SolarWinds: The more we learn, the worse it looks

In March 2020, Americans realized that the coronavirus was deadly and would be a real problem. What no American knew at the time was that the Russian government’s hack of SolarWinds’ Orion network-monitoring program had already destroyed the security of top US government agencies and technology companies. There were no explosions and no deaths, but it was the Pearl Harbor of American IT.

We now know that Russia used the compromised SolarWinds program to infiltrate at least 18,000 government and private networks. The data inside those networks, user IDs, passwords, financial records, source code, you name it, could now be in the hands of Russian intelligence agents.

The Russians even have the crown jewels of Microsoft’s software stack: Windows and Office. In a twist that would be hilarious if it weren’t so serious, Microsoft claims it’s not a big deal.

This is because Microsoft “has an inner source approach – using open-source software development practices and an open source-like culture – to make source code visible within Microsoft.” It’s nice that Microsoft recognizes that the open source approach is the right way to secure software, something I and other proponents of open source have been saying for decades. But inner source is not the same as open source.

When hackers, not Microsoft developers, gain access to that code, the door is open to attacks. It is true that Microsoft’s “threat models assume that attackers have knowledge of source code. Reading source code is therefore not linked to increasing the risk.” But an assumption is one thing. Dealing with reality is something else.

For decades, one of software’s dumbest assumptions has been that ‘security by obscurity’ works. While it can help (no really, it can, if used intelligently), that is not the case with proprietary code. Even with the best will in the world, I doubt that Microsoft has ever undertaken the hard security code review needed to lock down its own code. The almost weekly revelations of new Microsoft security holes and mishaps do not make me feel warm and fuzzy about the security of its software.

While President Donald Trump completely ignored the actions of Russian President Vladimir Putin’s government, the US Cybersecurity and Infrastructure Security Agency (CISA) said the hacks posed a “grave risk” to US governments at all levels.

Worse has since been revealed. Over the Christmas holidays, CISA told all US government agencies to update to Orion version 2020.2.1HF2 by the end of the year. If they cannot, they must take those systems offline.

Why? Because another SolarWinds Orion vulnerability is being used to install the Supernova and CosmicGale malware. This vulnerability, CVE-2020-10148, is an authentication bypass in the Orion API that lets attackers execute code remotely on Orion installations.
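The practical question for a defender reading the CISA directive above is simply: which of my Orion servers are below 2020.2.1HF2 and therefore must be patched or unplugged? The following script is an added example, not code from the article, SolarWinds or CISA. It parses Orion-style version strings (release numbers with an optional HFn hotfix suffix), orders them by release and then hotfix number (that ordering is my assumption about how the strings are meant to be read), and triages a constructed sample inventory against the CISA minimum.

```python
import re
from typing import Dict, NamedTuple, Tuple

# Minimum Orion version named in the CISA directive quoted above.
CISA_MINIMUM = "2020.2.1HF2"

# Accepts forms such as "2020.2.1HF2", "2020.2.1 HF2", "2019.4", "2020.2.4".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


class OrionVersion(NamedTuple):
    release: Tuple[int, ...]  # e.g. (2020, 2, 1); padded to three components
    hotfix: int               # 0 when the string carries no HF suffix


def parse_version(text: str) -> OrionVersion:
    """Parse an Orion version string; raise ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad so that "2020.2" compares as 2020.2.0 (assumption: missing parts are zero).
    parts = parts + (0,) * max(0, 3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    # NamedTuple comparison is field by field: release first, then hotfix.
    return OrionVersion(parts, hotfix)


def meets_minimum(version: str, minimum: str = CISA_MINIMUM) -> bool:
    """True when `version` is at or above `minimum` under the ordering above."""
    return parse_version(version) >= parse_version(minimum)


def triage(inventory: Dict[str, str], minimum: str = CISA_MINIMUM) -> Dict[str, str]:
    """Map each host to the action the directive implies for its version."""
    actions: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            compliant = meets_minimum(version, minimum)
        except ValueError:
            # An asset whose version cannot be read is an unknown, not a pass.
            actions[host] = "investigate: unparseable version"
            continue
        actions[host] = "compliant" if compliant else f"update to {minimum} or take offline"
    return actions


# Constructed sample inventory; the host names and versions are made up.
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1 HF2",
    "orion-dr-01": "2020.2.1HF1",
    "orion-lab": "2019.4 HF5",
    "orion-new": "2020.2.4",
    "orion-old": "n/a",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {SAMPLE_INVENTORY[host]:14} -> {action}")
```

Feed it the version strings your asset inventory or configuration database reports; anything that is not "compliant" is a server the directive says must be updated or taken off the network, and an unparseable entry should be treated as a finding in its own right rather than silently skipped.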

I have a better idea than updating Orion. Dump Orion. Dump it now. And start an investigation into SolarWinds’ mediocre security record.

As time goes on, more and more government institutions and industries turn out to have been hacked. These include the Department of Foreign Affairs; the Department of Homeland Security; the National Institutes of Health; the Pentagon; the Department of the Treasury; the Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration.

Everyone claims that nothing too important was revealed, but then they would say that, wouldn’t they?

Sen. Mark Warner (D-Virginia), a member of the Senate Intelligence Committee, told the New York Times that the hack looks much, much worse than first feared. “Its size continues to expand.”

How much bigger will it get? We do not know. Personally, if I had run SolarWinds Orion at any point during 2020, I would assume I had been hacked.

It did not come with bombs like the attack on Pearl Harbor, but this attack on our national agencies and America’s Fortune 500 companies could do even more damage to our national security and our business prosperity. Now we will see whether US developers, system administrators, and managers can rise to the occasion and rebuild their systems the way their grandparents did in the 1940s.
