyStarringRoy RogersCinematographyReggie LanningEdited byTony MartinelliMusic byNathan ScottDistributed byRepublic PicturesRelease date November 5, 1948 (1948-11-05) Running time67 minutes54 minutesCountryUnited StatesLanguageEnglish Grand Canyon Trail is a 1948 American Western film starring Roy Rogers combining Western action with Three Stooges-style slapstick. Robert Livi...
The Campau family of Detroit, Michigan, was established when brothers Michel and Jacques Campau settled in Detroit, Michigan in 1707 and 1708, respectively.[1][2] Jacques, Joseph Campau, and Barnabé Campau are among the Barons of Detroit, according to Richard R. Elliott, because they had ancestral virtues most worthily perpetuated. [3] Map of the pre-statehood Indian trails. The Sauk Trail is also known as Chicago Road Joseph; Louis Sr.; Louis Jr.; and Barnabas Campau...
Direct-to-video crime thriller film Free FallFilm posterDirected byMalek AkkadWritten byDwayne Alexander SmithProduced by Malek Akkad Abhishek Devalla Louis Nader Warren Zide Starring Sarah Butler Malcolm McDowell D. B. Sweeney Productioncompanies Trancas International Films Stuck Film Group Distributed by Anchor Bay Films Cinetel Films Albatros Film Front Row Filmed Entertainment Sunfilm Entertainment Release date October 17, 2014 (2014-10-17) Running time91 minutesCountryUnit...
Financial scandal in India SaradhaGroupTypePrivately ownedIndustryFinancial services, infrastructure management, automobiles, manufacturingGenreDeposit mobilising companyFounderUnclearDefunctApril 2013FateAllegations that this consortium of companies is a Ponzi schemeHeadquartersKolkata, West Bengal, IndiaKey peopleSudipto Sen, Chairman and MDDebjani Mukherjee, DirectorKunal GhoshNumber of employees16,000+DivisionsSaradha RealtySaradha ExportsGlobal automobiles Saradha media groupWebsiteOffic...
Potassium heptafluorotantalate Names IUPAC name Dipotassium heptafluorotantalate Systematic IUPAC name Dipotassium heptafluorotantalum(2-) Other names Potassium heptafluorotantalate(V)Potassium fluorotantalate Identifiers CAS Number 16924-00-8 Y 3D model (JSmol) Interactive image ChemSpider 28541740 N ECHA InfoCard 100.037.245 EC Number 240-986-1 PubChem CID 28146 CompTox Dashboard (EPA) DTXSID00884943 InChI InChI=1S/7FH.2K.Ta/h7*1H;;;/q;;;;;;;2*+1;+5/p-7 SMILES F[Ta-2](F)(F)(F)(F)(...