FireEye/SolarWinds Hack
- caseyzangari
- Jan 2, 2021
- 10 min read
Uh oh, a big name company got hacked again and based on the amount of news surrounding it, it's probably a big deal huh? Well yeah, it's usually always a big deal but this one is a little extra scary. Okay, let's be real here, they are all scary, but most hacks aren't all that technically complex and usually result from a person opening the wrong email that installs a nasty bug on a system. That's definitely a true bummer, don't get me wrong, but those kinds of hacks happen every single day. For us security folks out there, they're your standard day at the office. In most instances we can run through a series of checklists and such and get to the bottom of what happened. More times than not, someone nasty cast a pretty wide net and managed to catch at least one fish; the problem is that that single fish led them to a trove of fish. The hack I'm specifically calling out here is the FireEye/SolarWinds hack.
The hacks that really keep us up at night are the ones that we don't know everything about. The ones that point fingers at people we know want to cause us harm. The ones that show exceptional levels of technical skill. The ones that were written and developed for the one purpose they were designed to do.
This was that kind of attack.
I really don't want to scare people into thinking things are more (or less) than they appear to be. A hack that brings down a website is sucky, but usually pretty simple in nature. A virus that installs a pop-up can be annoying, but it's as common as the common cold for computers. These are usually attacks that aren't built for one target. They are built with the intention of attacking as many people as will click on them, or fall into their rudimentary traps. They are programmed by some run-of-the-mill hacker, or a small team looking to make small profits on whatever they catch in their nets. Even the attackers who do target single entities are usually not the top of their class. Sure, they get lucky or they dig far enough to find a hole. But it usually doesn't go further than stealing some records or causing some damage. The technical prowess of these attackers, while still impressive, amounts to very little compared to the defenses set up. Yes, they do get through often enough, but even then, it's comparable to a mouse finding a crack to climb through in a home. While still potentially very damaging to your home, once you know it's there, it's pretty easy to call the right people and fix the problem. The mouse didn't necessarily care who you were; in fact it may not even have known you had anything at all. It was just looking and managed to find a way into something you thought was secure, and started stealing resources.
Where it gets really scary, and what keeps me up some nights, is when the attacker knows what resources you have and carefully, tactfully, and skillfully attacks you with precision so accurate that even the exterminator you call has no idea what to do.
Let's do a fun scenario. You should know by now that I love me a good scenario. Let's take the mouse again but this time let's change some of the variables it has to work with. Instead of one mouse, it's a team of mice. And not just any team of mice, a team of very skilled mice. They have been given money, resources, training, and everything they need to do their jobs as well as they need to. Who is giving all these mice this stuff?! We'll get to that...
Let's also change the house to a thriving food delivery business. This company packages and sells boxes of food and supplies to restaurants all over the country. They are pretty well renowned and respected by the restaurants that utilize their services.
These mice hatch a plan in secret, most likely months or years before they actually do any attacking. They do their research, they watch, and they craft till they know their plan has the best chance of success.
When they do strike, they do so in such a stealthy fashion that the food delivery business has no idea they were attacked at all. This is exactly what the mice want, since the end goal of this plan really doesn't include the food delivery business at all; it's the restaurants.
With care and slow methodical work, the mice manage to infiltrate the food supply line and plant little mice agents in the boxes of food that are going out to all the restaurants. Even worse, they do this by incorporating their agents into the process, so the food delivery company places the mice in the boxes themselves without knowing they are doing it at all.
As the boxes of food go out to restaurants all over the country, the mice agents wait patiently. See, these agents have specific orders and they'll follow them no matter what. The boxes of food get delivered to all sorts of restaurants: small mom and pop sandwich shops, big name fancy steak houses, and large chain fast food joints. You get the idea.
Without hesitation, each of these restaurants accepts the boxes and opens them up. They may do a quick once over, maybe even have a food inspector check 'em out here and there, but the mice are so well hidden and the restaurants trust the food delivery company so much that they don't find the hidden mice.
Now the mice are smart, remember? If they start attacking now, the jig is up and their plan will fail. The restaurant will figure out where the mice came from and will start alerting people. No no, that won't do for the mice. They need to be patient. They check their mission instructions and keep quiet for two weeks, hiding amongst the resources they stealthily came in with. They may even act and participate in the restaurant's normal business to avoid any suspicion.
After two weeks of waiting, two weeks of doing nothing, two weeks of hiding in plain sight, masked by the trust the restaurant has for the food delivery company, the mice activate their plan.
They don't attack outright. That would be silly and get them caught. They start sending signals back to the original mice who sent them out in the first place. They start sending them stolen information and opening up a back door so the original mice can send these agents more resources.
Again, these mice are smart. So even when the restaurant notices something weird is going on, the mice agents hop right back into the box of trust they came in with, so to speak. Since the restaurants trust the food delivery company, they don't suspect it to be the source. This allows the mice agents to do their thing and continue to steal and spread.
Eventually, the agents are found out and tracked back to the source: the food delivery company. The company scrambles to fix everything and makes sure to alert the restaurants as soon as they know, but the infection has gone too wide and unfortunately they lose a lot of trust from their massive customer base. The restaurants are hurt too, since they lost a lot of business and information themselves. Laws force these businesses to alert their customers to what happened, which inevitably creates lawsuits and loss of trust for them as well. No one wants to eat at a restaurant with super smart mice agents running amok in its kitchen. Not only that, but the loss of key information and resources is huge. Restaurants had their secret recipes stolen, some that were protected for years and gave them the edge they needed to make the food they were making. All in all, this would be hugely devastating to the whole industry.
Yes, this was very bad and will take a very, very long time to remedy. That's assuming things will ever be the same for these locations. But I also want to ask you a question. While you were reading that, who did you put fault on? Really think back and reflect on who you placed blame on.
Was it the mice for acting maliciously to gain secrets and resources that don't belong to them?
Was it the food delivery company for not protecting their supply line and assets better?
Maybe you placed blame on the restaurants for not inspecting their delivered resources more carefully?
This is where I want to loop back to the mice. Not the mice themselves, although there is a moral fault to be discussed there. I want to talk about who set them up to do this in the first place. Who gave them the target, who gave them the resources, who gave them the training, and who was paying them? Was it a competitor food delivery company? Maybe a restaurant who wanted to learn others' secrets? Unfortunately none of these are fully the case. Though some of these motives could be at play, the culprit was a bit higher up the food chain (pun intended).
Relating this back to technical terms, the food service company was a tech company called SolarWinds. This company makes software that assists all different types of businesses with their IT infrastructure. They make software that can scan and protect and inventory and generally assist with all manner of technical resources, which companies leap at the opportunity to use. Their software is used all over different parts of companies because it does things that companies needed done but maybe didn't have the resources and skills to do themselves.
The food that was delivered to the restaurants was the updates to these software packages that these companies needed and trusted. They were trusted because they came from SolarWinds themselves. This is generally how software gets updated, so it's not unusual that companies trust an update that comes from a vendor, especially when the vendor itself didn't even know the update was infected. Updates to software are usually accompanied by things called "certificates" that vouch for the authenticity of the update, so the person installing it knows it came from the location it claims to have come from. This is how the infection got in so easily. Which leads us to...
The mice. In this case, it was sophisticated malicious code that was embedded in the updates that were sent out from SolarWinds (unknowingly) to its customers.
The restaurants in this scenario are where it starts getting really nerve-wracking. In the scenario I painted, I used one type of industry. But in real life, most major companies in all different industries have an IT department that needs the support that companies like SolarWinds offer. In the case of this infection, one of the companies infected was a cyber security firm called FireEye. They were one of the first to identify the hack on their systems and, in doing so, alerted everyone to what they had found. The big issue here is that by the time the attack was identified, the damage had been done. A firm like this earns its business by keeping the trust of the customers it sets out to protect. A loss of that trust is MASSIVE, as you can probably imagine. It's quite unfortunate that they lost so much of that trust, too, since they did what they should have done in that situation, which in my opinion wasn't really their fault.
We still don't have the full picture of how this attack happened to its full extent. We have guesses and theories, but really there is a lot we don't know and likely won't know for a long time. More and more information is being released every day, and with that we are learning more about how this all happened.
Tech is built on trust, and if you don't trust at least a few people, nothing will get done. FireEye trusted a company that honestly didn't even know it got breached and in doing so lost a lot in the process. Remember that super secret recipe that was stolen in the mouse scenario? What do you think a super secret cyber security firm could lose that amounts to the equivalent? Yep, you are absolutely correct.
Tools and resources. FireEye had some of their proprietary and specially designed tools that allowed them to do some pretty important work in protecting companies, organizations, government entities, and in the end, people. Yikes. This is like someone stealing the blueprints to a bank vault.
So who did this? Who stole all these things? Who now has information that protects and safeguards and defends people from, frankly, very intelligent attackers?
This is where things start to get fuzzy. There are fingers being pointed and claims being made, but this is also where I don't want to make false claims and create fear of the unknown. I will tell you the speculation and signs are pointing towards state-sponsored elite hacker groups in countries who want to do harm to the US. Russia is named as one of the top locations suspected. Like I said, there are a lot of different outlets who are claiming different things and pointing fingers, but I personally don't have all the information to feel comfortable telling you who I think you should point a finger at. I'm just here to start a conversation by giving you all the information I have.
I want you to think about that, and really think about it, because this is where things get really, really scary. Why would a country like that want to do so much harm and steal such critical information from us? What would they have to gain from doing so? What could they do with knowing how we defend ourselves the most?
I also really think it's important that before you pull out a pitchfork and torch, you remember that we aren't innocent on that front either. Whoever is doing it to us is getting it right back from us just as much, if not worse. I'm not saying they were justified, not at all. I merely want to point out that maybe there is more to this story than just how the hack happened. Sometimes I think it's also good to talk about the why, so we can better understand the environment of hacking and technology right now.
In WW2 we developed nukes to defend ourselves, and in turn, other countries developed nukes too. Now countries in every corner of the globe have a bunch of nukes all pointed at one another in the name of defense. Do you feel safe knowing that? Just because a virus doesn't explode with fire doesn't mean it doesn't cause damage in other ways.