BOSTON (AP) – The SolarWinds hacking campaign blamed on Russian spies and the “grave threat” it poses to US national security are widely known. A series of very different – and no less alarming – coordinated intrusions, also detected in December, attracted much less public attention.
Nimble and highly skilled criminal hackers suspected of operating in Eastern Europe broke into dozens of businesses and government agencies on at least four continents by breaching a single product they all used.
Among the victims are the New Zealand central bank, Harvard Business School, the Australian securities regulator, the powerful American law firm Jones Day – whose clients include former President Donald Trump – the rail freight company CSX and the Kroger supermarket and drugstore chain. The Washington State Auditor’s Office was also affected; there, the personal data of up to 1.3 million people, collected for an unemployment fraud investigation, was potentially exposed.
The two-stage mega-hack in December and January of a popular file transfer program from the Silicon Valley-based company Accellion highlights a threat security experts fear is getting out of hand: intrusions by high-level criminals and state-backed hackers into software supply chains and third-party service providers.
Operating system companies such as Microsoft have long been targets, with countless thousands of installations of its Exchange mail server breached around the world in the past few weeks, mostly after the company released a fix and revealed that Chinese hackers had penetrated the program.
Accellion’s victims continued to pile up in the meantime, with many being extorted by the Russian-speaking cybercriminal gang Clop, which researchers believe may have purchased the stolen data from the hackers. Their threat: pay, or we publish your sensitive data online, whether it is proprietary documents from Canadian aircraft manufacturer Bombardier or attorney-client communications from Jones Day.
The hacking of up to 100 Accellion customers, who were easily identified by the hackers through online scanning, throws into painful relief a fundamental mission of the digital age that governments and the private sector have failed to achieve.
“Attackers are finding it increasingly difficult to gain access through traditional methods, as vendors like Microsoft and Apple have dramatically increased the security of operating systems in recent years. Thus, attackers find easier access routes. This often means going through the supply chain. And as we’ve seen, it works,” said Mikko Hypponen, director of research at cybersecurity firm F-Secure.
Members of Congress are already dismayed by the hack of the supply chain of Texas network management software company SolarWinds, which allowed suspected Russian state-backed hackers to tiptoe undetected through government agencies and more than 100 businesses and think tanks. The SolarWinds hacking campaign was not discovered until December, by cybersecurity firm FireEye.
France has suffered a similar hack, blamed by its cybersecurity agency on Russian military agents, who also worked through the supply chain. They slipped malware into an update to network management software from a company called Centreon, letting it quietly take root in victims’ networks from 2017 to 2020.
Both of those hacks introduced malware into software updates. The Accellion hack was different in one key respect: its file transfer program sat on the victims’ networks, either as a stand-alone appliance or as a cloud-based application. Its job is to safely move files that are too large to attach to an email.
Mike Hamilton, Seattle’s former chief information security officer, now at CI Security, said the trend of exploiting third-party service providers shows no signs of slowing down, as it offers criminals the best return on their investment “if they want to compromise a wide range of businesses or government agencies.”
The impact of the Accellion breach could have been mitigated if the company had alerted customers more quickly, some complain.
New Zealand central bank governor Adrian Orr said Accellion did not warn the bank after learning in mid-December that its nearly 20-year-old FTA application, which uses outdated technology slated for retirement, had been breached.
Although a fix was available on December 20, Accellion did not notify the bank in time to prevent its appliance from being breached five days later, the bank said.
“If we had been informed at the appropriate time, we could have patched the system and avoided the breach,” Orr said in a statement posted on the bank’s website. Among the information stolen were files containing personal emails, dates of birth and credit information, the bank said.
Likewise, the Washington state auditor’s office was not made aware of the breach until January 12, the same day Accellion publicly announced it, said spokeswoman Kathleen Cooper. Accellion said at the time that it had released a fix for the fewer than 50 affected customers within 72 hours of discovering the breach.
Accellion now tells a different story. It says it alerted the 320 potentially affected customers with multiple emails beginning December 22, and followed up with emails and phone calls. Company spokesman Rob Dougherty would not directly address the complaints from New Zealand’s central bank and the Washington state auditor. Accellion says fewer than 25 customers appear to have experienced significant data theft.
A timeline posted on March 1 by cybersecurity firm Mandiant, which Accellion hired to investigate the incident, says the company got first word of the breach on December 16. The Washington state auditor said its breach took place over Christmas.
The timing of notification is a serious issue. Washington state has already been hit with a lawsuit, and several suits seeking class-action status have been filed against Accellion. Other organizations could also face legal or other consequences.
Last month, officials at Harvard Business School emailed affected students telling them that some Social Security numbers had been compromised along with other personal information. Another victim, Singapore-based telecommunications company Singtel, said personal data on 129,000 customers was compromised.
Too often, software companies with hundreds of programmers only have one or two security officers, said Katie Moussouris, CEO of Luta Security.
“We wish we could say that organizations invest uniformly in security. But we actually see them deal with the breaches and then promise to do better in the future. And that’s sort of the business model.”
Dougherty, the Accellion spokesman, said the attacks “had nothing to do with staffing,” but he did not say how many people directly involved in security the company employed in mid-December.
Cybersecurity threat analysts hope the snowballing supply chain hacks will jolt the software industry into prioritizing security. Otherwise, vendors risk the fate that befell SolarWinds.
In a filing last week with the Securities and Exchange Commission, the company offered a grim outlook.
It said that as supply chain hacks “continue to evolve at a rapid rate,” it “may be unable to identify current attacks, anticipate future attacks, or implement adequate security countermeasures.”
The ultimate, painful result, the filing adds:
“Customers have and may in the future defer their purchases or choose to cancel or not renew their agreements or subscriptions with us.”
Associated Press writer Rachel La Corte in Olympia, Washington, contributed to this report.