How Hackers Outsmarted SolarWinds and Steve Harvey’s Funderdome
“Slice open the city and you’ll find a dozen burglars tucked up inside, like some strange new diorama at the natural history museum. Attics, basements, walls, closets, and crawl spaces; alleys, parks, sewers, streets, and backyards: all of these margins and peripheries, subsidiary rooms and edge-spaces, are put to brilliantly unexpected use by people intent on stealing things.”
In the book A Burglar’s Guide to the City, researcher Geoff Manaugh peels back the layers on a metropolis, exposing the vulnerabilities exploited by expert criminals. While we law abiders are nearly blind to a poorly placed window or view a signpost as a purveyor of information and not an opportunely placed ladder, crooks are constantly scouting for tiny oversights that’ll lead to a big score.
On the internet, a bustling bazaar of both kookily dancing teenagers and 2,500+ Harvard and MIT courses, cyber-swindlers have wormed their way into the digital nooks and crannies. Like a city, the web is also a cross-section of prowlers hidden in the corners of leaky APIs, outdated and unpatched operating systems, and sometimes in the ear of a hapless employee.
Not every burglary involves lasering through a windowpane. Just as 34% of burglars stroll right through your unlocked front door, most cybersecurity crimes happen due to basic human error: we just get outsmarted.
In the SolarWinds hack, evildoers stealthily accompanied an already-welcomed guest: a software patch for an IT administration platform. Sometimes, all it takes is one backdoor, and bad actors can easily weave and worm their way into other connected systems, just like the Baltimore “Drywall Burglar” that slunk through an entire city block of homes by cutting a pathway through the drywall of dozens of residences.
These days, through the tightly interwoven web, you don’t need to break into 18,000 doors to get to 18,000 victims—you only need one.
The interconnectedness of the web: a pro or con for cybersecurity?
Like the “Drywall Burglar,” the SolarWinds hack found one vulnerability and kept cutting through neighboring walls until they found the jackpot. The hack was discovered by a company called FireEye, much further downstream from the initial hack. Unknowingly, SolarWinds pushed an infected software patch to one of their products, Orion, an IT management tool used by FireEye and countless others. By nestling themselves in an aging technology—FTP—SolarWinds hackers were able to worm their way down the lunch line, snaking their way into 18,000 entities, including Fortune 500 companies and the federal government. You can hear more about their nitty-gritty strategy in this podcast episode, The SolarWinds Hack: What Happened?
Another way hackers are finding vulnerabilities is through leaky cloud-based APIs. Using online keyfobs known as an application programming interface, or an API, websites and apps actively exchange information with one another to verify identities (like ‘Log in with Facebook’), show us the location of a new restaurant on Google Maps, or permit us to pay via PayPal. If you’re not interested in building your own network of meteorology satellites or sending your own statistician to every baseball game to tabulate hits and strikes, you can license weather forecasts or box scores from a company already doing the heavy lifting.
While APIs make it very easy for businesses to leverage each other’s expertise, unmonitored APIs can prove risky. They’re how cybercriminals cracked into T-Mobile systems to access the private data of over 2 million customers in 2018—through an API powering an undisclosed feature on their website.
Some large-scale hacks, like the 2018 roust of Twitter accounts, don’t even require walls of arcane Matrix-like code: they go down because a charmer was able to convince someone to send them login information during a particularly disarming phone call. They call it social engineering: a malicious art of manipulating people to give up confidential information like usernames and passwords.
You might receive an email from a hacker disguised as your close friend, goading you to click a link or download a funny picture or video. In other instances, the lottery announces you are the winner of big money—all you need to do is prove your identity by typing in your social security number.
“After 30 years in IT security, I believe it will be easier to secure the cloud than the last 30 years of us trying to secure everybody’s home offices and secure inside four different walls all over the place.”
– Kevin Mandia, CEO of FireEye
It seems like all it takes to avoid bad actors is to keep up with the Joneses: working to keep the lights on for obsolete software is egregiously expensive and time-consuming, costing even the U.S. government $80 billion per year. It’s through these systems running Windows 3.1, 60-year-old programming languages like COBOL, and eight-inch floppy disks that criminals are able to find a sneaky way in.
A portion of IT budgets go towards combating both social engineering and vulnerability exploits through white hat hackers. White hat hackers, like prison academic Sylvester Stallone’s character in the underrated 2013 film Escape Plan, try to exploit systematic vulnerabilities not to steal or prove themselves as agents of anarchy, but to help the good guys patch things up before the real bad guys can make their move. Considering that hackers have shown they can access the power grid and interfere with your monthly delivery of Tide Pods, companies are paying big bounties to white hat hackers who can chase down vulnerabilities in their system.
Cloud-based computing is one way to solve the problem of aging architecture. While skeptics bemoan the cloud’s increased level of computing interconnectedness, in many cases, it’s better to share defenses than splinter them. Instead of everybody using their own slap-shod security system, everyone will have access to best-of-the-best cloud security. Every company won’t have to hire their own independent experts, and even companies with less of a core business focus on security can be locked down by the high standards of a powerful cloud infrastructure.
What do these guys want, anyway?
Unlike most breaches you don’t hear about until years later, FireEye didn’t back out of the spotlight. They immediately announced their findings and vowed to chase down the source of the intrusion. Their findings served as a playbook for any other companies who the hackers targeted. Turns out that the bad guys were hunting down very specific information: technologies and tools that the good guys were using to outsmart them.
“I think there’s an aspect of this that you’d almost put in the context of counter-intelligence. They focus on red team tools, so that they know how to withstand attacks. They look for what a company like Microsoft might know about them, so that they’re able to try to circumvent what we’re doing in the future. And that’s true for other tech companies as well.”
– Brad Smith, President of Microsoft
In the SolarWinds hack, hackers not only burrowed their way through the walls of 18,000 companies and government agencies, but they stole intel into how these entities were protecting their digital domains so they’d be able to breach even bigger, more lucrative targets on their next attack.
In the Emmy nominated series Mr. Robot, Elliot Alderson initiated several attacks by dropping “win a free gift card” fobs in opportune locations or sourcing a street DJ with malware-infected mixtapes to sell to unsuspecting executives. A series of small intrusions eventually leads to the takedown of the world financial system. Hatching an evil plan is often a stepping stone process—one take at a time.
Check out some of the worst case scenarios lawmakers and business leaders are preparing for at our podcast, The SolarWinds Hack: Worst Case Scenarios.
The NotPetya hack in Ukraine is another infamous story of cybercriminals tagging along with a software update. The virus also started out as a malware-infected software patch from Ukraine’s popular accounting software, MeDoc.
From there, it went on a wild ride, collecting credentials to break into more systems along the way, eventually taking down TV broadcasts, the postal service, gas stations, Kyiv’s Boryspil International Airport, and most frightening—the radiation monitoring equipment at Chernobyl.
Not all hackers are interested in causing havoc or toppling regimes: some just want a bit of ransom, or else they’ll leak an unreleased episode of Steve Harvey’s Funderdome. In 2016, hackers perused the web for companies running older systems of Windows and stumbled across the golden toilet: a Los Angeles-based production company using Windows 7. The Dark Overlord, as the team of cyber bad guys called themselves, demanded various ransom payments before releasing almost the entire fifth season of Orange is the New Black.
The larger concern with the SolarWinds attack is that we have yet to fully discover the hackers’ full intentions.
With the trove of information they were able to uncover—some have speculated that Russia’s quickness to market with a COVID-19 vaccine was thanks to hacked intelligence—it might be decades before they play their full hand. If you dare, you can dive into every system shutdown by the NotPeyta attack in our podcast episode, The Hack that Stopped a Country.
These hackers don’t just bang down the door to smash and grab whatever’s in their line of sight. They linger and languish, surveying your defenses, deactivating security systems over time. Like Clive Owen’s crooked character in Inside Man, cyber burglars wait in the walls between strikes, hoarding their bounty until it’s safe to use it.
