Solar Winds hack

Pat Hartman (Super Moderator, Staff member)
I got some interesting articles from Microsoft regarding security. This one is something of a promotion of Microsoft Defender but it goes into great detail about how the malware operated so I thought I would share it.


The_Doc_Man (Immoderate Moderator, Staff member)
Thanks, Pat. That is a great article.

Now that I'm retired, some of that information is less important to me than it might have been, say, five years ago. The Navy Enterprise Data Center/New Orleans had about 1500 servers that were not classified and maybe another several hundred that WERE classified. We were a hosting site for Navy projects and we were deploying Solar Winds / Orion at our site for about three years before I retired. I also know that at least two other Navy centers at that time were deploying Solar Winds packages, and it was scheduled for the Marine Corps site just outside of Kansas City. I know this must have hit the Navy like a ton of bricks.

The Orion team even tried to tie in data from OpenVMS servers that I ran, though there was no actual module that ran on my machines. But there were scripts they could run that would log in via certificate authentication to "ask questions" of my systems via one of the obscure protocols in the TCP family (NOT the UDP family). I know my old machines are no longer vulnerable because (among other things) they were shut down when the application switched to full-blown web services. But... the project overall would still be vulnerable because the web machines were just IIS or Apache systems with Orion running in the background.

I'm guessing that this attack came based on the old concept of "the sweeter the fruit, the greater its value." In essence, once Solar Winds got the military contract, they put targets on their backs. The value of THAT particular fruit was one that no military cyber team could pass up.

In a way, it was why OpenVMS servers were darned near invulnerable. First, nobody has EVER cracked an OpenVMS from the outside, and the Solar Winds products didn't actually run binary code images. But there weren't that many VMS boxes when compared to Windows or LINUX servers, so their low market share made them of limited value, even though at the time the OpenVMS machines we had essentially ran the management side of the U.S. Navy Reserve. And I can say that without fear of security violations because the machines were retired when they switched to web services.

I'm going to GUESS that when I retired, counting the sites I knew about, at least 5000 servers at various locations and of various classifications would have been affected if the hack had happened at that time. Now, several years later, I have NO CLUE as to how many were affected, but we are talking national scope and probably several branches, not just Navy/Marine Corps. If you said to me that 20,000 military machines were affected, I couldn't confirm it but I wouldn't doubt it.

Pat Hartman (Super Moderator, Staff member)
Someone just sent me a link that contends that the smart thermostat in the Fulton County counting facility was passing election results to the Chinese from the tabulating machines that were "not" connected to the internet. I thought these machines were not even supposed to be networked. My smart thermostat asks me occasionally if it can connect to the gas company so they can monitor my gas usage in real time. I tell it NO!

The convenience of all this interconnectivity is like a siren song but it is beginning to terrify me. We are completely vulnerable in exchange for "convenience".

The_Doc_Man (Immoderate Moderator, Staff member)
That's why I'm careful about where I keep things in my home network.