Russian Hacker’s Latest Hack Or Did They?

Will 2021 become the year of heightened cyber security? What will it take for the U.S. Government to get its act together? Here we are, reporting yet another cyber attack that gained entry through a supply chain. 2021: Year of Cyber Security!


As a Cyber Security company, Enigma Forensics is always interested in the 4W’s and 1H of a Cyber Attack. We would be remiss if we didn’t write a post about the most recent SolarWinds Hack allegedly by the Russians. Did the Russians time this cyber attack at precisely the moment in time when the United States is preoccupied? Amidst the Coronavirus shutdowns, the election results, the holidays, and the COVID-19 relief plan, it’s almost as if this particular Russian Hack completely flew under the radar.

What happened?

The attackers gained entry by using a software update sent out by Texas-based software company SolarWinds, which counts multiple U.S. government agencies as customers. In early December 2020, the news media reported that at least 200 organizations, including U.S. government agencies and other companies around the world, had been hacked as part of this suspected Russian cyber attack.

Government’s response

The New York Times reported on December 13, 2020, “The Trump administration acknowledged on Sunday that hackers acting on behalf of a foreign government — almost certainly a Russian intelligence agency, according to federal and private experts — broke into a range of key government networks, including in the Treasury and Commerce Departments, and had free access to their email systems.” We can’t find any reporting on what information was stolen.

Who raised the alarm?

It looks like FireEye, a computer security firm, first raised the alarm about the Russian cyber attack after its own systems were compromised back in early Spring of 2020. What perfect timing to stage an attack, considering the whole country is preoccupied with the rise of the pandemic! FireEye discovered a supply chain attack that used SolarWinds Orion business software updates to distribute malware that they called “SUNBURST.” Experts agree this is the work of highly skilled actors and was performed with significant operational security. But the real issue is: why didn’t the government cyber protection agencies that are sworn to protect recognize the breach? It took an outside company to inform them of the cyber attack.

Where was the Cyber Attack aimed?

In this case, the U.S. government agencies seemed to be the target. As noted before, the hack was done through what is called a “supply chain attack,” in which malicious code is hidden in legitimate software updates and meant to target third parties. Could it have been the Chinese masquerading as the Russians? President Trump claimed that it could have been the Chinese and not the Russians.

When was the Attack Noticed?

As reported by the New York Times, in a statement after a briefing for committee staff members, Senator Ron Wyden of Oregon, who has often been among the sharpest critics of the National Security Agency and other intelligence agencies, said that the Treasury Department had acknowledged that “the agency suffered a serious breach, beginning in July, the full depth of which isn’t known.” But no one will say just how serious the breach was!

Today, as reported in The Hill, the headline reads, “Intel vice chair says government agency cyber attack ‘may have started earlier’.” Sen. Mark Warner (D-Va.), the vice-chairman of the Senate Intelligence Committee, said on Wednesday, December 30, 2020, that the cyberattacks on U.S. government agencies reported at the beginning of the month may have begun earlier than previously believed.

How did the Hackers Hack?

The hackers used malicious code inserted into legitimate software updates for the SolarWinds Orion software. This allowed the hackers to remotely access the victim’s electronic environment. In order to avoid detection, they used a very small footprint and went to significant lengths to lay low and blend in. Very stealth-like in nature! The malware attacked slowly and moved with precision, covering its tracks and using tools that were hard to detect. Does this sound familiar?


Data Breach Response

A forensic expert will help you avoid a data breach and save you money.

A planned data breach response is imperative and will save millions of dollars in litigation and forensic fees. Enigma Forensics CEO & President, Lee Neubecker, engaged in a video discussion with Privacy Expert Jackie Cooney from Paul Hastings Law. These experts provide solutions for many clients who seek to operationalize privacy and cyber security. A planned data breach response can save companies millions of dollars.

The transcript of the video follows

Lee Neubecker: So, I’m here with Jackie Cooney from Paul Hastings, and she’s their privacy expert here. Can you tell me a little bit about your practice and how you help your clients?

Jackie Cooney: Sure, so I am the senior director of the Privacy and Cyber Security Solutions Group, here at the law firm. We’re kind of a unique part of the law firm, in that we’re very much integrated into the legal practice, but what my group does is really provide solutions for clients to operationalize privacy and cyber security requirements.

Lee Neubecker: So what happens when a company suspects they have an issue? What do you typically advise your clients to do if they’re concerned about a potential breach?

Jackie Cooney: A potential breach, so that’s a good question, and I get these calls actually pretty frequently, maybe even on a weekly basis. Hey, we think something has happened to our data, what do we do? And there’s a few threshold questions that I ask. Number one, do you have cyber insurance, and have you called your cyber insurance company? Because often cyber insurance companies will cover you, but only if you use their counsel and you use their forensic experts. So, it’s important for you to understand what your coverage is there. Now, if you don’t have those kinds of limitations, or you don’t have cyber insurance, and hopefully most of your clients do have some coverage, or if Paul Hastings is on the approved list of those cyber insurance vendors, then we go on to step two. So, that first question, 30 seconds, one minute, do you have cyber insurance, have you called them yet? And what I typically like to do is say, okay, give me the two-minute version of what happened, and then I can pretty quickly decide, okay, this is a purely cyber incident or this is a cyber incident that has some privacy implications. And then there are questions that go from there. And, of course, if there’s something that has privacy implications, that there’s a lot of regulations that you have to worry about that require notification, too.

Lee Neubecker: So, can you tell me a little bit more about some of the new regulations that face companies that operate in the U.S., related to data breach requirements

Jackie Cooney: Sure.

Lee Neubecker: and responsibilities?

Jackie Cooney: So, in the United States, if you’re talking about a U.S. company that operates only in the United States, and those are becoming fewer and fewer. Most companies are international, or becoming international, or have an international market. But if you’re talking about an incident that happens in the United States, U.S. only, it’s important to remember a couple of things. Depending on the type of information, there might be federal laws that are implicated. So, if it’s financial information, there’s requirements for reporting under Gramm-Leach-Bliley. And if it’s medical information, specifically, protected health information, if you’re an insurance carrier or health care provider, there might be reporting under HIPAA. And even if you don’t fall under any of those federal statutes, there are 50 states that all have different breach notification requirements. And, for instance, there are 14 that have medical information as the threshold for having to notify people for breaches. So, it’s important to understand, in the United States, because we’re sectoral, and because our laws are federated among the states, that there are a lot of different places where you might have to notify. If it’s international, of course, the thing on everybody’s mind right now is GDPR, the General Data Protection Regulation, which has breach notification requirements in there and they’re pretty onerous. Here’s the thing, companies have a responsibility, not only to provide you with things like a privacy policy that tells you what they do with your information, but they also have a responsibility to not do things with your data that you wouldn’t expect, even notwithstanding the privacy policy. They shouldn’t be doing things that violate your trust.

Lee Neubecker: Well, you explained that very well. I thank you for being on the show today and this was really informative.

Jackie Cooney: You’re welcome.

Lee Neubecker: Thanks.