December 18, 2020

There is no absolute security

There is no absolute security

"There is no absolute security", I sigh.

Organizations with plenty of security experts  were broken into via cyber attacks recently, such as FireEye and US National Nuclear Security Administration, what more about the local SMEs who are IT-resource strapped?

FireEye first discovered that they were hacked this month, and traced the break-in to the compromised network management software SolarWinds that they were using.

It was believed that the same technique is used to compromise many companies, including some US Federal agencies.

It was reported that National Nuclear Security Administration were broken into while Federal Energy Regulatory Commission (FERC) has reported suspicious activities in their networks since that incident.

What are the attackers after?  The following attack tree might give you some hints:

Attack tree (1st level)

SolarWinds software distribution
|__ (target) FireEye Security penetration tools
|__ US National Nuclear Security Administration networks
|__ Federal Energy Regulatory Commission networks (FERC)
|__ Other US federal agencies networks

Attack tree (2nd level)

FERC networks
|__ (target) National electric grid

If the nation's bulk electric grid was disrupted due to cyber attacks from the knowledge gained in the compromise (if there was any), you can imagine the severity of the problem.

Incidentally, although the exact technique (inserting a backdoor in SolarWinds software) is new, the method that they used is not.

In 2017, NotPetya ransomware was unleashed on computer systems in Ukraine on the eve of a Ukrainian holiday.  To deliver NotPetya, attackers compromised a company that made products explicitly for the Ukrainian market and abused their software distribution mechanism to infect victims.

Some researchers believe that this attack was carried out by a Russian state-sponsored actor in order to target Ukraine.

Sounds familiar?