I’m pulling, one by one, on the threads of the two newspaper articles I first wrote about on Saturday, then Sunday, then yesterday. Yesterday, I raised the idea that the articles show SolarWinds may itself have first been breached by the Russians as part of an attack on an Office 365 access reseller, so that this was really a two-stage supply chain attack.
But early this morning (which is when my ideas come to me, if they’re going to come at all) I realized that, if this is true, it means SolarWinds wasn’t the Russians’ target at all. Instead, the Russians were following their normal “spray and pray” approach to supply chain attacks: launch a cluster bomb into a crowded market and see who it hits.
The Times article said that 40 organizations had their credentials stolen in the initial attack on the reseller. In one case (CrowdStrike), the attacker was caught trying to use the stolen credentials to get into the organization’s Office 365 tenant in the Microsoft Azure cloud, but the articles gave no word on who the other organizations were. If one of them was SolarWinds (and SolarWinds has blamed an Office 365 compromise for the original penetration of its network), then it’s unlikely that the Russians were targeting SolarWinds specifically when they stole the credentials from the reseller; they stole credentials for 40 organizations, and SolarWinds happened to be one of them.
When the attacks were first announced less than three weeks ago, people marveled (including on the SANS webinar) at what a brilliant choice it was for the Russians to target SolarWinds. After all, SolarWinds is by far the leader in network management software, and that software can’t do its job unless it holds privileged credentials for the network devices it manages. So if the Russians could penetrate SolarWinds’ customers through a software update, they would have an intelligence bonanza, which is of course what happened.
But it seems this might not have been a choice at all, just dumb luck. Some low-level guy in Russian military intelligence was probably taking a lot of heat because his campaign to penetrate Azure access resellers hadn’t produced any usable results. Then one day he realized he could get into SolarWinds’ network, and that could give them the keys to customers like the NSA and DHS, which is what happened. The guy’s probably partying with Uncle Vlad as I write these words.
Any opinions expressed in this
blog post are strictly mine and are not necessarily shared by any of the
clients of Tom Alrich LLC. If you would like to comment on what you have read here, I would
love to hear from you. Please email me at tom@tomalrich.com.