Russian hackers are believed to be behind a massive breach in the federal government’s databases and other Microsoft related systems. The perpetrators believed to be behind the attacks, Cozybear, are the same ones that had breached the 2016 Democratic National Convention.
The hackers used a compromised server to target SolarWinds, a software provider and then used the server to infect Microsoft updates. From March through June, these hackers used Trojan Horse malware, or malware that hides other computer viruses, to infect these important updates to allow them to gain backdoor access to these networks.[1] In addition to SolarWinds, Fireeye, a cybersecurity company, was also breached and they had tools they used to test customer’s security stolen, which presumably was part of the SolarWinds hack [2]
Microsoft’s response was swift and decisive on the malware they dubbed Solorigate:
- First, the day the attack became public Microsoft announced that it removed the digital certificates that the Trojaned files used. These digital certificates allowed Microsoft Windows systems to believe that those compromised files were trustworthy. In this single act, Microsoft literally overnight told all Windows systems to stop trusting those compromised files which could stop them from being used.
- Second, they updated Microsoft Windows Defender, their antimalware system to detect and alert if they found the Trojaned file before isolating it
- Third, they moved to sinkhole the domain the malware used to control the systems. Essentially, Microsoft went to court to pull the domain from the hackers. Once the server is under their control, they severed the hacker’s access to the domain and any domains they had control over. This tactic has been used successfully in the past, most recently against the Trickbot Malware.
- Fourth, Microsoft changed Windows Defender’s default action on this malware from Alert to Quarantine. This action, which may crash a system, means that if Windows Defender finds Solorigate, it can destroy it.
All these actions mean that the hackers basically have little to no direct access to the infected servers. They may still have other compromised networks, which forensics and investigators will figure out along with the damage they had caused.[3]
While this breach is stunning and horrifying, it shows it can happen to anyone even the federal government. Cyber breaches are no joke, and they will continue to rise as we head into the new year. Be vigilant and talk with your provider about cyber insurance options when a breach occurs.
[1] https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/
[2] https://www.zdnet.com/article/fireeye-one-of-the-worlds-largest-security-firms-discloses-security-breach/
[3] https://www.geekwire.com/2020/microsoft-unleashes-death-star-solarwinds-hackers-extraordinary-response-breach/