UPDATED: A Cyber Pearl Harbor?
The last time I posted extensive videos and print material from a purported expert, it was Michael Osterholm. 'Nuff said.
Nevertheless, there's stuff going on with this cyber attack of incredible proportions--if we're to believe half of what we're hearing. I certainly haven't the background to assess what's being said, nor to know to which expert to turn. Presumably the people backing up Lou Dobbs have a handle on who Lou should be having on his show, so I present this interview of Morgan Wright:
Prelude to War: @MorganWright_US lays out how a foreign power infiltrated our federal agencies to carry out a cyberattack #MAGA #AmericaFirst #Dobbs pic.twitter.com/t4QJvYM6Iu
— Lou Dobbs (@LouDobbs) December 17, 2020
I offer no opinion here because I really have no basis for doing so. Information at my usual sources has been scanty at best. Does this play into the election politics--Ratcliffe's delayed report, the shutdown of DoD transition talks? I don't know, and I'm loath to speculate. And yet we should be paying attention.
Insights and assessments are welcome.
ADDENDUM: I just saw that TGP has a very partial transcript of what Wright had to say, so as a tease to the video above ...
Lou Dobbs said he doesn’t remember the cyber community ever saying an attack was of “grave, grave danger” and that the Department of Homeland Security has no capacity to stop it.
Here are portions of what Wright said in response:
Any time you call a meeting on Saturday in the National Security Council it’s serious. This is almost like a prelude to war! … Not only were the government agencies hit, we got Lockheed Martin, we’ve got FireEye … this very well could have started after the 2018 election …. this is Russia’s way of getting back in the game … they attacked … SolarWinds … the updates were secure but they contained a malicious payload … it could be hundreds, it could be thousands of companies.
The companies in the military-industrial complex were attacked. This looks like what Russia did to Ukraine in 2016.
UPDATE: At the FireEye site there's a fairly lengthy report. I'm pasting in just the executive summary. Note that while this report characterizes the "actor" as "highly skilled", it makes no attempt to identify the actor, nor even to speculate in that regard as to whether this is a state-sponsored actor or others. Notably, while the compromise is characterized as "global" in its effects, I couldn't find any suggestion as to how access was gained, i.e., was access gained by an outside actor, or could the actor have had some form of internal access:
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
December 13, 2020 | by FireEye
Executive Summary
We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
The attacker’s post-compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
The campaign is widespread, affecting public and private organizations around the world.
FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.
Summary
FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.