'Unforced Error' in Suspected Russian Data Breach May Have Led to Its Discovery (cnn.com)
CNN reports:
US officials and private sector experts investigating the massive data breach that has rocked Washington increasingly believe the attackers were ultimately discovered because they took a more aggressive "calculated risk" that led to a possible "unforced error" as they tried to expand their access within the network they had penetrated months earlier without detection, according to a US official and two sources familiar with the situation... FireEye was tipped off to the hackers' presence when they attempted to move laterally within the firm's network, according to the sources, a move that suggested the hackers were targeting sensitive data beyond email addresses or business records.
Whether that exposure was the result of a mistake by the attackers or because they took a calculated risk remains unclear, the sources said. "At some point, you have to risk some level of exposure when you're going laterally to get after the things that you really want to get. And you're going to take calculated risks as an attacker," one source familiar with the investigation said...
Now, the hackers are attempting to salvage what access they can as the US government and private sector are "burning it all down," sources said, referring to their complete overhaul of networks, which will force the attackers to find new ways of getting the information they seek. Meanwhile, US officials continue to grapple with the fallout and assess just how successful the operation was, the US official said, noting that it is clear the nation-state responsible invested significant time and resources into the effort. While the scope of the hacking campaign remains unclear, government agencies that have disclosed they were impacted have said there is no evidence to date that classified data was compromised. But the way the hackers were discovered suggests the operation was intended to steal sensitive information beyond what was available on unclassified networks and sought to establish long-standing access to various targeted networks, the sources said.
The fact that FireEye — not the federal government — discovered the breach has also raised questions about why the attack went undetected at US government agencies.
The article also notes FireEye's acknowledgement that the breach "occurred when the hackers, who already had an employee's credentials, used those to register their own device to FireEye's multi-factor authentication system so they could receive the employee's unique access codes."
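The summary describes a specific sequence: a valid credential is used to enrol a new device with the MFA system, and the account is then used to reach systems it had not touched before. The routine below is an added example, not code from CNN, FireEye or anyone quoted here, showing how a defender can flag that sequence in authentication logs. The log format, field names (`mfa_enroll`, `auth_success`, `user=`, `device=`, `src=`, `host=`), the two-hour window and every sample record are constructed for this example.

```python
"""
Added example (not from the article or the thread): flag MFA device
enrolments that are followed, within a short window, by the new device
being used to log in from a source address or host the account has
never used before.  Everything below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: alice onboards and later re-enrols normally; bob's
# account already has history when an unfamiliar device enrols from an
# external address and is immediately used to reach a file server.
SAMPLE_LOG = """\
2020-12-01T08:02:11Z mfa_enroll user=alice device=alice-phone src=10.1.4.22
2020-12-01T08:03:40Z auth_success user=alice device=alice-phone src=10.1.4.22 host=laptop-alice
2020-12-01T08:10:00Z auth_success user=bob device=bob-phone src=10.1.4.31 host=laptop-bob
2020-12-02T09:15:02Z auth_success user=alice device=alice-phone src=10.1.4.22 host=laptop-alice
2020-12-03T22:41:09Z mfa_enroll user=bob device=unregistered-android src=198.51.100.7
2020-12-03T22:44:51Z auth_success user=bob device=unregistered-android src=198.51.100.7 host=fileserver-02
2020-12-04T08:00:00Z mfa_enroll user=alice device=alice-phone-2 src=10.1.4.22
2020-12-04T08:01:00Z auth_success user=alice device=alice-phone-2 src=10.1.4.22 host=laptop-alice
"""

ENROLL_WINDOW = timedelta(hours=2)  # hypothetical tuning value


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = event
    return rec


def find_suspicious_enrollments(log_text, window=ENROLL_WINDOW):
    """Return (user, device, host) for each enrolment where an account that
    already has login history enrols a new MFA device and, within `window`,
    that device is used from a source or host not in the account's baseline.
    Enrolments for accounts with no history are treated as onboarding."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda r: r["ts"])
    known_src = defaultdict(set)   # user -> source IPs seen in successful logins
    known_host = defaultdict(set)  # user -> hosts seen in successful logins
    pending = {}                   # (user, device) -> enrolment awaiting first use
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "mfa_enroll":
            if known_host[user]:  # only accounts with an existing baseline
                pending[(user, ev["device"])] = ev
        elif ev["event"] == "auth_success":
            enrol = pending.pop((user, ev["device"]), None)
            if (enrol is not None
                    and ev["ts"] - enrol["ts"] <= window
                    and (ev["src"] not in known_src[user]
                         or ev["host"] not in known_host[user])):
                alerts.append((user, ev["device"], ev["host"]))
            # Every successful login extends the account's baseline.
            known_src[user].add(ev["src"])
            known_host[user].add(ev["host"])
    return alerts


if __name__ == "__main__":
    for user, device, host in find_suspicious_enrollments(SAMPLE_LOG):
        print(f"ALERT: {user} enrolled {device} and used it from new host {host}")
```

The rule deliberately ignores first-ever enrolments, since onboarding is the noisy case, and evaluates only the first login with the new device; in the sample only bob's enrolment is reported, while alice's routine re-enrolment from her usual address and laptop is not.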
No "unforced error" whatsoever (Score:5, Insightful)
Sooner or later after hacking it, the attacker has a choice - to continue waiting for Godot or to try to get at any of the 2FA protected resources. They tried. The system logged it. They failed.
This is VERY different from the Solar Winds clusterf*ck and I have absolutely no idea why they are mixed up in the same bag of sh*t. The Solar Winds clusterf*ck is about a totally idiotic, incompetent obsession which has engulfed the "security" part of the USA, NATO and their primary contractors over the last few years.
Single panes of glass and single click and point solutions (like Solar Winds Orion) are the mother of all backdoors. You hack it and it's game over (longer explanation off-site): https://www.fagain.co.uk/node/... [fagain.co.uk]
IMHO, mixing them deliberately into a "single bag of sh*t" with the FireEye and other hacks is a deliberate attempt for a distraction by the architects of the "Total Information (Security) Awareness" sh*t sandwich which begot us Solar Winds Orion and the hack. Nope, did not work. Try harder and devise a better distraction next time.
Re: (Score:1)
Maybe SolarWinds functioned as designed, giving the spooks eyes into the entire federal government. In the process diluting security such as some party used the backdoor to break in. Remember that Gmail backdoor that the NSA got Google to insert into gmail, that the Chinese discovered.
Re:No "unforced error" whatsoever (Score:5, Insightful)
Mod parent up (though I wish it were more clearly worded).
My initial thought on this topic was whether any one individual is liable to catch the blame for exposing the operation. However on reading this comment, my reaction is modified to something along the lines of "Surely they must have had an internal discussion about whether or not to try it?"
Been reading a lot of books on such topics. I think the only one that really had legs was Cyber War by Richard Clarke. High level perspective is still relevant after the ink dried. Main point is that China is the only major player with a balanced game of both offense and defense, which is especially important when relative vulnerabilities are considered. I'm not saying that the other books were bad, but there's a fundamental problem in that most cyber-security books are basically historical artifacts by the time the ink has dried. But if you can recommend a good book, then it's quite likely that I'll see if I can round up a copy. (Unless I've already read it, of course.) Just about to start (the peripherally related) Zucked even though I'm already pretty sure we already are.
Re: (Score:1)
It is because they are what is called, as a term of art, stupid dumb fucks. They do not know how to do Risk Assessments and have yet more stupid dumb fucks that install "updates" because "updates" without doing any Risk Assessment at all.
All these stupid dumb fucks should be shown to the Welfare line or sent off as Cannon-fodder for the next shooting-war.
The sooner they are eliminated the better off the world will be.
Re: (Score:2)
I suppose you don't know that anyone, including your cat, can get a Cybersecurity degree these days.
Seriously, check your inbox (the spam folder): no doubt it is filled with offers from (small, accredited) University. The same way MBAs were offered by everyone a decade ago.
Re: (Score:2)
> a totally idiotic, incompetent obsession
The obsession isn't idiotic and incompetent, the people behind it are.
The PHB's want to be able to look at a source of truth they can understand so they aren't reliant on their underlings. It's the Culture of Power at work. Good managers, by contrast, are delighted to have hyper-competent employees and go to bat for them.
This isn't to say that data fusion isn't useful but that's not what's being marketed to those who hold the budgets.
Re: (Score:2)
This is VERY different from the Solar Winds
Actually it is not, FireEye is a Solar Winds customer and they are the ones that discovered the malware that was implanted in the Solar Winds Orion product when investigating this breach.
It turns out that Solar Winds was compromised and the malware implanted in the Orion product back in 2019. So all the customers using Orion product were vulnerable to a supply chain attack when they installed subsequent patches from Solar Winds.
What would be interesting to know is how Solar Winds missed the trojaned DLL in
Re: (Score:2)
Adding link to some of the analysis on the Solar Winds issue from Rapid7 [slashdot.org] that I forgot to include in the original response.
Re: No "unforced error" whatsoever (Score:2)
This is VERY different from the Solar Winds clusterf*ck and I have absolutely no idea why they are mixed up in the same bag of sh*t.
You need to read the article, because you're just winging it.
This is about how FireEye detected intruders on their network, which led to the discovery of the Solar Winds infiltration and hacked updates. If you have no idea how they're related, then you're being willfully ignorant, or dumb?
The hackers got in with the hacked Solar Winds update, stole some employee creds, and they were discovered while attempting to register their own device with the MFA system. You are making it seem like the MFA auth itsel
Re:Suspected? (Score:5, Informative)
I thought the media had already made it a foregone conclusion that evil old Russia is attacking poor Uncle Sam.
No, that was Mike Pompeo [foxnews.com] who said it was clearly the Russians behind the hack.
"[T]here was a significant effort to use a piece of third-party software to essentially embed code inside of U.S. Government systems and now it appears systems of private companies and companies and governments across the world as well," Pompeo said. "This was a very significant effort, and I think it’s the case that now we can say pretty clearly that it was the Russians that engaged in this activity."
Re: (Score:2)
El Trumpo says it was China and nothing to do with the Ruskies. /s /s /s
Everything he says is 100% true. After all, he is El Presidente isn't he
Re: (Score:1)
No, he's la Presidenta.
Re: (Score:2)
Eternal leader of the Democratic People's Republic of North America.
Re: (Score:2)
more correctly, he's la Presidenta, given that he's such a wuss.
Tampa Bay #12 is Tom Brady (Score:5, Insightful)
If you're watching the Tampa Bay Buccaneers and a guy with #12 on his jersey trots out and stands behind the center, you know that's Tom Brady. But you haven't actually proven that beyond a reasonable doubt if the context is a murder case. You'd refer to the man in Brady's jersey as "presumably Tom Brady" or similar wording.
We know it's the Russians. We haven't proven that beyond a reasonable doubt in open court. They were playing in the Russian stadium, wearing the Russian jerseys.
Re: (Score:1)
We know it's the Russians.
Uh huh..
Re: (Score:2)
We know it's the Russians. We haven't proven that beyond a reasonable doubt in open court.
This probably isn't going to an 'open court'. So yeah. The evidence may not measure up to legal standards. Some of it may expose the intelligence sources that collected it. And cannot be revealed without compromising those sources. It's not inconceivable that the NSA has connections inside APT29 (Cozy Bear) and the FireEye discovery was some sort of parallel construction to hide them.
Re: Tampa Bay #12 is Tom Brady (Score:3)
* taking the US government's word for it. Also taking the UK government's word for interference there too. And Germany's government. And the EU as a whole. In fact we can entirely ignore the media and still be left with a lot of national security agencies and government select committees across a lot of countries all pointing their fingers at Russia.
Re: (Score:3)
> Also taking the UK government's word for interference there too. And Germany's government. And the EU as a whole. In fact we can entirely ignore the media and still be left with a lot of national security agencies and government select committees across a lot of countries all pointing their fingers at Russia.
And Crowdstrike, and FireEye, and me, and Schneier, and literally everyone else who has knowledge of the topic.
It's kinda like if you haven't personally done electrolysis, maybe you haven't proven
Re: Tampa Bay #12 is Tom Brady (Score:4, Interesting)
> Who is we? I do not know.
We is those of us who do this stuff for a living, or otherwise know the topic. I'll spend at least 2 1/2 weeks chasing this particular intrusion full time, not doing much of anything else 9-5.
Kinda like you may not know that kno3 is potassium nitrate, yet "we" know that kno3 is potassium nitrate - meaning it is known by those knowledgeable in the relevant fields.
I personally don't know the players on the Detroit hockey team, that doesn't mean they are a mystery and I make screeching noises when someone who does know about hockey mentions one of the players.
Re: (Score:3)
You're more than welcome to learn about it. In addition to the tens of thousands of pages of information about how attribution is done generally, there have been over a thousand pages written about this particular event already, and I haven't even started writing yet other than internal reports. You're welcome to read up on it!
If you'd rather refuse to learn anything, that's also fine with me. I'm perfectly okay with you deciding you don't want to know anything, if that's your choice.
Now when somebody says e
Re: (Score:2)
We know it's the Russians. We haven't proven that beyond a reasonable doubt in open court. They were playing in the Russian stadium, wearing the Russian jerseys.
Typically, if all evidence points to Russians, then the Chinese did it, if all evidence point to the Chinese, then the Russians did it, if there is no evidence then blame the Russians because nobody wants to anger the Chinese if they can help it.
Re: (Score:2)
Exactly. You'd think nobody had ever heard of a false flag.
Rule of Acquisition, er, Espionage #37: Always leave evidence pointing to somebody else.
Re: (Score:2)
It's more difficult to intentionally leave someone else's fingerprints (and none of your own) at a crime scene than you might think, especially when it's your hands that have to touch everything with gloves off.
This isn't a case of someone seeing one word written in Russian and assuming this is a Russian operation. Digital intruders' signatures are all over their work, often in ways they're unaware of. It is possible to follow an individual hacker through a network, knowing that they'll generally try a buff
Re: (Score:1)
> They were playing in the Russian stadium, wearing the Russian jerseys.
Those Russian jerseys are Made In China (just like the other jerseys), so anybody could wear them.
You snoop we snoop we all snoop for (Score:1)
Federal agencies made that claim, not media. Donald just happens to disagree with the feds, but he's not so reliable.
As far as "evil", we spy on everybody and their dog. Germany caught us snooping, and Germany was also exposed for snooping on allies. It's snoop doggity dogs all the way down.
Re: (Score:1)
> I thought the media had already made it a forgone conclusion that evil old Russia is attackIng poor Uncle Sam.
Yeah, FireEye says attribution is unclear, the media says Russia, Russia, Russia!
I guess Slashdot is compromising between the informed and uninformed positions.
hope there are still competent people in govt (Score:3, Insightful)
This is a really bad time to have a government full of Trumpian apparatchiks.
Their go-to reaction is going to be to lie about how bad it is.
quality or quantity? (Score:2)
when you're going laterally to get after the things that you really want to get.
that sounds as if the stuff that the hackers did get (despite press reports about the severity of the leak) wasn't really very important.
Either that, or they had tapped that source dry and had little to lose by going after more sensitive / better protected material.
However, if that "better" material was also better protected - as the story suggests - then it does sound as if those higher levels of protection did actually do what they were supposed to.
News about security breaches is always exaggerated.
Reminds me of Iran (Score:2)
Consistency Plus! (Score:2)
ASCII art however is apparently perfectly fine and is posted no problem at all. We know it wasn't Slashdot's programmers that did the hack.
Why didn't govt detect the breach? (Score:2)
The fact that FireEye — not the federal government — discovered the breach has also raised questions about why the attack went undetected at US government agencies.
lack of people to notice the problem? Lack of people who give a shit knowing that their job or agency is on the White House's hit list ? I think Trump has had some success at emptying govt agencies. One of the things he campaigned on.
The neglect of defense is alarming (Score:2)
Read the excellent recent Bruce Schneier article in The Guardian (https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols)
He can't stress enough why focusing on offensive measures and strategies at the expense of defensive ones will certainly lead to disaster.
Where’s the evidence? (Score:2)
Boomer here skeptical of all the drumming into our heads “nation-state”!
Vietnam body counts were also drummed into our tiny little brains. Thank you USA. Show your work like the US education system makes you do. Otherwise move-on. You got hacked.