> The Department is responding to this incident as if the Advanced Persistent Threat (APT) group responsible for the SolarWinds breach had access to all email communications and attachments found within the compromised O365 accounts. The APT is believed to have access to compromised accounts from approximately May 7 to December 27, 2020. The compromised data included all sent, received, and stored emails and attachments found within those accounts during that time.
Never liked the term APT. It just makes the 'blame game' easier to commit, instead of focusing on the more important task of securing your country's infra. Now the US just screams: 'China up to no good again'. 'Oh those damn Russians and their cyber-attacks'. No. Fix. Your. Infra.
I don't think anyone thinks we shouldn't be doing (a lot) more to fix our infra.
But if we do, is it even possible to fix enough to stop dedicate states as big as CCP or Russia?
I think we need more consequences to deter this type of behavior, it's a new type of attack.
And yes I'm sure the US is guilty too but we don't have the same type of state owned/sponsored corporations that we hand over hacked materials to copy nor do we support crypto-hacking and hostage taking.
> is it even possible to fix enough to stop dedicate states as big as CCP or Russia?
In effect yes, because this is an arbitrarily asymmetric environment. You can make them spend say $1Bn for every $1 you spend, if you actually put the work in. And they can't afford that.
The US President is just a man, the Russians could, in principle, shoot him in the head. But the US spends a lot of money to make that really hard, and so it isn't worth it and only random American nutjobs try. Most countries don't do that, it's certainly interesting how relatively few of their political leaders get shot in the head...
But that's the wrong mindset to have in this space, and it's how you get this outcome. The US focuses resources on protecting a few high value assets and so your opponent just seizes whatever low value assets they want and leverages those to achieve their goals. The right strategy is to jack up the baseline. That is, rather than spend more money protecting those you perceive as biggest targets, spend that money protecting everybody, including ordinary folks so that these broad attacks are too expensive to pursue.
Suppose you're an adversary today, somebody in your team figures out a way to target maybe 80% of California Department of Food & Agriculture employees for $1 each. You won't get the most senior people, or those most on the ball about security, but hey, 80% of all employees for $1 each is a bargain so of course you take that.
Now suppose the price goes up steeply due to a better approach to this problem from the US government, and they cost $1000 each. That sucks. Instead of just saying "Do it" on your own authority you need to go talk to management about budget. Nobody wants to authorise $2M for this speculative work that might not go anywhere. They authorise you to spend $100 000 identifying the best targets and attacking those instead. A month later you've identified twenty good targets at the CDFA and successfully breached twelve accounts instead of hundreds. This sucks.
Imagine if instead of $1000 it was $1M. Or $1Bn. At some point it gets escalated so that an aide is explaining to Putin that it's a choice whether to spend money on fixing the Kuznetsov or breaking into the accounts of some more US civil servants moaning about the coffee machine in their office on the hope that it helps somehow down the line. This is not a hard choice.
> I'm sure the US is guilty too but we don't have the same type of state owned/sponsored corporations that we hand over hacked materials to copy
This is startlingly naive. Of course the NSA can and goes obtain commercially sensitive information for US corporations like Boeing. Maybe the US counts as stupider for not insisting on a cut of the proceeds, who can say.
How can we make them spend $1bb for each $1 we spend? I think it's asymmetric in the opposite direction. We spend billions, it only takes one small genius to find a tiny crack.
Deploying cryptographic authentication where presently far too much relies on crap like "passwords", this is easily a billion-to-one factor
"I bet they used the same password" still has real traction for actual government employees in 2021 and there is no reason to leave such low-hanging fruit on the tree.
I’m tired of this assumption being treated as intellectually valid. Where is the proof? Maybe we did stuxnet, but that’s a far cry from solarwinds and other high profile incidents (OPM) that hurt innocent citizens. The US is better because we have more regard for ethics in our system than does a totalitarian or despotically ruled quasi-legitimate regime.
How many infinite free passes are tech companies going to get? Either stop using them altogether, or start passing some legislation mandating safety standards. Anyone who purveys these faulty products has no conscience or shame.
> While other districts were impacted to a lesser degree, the APT group gained access to the O365 email accounts of at least 80 percent of employees working in the U.S. Attorneys’ offices located in the Eastern, Northern, Southern, and Western Districts of New York.
Think about what is unique about these districts. What was going on between May and December that an “actor” or a downstream information consumer might want to know about?
It still works as a random fishing expedition as well though. There were certainly lots of legal strategy messages that would be very valuable to the subjects of investigations or ongoing cases. Some of those subjects may be initially ignorant they were even on the radar yet. Some of those would be very wealthy and willing to pay for the information.
If it were just the Southern district, sure. But Albany (Northern) and Buffalo (Western) are sleepy backwaters for random walks through prosecutor email. Who or what would a threat actor want to know about in Albany or Buffalo last year?
21 comments
[ 28.3 ms ] story [ 778 ms ] threadCOVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
COVID COVID COVID
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
covid covid covid covid covid covid
Never liked the term APT. It just makes the 'blame game' easier to commit, instead of focusing on the more important task of securing your country's infra. Now the US just screams: 'China up to no good again'. 'Oh those damn Russians and their cyber-attacks'. No. Fix. Your. Infra.
But if we do, is it even possible to fix enough to stop dedicate states as big as CCP or Russia?
I think we need more consequences to deter this type of behavior, it's a new type of attack.
And yes I'm sure the US is guilty too but we don't have the same type of state owned/sponsored corporations that we hand over hacked materials to copy nor do we support crypto-hacking and hostage taking.
In effect yes, because this is an arbitrarily asymmetric environment. You can make them spend say $1Bn for every $1 you spend, if you actually put the work in. And they can't afford that.
The US President is just a man, the Russians could, in principle, shoot him in the head. But the US spends a lot of money to make that really hard, and so it isn't worth it and only random American nutjobs try. Most countries don't do that, it's certainly interesting how relatively few of their political leaders get shot in the head...
But that's the wrong mindset to have in this space, and it's how you get this outcome. The US focuses resources on protecting a few high value assets and so your opponent just seizes whatever low value assets they want and leverages those to achieve their goals. The right strategy is to jack up the baseline. That is, rather than spend more money protecting those you perceive as biggest targets, spend that money protecting everybody, including ordinary folks so that these broad attacks are too expensive to pursue.
Suppose you're an adversary today, somebody in your team figures out a way to target maybe 80% of California Department of Food & Agriculture employees for $1 each. You won't get the most senior people, or those most on the ball about security, but hey, 80% of all employees for $1 each is a bargain so of course you take that.
Now suppose the price goes up steeply due to a better approach to this problem from the US government, and they cost $1000 each. That sucks. Instead of just saying "Do it" on your own authority you need to go talk to management about budget. Nobody wants to authorise $2M for this speculative work that might not go anywhere. They authorise you to spend $100 000 identifying the best targets and attacking those instead. A month later you've identified twenty good targets at the CDFA and successfully breached twelve accounts instead of hundreds. This sucks.
Imagine if instead of $1000 it was $1M. Or $1Bn. At some point it gets escalated so that an aide is explaining to Putin that it's a choice whether to spend money on fixing the Kuznetsov or breaking into the accounts of some more US civil servants moaning about the coffee machine in their office on the hope that it helps somehow down the line. This is not a hard choice.
> I'm sure the US is guilty too but we don't have the same type of state owned/sponsored corporations that we hand over hacked materials to copy
This is startlingly naive. Of course the NSA can and goes obtain commercially sensitive information for US corporations like Boeing. Maybe the US counts as stupider for not insisting on a cut of the proceeds, who can say.
Deploying cryptographic authentication where presently far too much relies on crap like "passwords", this is easily a billion-to-one factor
"I bet they used the same password" still has real traction for actual government employees in 2021 and there is no reason to leave such low-hanging fruit on the tree.
I’m tired of this assumption being treated as intellectually valid. Where is the proof? Maybe we did stuxnet, but that’s a far cry from solarwinds and other high profile incidents (OPM) that hurt innocent citizens. The US is better because we have more regard for ethics in our system than does a totalitarian or despotically ruled quasi-legitimate regime.
Can we make employees use Wireguard instead of a buggy Cisco implementation of OpenVPN?
Can we NOT put vital shit behind a webserver, and expect it to be A-OK?
If I do this crappy thing and there is no punishment associated with it AND I save 10% I am going to do it. It’s my obligation to the shareholders.
If I do this crappy thing and if I get caught it’s a business ending event it’s my obligation to the shareholders not to do it.
These are classified gov systems. We are lucky to get an acknowledgment that something even happened.
Think about what is unique about these districts. What was going on between May and December that an “actor” or a downstream information consumer might want to know about?
If it were just the Southern district, sure. But Albany (Northern) and Buffalo (Western) are sleepy backwaters for random walks through prosecutor email. Who or what would a threat actor want to know about in Albany or Buffalo last year?