Dozens hit with one hack

BOSTON (AP) – The SolarWinds hacking campaign blamed on Russian spies, and the “grave threat” it poses to US national security, are widely known. A different – and less alarming – series of intrusions discovered in December has received much less public attention.

Highly skilled criminal hackers believed to be working out of Eastern Europe hit dozens of companies and government agencies on at least four continents by breaking into one product they were all using.

Victims include New Zealand’s central bank, Harvard Business School, Australia’s securities regulator, the high-powered US law firm Jones Day – whose clients include former President Donald Trump – the rail freight company CSX and the Kroger supermarket and pharmacy chain. The Washington state inspector’s office was also hit, where the personal data of up to 1.3 million people collected for an investigation into unemployment fraud was exposed.

The two-stage mega-hack in December and January of a popular file transfer program from Silicon Valley company Accellion highlights a threat that security experts fear will get out of hand: intrusions by criminal and state-backed hackers into software supply chains and third-party services.

The list of victims keeps growing, with many being extorted by the Russian-speaking cybercriminal group Clop, which threat researchers say could have bought pilfered data from the hackers. Their threat: Pay up or we share your sensitive data online, whether it’s proprietary documents from Canadian aircraft maker Bombardier or a lawyer’s communications from Jones Day.

The hack of up to 100 Accellion customers, who were easily identified by the hackers with an online scan, throws into painful relief a basic digital-age mission at which both government and the private sector are falling short.

“Attackers are finding it harder and harder to access through traditional means, as vendors such as Microsoft and Apple have hardened the security of operating systems over recent years. So the attackers find easier ways to get in. This often means going through the supply chain. And as we’ve seen, it works,” said Mikko Hypponen, chief research officer at cybersecurity company F-Secure.

Members of Congress are already embarrassed by the supply chain hack of the Texas network management software company SolarWinds, which allowed suspected Russian state spies to tiptoe unnoticed – apparently intent solely on information gathering – for more than half a year through the networks of at least nine government agencies and more than 100 companies and think tanks. The SolarWinds hacking campaign was only discovered in December, by cybersecurity company FireEye.

France has suffered a similar hack, which its cybersecurity agency blamed on Russian military personnel, who also went through the supply chain. They slipped malware into an update of network management software from a company called Centreon, allowing them to quietly root around victim networks from 2017 to 2020.

Both hacks snuck malware into software updates. The Accellion hack differed in one major respect: Its file transfer program resided on victim networks either as a standalone device or as a cloud-based app. Its job is to securely move around files too large to be attached to an email.

Mike Hamilton, a former Seattle chief information security officer now with CI Security, said the trend of exploiting third-party service providers shows no sign of slowing down because it provides the highest return on investment for criminals if they “want to decide on a broad oath of companies or government agencies.”

The impact of the Accellion breach could have been reduced if the company had contacted customers more quickly, some complain.

New Zealand central bank governor Adrian Orr says Accellion failed to warn him after first learning in mid-December that the nearly 20-year-old FTA product – which uses obsolete technology and was ready to be retired – had been breached.

Despite a patch being available on Dec. 20, Accellion did not contact the bank in time to prevent its machine from being broken into five days later, the bank said.

“If we had known at the appropriate time, we could have bypassed the system and avoided the breach,” Orr said in a statement posted on the bank’s website. The stolen information included files containing personal emails, dates of birth and credit information, the bank said.

Similarly, the Washington state inspector’s office does not have a record of receiving information about the breach until Jan. 12, the same day Accellion publicly announced it, spokeswoman Kathleen Cooper said. Accellion said then that it released a patch to the fewer than 50 affected customers within 72 hours of learning of the breach.

Accellion is now telling a different story. It says it warned the 320 potentially affected customers with several emails starting Dec. 22 – and that it followed up with emails and phone calls. Company spokesman Rob Dougherty would not directly address the complaints of New Zealand’s central bank and the Washington state inspector. Accellion says it appears that fewer than 25 customers have been victims of significant data theft.

A timeline released March 1 by cybersecurity company Mandiant, which Accellion hired to investigate the incident, says the company received the first word of the breach on Dec. 16. A person familiar with the Washington state investigation says its hack happened on Christmas.

The timing of notifications is a very serious matter. Washington state has already been hit by a lawsuit, and several lawsuits seeking class-action status have been filed against Accellion. Other parties may also be impacted legally or otherwise.

Last month, Harvard Business School officials emailed students to tell them that some Social Security numbers were compromised in addition to other personal information. Another victim, Singapore-based telecommunications company Singtel, said personal data about 129,000 customers were put at risk.

Too often, software companies have just one or two security people with hundreds of programmers, said Katie Moussouris, CEO of Luta Security.

“We would like to say that organizations were investing money in security. But we see them just dealing with the breaks and then voting to do better in the future. And that has become a business model.”

Dougherty, an Accellion spokesman, said “the attacks had nothing to do with staff,” but did not say how many people were assigned directly to security at the company in mid-December.

Cybersecurity threat analysts are hoping the snowballing of supply chain hacks will push the software industry into prioritizing security. Otherwise, vendors risk the fate that has befallen SolarWinds.

In a filing last week with the Securities and Exchange Commission, the company offered a gloomy view.

It said that as supply chain hacks “continue to change at a rapid pace” “they may not be able to identify conventional attacks, anticipate future attacks or implement appropriate security measures.”

The final, sad result, the document added:

“Future customers may and may not delay the purchase or opt-out or cancel or renew their agreements or memberships.”

—-

Associated Press reporter Rachel La Corte in Olympia, Washington, contributed to this report.
