How do they know it was backed by a foreign government?
I would immediately suspect China or North Korea but that seems too obvious and a bit of a setup?
Israel certainly has the chops to do something like this, but lots of other "friendly" countries with good geeks wouldn't mind having this kind of info.
I would bet on China, not Israel. Nation-states calculate risk/reward. With Jonathan Pollard, the reward was huge: getting your own nukes. Hacking the treasury? Not sure what Israel would gain from that; the costs of being perceived to attack a friend would be relatively higher. Whereas China has obvious reasons to want to know what US economic policymakers are thinking, and has little to lose in terms of reputation.
I said they were concerned about the possible reputational loss. I am also skeptical of overblown arguments that Israel "controls the US media". These tend to shade into antisemitic conspiracy theories. The incident you link seems to be a good example: I see little to persuade me that the USS Liberty wasn't sunk by accident.
I don’t know a lot about how states conduct cyber espionage against one another, but it does feel a bit off to be told that this was the work of a nation state with zero proof as to why.
It worked (a lack of acknowledgement that identities can be spoofed) for the "Russian hackers / disinformation agents" on Twitter meme, it will likely work just as well here.
I think sometimes the proof they have isn't proof they're willing to publicly admit they have because they don't want to let on how they know.
After Jamal Khashoggi was assassinated, for example, it turned out audio of the entire murder had been recorded through surveillance. (I'm still not sure we ever found out how exactly it was recorded?) So there were lots of announcements that certain governments "knew" or "suspected" it was Saudi Arabia with little or no substance to back up their claims until the existence of the recording was later leaked.
I think there was similar discussion after MH17 when western governments "knew" Russia-backed rebels had shot down the plane and only later did we learn there was a recording of a conversation about what happened.
I guess even after Snowden governments like to do their best to pretend they don't have the entire world under surveillance at all times.
Don’t they usually have “styles” of intrusion? I’m certain I’ve read in the past where intelligence agencies could differentiate between Russian backed styles of hacking and Chinese backed styles of hacking. I’m sure Americans have their own style of hacking as well.
I would say it’s also quite likely that the US knows who did this or has known who has been doing it for a while. It’s highly unlikely that this press release wasn’t coordinated by the intelligence agencies to play into some advantageous scenario they’ve drawn up.
If there are such styles of exploit, which means it’s public knowledge, sounds like a great way to cover your tracks then. Just make it look like the other person.
Some of it is based on analysis of the actors motives - if you have 0-day works on fully patched Office 365, that took months/years to work, and throw it at a US government agency, you're clearly not in it for the money, _and_ you have no qualms about blowing your exploit.
Attribution is tricky, but nation-state actors have resources that no other threat type (organized crime, hacktivists, etc.) can muster: multiple 0-days, advanced tools, obviously deep field of programming talent, inside info about targeted networks/apps, etc.
Not to mention, that forensic analysis of tactics, tools, etc. often clearly point to borrowing/surveiling of other APTs.
> The hack involves the NTIA’s office software, Microsoft’s Office 365. Staff emails at the agency were monitored by the hackers for months, sources said.
> The hackers are “highly sophisticated” and have been able to trick the Microsoft platform’s authentication controls, according to a person familiar with the incident, who spoke on condition of anonymity because they were not allowed to speak to the press.
> “This is a nation state,” said a different person briefed on the matter. “We just don’t know which one yet.”
Depends on how they do things. Clicking “yes” on a phone wouldn’t be happening at higher trust levels.
If they offload auth to a on-prem or third party IdP (common in big hybrid O365 tenants), there are often different paths, implementation screwups or bugs that let you bypass MFA. Microsoft’s position is “buy Azure AD, Buy M365, Buy ATP” and other paths are poorly tested, or they explicitly tell you to F off.
Also remember that federal agencies are bigger than most fortune 50 companies, are usually global in scope and have lots of collaborations with other agencies and other third parties, and may have independent pockets within the agency. Those friction points are where problems tend to happen!
This is my experience with Microsoft: they view all security features as binary. As in:
Encryption: Yes.
Multi-factor authentication: Yes.
Do they care if the MFA is simply the user pecking at buttons like a bird trained with seeds: No.
There is a real problem with Azure AD MFA. Unlike the consumer MFA, it shows you exactly zero information about the source of the information. None. You get a choice of "approve" or "do not approve". You don't get any input information for making this decision.
Hacking this is trivial. If you know someone's password, you just have to occasionally try logging in. Eventually the user will accidentally click approve even though they didn't trigger the authentication.
You'd assume that nobody would ever fall for something like this, because surely nobody would be so stupid as to approve an MFA prompt they didn't trigger.
Meanwhile, my Microsoft Authenticator app triggers randomly about 5-10 times per day because every single MS app insists on "reauthenticating" me every 24 hours. So I'll be sitting at my desk and my phone will pop it up randomly. I'll look up, and sure enough, Teams wants me to re-MFA for some stupid reason.
I'm paranoid enough that I'll always reject these MFA prompts and then start the login cycle manually, but most people would just peck the button like a trained bird.
Similarly, I've run scripts before that needed 6 MFA prompts to complete (don't ask). I ran the script once and it asked 7 times... uh-oh. Is this an Azure bug, or a hacker from China? How could I possibly know?! The information is not provided to me!
This is Microsoft's fault, 110%, and I dare anyone here to argue otherwise.
So instead of reaching for the downvote button, make your case on how "yes, yes, yes, yes" is not a security disaster below in the comments please.
That isn’t Microsoft’s fault. They are providing a tool and your admins did not set it up in the most secure or sensible way.
Your actions may make it some
If these things happen as well. I can think of a few organizations where your script would have resulted in your account being locked down and a security incident.
To be honest, though, if they did provide all the details, they'd criticized for "overwhelming" users with too much information -- most of which would probably be useless to the majority of users who either wouldn't (care|pay attention|understand) anyways.
That said, I'm sure there's a reasonable level somewhere in the middle. The current situation certainly doesn't sound like it, although I haven't used any form of Microsoft MFA, so I can't really say either way.
Imagine if an automobile manufacturer allowed you to configure the safety features of your car and had the defaults set to unsafe but convenient values to help sell vehicles... do you think the manufacturers should evade liability?
They absolutely do. In northern climates where there is snow and ice on the roads for 3+ months out of the year, a car MFG will GLADLY sell you a vehicle with sport/summer tires. If you try driving with those in the winter: at best you'll get stuck, at worst you'll slide through the first intersection you come to and die in a fiery crash.
Just about every business will have options that are a perfectly reasonable choice in some circumstances and really, really stupid in others.
I live in New York, where the speed limits on highways vary from 50 mph in NYC to 65 in the rural areas. My car is governed at 110 mph. Why? There is no reasonable scenario where that is smart to discover.
Microsoft has billions of users. The security needs of the US Department of Justice are not the same as my mom’s real estate office.
When you use 3rd party IdP, for example, how does Azure MFA know what the app is?
The configuration described was not out of the can. Somebody decided to make it the way it was.
Most likely due to some physical (not legal) issue that would make it mechanically unsafe to operate the vehicle above that speed even in an otherwise appropriate location. (Or perhaps it's due to some obscure state law, or the manufacturer is just out to spoil your fun, or ... who knows?)
More generally, I agree with the point you make here about the responsibility to configure things correctly. However, it seems to me that Microsoft is also on the hook for failing to include the necessary context when an MFA request is sent. It's a bit like selling a car with seat belts that superficially appear to work but fail at the slightest provocation, no?
I like how when the downvoted messages start to fade away until they say [flagged] and vanish. The creators of the site were only looking for what’s popular because, you know, they’re VC.
In my experience, most dead/downvoted comments are dead/downvoted for good reason.
But that doesn't mean I don't want to see them. Which is why I enabled "showdead." IMHO, that's often a better answer than vouching for a comment, but YMMV.
That's not how it works. Rather, there's a tug of war between upvotes and flags. If the flags get the upper hand, [flagged] appears, and if they dominate, then the post also gets killed. In the latter case users with 'showdead' turned on in their profile will see [flagged][dead].
If your IT department cared, they could disable the app notification MFA method in AAD and force you to either use passwordless or a TOTP code, both of which prevent you from blindly approving a sign-in you aren't involved in.
I authenticate with 10 different Azure AD directories, of which I my company controls 1, and I personally control zero.
Notably, Microsoft's consumer MFA, the type used to protect Hotmail and XBox accounts shows more information in the exact same mobile app!
It's not that they don't have the capability, or don't know that it's important. Microsoft has explicitly chosen to never ever show additional information of any type for enterprise customers only.
They care about the security of their own things, not you stuff, in other words.
WaPo is reporting that this and the FireEye breach were via Solarwinds:
> All of the organizations were breached through a network management system called Solar Winds, according to three people familiar with the matter, who spoke on condition of anonymity because of the issue’s sensitivity.
>SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information
Not knowing anything about this, this could be a good guess. Folks likely jumping the gun blaming a MS vuln above, when the real breach was via SolarWinds and then they were able to spoof/takeover some Active Directory server inside the network or something such thus gaining access to MS 365 emails etc.
> They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.
> I'm paranoid enough that I'll always reject these MFA prompts and then start the login cycle manually, but most people would just peck the button like a trained bird.
Similarly, I've run scripts before that needed 6 MFA prompts to complete (don't ask). I ran the script once and it asked 7 times... uh-oh. Is this an Azure bug, or a hacker from China? How could I possibly know?! The information is not provided to me!
I'm just glad I'm not the only one who sees this as a problem.
I literally reported an issue a year ago where under some circumstances, logging out of Microsoft would not actually log you out if their JavaScript redirect fail to execute, which it did on some devices. Nothing. They didn’t give a shit. It made me so angry that we had to code our application around it.
Please, this isn't Reddit. The US just happens to be part of the list of bad guys together with Russia, North Korea, Israel, PRC, etc. The difference is that on sites with a lot of US users pointing the finger at the US is more often than not seen as someone being Edgy or whatever while pointing it at Russia is cool/patriotic/stating the facts/etc.
Yes. Stuxnet being the most famous which brought this to more daylight -'cat out of the bag.'
Trump admin also did a press push after changing policy to ramp up digital offense [1]. Notably these stories were obviously is coordinated and on purpose. e.g. not just someone leaker talking to reporter it was strategy.
That push was actually interesting, since they were intentionally being open about their cyber capabilities. They also had a "press tour" about how they hacked ISIS [0]. There's clearly some mind games going on by showing your hand like that.
Totally interesting! Kind of similar mindset to nuclear weapons it seems being open about our capabilities; if you attack us, we attack you as a deterrent.
But that doesn't seem to stop Russia who doesn't give AF already under huge sanctions, or non-state groups like ISIS
All nations do. It's become very normal. On the surface relations are nice and respectful. But we even spy on our allies behind closed doors. Take the case of Germany, that became public knowledge because of wikileaks. We had Angela Merkel's office wiretapped, among other things[1]. After it became known, they hardly responded past some internal investigations. I think their Senate switched to storing documents offline too. But at this point it isn't something inexcusable. And you can be sure Germany does too[2]. Knowledge is power.
This. There's actually an argument that spying helps peace.
My dad (a journalist, RIP) was once at a UN conference in the 70s, and made the remark to a Chinese official in a light-hearted spirit: "of course you spy on us, we spy on you, and what's wrong with that?" This caused a major row and he was forced to apologize.
It seems like a fair game to me. You can always protect yourself by investing in cyber-security if you don't want to be spied on.
It's not like war where innocent people die and a there's a lot of human suffering. It's just a tech race where the nations doing a good job get a deserved advantage without doing direct damage to the population.
Unless someone exacts extensive damage to something like the electrical grid. In which case it would cause mass suffering and death. Don't underestimate the steel trap of that cold war mentality.
Some are too poor (take your pick). Others are rich, but small (the Vatican). Most just don't care enough to prioritise it over better things they could be doing.
And then, there are countries that simply consider the US an ally, and consider it morally dubious or practically unpromising to spy on them.
Add this up, and I'd be willing to give at least 10:1 odds it's one of a list of maybe ten suspects, even when adjusted for GDP or population.
As an aside, I'd really be curious why this "everyone does it" is used anytime something like this comes up? Is it just macho "I don't have friends but there are useful idiots that consider themselves my friend" talk? Is it nihilistic/cynical pretentiousness? International whataboutism to defend one's team?
Because it certainly isn't based on any actual data. If you add up offensive hacking by the USA, China, Russia, Israel, and maybe two or three others, you're pretty well done with the full list, but still close to <x> nations short, where <x> is the number of nations that exist.
Some does, some don't, is not a new normal, is mostly for power players. But anyway, none is even near at the scale and reach of what the US does. And for most of it they don't even need to hack, just handle a request for the customers data to any US based service (ask Lavabit about that).
Trust me, you will not hear about them. Also, when the US government detects it's been infiltrated, it's also rare to hear about it. That's why whenever you see articles like this that make attribution, I recommend viewing them with skepticism, simply because the information is specifically selected.
They pretty much don't ever want you to hear about them in the news. They don't want compromised entities to know they are compromised so they will keep revealing sensitive information through the systems; they don't want specific vulnerabilities they are using to be known so they won't be patched, or even the general sorts of capabilities they have to be known; and at least traditionally it's thought like it makes the U.S. (or any other country) look bad to be breaking other country's laws and spying on them like this, when it's a country we theoretically aren't in hostilities with. It might make the attacked nations feel they have to retaliate in some way too, if it's public.
Perhaps if the NSA focused more on defense instead of offense, they'd have been better able to protect our own government against this sort of attack. Who can say if some of the vulnerabilities used were ones the NSA in fact knew about but was keeping in it's pocket for it's own use. A well-resourced expert federal agency actually focused on security could make everyone safer from snooping; when they instead prioritize snooping themselves, they instead help make everyone less safe from snooping.
I have seen a couple of corporate hacks (not publicized) who happened to be Russian groups hosted in Syria....
By state 'sponsored' it can mean many things, even if the countries just let them be and some officials get bribed to not do anything.
In this case it was in Syria, which is a fundamental mess, but the fact that it was Russian groups and they have military presence there, it is enough to put it 'state sponsored' label...
..
Edit: This was a purely commercial/blackmail type of thing, so I doubt it was the Russian government/Putin involved directly, but it could just be a side hustle of the same people that do try to hack government targets.
If they have the facilities and the state protection, might as well make some money on the side.
don't underestimate Putin's greed
the very friends who are known to be connected to "private" militias operating in Syria, also own companies making money from all sorts of activities of regular people, like 2% of all regular household transactions goes through their bank etc
he said putin specifically. An oligarch who stole a nation's wealth in a period of mass destabilisation; and is likely the richest person in the world.
I’ve seen these things, including large DDoS attacks from both sides, black hat and white hat. I’ve also been recruited by Cyber Command, NSA, etc. The one thing that rings true is that governments and corporations vastly overestimate the capabilities of nation states, and vastly underestimate the capabilities of unaffiliated hacking groups and individuals. Most of the cutting edge InfoSec work is being done in OSS and the public domain. The Snowden NSA leaks, although ancient history at this point, confirmed a lot of this for me. The only exception would be where the government can flex muscle in low tech applications they can throw money or legal resources at (MiTM/interception, obsolete tech like SCADA) but otherwise I’ve never been been impressed.
And if you arent RPCing into a random Russian computer 5 minutes after browsing darknet markets, what are you doing aside from being discriminated against by captcha’s all day?
I would not trust any declaration of “state sponsored hack” and it is a distinction that doesn't really matter but causes more harm than good
>...wow. you're aware that "obsolete tech" is what basically all critical infrastructure uses, right? The world is bigger than FAANG webapps...
Wow! 2010 called. They want their ideas about what makes the world go back.[0]
That's just crazy talk. Everyone knows that hardware has been completely deprecated. It's all clouds. Mostly cumulo-nimbus, in fact.
Power plants, chip fabs, heavy machinery, machine tools, factory automation and logistics systems are completely obsolete and never, ever used anymore.
Because there's cloudiness, hardware is just a waste of money and space, which is why we can stack 600MB of js libraries on top of each other so we can have the browser render an opaque 40x40px box.
Twenty-five year ago that would fool people. Now things are complex enough that you can't help but leave clues even as you're trying to plant them.
The DPR was caught in part from a post on Stack Overflow where he was asking a question unique to his platform. Imagine how hard it would be to write the Flame malware. Now imagine the NSA and CIA hunting for traces afterword. Building that malware required deep information on many system that would likely require badges or intensive social engineering to access, both of which leave traces. Do you really think you could hide?
I'm an expert (of sorts) and I'm not sure that I could buy drugs on the dark web 100% securely if those resources were hunting me.
Key fact of government is that it NEVER fails, NEVER.
It always just a matter of spending a few more billions in tax payer money, you see the program/agency/task/what ever would have work perfectly if we just spend more money
‘Nation state’ is such a stupid term for them to use as two of the usual suspects, Iran and Russia, are not nation states but rather multiethnic states. If they don’t have a clue who it is, it seems unlikely they would rule out these two states specifically and do so in this subtle way.
For some reason it is very common amongst people who are interested in cybersecurity (or national security in the US).
Comptia's Security+ exam refers to countries as "nation states" when it talks about government entities targeting businesses or other governments, and that nomenclature has become commonplace.
Sec+ is also a requirement for a lot of government related computer work, so it's not surprising that the guy they interviewed used the term.
Just because an attack originated in a certain place does not mean it was supported by a nation state. For some reason it seems like a large number of security folks don’t understand this. I know lots of intelligent Russian engineers who could easily break into US corporate or government systems or orchestrate a DDoS attack. And if they chose to do so there would be zero legal consequences since they live in Russia and are Russian citizens. Doesn’t mean they are on Putin’s payroll.
Yes, I don't understand why you would assume government backing, but you don't know which government. If you don't know who it is, it could be anybody.
I think people use Nation-State to suggest that they are not so incompetent that some random hacker could get access.
I had to look up the difference, and I don't think that distinction is something most people are aware of. I've only ever known "nation state" to mean "country", and suspect I'm in the majority. I don't think most people use that term intentionally, because few countries would qualify. That list gets even shorter when you limit it to countries that might be antagonistic to the US, and even shorter when you get to those that are threats. In addition to your two examples, China certainly doesn't qualify either, which basically just leaves North Korea.
Ya, I think I consume far beyond the average for political news and had never heard of that distinction until now. I just always equated nation-state to country.
I always assumed it was a way to sidestep discussing whether certain contested territories were legitimately "countries" in their own right. By which I mean places like Palestine, Taiwan, and the way North and South Korea each kinda claim the other as part of their territory.
I think it's a mistake to limit the scope of consideration to countries that are antagonist to America. I doubt it was them, but at least in theory, might not Canada have an interest in having advanced knowledge of things the US Treasury might decide? Certainly the US economy impacts Canada as well, as it does nearly any other country to one degree or another.
Hahaha our military can't even figure out boots for the troops, you think we can hack the US Government?
As much as Canadians like to shit on America, one thing they gave going for them south of the border is that "Fuck yeah America" attitude that leads people to pursue excellence.
We don't have that in our public sector. We just have passive aggression, mediocrity and memes about being polite.
Well, maybe Canada is pretty unlikely I concede. But it seems possible that it might be some other first world nation that has friendly relations with America. I mean, America spied on Germany, right? Maybe Germany spies on America. I really haven't the foggiest clue who did it, but I wouldn't limit consideration to overtly adversarial countries.
And you’re holding up the US public sector as your shining city on a hill?
Canada is leading the world in procuring the vaccine, and has had a very well-considered response to the pandemic. How long did it take for CERB cheques to arrive? Days? Look at the cluster that was the US response, even at the basic “get money in people’s hands” level.
Getting back to the original point - I’m sure there are a dozen or more countries with the capability to pull off something this sophisticated, which would include Canada. Highly unlikely that it was us, obviously.
>And you’re holding up the US public sector as your shining city on a hill?
Certainly not. I'm only holding the US's cybersecurity complex as a shining city on the hill. Our government is so inept that I very much doubt CSE has the funding it needs or the ability to hire skilled people.
Happy to be proven wrong.
>Canada is leading the world in procuring the vaccine
Because we don't have any domestic production capacity due to decades of federal mismanagement. The same mismanagement that bought us used, obsolete fighter jets and submarines that catch fire at the slightest provocation. We lead the world in procuring those items too.
This is a US-vs-everyone-else terminology difference. In most of the world "state" refers to a sovereign entity, "nation" refers to an ethnic group, and "nation-state" is a state identified with an ethnic nation.
But all of that terminology solidified in the 19th century, so outside of academic political science the US uses "state" to refer to individual entities in a federation (e.g. translating German "Bundesland" as "state"), "nation" to refer to non-ethnic bodies politick, and "nation-state" to specify "what we call a nation, what the Old World calls a state".
Which of course leads to a lot of confusion about the connotations of "EU member state", which in European discourse implies real sovereignty, but in US discourse implies a federalist Europe.
This confusion is easily avoided by saying “country,” or if you still want your writing to be verbose you could say “government” or “government-backed actor.”
"Country" is also ambiguous. Lots of "countries" are not independent, e.g. the UK is made up of four "countries" - England, Scotland, Wales, and Northern Ireland. Similarly, the "Land" example I used above for the German federal subjects literally means "country".
"Governmental actor" would be a better international-friendly term for use in computer security, outside of the parochial world of US national security discourse.
US law actually uses "state" in a sense closer to the European and broader international sense. e.g. a "state actor" includes both the states and the federal government, and is used to describe any entity bound by the restrictions of the Bill of Rights. (e.g. state actors are bound by the First Amendment, whereas private actors can restrict speech all they want)
This is a US-vs-everyone-else terminology difference. In most of the world "state" refers to a sovereign entity, "nation" refers to an ethnic group, and "nation-state" is a state identified with an ethnic nation.
But all of that terminology solidified in the 19th century, so outside of academic political science the US uses "state" to refer to individual entities in a federation (e.g. translating German "Bundesland" as "state"), "nation" to refer to not-necessarily-ethnic bodies politick, and "nation-state" to specify "what we call a nation, what the Old World calls a state".
Which of course leads to a lot of confusion about the connotations of "EU member state", which in European discourse implies real sovereignty, but in US discourse implies a federalist Europe.
"monitoring internal email traffic at the U.S. Treasury Department _and_ an agency that decides internet and telecommunications policy"
That's an interesting way of saying a U.S. organization. Does this mean the NSA? I would have assumed they were talking about the FCC, but why not name them?
Good thing we have Christopher Krebs, director of the Homeland Security Department's Cybersecurity and Infrastructure Security Agency, on the job......Oh,wait,, Trump fired the guy responsible for defending against just such at attack? Brilliant.
If this is really an exploit of Microsoft's authentication services, then who knows what all got hacked. More likely, a Treasury IT admin got phished for their password, no?
And if this is a hack of data hosted on Microsoft Office 365 servers, how does it get detected?
Does Microsoft implement traffic monitoring for high-value clients?
Or do sophisticated organizations embed tracking pixels in emails to see what clients load them, and then check that those are authorized clients?
Don't confuse the .gov DNS/email domain and network monitoring tools like Einstein.
The brave new world of govt cloud computing use makes this not as straight forward as it might have been 10 years ago.
That’s a good point and one I had thought of afterwards. That being said, I have to imagine there is some kind of perimeter established, which cloud providers would exist within (at least the FedRAMP accredited segments).
Then again, I have seen crazier things and sometimes government takes quite a while to catch up with technology implementations.
"Ah yes we are from IT and found suspicious behavior, we need to reset your password, can you provide it immediately? No? Okay well we will be contacting your manager immediately for insubordination. You may want to gather your belongings.
This is absolutely my favorite thing. I at one point had a weeks long debate about what "patched" means with the vuln scanning team. They couldn't understand why I thought checking the running kernel in addition to the file on disk might matter.
> Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.
They probably don't but what better way to absolve themselves of any fault?
If it's a nation state, then the attack is so sophisticated, that surely they can't be blamed for not having prevented it and following best practices would certainly not have been enough.
My company was the target of a rather interesting office 365 hack. I would not be surprised if the hackers gained access to the Treasury the same way.
A link sent from an existing trusted sender was sent to one of our employees from a vendor’s procurement director, inviting us to an RFP. The link took the user to a “notion.io” page. I do not recall the contents of the page (may have been a login spoof, but it didnt matter).
The hackers then appeared to hijack the “remember me” login session from our employees Chrome.app. Within a few hours, online webmail logins (edit sessions not logins) were occurring all over the world for this user’s mailbox. The hackers then spread the “virus” by emailing this employee’s known contacts the same spoof.
I don’t think Microsoft ever fixed the bug, as far as I know. Our method to protect ourselves was to upgrade to IP restricted logins on a higher level of Microsoft 365, and disable the “remember me for 30 days” feature. We’re debating turning off access to web-mail entirely because it does scare me that I think its still possible to do.
How did you determine that the attacker hijacked the existing O365 session rather than logging in with the phished username and password? For an app like O365, usually that kind of cookie-stealing doesn't happen without malware on a user's computer.
This was about 6-9 months ago and I didn’t lead the postmortem, so to be honest I don’t recall how we determined that.
However anecdotal, the user who was compromised is aware enough not to re-enter their credentials outside URL schemes that match our password manager database, and they wouldnt have entered anything.
“Oh but how can you trust the user, they clicked a bad link?!”... again this email came from a very reputable vendor who we email with regularly, and the link would have been completely normal for a Monday morning in Q1 2020.
I also think part of our reasoning for why the credentials were not re-used was because all the sessions seemed to be headless chrome sessions, but no logins.
I’m not a data security expert, but in my best summary, it seemed they:
- Had a “virus” that spread really well. I’m assuming they had two kinds of users. Spreaders, and targets. Our employee was a spreader, sending this bug out to his/our network. Once the targets were hit, they’d be selected out of the spreader pool (so the hackers could remain undetected).
- The hack relied upon identifying ,mutually high volume (trusted) email senders.
- The hack had something to do with leveraging the platform of Notion.io. Unsure if there is a bug on that platform which was also being abused, or if they just have a good system for hosting phishing pages.
- The user’s authenticated sessions seemed to be hijacked and replicated across the globe in headless chrome browsers, which appeared to renew the session until the hack ended.
I sympathize, it's difficult to get a satisfying answer in a situation where you trust the user to accurately remember and own up to a mistake. You need both good logs (Microsoft's default logging and retention usually don't cut it) and a security vendor that knows O365, AAD, and the attacks on them well enough to make useful conclusions.
Notion.so is popular for phishing pages because it's a "reputable" "enterprise" application that doesn't raise the spam score when it's linked to in an email, can require signing in to view the page which further deters spam filters that actually check the links, and has less robust anti-phishing systems than Google Docs and Sharepoint (which are still used for the same purpose but require more tweaking of the template to avoid being auto-flagged).
We actually had something similar happen, almost to a “T”.
Individual’s account was compromised and was used to send emails to their address book asking them to review an RFP. They would then delete the emails that were sent and the account owner was none the wiser.
I am not 100% certain as to how the initial compromise happened, but it was an O365 environment and MFA was on. O365 did pick it up and send an alert, but due to a configuration error it did not disable the account.
Anyways, it worked out and we transitioned to M365 as well.
Just generally they spent the last 10 years cramming so much crap into the outlook desktop client that it’s horrible to use. The web client is better than the desktop one now.
Rest of office is pretty good. Do not worry about this. It works well.
That might also be a bias because very few companies or organizations use things like open office (or the google suite for that matter) so there would be fewer people interested in attacking those software suites. Also it’s more fun to report on bad stuff that happens to Microsoft then and stuff that happens to some relatively small and unknown software company.
Growth for Google Workspace (previously G Suite) and Office 365 is insane. Office 365 has >258 million paid seats[0], while Google claims they have 2 billion paid seats (or "users")[1]. Soon enough more businesses will be using one of these than those that aren't (as in, those that are using Exchange or another email server).
Google claims 2 billion users across all their cloud services, not paid seats.
For example, if you have a hangout and invite 20 people, that's 20 users. You don't have to be logged in to use a hangout link, so if you join another hangout later, and still aren't logged in, you're a new user.
I'm always skeptical of these "nation state" claims, it seems like an easy way out of any tough question about the security of these systems.
"No, no, you don't understand, it's not that our systems are insecure, it's that the attackers where highly sophisticated and had the resources of a nation state, otherwise it would never have worked out".
I suppose "we think it could be done by a group of two or three teenagers with decent knowledge of wget" doesn't have the same ring to it.
I wish we had more concrete evidence than "according to people familiar with the matter" though. That's kind of my issue: if these attackers are so sophisticated, how can they be sure it's this particular group?
I realize that there are probably many good reasons for not sharing deep technical details in such cases, but from the point of view of an external observer it's really hard to know who should be trusted and how solid these claims are.
I totally agree with your point (and would trust a hazy dream more than anything coming from this government), but I'd add that even if they claim to identify these parties forensically, they're often using parallel construction through their own espionage. like in the mueller investigation, they had a lot of firsthand knowledge of the IRA's business from inside the building (and the names of everyone that worked there). It's often not a technical conclusion based on the intrusions, but a conclusion reached by evidence gathered through other means
bellingcat has also done a pretty remarkable job of identifying state-employed hackers and spies just through buying russian passport control information and other private information that's out there on the market
Sounds reasonable but I don't remind reading it from the released pdf of the investigation. I actually read the whole thing, it's long but rather interesting from the hacker and espionage spirit.
> bellingcat has also done a pretty remarkable job of identifying state-employed hackers and spies just through buying russian passport control information and other private information that's out there on the market
A very common source of information to reporters are people who aren't authorized to speak about an issue, or people who have informal relationships with the press and don't want their names revealed publicly.
There are indeed many good reasons why specific people aren't cited in these articles, but who you're trusting is the Washington Post, not these individuals. The trust comes from what the Washington Post does when it finds out it has published false information, and its track record of making sure what it publishes as news is accurate, or corrected when discovered to be false.
As a overly generic rule, trust (or don't) the Institution over the individuals.
I'm perfectly willing to trust that the WaPo is reporting truthfully and that their sources are legit, but without concrete evidence it's hard to judge how serious the allegation really is.
Is it "they forgot to switch their VPN on once and we got a direct connection from an IP that belongs to the Russian state" like that other time (still manipulable but fairly conclusive IMO) or is it "that really looks like the modus operandi of those damn russians and we really need somebody to pin it on right now"?
To be clear I'm not making one of those "fake news" pro-russian rants, I can totally believe that Russia would very much do the things being reproached here if given the opportunity, I just have a really hard time taking the word of an anonymous source without concrete elements in these matters because the potential for manipulation is so absolutely tremendous.
I tend to consider news reports more akin to a, “here’s what we know now” report than a, “this is the definitive explanation of what’s taken place.”
So in that spirit I agree with you. What this looks like, so far, is a sophisticated Russian attack. From here, we’re going to learn more, and that new info may change how we understand what’s happened substantially.
Though I will say I personally don’t care much that the source is anonymous, because I trust WaPo to vet what they’ve said with other sources. It’s not a perfect system, but it’s not like journalists are unaware of the groups trying to manipulate them.
> As a overly generic rule, trust (or don't) the Institution over the individuals.
That is precisely the same line of reasoning that started the Iraq War based on lies. The New York Times claimed to have intel from anonymous sources showing that Saddam Hussein had nuclear weapons, and their false reporting is what led the US to declare war. That snafu didn't happen all that long ago, and yet most people in 2020 seem to have blocked it out of their minds.
The difference is that it wasn't hard to work out the claims were nonsense. WMDs are hugely expensive, and the Iraqi economy was running on fumes at that point. That combined with US belligerence against Iraq made the claims improbable.
But Russia actually does have a strong black hat culture, with links to the political establishment. Putin is a technologically savvy kind of despot who likes sneaky low-cost high-return actions. So this fits the profile - both as a workable hack and also as a proof of concept for future attacks.
Consider the cost/benefit. Instead of physically blowing up infrastructure and security systems you can cripple them, possibly permanently, for the cost of - what? - 20 or 30 specialists, some PCs, and maybe some supercomputer time. Although even that may be optional.
It's unlikely conclusive evidence will be released, because that might reveal too much information about defence strategies. So circumstantial evidence will be as good as it gets.
But whatever the cause, clearly - clearly - all countries and larger orgs need to work much harder on security. Some decorative pen-testing isn't going to be nearly enough in the 2020s.
That's all well and good, but it fails to account for potential action by state actors other than Russia. Everything you have said applies just as much to China, if not more so.
Vetting and sourcing information accurately is a Hard Problem. I don’t expect WaPo (or anyone) to get it right all the time, but I do trust WaPo reporters to be very aware of the best ways to do it, and to let me know when they end up getting it wrong.
At some point you have to trust others to be good at their jobs, and when an org like WaPo demonstrates their proficiency over and over again, their believability rises.
Often, people who "aren't authorized" are used to plant an idea in the press, without the agency in question having to make an official statement. Whether that information is reliable depends on whether you trust the agenda of whoever decided to leak the information.
The Washington Post's record on verifying the claims of the US national security apparatus is poor. The newspaper uncritically reported false claims by the Bush administration about Iraqi WMD. Many people people at the time found those claims extremely dubious, but critical voices were belittled or shut out of most mainstream reporting. More recently, the Washington Post has been all-in on Russia paranoia. That doesn't mean that everything they publish about Russian hackers is wrong, but it very well may be misinformation leaked by US intelligence officials, or something insignificant blown out of proportion and presented without any context. In December 2016, for example, the Washington Post reported that the Russians had hacked a Vermont utility. That story turned out to be complete nonsense, but the Washington Post never fully retracted it. If you look at the story today, you'll still get the impression that the Russians attempted to hack the utility, even though that aspect of the story completely fell apart. The Washington Post on Russia is a bit like Bloomberg on Chinese hackers (e.g., Supermicro).
But you should also keep in mind that organizations (or factions within organizations) will use these channels for their own purposes, to test public opinion before an official announcement, as propaganda channel or to undermine elected officials who are politically in charge.
Because those people would lose their jobs, possibly do jail time, and possibly the story would never have broken in the first place if reporters were required to always give up their sources in the article. Usually they do vetting or it's people they've worked with before and they trust.
You either believe it or you don't. There have been instances where more details were released (the Clinton campaign hack, IIRC), and it just gave more opportunity for people who did not want to believe it to nitpick details.
Whoever does such things doesn't exactly sign their exploits to prove ownership. So the evidence might be something like IP addresses in log files: totally convincing if it's your log file, but so easy to manipulate it's useful to convince someone who does not trust you.
So far as I understand it, "hacker groups," private or state-level, are generally identified by the tools they use. The same groups will re-use the tools and exploits they have over and over, including some known libraries. Security researchers capture the malware sent out from those groups and reverse engineer them. These allow groups of malware signatures to be created, which allows researchers to start to identify potential actors. It didn't take long for the security community to start blaming certain organizations for Stuxnet, despite there being little proof of their claims...
Right. There are situations where we can see that the only apparent way to do something needed very considerable resources, which suggests a state actor.
Equation Group is presumed to be (a front for) the NSA. It forged a (code signing) certificate that otherwise shouldn't exist, using an MD5 collision. But not the MD5 collision painfully created by researchers a little earlier to demonstrate that MD5 was vulnerable, it used a brand new collision purpose made for this attack. That's a considerable investment.
Then also, we can look at who benefits from what was done. Equation Group's "Flame" malware damaged the Iranian nuclear programme. That's something the US government, Israel, some other countries wanted, but it isn't something a bored teenager wants, or a drug cartel, or most for-profit corporations.
As described so far I don't see either the resource needs or the outcome satisfying this conclusion.
Perhaps? I can't find any evidence easily that Dan did have such tool, but "by the early 2000s" it's not at all unthinkable certainly. If you have a link that'd be great.
However the trouble is MD5 collision isn't like that hilarious "Send all zeroes" Microsoft bug from a few weeks back where you just try it a few times then it works because someone was very stupid - the MD5 collision is pretty hard, the Merkle–Damgård construction actually works, your attack avenue is hammering on the compression function, everything else in MD5 (and any other Merkle–Damgård construction) works because of mathematics unless you can break that compression function - so having a program that when you run it spits out an MD5 collision with your preferred shape is great, it's a cryptographic breakthrough - but maybe it'll take 5000 years to run on a typical home PC. If you're a government or a big crime boss then money turns that into 5 days or (if you've enough of it) 5 hours instead, but if you're a bored teenager or small time crook not so much.
And like I said, Flame depends on a never before seen collision, so it isn't like they just re-used work somebody else had done.
Do you have any idea what time window they had to generate collisions in?
The MS article on the collision says the attack required knowledge of, among other things, the predictable serial numbers. They could have had as little as the usual inter-cert issuance time, or in the worst-case scenario with entirely predictable numbers could have had months or more.
Depending on the window the funds required would change dramatically.
I agree that there is a wide range of costs for the attack, however for the sake of the discussion I would point out that the lower bound of that cost is likely to still be prohibitive for a teenager.
As far as I know you can reliably change a few bits and get a collision, not create arbitrary data with padded info whose hash collides with the original data.
The HashClash tool [1] was written back in 2006 and can construct chosen-prefix md5 collisions. Don't know if it has anything to do with Dan Kaminsky though.
FWIW, I'm also sceptical of comments like yours. A nation state involved in a lot of hacking would be interested in spreading your kind of doubts on social media. I'm not trying to accuse you personally, I don't know you from Putin, I'm just wondering why this response has become so popular recently.
I'm not usually very distrustful of mainstream news (at least, by internet standards) but I am very distrustful of the news' capacity to vet very technical issues correctly. Remember that Bloomberg "the Chinese put spy microchips on our motherboards" story?
I'm not accusing the WaPo of being distrustful here, I just think that in these cases the potential for manipulation, half-truths and technical mistakes from their sources is very high, and without either knowing who these sources are or what are the concrete element they're using to make their conclusions I find it very hard to blindly trust these sources.
I have the exact same attitude. Reading WaPo, Bloomberg, and even NYT (though I think NYT has a slight edge here) report on technical issues make me cringe. You can tell they're trying to hardest to understand and to explain it in a comprehensible way but it's just so bad. Then I think to myself, if that's the way it is for computing, what about other technical/STEM/specialized fields? I trust them for their reporting on those but what if they have missing the important nuances there too?
> "I'm just wondering why this response has become so popular recently."
There is a huge divergence in understanding of the purport of recent events, starting with the Wikileaks release of DNC emails in 2016, and continuing through to Hunter Biden's laptop
One camp believes or suspects that Russia is more of a useful bugbear and scapegoat for certain political factions in the US, used cynically as FUD to manipulate public perceptions, than something to be so worried about
The other believes in good faith that Russia is a dangerous and sophisticated adversary with assets in the highest levels of the US government, and finds the first camp to be incomprehensibly obtuse at best
It's difficult for these 2 camps to communicate effectively for some reason
Maybe someone with more familiarity on the topic can chime in, but I don't think it's the effective PR move you think it is. Nobody, I think, actually cares who from a blame perspective.
The idea that there's face saving to be had by blaming it on someone sophisticated just doesn't ring true to me. It still happened, the details specifically about who and how don't make your board, your boss, or Wall St. care.
It's way more relevant how you react to the breach, than it is that the breach took place.
This attack is a supply chain attack on enterprise software used by huge government organizations. Where can teenagers with wget pull that off?
When a leading security group (FireEye) says it's a state-level actor, I don't think they are doing PR.
It's fine to be skeptical, but why are you being skeptical? Perhaps it's lost on me but I don't think the claim that PR would look bad _if it were teenagers_ is a good reason to promote widespread distrust of ???.
I see the compromise of SolarWinds Orion software as far more likely to be carried out by state level actors than by script-kiddies. What would script-kiddies stand to gain?
388 comments
[ 2.8 ms ] story [ 305 ms ] threadIsrael certainly has the chops to do something like this, but lots of other "friendly" countries with good geeks wouldn't mind having this kind of info.
Nothing to lose at all. Deny the attacks and thank the news gods for publicity that distracts from reporting on their ongoing concentration camps.
Don't think israel is really concerned about attacking "friends".
https://en.wikipedia.org/wiki/USS_Liberty_incident
They live by different rules when it comes to the US due to their control/influence over our political parties, media, etc. But you already knew that.
After Jamal Khashoggi was assassinated, for example, it turned out audio of the entire murder had been recorded through surveillance. (I'm still not sure we ever found out how exactly it was recorded?) So there were lots of announcements that certain governments "knew" or "suspected" it was Saudi Arabia with little or no substance to back up their claims until the existence of the recording was later leaked.
I think there was similar discussion after MH17 when western governments "knew" Russia-backed rebels had shot down the plane and only later did we learn there was a recording of a conversation about what happened.
I guess even after Snowden governments like to do their best to pretend they don't have the entire world under surveillance at all times.
I would say it’s also quite likely that the US knows who did this or has known who has been doing it for a while. It’s highly unlikely that this press release wasn’t coordinated by the intelligence agencies to play into some advantageous scenario they’ve drawn up.
Not to mention, that forensic analysis of tactics, tools, etc. often clearly point to borrowing/surveiling of other APTs.
> The hackers are “highly sophisticated” and have been able to trick the Microsoft platform’s authentication controls, according to a person familiar with the incident, who spoke on condition of anonymity because they were not allowed to speak to the press.
> “This is a nation state,” said a different person briefed on the matter. “We just don’t know which one yet.”
I bet it was someone on r/wallstreetbets
So they social engineered the password, and if MFA was on it was push based MFA and the user just clicked OK to all popups on their phone?
If they offload auth to a on-prem or third party IdP (common in big hybrid O365 tenants), there are often different paths, implementation screwups or bugs that let you bypass MFA. Microsoft’s position is “buy Azure AD, Buy M365, Buy ATP” and other paths are poorly tested, or they explicitly tell you to F off.
Also remember that federal agencies are bigger than most fortune 50 companies, are usually global in scope and have lots of collaborations with other agencies and other third parties, and may have independent pockets within the agency. Those friction points are where problems tend to happen!
Encryption: Yes.
Multi-factor authentication: Yes.
Do they care if the MFA is simply the user pecking at buttons like a bird trained with seeds: No.
There is a real problem with Azure AD MFA. Unlike the consumer MFA, it shows you exactly zero information about the source of the information. None. You get a choice of "approve" or "do not approve". You don't get any input information for making this decision.
Hacking this is trivial. If you know someone's password, you just have to occasionally try logging in. Eventually the user will accidentally click approve even though they didn't trigger the authentication.
You'd assume that nobody would ever fall for something like this, because surely nobody would be so stupid as to approve an MFA prompt they didn't trigger.
Meanwhile, my Microsoft Authenticator app triggers randomly about 5-10 times per day because every single MS app insists on "reauthenticating" me every 24 hours. So I'll be sitting at my desk and my phone will pop it up randomly. I'll look up, and sure enough, Teams wants me to re-MFA for some stupid reason.
I'm paranoid enough that I'll always reject these MFA prompts and then start the login cycle manually, but most people would just peck the button like a trained bird.
Similarly, I've run scripts before that needed 6 MFA prompts to complete (don't ask). I ran the script once and it asked 7 times... uh-oh. Is this an Azure bug, or a hacker from China? How could I possibly know?! The information is not provided to me!
This is Microsoft's fault, 110%, and I dare anyone here to argue otherwise.
So instead of reaching for the downvote button, make your case on how "yes, yes, yes, yes" is not a security disaster below in the comments please.
Your actions may make it some If these things happen as well. I can think of a few organizations where your script would have resulted in your account being locked down and a security incident.
That said, I'm sure there's a reasonable level somewhere in the middle. The current situation certainly doesn't sound like it, although I haven't used any form of Microsoft MFA, so I can't really say either way.
Just about every business will have options that are a perfectly reasonable choice in some circumstances and really, really stupid in others.
Microsoft has billions of users. The security needs of the US Department of Justice are not the same as my mom’s real estate office.
When you use 3rd party IdP, for example, how does Azure MFA know what the app is?
The configuration described was not out of the can. Somebody decided to make it the way it was.
Most likely due to some physical (not legal) issue that would make it mechanically unsafe to operate the vehicle above that speed even in an otherwise appropriate location. (Or perhaps it's due to some obscure state law, or the manufacturer is just out to spoil your fun, or ... who knows?)
More generally, I agree with the point you make here about the responsibility to configure things correctly. However, it seems to me that Microsoft is also on the hook for failing to include the necessary context when an MFA request is sent. It's a bit like selling a car with seat belts that superficially appear to work but fail at the slightest provocation, no?
It is is on by default however when using the same mobile app for Hotmail or XBox live accounts.
Microsoft thinks the data of Fortune 500 companies is less valuable than your Minecraft skins.
Actually, I don’t. Downvoting turns your comments grey. Flagging is a separate action.
Sometimes flags/downvotes are warranted.
In my experience, most dead/downvoted comments are dead/downvoted for good reason.
But that doesn't mean I don't want to see them. Which is why I enabled "showdead." IMHO, that's often a better answer than vouching for a comment, but YMMV.
A fair point. And a correct one too. I took that as a given, but apparently folks are unable to read my mind. :)
Thanks for clarifying. I should have been more explicit.
Would you please review the site guidelines? Your comment breaks more than one of them: https://news.ycombinator.com/newsguidelines.html
Also, as bigyikes pointed out, downvotes don't flag things. Flag flag things.
Notably, Microsoft's consumer MFA, the type used to protect Hotmail and XBox accounts shows more information in the exact same mobile app!
It's not that they don't have the capability, or don't know that it's important. Microsoft has explicitly chosen to never ever show additional information of any type for enterprise customers only.
They care about the security of their own things, not you stuff, in other words.
> All of the organizations were breached through a network management system called Solar Winds, according to three people familiar with the matter, who spoke on condition of anonymity because of the issue’s sensitivity.
https://www.washingtonpost.com/national-security/russian-gov...
>SolarWinds N-central before 12.1 SP1 HF5 and 12.2 before SP1 HF2 allows remote attackers to retrieve cleartext domain admin credentials from the Agent & Probe settings, and obtain other sensitive information
I personally found and reported the unpublished CVE-2019-10690 in N-Central, but that was only local privesc.
> They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.
I'm just glad I'm not the only one who sees this as a problem.
> I bet it was someone on r/wallstreetbets
Both could be true? ;-)
So now that I think about it maybe they did do it... That's the only way to find out what the Fed is up to next.
Hack a hot stock tip.
Gotcha.
I feel like we never hear about them in the news.
I know "America Bad" is trendy now, but I don't see the connection.
Let's not let every post about international politics degenerate into a contest about which state is the wickedest.
The bias is apparent and I fear the trend is accelerating.
Trump admin also did a press push after changing policy to ramp up digital offense [1]. Notably these stories were obviously is coordinated and on purpose. e.g. not just someone leaker talking to reporter it was strategy.
[1] https://www.nbcnews.com/politics/national-security/under-tru...
[0] https://www.npr.org/2019/09/26/763545811/how-the-u-s-hacked-...
But that doesn't seem to stop Russia who doesn't give AF already under huge sanctions, or non-state groups like ISIS
1- https://www.reuters.com/article/us-germany-usa-spying-idUSKC...
2- https://m.dw.com/en/how-the-uss-cia-and-germanys-bnd-spied-o...
My dad (a journalist, RIP) was once at a UN conference in the 70s, and made the remark to a Chinese official in a light-hearted spirit: "of course you spy on us, we spy on you, and what's wrong with that?" This caused a major row and he was forced to apologize.
It's not like war where innocent people die and a there's a lot of human suffering. It's just a tech race where the nations doing a good job get a deserved advantage without doing direct damage to the population.
Some are too poor (take your pick). Others are rich, but small (the Vatican). Most just don't care enough to prioritise it over better things they could be doing.
And then, there are countries that simply consider the US an ally, and consider it morally dubious or practically unpromising to spy on them.
Add this up, and I'd be willing to give at least 10:1 odds it's one of a list of maybe ten suspects, even when adjusted for GDP or population.
As an aside, I'd really be curious why this "everyone does it" is used anytime something like this comes up? Is it just macho "I don't have friends but there are useful idiots that consider themselves my friend" talk? Is it nihilistic/cynical pretentiousness? International whataboutism to defend one's team?
Because it certainly isn't based on any actual data. If you add up offensive hacking by the USA, China, Russia, Israel, and maybe two or three others, you're pretty well done with the full list, but still close to <x> nations short, where <x> is the number of nations that exist.
Perhaps if the NSA focused more on defense instead of offense, they'd have been better able to protect our own government against this sort of attack. Who can say if some of the vulnerabilities used were ones the NSA in fact knew about but was keeping in it's pocket for it's own use. A well-resourced expert federal agency actually focused on security could make everyone safer from snooping; when they instead prioritize snooping themselves, they instead help make everyone less safe from snooping.
By state 'sponsored' it can mean many things, even if the countries just let them be and some officials get bribed to not do anything.
In this case it was in Syria, which is a fundamental mess, but the fact that it was Russian groups and they have military presence there, it is enough to put it 'state sponsored' label...
..
Edit: This was a purely commercial/blackmail type of thing, so I doubt it was the Russian government/Putin involved directly, but it could just be a side hustle of the same people that do try to hack government targets.
If they have the facilities and the state protection, might as well make some money on the side.
greed comes worse from the other side.
I would not trust any declaration of “state sponsored hack” and it is a distinction that doesn't really matter but causes more harm than good
...wow. you're aware that "obsolete tech" is what basically all critical infrastructure uses, right? The world is bigger than FAANG webapps...
>...wow. you're aware that "obsolete tech" is what basically all critical infrastructure uses, right? The world is bigger than FAANG webapps...
Wow! 2010 called. They want their ideas about what makes the world go back.[0]
That's just crazy talk. Everyone knows that hardware has been completely deprecated. It's all clouds. Mostly cumulo-nimbus, in fact.
Power plants, chip fabs, heavy machinery, machine tools, factory automation and logistics systems are completely obsolete and never, ever used anymore.
Because there's cloudiness, hardware is just a waste of money and space, which is why we can stack 600MB of js libraries on top of each other so we can have the browser render an opaque 40x40px box.
[0] https://en.wikipedia.org/wiki/Poe%27s_law
(Please refer to the above link reference to resolve any confusion.)
What would make that 600MB of javascript secure would be to auto-generate a random CPU architecture and recompile your server to run on it!
FORBORNE PENDLETON PIEDMONT
They all seem to suggest some level of breakthrough with regards to cryptography, including public key cryptography.
Guaranteed nobody will come looking for me.
Sincerely yours,
Evil mastermind
The DPR was caught in part from a post on Stack Overflow where he was asking a question unique to his platform. Imagine how hard it would be to write the Flame malware. Now imagine the NSA and CIA hunting for traces afterword. Building that malware required deep information on many system that would likely require badges or intensive social engineering to access, both of which leave traces. Do you really think you could hide?
I'm an expert (of sorts) and I'm not sure that I could buy drugs on the dark web 100% securely if those resources were hunting me.
And I don't mean computer viruses.
It always just a matter of spending a few more billions in tax payer money, you see the program/agency/task/what ever would have work perfectly if we just spend more money
For some reason it is very common amongst people who are interested in cybersecurity (or national security in the US).
“Nation state adversary” says something without saying it.
A distinction without a difference? I don't know a whole lot about Pakistan, but that's the way it seems to me.
Sec+ is also a requirement for a lot of government related computer work, so it's not surprising that the guy they interviewed used the term.
I think people use Nation-State to suggest that they are not so incompetent that some random hacker could get access.
But I could have been more specific that nation state tends to imply government of a country. Whereas country might include all citizens.
As much as Canadians like to shit on America, one thing they gave going for them south of the border is that "Fuck yeah America" attitude that leads people to pursue excellence.
We don't have that in our public sector. We just have passive aggression, mediocrity and memes about being polite.
https://en.m.wikipedia.org/wiki/Communications_Security_Esta...
Do you think a Wiki article can capture the staggering incompetence that's endemic within the Canadian public sector?
Canada is leading the world in procuring the vaccine, and has had a very well-considered response to the pandemic. How long did it take for CERB cheques to arrive? Days? Look at the cluster that was the US response, even at the basic “get money in people’s hands” level.
Getting back to the original point - I’m sure there are a dozen or more countries with the capability to pull off something this sophisticated, which would include Canada. Highly unlikely that it was us, obviously.
Certainly not. I'm only holding the US's cybersecurity complex as a shining city on the hill. Our government is so inept that I very much doubt CSE has the funding it needs or the ability to hire skilled people.
Happy to be proven wrong.
>Canada is leading the world in procuring the vaccine
Because we don't have any domestic production capacity due to decades of federal mismanagement. The same mismanagement that bought us used, obsolete fighter jets and submarines that catch fire at the slightest provocation. We lead the world in procuring those items too.
This is a US-vs-everyone-else terminology difference. In most of the world "state" refers to a sovereign entity, "nation" refers to an ethnic group, and "nation-state" is a state identified with an ethnic nation.
But all of that terminology solidified in the 19th century, so outside of academic political science the US uses "state" to refer to individual entities in a federation (e.g. translating German "Bundesland" as "state"), "nation" to refer to non-ethnic bodies politick, and "nation-state" to specify "what we call a nation, what the Old World calls a state".
Which of course leads to a lot of confusion about the connotations of "EU member state", which in European discourse implies real sovereignty, but in US discourse implies a federalist Europe.
"Governmental actor" would be a better international-friendly term for use in computer security, outside of the parochial world of US national security discourse.
US law actually uses "state" in a sense closer to the European and broader international sense. e.g. a "state actor" includes both the states and the federal government, and is used to describe any entity bound by the restrictions of the Bill of Rights. (e.g. state actors are bound by the First Amendment, whereas private actors can restrict speech all they want)
Or Israel. Israel is the nation state that has subverted the US govt more than any other.
Its used because it makes the victim seem less incompetent, and doesn’t misidentify the attacker, doubling the ownage.
https://www.bnnbloomberg.ca/gavin-newsom-declares-california...
But all of that terminology solidified in the 19th century, so outside of academic political science the US uses "state" to refer to individual entities in a federation (e.g. translating German "Bundesland" as "state"), "nation" to refer to not-necessarily-ethnic bodies politick, and "nation-state" to specify "what we call a nation, what the Old World calls a state".
Which of course leads to a lot of confusion about the connotations of "EU member state", which in European discourse implies real sovereignty, but in US discourse implies a federalist Europe.
That's an interesting way of saying a U.S. organization. Does this mean the NSA? I would have assumed they were talking about the FCC, but why not name them?
> Treasury and the Commerce Department’s National Telecommunications and Information Administration
> Staff emails at the agency were monitored by the hackers for months, sources said.
so krebs was in fact not defending against such an attack?
And if this is a hack of data hosted on Microsoft Office 365 servers, how does it get detected?
Does Microsoft implement traffic monitoring for high-value clients?
Or do sophisticated organizations embed tracking pixels in emails to see what clients load them, and then check that those are authorized clients?
However, the US government has their own IDS/IDP that they use for the .gov domain, namely EINSTEIN (and its variants).
Then again, I have seen crazier things and sometimes government takes quite a while to catch up with technology implementations.
0. Forgot to secure access with password.
100. Nation state.
"Ah yes we are from IT and found suspicious behavior, we need to reset your password, can you provide it immediately? No? Okay well we will be contacting your manager immediately for insubordination. You may want to gather your belongings.
Ok, any capital letters?"
I really dislike how deflection pretty much absolved the actual hacker of any scrutiny or liability.
Its like the old bugs bunny cartoons where the hacker - bugs bunny - puts on a disguise and says “he went that way”
Anyway, was this hack related to the one for FireEye last week?
> Two of the people said that the breaches are connected to a broad campaign that also involved the recently disclosed hack on FireEye, a major U.S. cybersecurity company with government and commercial contracts.
The Washington Post also stipulates that the group behind it also hacked FireEye [1].
Makes me wonder if the TTP used for this attack is similar to the FireEye breach (if of course it really was APT29 behind both attacks).
Edit: Reuters reporter Chris Bing says he is hearing the way FireEye got hacked is similar to these government agencies [2].
[1]: https://www.washingtonpost.com/national-security/russian-gov...
[2]: https://twitter.com/Bing_Chris/status/1338233592347045892
So, how do they know then?
A link sent from an existing trusted sender was sent to one of our employees from a vendor’s procurement director, inviting us to an RFP. The link took the user to a “notion.io” page. I do not recall the contents of the page (may have been a login spoof, but it didnt matter).
The hackers then appeared to hijack the “remember me” login session from our employees Chrome.app. Within a few hours, online webmail logins (edit sessions not logins) were occurring all over the world for this user’s mailbox. The hackers then spread the “virus” by emailing this employee’s known contacts the same spoof.
I don’t think Microsoft ever fixed the bug, as far as I know. Our method to protect ourselves was to upgrade to IP restricted logins on a higher level of Microsoft 365, and disable the “remember me for 30 days” feature. We’re debating turning off access to web-mail entirely because it does scare me that I think its still possible to do.
Anyone else experience this?
However anecdotal, the user who was compromised is aware enough not to re-enter their credentials outside URL schemes that match our password manager database, and they wouldnt have entered anything.
“Oh but how can you trust the user, they clicked a bad link?!”... again this email came from a very reputable vendor who we email with regularly, and the link would have been completely normal for a Monday morning in Q1 2020.
I also think part of our reasoning for why the credentials were not re-used was because all the sessions seemed to be headless chrome sessions, but no logins.
I’m not a data security expert, but in my best summary, it seemed they: - Had a “virus” that spread really well. I’m assuming they had two kinds of users. Spreaders, and targets. Our employee was a spreader, sending this bug out to his/our network. Once the targets were hit, they’d be selected out of the spreader pool (so the hackers could remain undetected). - The hack relied upon identifying ,mutually high volume (trusted) email senders. - The hack had something to do with leveraging the platform of Notion.io. Unsure if there is a bug on that platform which was also being abused, or if they just have a good system for hosting phishing pages. - The user’s authenticated sessions seemed to be hijacked and replicated across the globe in headless chrome browsers, which appeared to renew the session until the hack ended.
Notion.so is popular for phishing pages because it's a "reputable" "enterprise" application that doesn't raise the spam score when it's linked to in an email, can require signing in to view the page which further deters spam filters that actually check the links, and has less robust anti-phishing systems than Google Docs and Sharepoint (which are still used for the same purpose but require more tweaking of the template to avoid being auto-flagged).
Individual’s account was compromised and was used to send emails to their address book asking them to review an RFP. They would then delete the emails that were sent and the account owner was none the wiser.
I am not 100% certain as to how the initial compromise happened, but it was an O365 environment and MFA was on. O365 did pick it up and send an alert, but due to a configuration error it did not disable the account.
Anyways, it worked out and we transitioned to M365 as well.
I work for Abnormal Security (https://abnormalsecurity.com), and we build products to try and catch these type of account takeover attacks.
You can reach me at egreenstein@abnormalsecurity.com.
Edit:: Another commenter in this thread indicated MFA did Not protect them.
Not buying off on more than the fact the report was made.
Skepticism is the order of the day.
We're moving to 365 and I'd like to know what f*ckery to expect. =(
Rest of office is pretty good. Do not worry about this. It works well.
0: https://office365itpros.com/2020/10/28/teams-115-million-use....
1: https://www.axios.com/google-g-suite-total-users-9a6d3df6-c9...
For example, if you have a hangout and invite 20 people, that's 20 users. You don't have to be logged in to use a hangout link, so if you join another hangout later, and still aren't logged in, you're a new user.
>Soltero declined to offer a breakdown of how many of those 2 billion users are for products beyond Gmail or how many are paid versus free.
"No, no, you don't understand, it's not that our systems are insecure, it's that the attackers where highly sophisticated and had the resources of a nation state, otherwise it would never have worked out".
I suppose "we think it could be done by a group of two or three teenagers with decent knowledge of wget" doesn't have the same ring to it.
https://www.washingtonpost.com/national-security/russian-gov...
I realize that there are probably many good reasons for not sharing deep technical details in such cases, but from the point of view of an external observer it's really hard to know who should be trusted and how solid these claims are.
https://wikileaks.org/ciav7p1/cms/page_14588467.html
bellingcat has also done a pretty remarkable job of identifying state-employed hackers and spies just through buying russian passport control information and other private information that's out there on the market
Wow, I just looked some stuff up on bellingcat. It appears that Russia is pretty bad at covering its tracks. This is a good example: https://www.bellingcat.com/news/uk-and-europe/2019/11/07/how...
There are indeed many good reasons why specific people aren't cited in these articles, but who you're trusting is the Washington Post, not these individuals. The trust comes from what the Washington Post does when it finds out it has published false information, and its track record of making sure what it publishes as news is accurate, or corrected when discovered to be false.
As a overly generic rule, trust (or don't) the Institution over the individuals.
Is it "they forgot to switch their VPN on once and we got a direct connection from an IP that belongs to the Russian state" like that other time (still manipulable but fairly conclusive IMO) or is it "that really looks like the modus operandi of those damn russians and we really need somebody to pin it on right now"?
To be clear I'm not making one of those "fake news" pro-russian rants, I can totally believe that Russia would very much do the things being reproached here if given the opportunity, I just have a really hard time taking the word of an anonymous source without concrete elements in these matters because the potential for manipulation is so absolutely tremendous.
So in that spirit I agree with you. What this looks like, so far, is a sophisticated Russian attack. From here, we’re going to learn more, and that new info may change how we understand what’s happened substantially.
Though I will say I personally don’t care much that the source is anonymous, because I trust WaPo to vet what they’ve said with other sources. It’s not a perfect system, but it’s not like journalists are unaware of the groups trying to manipulate them.
That is precisely the same line of reasoning that started the Iraq War based on lies. The New York Times claimed to have intel from anonymous sources showing that Saddam Hussein had nuclear weapons, and their false reporting is what led the US to declare war. That snafu didn't happen all that long ago, and yet most people in 2020 seem to have blocked it out of their minds.
But Russia actually does have a strong black hat culture, with links to the political establishment. Putin is a technologically savvy kind of despot who likes sneaky low-cost high-return actions. So this fits the profile - both as a workable hack and also as a proof of concept for future attacks.
Consider the cost/benefit. Instead of physically blowing up infrastructure and security systems you can cripple them, possibly permanently, for the cost of - what? - 20 or 30 specialists, some PCs, and maybe some supercomputer time. Although even that may be optional.
It's unlikely conclusive evidence will be released, because that might reveal too much information about defence strategies. So circumstantial evidence will be as good as it gets.
But whatever the cause, clearly - clearly - all countries and larger orgs need to work much harder on security. Some decorative pen-testing isn't going to be nearly enough in the 2020s.
At some point you have to trust others to be good at their jobs, and when an org like WaPo demonstrates their proficiency over and over again, their believability rises.
The Washington Post's record on verifying the claims of the US national security apparatus is poor. The newspaper uncritically reported false claims by the Bush administration about Iraqi WMD. Many people people at the time found those claims extremely dubious, but critical voices were belittled or shut out of most mainstream reporting. More recently, the Washington Post has been all-in on Russia paranoia. That doesn't mean that everything they publish about Russian hackers is wrong, but it very well may be misinformation leaked by US intelligence officials, or something insignificant blown out of proportion and presented without any context. In December 2016, for example, the Washington Post reported that the Russians had hacked a Vermont utility. That story turned out to be complete nonsense, but the Washington Post never fully retracted it. If you look at the story today, you'll still get the impression that the Russians attempted to hack the utility, even though that aspect of the story completely fell apart. The Washington Post on Russia is a bit like Bloomberg on Chinese hackers (e.g., Supermicro).
Whoever does such things doesn't exactly sign their exploits to prove ownership. So the evidence might be something like IP addresses in log files: totally convincing if it's your log file, but so easy to manipulate it's useful to convince someone who does not trust you.
Equation Group is presumed to be (a front for) the NSA. It forged a (code signing) certificate that otherwise shouldn't exist, using an MD5 collision. But not the MD5 collision painfully created by researchers a little earlier to demonstrate that MD5 was vulnerable, it used a brand new collision purpose made for this attack. That's a considerable investment.
Then also, we can look at who benefits from what was done. Equation Group's "Flame" malware damaged the Iranian nuclear programme. That's something the US government, Israel, some other countries wanted, but it isn't something a bored teenager wants, or a drug cartel, or most for-profit corporations.
As described so far I don't see either the resource needs or the outcome satisfying this conclusion.
However the trouble is MD5 collision isn't like that hilarious "Send all zeroes" Microsoft bug from a few weeks back where you just try it a few times then it works because someone was very stupid - the MD5 collision is pretty hard, the Merkle–Damgård construction actually works, your attack avenue is hammering on the compression function, everything else in MD5 (and any other Merkle–Damgård construction) works because of mathematics unless you can break that compression function - so having a program that when you run it spits out an MD5 collision with your preferred shape is great, it's a cryptographic breakthrough - but maybe it'll take 5000 years to run on a typical home PC. If you're a government or a big crime boss then money turns that into 5 days or (if you've enough of it) 5 hours instead, but if you're a bored teenager or small time crook not so much.
And like I said, Flame depends on a never before seen collision, so it isn't like they just re-used work somebody else had done.
The MS article on the collision says the attack required knowledge of, among other things, the predictable serial numbers. They could have had as little as the usual inter-cert issuance time, or in the worst-case scenario with entirely predictable numbers could have had months or more.
Depending on the window the funds required would change dramatically.
[1]: https://www.win.tue.nl/hashclash/
Nihilistic cynicism sounds a lot like smartitude to stupid people.
I'm not accusing the WaPo of being distrustful here, I just think that in these cases the potential for manipulation, half-truths and technical mistakes from their sources is very high, and without either knowing who these sources are or what are the concrete element they're using to make their conclusions I find it very hard to blindly trust these sources.
There is a huge divergence in understanding of the purport of recent events, starting with the Wikileaks release of DNC emails in 2016, and continuing through to Hunter Biden's laptop
One camp believes or suspects that Russia is more of a useful bugbear and scapegoat for certain political factions in the US, used cynically as FUD to manipulate public perceptions, than something to be so worried about
The other believes in good faith that Russia is a dangerous and sophisticated adversary with assets in the highest levels of the US government, and finds the first camp to be incomprehensibly obtuse at best
It's difficult for these 2 camps to communicate effectively for some reason
Also, the attack was carefully crafted. How could anyone expect or defend against a carefully crafted attack, by a nation state no less.
The idea that there's face saving to be had by blaming it on someone sophisticated just doesn't ring true to me. It still happened, the details specifically about who and how don't make your board, your boss, or Wall St. care.
It's way more relevant how you react to the breach, than it is that the breach took place.
https://www.fireeye.com/blog/threat-research/2020/12/evasive...
If this is not sophisticated, I don't know what is.
When a leading security group (FireEye) says it's a state-level actor, I don't think they are doing PR.
It's fine to be skeptical, but why are you being skeptical? Perhaps it's lost on me but I don't think the claim that PR would look bad _if it were teenagers_ is a good reason to promote widespread distrust of ???.
I see the compromise of SolarWinds Orion software as far more likely to be carried out by state level actors than by script-kiddies. What would script-kiddies stand to gain?