Tuesday, December 29, 2020

Was SolarWinds even the Russians’ target?


I’m pulling, one by one, the threads of the two newspaper articles I first wrote about on Saturday, then Sunday, then yesterday. Yesterday, I raised the idea that the articles show SolarWinds may have first been breached by the Russians as part of an attack on an Office365 access reseller – so this was really a two-stage supply chain attack.

But early this morning – when my ideas come to me, if they’re going to come at all – I realized that, if this is true, it means SolarWinds wasn’t the Russians’ target at all. In fact the Russians were engaging in their normal “spray and pray” approach to supply chain attacks, which is simply to launch a cluster bomb in a crowded market and see who it hits.

The Times article said that 40 organizations had their credentials stolen in an initial attack on the reseller. In one case (CrowdStrike), someone was caught trying to use the credentials to penetrate the organization’s Office365 instance in the MS Azure cloud, but there was no word in the articles on who the other organizations were. If one of them was SolarWinds (and SolarWinds blamed an Office365 compromise for the original penetration of their organization), then it’s unlikely that the Russians were targeting them when they stole the credentials from the reseller.

When the attacks were first announced less than three weeks ago, people marveled (including on the SANS webinar) at what a brilliant choice it was when the Russians targeted SolarWinds. After all, they’re by far the leader in network management software, and that software can’t work unless it has the credentials for network devices. So if the Russians could penetrate SolarWinds’ customers through a software update, they would have an intelligence bonanza – which is of course what happened.

But it seems this might not have been a choice at all, just dumb luck. Some low level guy in Russian military intelligence was probably taking a lot of heat because his campaign to penetrate Azure access resellers hadn’t produced any usable results. Then one day he realized he could get into SolarWinds’ network and that could give them the keys to customers like the NSA and DHS – which is what happened.

The guy’s probably partying with Uncle Vlad as I write these words.

Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would love to hear from you. Please email me at tom@tomalrich.com.
