Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
United States Government Security

Suspected Russian Hackers Breached Department of Homeland Security (reuters.com) 55

Reuters: A team of sophisticated hackers believed to be working for the Russian government won access to internal communications at the U.S. Department of Homeland Security, according to people familiar with the matter. The breach was part of the campaign reported Sunday that penetrated the U.S. departments of Treasury and Commerce.
This discussion has been archived. No new comments can be posted.

Suspected Russian Hackers Breached Department of Homeland Security

Comments Filter:
  • by boudie2 ( 1134233 ) on Monday December 14, 2020 @03:10PM (#60830372)
    Why was DHS only accessed, while the Departments of Treasury and Commerce penetrated? What sort of fuckery is this?
    • by mysidia ( 191772 )

      My best guess would be they penetrated the other departments that had limited access.

      I would liken this to a hosting provider... some customer maybe set a weak password on their email account and it gets guessed and misused by unauthorized users.

      The intruder "gained access" to send email on that user's behalf, but they did not "penetrate" the hosting provider.

      In some kind of fashion like that... it's possible the criminals somehow got limited access to some communications through DHS systems without

  • by phantomfive ( 622387 ) on Monday December 14, 2020 @03:10PM (#60830374) Journal

    "According to people familiar with the matter." Anonymous sources from security researches are often lies. That's why we say, POC||GTFO.

    • Yeah, I always love that.

      You can state whatever you want, and as soon as you add "according to anonymous sources", tadaa, It's News! Fair and balanced! I would only suggest adding "Americans think $somethingTheyDont" and "Think of the children! (Not in that way! That is reserved for us!)". ;)

      I think it is realistic to assume everyone's hacking everyone at this point, mind you. Hell, isn't infiltrating the other one's anus, err, I mean surveillance organizations basically the main goal of every spying agency

    • Yeah whatever.

      Anyway, this is what I and part of my team spent my day on, so if anyone has any actual questions, shoot.

      Questions as in, something that involves using at least two brain cells. For anything with the word Trump in it, or suggesting that we should stick our heads in the sand and pretend attacks don't happen - it looks like you guys did the stupidness all day. Any adults have questions about how the attack was carried out or what the consequences are likely to be?

      • Anyway, this is what I and part of my team spent my day on, so if anyone has any actual questions, shoot.

        OK, so how do you know it was Russians?

        • Attribution wasn't my job on this one, but this will give you an idea of how it works:

          https://slashdot.org/comments.... [slashdot.org]

          Note that this is what we do for a job, all day every day for however many by are (25 in my case). Which means it's not at all unusual for that random guy on Slashdot, based on nothing but a Slashdot headline, indeed couldn't make an attribution. Just like they can't reverse a malware. But this is our job, we learn how to do it, and get the information needed to do so.

          • I know how attribution works. I also know that the US government intelligence agencies lie, a lot. So again, they should show the proof or gtfo. There's no evidence here that it's Russia (I admit more evidence may have been presented since this story was released, I haven't looked).

            • You can, of course, believe what you want.

              I will tell you there are thousands of professionals digging deep into this, professionals at thousands of organizations. That includes professionals who do nothing but analyze Cozy Bear, all day every day.

              If DHS lied about this and said it's Cozy Bear when it's not, it'll take about 24 hours for people to start figuring that out. We do know that the attackers stayed undetected for months, in organizations with significant cybersecurity programs watching for indicat

              • We do know that the attackers stayed undetected for months, in organizations with significant cybersecurity programs watching for indicators of compromise.

                Do we? How do we know?

                • We know because if we had caught them earlier, our all-nighter wouldn't have been Sunday-Monday.

                  If you want to think everyone in cybersecurity is lying to you, I guess to protect Hillary's source for the Trump dossier or something, that's cool. Kinda wasting your time and mine bringing your conspiracy theories to me, though.

  • The DOH? (Score:3, Funny)

    by ArchieBunker ( 132337 ) on Monday December 14, 2020 @03:23PM (#60830418)

    The same people who have caught exactly zero terrorists?

    • False. They have demonstably caught *minus* some number of terrorists. (In other words: Bred them.) :D

      (And yeah, Russian leadership is evil too. Can you please imply that when I criticize the US? I just think they're all fuckers. Happy?)

  • by raymorris ( 2726007 ) on Monday December 14, 2020 @03:24PM (#60830424) Journal

    The initial intrusion came from subverting Solar Winds.
    The attackers then used various techniques to remain undetected as they went on a rampage across the network.

    Many companies use Solar Winds for monitoring and reporting, for gathering data about the network and devices and generating reports. Yet they run Solar Winds, Netwrix, and other data-gathering tools as Domain Admin! The accounts need to *read* data, but people give them *write* access to everything in the entire network. That means the bad guys got write access to anything and everything.

    If you're using a monitoring tool like this, an appropriate group for the service account is the Performance Monitoring group. It has read access via wmi to do that monitoring, to gather the data and then report on it. The Domain Administrators group is the appropriate group for people who Administer your Active Directory. It's not the appropriate group for a service that needs to read logs! That's what the Performance Monitoring group is for.

    If you also use Solar Winds or something similar for deploying updates, that can actually use a separate service for that part, ta least with Solar Winds it can.

    • SolarWinds primary line of products is supplying Windows Sh*te which is equivalent for standard packages on Unix/Linux to people who are too dumbf*cking thick to use a proper OS. The information gathering is only a small facet of what they supply.

      They have been embedded (literally) in stupidities like Windows for Warships since the early 2000s. While I can sort of understand the idea of using Winhoze within an insecure civilian network, using it for military purposes and/or secure government systems is mi

  • If you fell for the russian hack of DNC by APT28, fancy bear, identified by how they used the hacking software that all the cool russians use. The russian hackers. Several years old software that russians use...d.

    Now the next APT is russians hacking various US institutions, definitely being hacked by that APT thing the russians are doing with old ukrainian hacking tools that are publicly available.

    Kina disappointed at how low-information the editing on /. is these days.

    • Several years old software that russians use...d.

      Half of the world by now has copies. It is used by everyone when they need a false flag.

  • Evil?
    Or the other evil?

    Oh, I know! ME! Us!

    Fight! Fight! Fight!
    Popcorn for everyone!
    *puts on 3D glasses*

  • by smooth wombat ( 796938 ) on Monday December 14, 2020 @04:22PM (#60830632) Journal

    Christopher Krebs, who was the head of the Cybersecurity and Infrastructure Security Agency, was fired by the con artist on November 17th because he, Krebs, stated unequivocally this election was the most secure ever. This in contrast to the continuing lies by the con artist of "massive" vote fraud despite a) providing no evidence of vote fraud and b) not listing vote fraud in any of the 50 lawsuits they've filed and had slapped back in their faces by the courts as without merit.

    You don't suppose the con artist put another pillow salesman in charge of this security and this is the result, do you?

    • by prisoner-of-enigma ( 535770 ) on Monday December 14, 2020 @04:40PM (#60830686) Homepage

      You don't suppose the con artist put another pillow salesman in charge of this security and this is the result, do you?

      If you bother to look up the details on what happened, you'll find Solarwinds was compromised as far back as March 2020. The hack injected malware code into Solarwinds, which was distributed as legitimate software from that point forward. You can argue that automatic updates should not be turned on, but beyond that it's difficult to pin blame on anyone who got caught in the hack. The Solarwinds Orion software that got distributed came from a "trusted" source (Solarwinds itself), had a valid digital certificate, etc. If you installed the update there was nothing to indicate it was boobytrapped unless you're doing detailed analysis of network traffic and happened to catch the C2 communications.

      The real blame lies with Solarwinds, who got rooted somehow (they're saying email is involved so I suspect someone got a malicious attachment and opened it) and eventually got their source code compromised.

  • Another super dupe from the dynamic duo of dupers.. FFS do your job properly and stop post duplicate stories just to get your quota!!! We need a dupe tag so the owners of /. Can see how shit the editors are at their job!!!
  • There was a time when this country had the balls to respond to outright acts of war by foreign powers. Not any more, though... People might have to put down their phones and actually DO something. Heaven forend!

  • ...we've now confirmed that some of the best hackers in the world are in DHS...
  • A team of sophisticated hackers believed to be working for the Russian government won access to internal communications at the U.S. Department of Homeland Security

    Well then, silly Homeland Security for standardizing on Microsoft Windows to keep all their secrets on :]
  • OK, we know that hostile state actors are working constantly to compromise other nation states, politically those considered adversarial on political/philosophical or economic grounds. That just goes with the territory.

    But I find myself thinking about this from a larger context. With all the focus on the Russians "hacking" the 2016 election, with the implementation of CISA and the Team run by Chris Krebs in support of protecting election security, is it possible/likely that hostile agents would have effe

Avoid strange women and temporary variables.

Working...