Dozens burned with a single hack

BOSTON (AP) – The SolarWinds hacking campaign blamed on Russian spies, and the “serious threat” it poses to US national security, are widely known. A very different – and no less worrying – coordinated series of intrusions, also detected in December, has received far less public attention.

Clever, highly skilled criminal hackers suspected of operating from Eastern Europe have hacked dozens of companies and government agencies on at least four continents by breaking into a product they all used.

The victims include the New Zealand central bank, Harvard Business School, the Australian securities regulator, US law firm Jones Day – whose clients have included former President Donald Trump – the railroad company CSX and the Kroger supermarket and pharmacy chain. The Washington State Auditor’s Office was also hit; there, the personal data of up to 1.3 million people, collected for an unemployment fraud investigation, may have been exposed.

The two-phase mega-hack, in December and January, of a popular file-transfer program from Silicon Valley company Accellion highlights a threat that security experts fear could get out of hand: intrusions by top-tier criminal and state-backed hackers into software supply chains and third-party services.

Operating-system companies like Microsoft have long been targets – with countless thousands of installations of its Exchange email server breached worldwide in recent weeks, mostly after the company released a patch and announced that Chinese state hackers had broken into the program.

Accellion’s victims have meanwhile continued to pile up, and many are being extorted by the Russian-speaking Clop cybercriminal gang, which threat researchers say apparently bought the data from the hackers. Their threat: pay up or we leak your sensitive data online, whether it is Canadian aircraft manufacturer Bombardier’s documents or a Jones Day lawyer-client communication.

The hacking of up to 100 Accellion customers, whose installations the hackers could easily identify with an online scan, strikes at a core digital-era task that both governments and the private sector are falling short on.

“Attackers are finding it more and more difficult to gain access via traditional methods, as vendors such as Microsoft and Apple have significantly tightened the security of operating systems in recent years. The attackers therefore find easier ways to get in. This often means that they go through the supply chain. And as we have seen, it works,” said Mikko Hypponen, head of research at cybersecurity firm F-Secure.

Congress has already examined the supply-chain hack of Texas network management software firm SolarWinds, which allowed suspected Russian state-backed hackers to roam unnoticed – apparently only gathering intelligence – for more than half a year in the networks of at least nine government agencies and more than 100 companies and think tanks. The SolarWinds hacking campaign was not discovered until December, by cybersecurity firm FireEye.

France suffered a similar hack, which its cybersecurity agency blamed on Russian military agents who also went through the supply chain. They slipped malware into a network management software update from a firm called Centreon, which let them quietly roam victim networks from 2017 to 2020.

Both of those hacks slipped malware into software updates. The Accellion hack was different in one important respect: the file-transfer program sat on the victims’ networks, either as a standalone appliance or as a cloud-based app. Its job is to securely move files that are too large to attach to email.

Mike Hamilton, a former head of information security for Seattle, now at CI Security, said the tendency to exploit third-party service providers shows no signs of slowing down, as it gives criminals the highest return on their investment if they … “a broad range of companies or government agencies.”

The impact of the Accellion breach might have been blunted if the company had warned customers faster, some complain.

The governor of the Central Bank of New Zealand, Adrian Orr, says Accellion failed to warn the bank after learning in mid-December that its nearly 20-year-old FTA application – built on outdated technology and slated for retirement – had been breached.

Although a patch was available on Dec. 20, Accellion did not notify the bank in time to prevent its appliance from being breached five days later, the bank said.

“If we had been notified at the right time, we would have been able to patch the system and avoid the breach,” Orr said in a statement on the bank’s website. Among the information stolen were files containing personal emails, dates of birth and credit information, the bank said.

Similarly, the audit office in Washington has no record of being informed of the breach until Jan. 12, the same day that Accellion publicly announced it, said spokeswoman Kathleen Cooper. Accellion then said that, within 72 hours of being informed of the breach, it had released a patch to fewer than 50 customers.

Accellion now tells a different story. It says it alerted all 320 potentially affected customers by Dec. 22, at multiple email addresses, and followed up with emails and phone calls. Company spokesman Rob Dougherty declined to address the complaints of the New Zealand central bank and the Washington auditor directly. According to Accellion, fewer than 25 customers appear to have experienced significant data theft.

A timeline released on March 1 by cybersecurity firm Mandiant, which Accellion hired to investigate the incident, says the company received first word of the breach on Dec. 16. The state auditor in Washington says its hack took place at Christmas.

The issue of notification timing is serious. The state of Washington has already been hit by a lawsuit, and several have been filed against Accellion seeking class-action status. Other victims may face legal or other consequences as well.

Last month, Harvard Business School officials emailed the affected students to tell them that some Social Security numbers had been compromised, along with other personal information. Another victim, Singapore-based telecommunications company Singtel, said personal data on approximately 129,000 customers was compromised.

Software companies with hundreds of programmers too often have only one or two security people, said Katie Moussouris, CEO of Luta Security.

“We wish we could say that organizations are investing uniformly in security. But what we actually see is that they only deal with the breaches and then promise to do better in the future. And that has kind of been the business model.”

Accellion spokesman Dougherty said the attacks “had nothing to do with staffing,” but declined to say how many people were directly assigned to security at the company in mid-December.

Cybersecurity threat analysts hope the snowballing supply-chain hacks will jolt the software industry into prioritizing security. Otherwise, vendors risk the fate that befell SolarWinds.

In a filing with the Securities and Exchange Commission this past week, the company gave a bleak outlook.

It said that supply-chain attacks “may continue to evolve at a rapid pace” and that it “may not be able to identify current attacks, anticipate future attacks or implement adequate security measures.”

The ultimate, painful consequence, the filing added:

“Customers can and may postpone purchases in the future or revoke or not renew their agreements or subscriptions with us.”

—-

Associated Press author Rachel La Corte in Olympia, Washington, contributed to this report.
