What's The SolarWinds Prognosis?
Probably not great.
I'm still mulling over Jen Dyer's latest on the Trump "Operational Timeline" and some related matters. However, commenter DFinley has written at some length on the SolarWinds situation, and since Dyer devotes a fair amount of space to that issue, I thought it would be useful to republish that comment. I think you'll quickly see that what he has to say is directly relevant. DFinley:
I've seen several cases where people who should know better are saying that, once this infection is cured we're good, our systems are clean again. But CISA's directive to isolate or power down, and in many cases completely reinstall all software, suggests they don't think so. Neither do I.
Any entity going to as much trouble as the attacker did to blend in, hide, and operate in the background would almost certainly have several other hooks into the system. If they didn't install a couple of rootkits, they've been negligent, and properly done rootkits can be almost impossible to find and root out.
All they need is a little of the unmapped space on a hard drive, or the storage on a video card or some other place, and a tweak to the Master Boot Record; all very hard to detect.
They almost certainly infected more of SolarWinds' portfolio than has been reported so far. Again, anyone going to this much trouble, showing this much patience and expertise, would not settle for infecting a single file.
WRT breaking in and taking nothing, it's too soon to make that claim. But even if nothing was taken, that doesn't mean a lot. The intrusion was slow and painstaking to avoid catching the attention of SolarWinds' security team (assuming they have one, as they certainly should). The intruder may be only partway to its ultimate goal, which we cannot know at this time. And that ultimate goal could easily be a "cyber Pearl Harbor."
SolarWinds has many thousands of customers, including critical government agencies and critical infrastructure. If you wanted to take it all down at once, SolarWinds is the way to do it in a massive instantaneous attack with no apparent outside initiation. The attacker has displayed so much patience thus far that we shouldn't discount an ultimate goal far beyond what we've seen, and exercising patience would mean foregoing any short-term gain in order to avoid jeopardizing the ultimate goal.
And there's still another factor I haven't seen adequately addressed yet. The left has demonstrated that they're perfectly willing to do anything to achieve total control. With NSA and US Cyber Command in one organization under one leader, lefty control of someone at the right level (not necessarily at the top) within Cyber Command (especially) gives them access to NSA's hacking tools (and everyone breathing has access to the CIA hacking tools released by Wikileaks a few years ago) and the ability to do the SolarWinds thing unnoticed by NSA or anyone else. I wouldn't put it past them.
In the cyber world, attribution is a bitch. If you're following the flow of outbound data, or backtracking to find the command and control servers, whatever you find isn't the end of it. There's so much smoke and mirrors, and there are so many ways of faking and disguising, that you can rarely know you've found the culprit that way. Another method is to reverse-compile the hack, examine the results, and try to tie it back to some known entity. Compiled code (the binaries, or executables) contains artifacts the compiling system throws in, and those artifacts may offer a clue. Stuxnet, for example, contained a couple of names from the Old Testament, leading many to believe that Israel was involved. Or the code may look like something previously seen from a known entity.
But an attacker as patient and expert as this one knows how attribution works, so you can bet the farm that any artifacts found in the compiled code will point away from the real attacker. If it looks Russian, it's probably from China, Iran, or North Korea. CIA even had a tool to help with this.
I'd bet there's an insider at SolarWinds and maybe one or more in our government.