This article is more than 1 year old

Trump administration says Russia behind SolarWinds hack. Trump himself begs to differ

Microsoft’s analysis of hack suggests someone else had a crack at SolarWinds in 2019 when next-level 'DLL hell' followed likely developer pipeline compromise

United States secretary of state Mike Pompeo has laid the blame for the SolarWinds hack on Russia, but his boss begs to differ.

Pompeo on Friday gave an interview with pro-Trump conservative talk radio host Mark Levin, the transcript of which was posted by the State Department.

During the interview Levin asked about the SolarWinds incident. Pompeo responded by saying: “I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity.”

President Donald Trump responded with the following Tweets that were his only substantial public commentary on an enemy nation’s likely penetration of many government agencies in the nation he leads.

The Associated Press reports that the White House was set to issue a Friday afternoon statement describing Russia as “the main actor” behind the incident, but that staff were told to stand down instead.

At the time of writing the State Department, National Security Agency, White House, Cybersecurity and Infrastructure Security Agency, and president Trump all appear not to have attempted to reconcile the administration’s conflicting view on the incident.

Russia denies any involvement.

While the Trump administration sorts itself out, it has something new to consider: Microsoft says another attacker took a bite out of SolarWinds in 2019, meaning US government targets could have been in trouble for six months before the attacks divulged last week.

Microsoft's post that says SolarWinds was in trouble in October 2019, based on a digitally-signed .dll it has dredged up. Redmond's analysts therefore “suggests the attackers were able to access the company’s software development or distribution pipeline” and once they’d done so targeted a single .dll file called “SolarWinds.Orion.Core.BusinessLayer.dll”

“The attackers had to find a suitable place in this DLL component to insert their code,” wrote analysts from Microsoft’s 365 Defender Research Team and Threat Intelligence Center (MSTIC). “Ideally, they would choose a place in a method that gets invoked periodically, ensuring both execution and persistence, so that the malicious code is guaranteed to be always up and running. Such a suitable location turns out to be a method named RefreshInternal.

Trump says '400 pound hacker', not Russia, could be behind email hack


“The modification to this function is very lightweight and could be easily overlooked — all it does is to execute the method OrionImprovementBusinessLayer.Initialize within a parallel thread, so that the normal execution flow of RefreshInternal is not altered.

Among the jobs that RefreshInternal does as part of its legitimate business is accessing a class called CoreBusinessLayerPlugin, which initializes various other components and schedules the execution of several tasks. Among those tasks is loading a method named Start that loads the malicious code.

Once that code is up and running it runs a bunch of tests to make sure it is in an environment free of certain security software and is configured to communicate with certain expected IP addresses.

If a single hoped-for condition is not present, the backdoor bails “to avoid exposing the malicious functionality to unwanted environments, such as test networks or machines belonging to SolarWinds.” Otherwise, it gets to work giving its masters the ability to run, stop, and enumerate processes; read, write, and enumerate files and registry keys; collect and upload information about the device; and restart the device, wait, or exit.”

Microsoft says the 2019 hack allows attackers to “follow the standard playbook of privilege escalation exploration, credential theft, and lateral movement hunting for high-value accounts and assets.”


Cyber-security super-brain Rudy Giuliani forgets password, bricks iPhone, begs Apple Store staff for help


As we know, the 2020 attack on SolarWinds led to attackers gaining access to the US government departments of State, Treasury, Homeland Security, and Commerce – among 18,000 known victims. There’s plenty of high-value targets in that lot.

But we don’t know which were compromised, and secretary of state Pompeo suggested the US government may never reveal the extent of the hack.

“I can’t say much more as we’re still unpacking precisely what it is, and I’m sure some of it will remain classified,” he said in his interview with Levin. ®

More about


Send us news

Other stories you might like