FireEye Fallout Part 1: Tip of the Iceberg

Jonathan Ystad
OpenAVN
Dec 23, 2020

A Deep Dive Into 2020’s Most Dire Cyber Rabbit Hole


“Reports that say that something hasn’t happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns — the ones we don’t know we don’t know. And if one looks throughout the history of our country and other free countries, it is the latter category that tends to be the difficult ones.”

~ Donald Rumsfeld, 2002

This massive hack keeps getting curiouser and curiouser…

As 2020 draws to a close, we are still being deluged with surprises that just keep on giving: Last week, cybersecurity giant FireEye reported to the SEC that it had been hacked, likely by a foreign government. In a vacuum, a company such as FireEye getting hacked is, of course, massively damaging to their bottom line, as well as their reputation, client relations, and potentially, client data. But FireEye has been a trailblazer in the world of cybersecurity since its inception in 2004, so there was definite cause for concern regarding ripple effects, as a particular set of their own Red Team tools (read: zero-day exploits) was stolen by whoever hacked them. While FireEye was initially opaque about who might have hacked them, they referred their breach to the FBI, who suspect that the APT29 or Cozy Bear hacking team might be responsible.

Looks, bears, and hacks, can be deceiving.

This year, while our government and their partners were singularly focused on deterring foreign interference on our most consequential election in decades, hackers may have made a sinister sleight of hand with some of the most potent homegrown tools we have to detect and direct hacks of our own.

Thus, our cyber rabbit hole began to deepen, as the fallout from the FireEye hack has resonated within the cybersecurity community for all the worst reasons. There are hacks like the one you might remember from Equifax, which are indeed dire (mostly for consumers, and company bottom lines); there are hacks like what happened to the NSA in 2017, where Red Team tools [eerily similar to those stolen from FireEye] were stolen from a sloppily secured server; and then there are truly staggering hacks like the one we are just now beginning to grasp as we assess the fallout from FireEye’s situation.

Cover your butts accordingly.

It turns out that FireEye was just the tip of a very dark cyber-iceberg, as the means by which they were penetrated were what we in the industry refer to as a supply-chain attack. To understand the nature of a supply-chain attack, imagine a monster of a madman who wanted to ruin the reputation of Cap’n Crunch cereal in the sneakiest of ways. Said madman would not launch a public smear campaign against the buttery behemoth; rather, he’d mess with the grain or sugar — i.e. an ingredient — that goes into the final mouthwatering (and mouthscraping!) product. Thus, the tainted grain and sugar in our breakfast analogy are the means by which the Cap’n’s ship sinks, because the final buttery product can no longer be trusted.

Now that you’re an expert in supply-chain attacks, exactly how was the supply chain of FireEye spoiled? The likeliest culprit right now seems to be a little piece of software called SolarWinds Orion, which means, in true 2020 fashion, that this story takes several more unfortunate turns before we even begin to fully grasp the global implications of this hack.

SolarWinds also happens to be a major cybersecurity firm, and they specialize in software that allows system administrators to remotely peer into and take control of computers on company networks to solve otherwise routine problems. [If your company’s IT guy does not use a variant of SolarWinds software, they likely use TeamViewer, which serves roughly the same purpose.] There are, of course, other similar solutions, but those are the big guns for those who mean business.

Open one Cozy Bear and guess what…another Cozy Bear!

The central problem in this cyber-Gordian knot is that we are just now learning that SolarWinds’ Orion software itself was hacked as far back as 2019, and every update since then has contained malware that allowed foreign hackers to peer into every computer that Orion had issued those updates to since then. If over 400 of the Fortune 500 and dozens of critical US agencies did not have Orion installed, perhaps the alarm bells would not be ringing — but it’s 2020! Of course they were using Orion and are now compromised in myriad ways.
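As an added example (not code from the article, from FireEye or from SolarWinds), the Python sketch below models the “tainted ingredient” problem behind both the cereal analogy and the Orion update scenario above: a build host splices an implant into the product before the vendor signs it, so the customer’s signature check passes, and only an independent rebuild from the published source exposes the difference. The signing key, the build function and the source bytes are all constructed stand-ins (HMAC in place of a real code-signing key).

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's private signing key. A real vendor would
# use an asymmetric code-signing key; HMAC keeps this example dependency-free.
VENDOR_KEY = b"constructed-vendor-signing-key"
SAMPLE_SOURCE = b"constructed-product-source-v1"  # constructed "published source"


def build(source: bytes, implant: bytes = b"") -> bytes:
    """Deterministic (reproducible) build: the artifact depends only on the source.
    'implant' models a compromised build host splicing code in before signing."""
    return b"ARTIFACT:" + source + implant


def sign(artifact: bytes) -> str:
    """The vendor signs whatever the build pipeline handed it, tainted or not."""
    return hmac.new(VENDOR_KEY, artifact, hashlib.sha256).hexdigest()


def signature_ok(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign(artifact), signature)


def vendor_release(source: bytes, build_compromised: bool) -> tuple:
    """Publish (artifact, signature). The signature is valid either way."""
    implant = b"<implant>" if build_compromised else b""
    artifact = build(source, implant)
    return artifact, sign(artifact)


def customer_check(source: bytes, artifact: bytes, signature: str) -> dict:
    """What a defender can check on receipt:
    - signature: proves the vendor signed it, NOT that the ingredients were clean;
    - reproducibility: rebuild from the published source and compare digests."""
    sig = signature_ok(artifact, signature)
    expected = hashlib.sha256(build(source)).hexdigest()
    repro = hashlib.sha256(artifact).hexdigest() == expected
    return {"signature_ok": sig, "reproducible": repro, "trusted": sig and repro}


if __name__ == "__main__":
    for compromised in (False, True):
        art, sig = vendor_release(SAMPLE_SOURCE, compromised)
        label = "compromised build" if compromised else "clean build"
        print(label, customer_check(SAMPLE_SOURCE, art, sig))
```

The clean release passes both checks; the compromised release carries a perfectly valid vendor signature and is caught only by the reproducibility comparison, which is the point of the analogy: trusting the label on the box is not the same as trusting what went into it.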

Until now, Orion was the premier tool for organizations to remotely manage the health and security of individual computers, and as you can imagine, our government is scrambling (or shambling, depending on who you talk to) to assess and mitigate the mind-numbing amount of damage inflicted throughout their computers and networks. Signs point to everything from the Department of Homeland Security to the National Nuclear Security Agency being compromised, with new agencies being added to the list of organizations affected each day.

If you have been keeping score, you might remember and see the hubris in John Bolton having fired the National Security Council’s very own cybersecurity coordinator way back in 2018. With a new administration on its way in, however, we can take some comfort that they will take steps to restore and elevate the role of cybersecurity coordinator.

In the interim, SolarWinds’ stock has plummeted, but not before several key investors sold $286 million worth of shares — just days before all this news was made public, which raises the questions the SEC and others will ask: who knew what, and when?

As this thrilling, yet unnerving cyber-drama continues to unfold, we at OpenAVN want to keep you informed, as well as protected. While this is a developing story, we are already beginning to see the potential fallout of such a massive cyber attack, and, as an antivirus network ourselves, we know that it is our professional duty to stay ahead of this story. Likewise, we want to make sure that our users are equally well-equipped to deal with such nerve-wracking situations, which is why our products have been designed on a decentralized global network, to identify potential digital threats before they materialize on your system.

For continued updates, subscribe to OpenAVN’s blog right here on Medium, at medium.com/openavn. In addition to writing about breaking news, thought leadership, and deep-dives into cyber intel, we are also rolling out a new series beginning in 2021 called Threat-Intel Thursdays. Join us as we break down the different genera of digital threats in an easy, digestible, and (dare we say) fun way.

For more information on how OpenAVN can protect your system — from the home user to scalable enterprise solutions — contact me, OpenAVN’s Head of Product, right here.
