Russian spies reportedly used SolarWinds hack to steal US counterintelligence details

Jackpot moment for SVR operatives


Russia's SVR spy agency made off with information about US counterintelligence investigations in the wake of the SolarWinds hack, according to people familiar with the American government cleanup operation.

The alarming snippet was reported by financial newswire Reuters. The SVR was named and shamed in April by Britain and the US as the organisation that compromised the build systems of SolarWinds' network monitoring software Orion, used by 18,000 customers across the world. Those customers included the UK and US governments, among many, many others.

The attack is said to have led to the Russian foreign intelligence service making off with "information about counterintelligence investigations, policy on sanctioning Russian individuals and the country's response to COVID-19," according to people involved in the US government's investigation who spoke to Reuters.

It was also reported that the SVR stole software signing certificates so that code signed with them would be trusted and run on victims' systems.

The attackers compromised SolarWinds' build servers, inserting a backdoor into the next version of the software that was distributed through trusted channels as part of a scheduled, routine update. They spent months covering their tracks and lying low to see if they'd been detected; it took even US infosec behemoth FireEye months to realise what had happened on its own networks.

Russia attempted to deny involvement in the compromise of SolarWinds' Orion network management 'n' monitoring product, though there was little room for doubt in the emphatic statements issued by the UK and US in April – along with their expulsion of known Russian spies from their territories as a mark of disapproval.

Orion's compromise was first noticed by FireEye, which said it detected the Russian intrusion in early December last year.

Investigations revealed that Orion had been used as a foothold into thousands of organisations including the US Treasury and Department of Commerce. The software was also widely used in the British public sector, though official sources speaking off the record insisted that the Orion compromise had minimal effect on the UK.

The idea that Defence Equipment and Support just wasn't of interest to a foreign intelligence agency seems too farfetched to be true.

SolarWinds' chief exec, who took the post three days before the breach became public knowledge, declared that the 18,000 organisations affected by the backdoored software were a "very small number".

The firm is currently trying to stave off a lawsuit from aggrieved shareholders who claim they were misled about SolarWinds' security posture, notwithstanding that the company was attacked by a hostile state actor which went to extraordinary lengths to cover its tracks.

A not-very-subtle campaign to blunt the SVR's ongoing exploitation attempts post-SolarWinds was mounted by Britain's National Cyber Security Centre, which spent a gleeful couple of summer months telling world+dog exactly what the SVR did next after having the SolarWinds breach attributed to it. ®

Biting the hand that feeds IT © 1998–2022