How the “SolarWinds” hack went down

Image Source: Republican Policy Committee, US Senate

Nearly every day in our digital lives, we see a multitude of apps on our phones or laptops get updated – innocuous maintenance updates that invariably include words to the effect of “This release addresses maintenance updates, stability improvements, and bug fixes.” It was one of these routine releases late last year that triggered one of the most damaging and wide-ranging hacks the US has ever seen, commonly known as the SolarWinds hack. It is named after the company of the same name, and was triggered by an update to their widely used Orion software, which helps companies and major technology operations in the US Government monitor network activity. Like a tiger lying in wait, the seemingly boring update triggered what many believe is one of the largest and most damaging hacks the US has ever seen. For many who analyze this sort of thing, the true impact will not be calculable for months, if not years.

In the months since it happened, NPR has been doing its research to learn more about how exactly it went down and where the checks and balances failed. As was reported when it happened, the brilliance and sophistication of the hack cannot be overstated.

Network monitoring software is a key part of the backroom operations we never see. Programs like Orion allow information technology departments to look on one screen and check their whole network: servers or firewalls, or that printer on the fifth floor that keeps going offline. By its very nature, it touches everything — which is why hacking it was genius…

The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can’t prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.

“The tradecraft was phenomenal,” said Adam Meyers, who led the cyber forensics team that pawed through that tainted update on behalf of SolarWinds, providing details for the first time about what they found. The code was elegant and innovative, he said, and then added, “This was the craziest f***ing thing I’d ever seen.”

Dina Temple-Raston, NPR

The first foundation blocks of the hack started in late 2019 when the hackers inserted a seemingly simple line of code into the software that would indicate to them if the server used a 32-bit or 64-bit processor. Once the hackers were able to see a response to that simple query, they knew they could wreak some havoc. And five months later, they set down further foundational blocks by inserting code that would inform them whenever there was an impending software update.

Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.

They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers’ malicious code told the machine to swap in their temporary file instead of the SolarWinds version. “I think a lot of people probably assume that it is the source code that’s been modified,” Meyers said, but instead the hackers used a kind of bait-and-switch.

But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.

Dina Temple-Raston, NPR
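The passage above describes a swap that happens after the pre-build audit but before the artifact is signed and shipped: the inputs looked clean when they were checked, and were changed while the compiler was running. One cheap defensive check that targets exactly that window is to fingerprint every input file when the build starts, fingerprint them again when it finishes, and refuse to release the artifact if anything in the input tree changed in between. The following is an added illustration written for this post; it is not SolarWinds’, NPR’s or the investigators’ code. The build step is a stand-in that concatenates source files, the file names and contents are constructed, and the “compromised” builder only simulates a file being replaced mid-build so the detector has something to catch.

```python
"""Detect inputs that change during the build window (added example)."""
import hashlib
import tempfile
from pathlib import Path
from typing import Callable, Dict, Set, Tuple


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large sources are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Set[str]:
    """Relative paths that were added, removed or modified between snapshots."""
    return {
        path
        for path in set(before) | set(after)
        if before.get(path) != after.get(path)
    }


def guarded_build(src: Path, build: Callable[[Path], bytes]) -> Tuple[bytes, str, Set[str]]:
    """Run build(src) bracketed by two input snapshots.

    Returns (artifact, artifact_sha256, changed_inputs). An empty
    changed_inputs set means the input tree was identical before and after
    the build; anything else means the inputs were touched while the build
    ran, and the artifact must not be released.
    """
    before = snapshot_tree(src)
    artifact = build(src)
    after = snapshot_tree(src)
    return artifact, hashlib.sha256(artifact).hexdigest(), diff_snapshots(before, after)


def honest_build(src: Path) -> bytes:
    """Stand-in compiler: concatenate the .c files in a fixed order."""
    return b"".join(p.read_bytes() for p in sorted(src.rglob("*.c")))


def tampering_build(src: Path) -> bytes:
    """Constructed stand-in for a compromised build host: one input file is
    overwritten while the build is in progress, then compiled as normal."""
    first = sorted(src.rglob("*.c"))[0]
    first.write_bytes(b"/* contents replaced during build (constructed) */\n")
    return honest_build(src)


def run_demo(builder: Callable[[Path], bytes]) -> Set[str]:
    """Build a tiny constructed source tree and return the changed-input set."""
    with tempfile.TemporaryDirectory() as d:
        src = Path(d)
        (src / "main.c").write_text("int main(void) { return 0; }\n")
        (src / "net.c").write_text("void poll_network(void) {}\n")
        _artifact, _digest, changed = guarded_build(src, builder)
        return changed


if __name__ == "__main__":
    print("honest build, changed inputs:", run_demo(honest_build))
    print("tampered build, changed inputs:", run_demo(tampering_build))
```

The before/after snapshot only catches changes to files that sit on disk under the source tree; a complementary check, which this example does not implement, is to build the same inputs on two independently administered hosts and compare the artifact hashes, so that a compiler or build tool tampered with on one host shows up as a mismatch.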

Similar to the situation in the days and weeks leading up to the 9/11 attacks, there were small signals and flags picked up by random people in random places, but none of those pieces were put together to show that something nefarious was going on. It was only after a network administrator at FireEye discovered that there was a listing for two phones for a single employee that they realized there was a hacker within their network.

Another reason why this hack was such a ‘work of art’ was that all the normal trackers look for ‘normal techniques’, which usually account for 90 to 95% of all attacks. This one was so unique and so stealthy that it completely bypassed all normal checks.

Like other catastrophic failures of all shapes and sizes, this hack had its warning signs. There was just no one there looking at the big picture that could have put these pieces together to see what may be happening just beneath the surface. The NPR article is a really great read, and probably worth a second read, just to really grasp the level of sophistication some of these nefarious hacking organizations have.

Confirmed Russian Collusion

In case this was overlooked with all the other news that is out there these days, a press release from the US Treasury Department confirmed what most thought was true but had not been confirmed by the Mueller Report or the bipartisan Senate Intelligence Committee: what actually happened after Paul Manafort provided Konstantin Kilimnik with the polling data and campaign strategy back in 2016? Yup, Kilimnik passed it on to the Russian intelligence services (aka the “new” KGB), and it likely made its way to Putin himself. From the always excellent Letters From An American Substack:

We also knew from the Senate Intelligence Report that Manafort had provided Kilimnik with secret polling data from the Trump campaign in 2016—his business partner and campaign deputy Rick Gates testified to that—but the committee did not have evidence about what Kilimnik had done with that data.

Today’s Treasury document provides that information. It says: “During the 2016 U.S. presidential election campaign, Kilimnik provided the Russian Intelligence Services with sensitive information on polling and campaign strategy.”

It is hard to overestimate the significance of this statement. It says that Trump’s 2016 campaign manager, Paul Manafort, provided secret polling data and information about campaign strategy to a Russian intelligence officer, who shared it with Russian intelligence. Russian intelligence, as we also know from both the Mueller Report and the Senate Intelligence Committee report, both hacked emails of the Democratic National Committee and the Clinton campaign, and targeted U.S. social media to swing the 2016 election against Democrat Hillary Clinton and to Donald Trump.

By itself, the statement that the Trump campaign worked with Russian intelligence is earthshaking. But aside from the information about the exchange of this particular kind of intelligence in 2016, this statement also indicates that the Trump campaign itself was not simply operating in happy if unintentional tandem with Russian intelligence – which was as far as the Mueller Report was willing to go – but in fact had an open channel with Russian operatives. That’s a game-changer in terms of how we understand 2016 and, perhaps, the years that have followed it.

Heather Cox Richardson

Just so we’re clear, 70 million US citizens voted to re-elect a US President who worked directly with the Russians to ‘win’ the 2016 election, got impeached twice, incited an insurrection on the US Capitol on January 6, 2021, and botched the country’s response to the COVID-19 pandemic to the tune of 500,000+ dead US American citizens. Amongst other things.

Abandoned Soviet-era copycat Space Shuttles

Two Russian, Soviet-era space shuttles abandoned in Kazakhstan. via CNN

Back in the 1980s and early 1990s, with the US and Russia locked in the depths of the “Cold War”, the US took a major step ahead of Russia in the ‘space race’ by launching the inaugural Space Shuttle mission. Russia felt the need to compete with the US and develop their own version of the Space Shuttle, which they did with great similarity.

A few years ago, some photographers from Europe managed to sneak into an abandoned hangar in Kazakhstan (neither was named Borat), not far from the active Russian launch pads still in use today, where these two old Russian shuttles still sit.

It was the Soviet response to the space shuttle, designed to take the Cold War into space. But after just one flight, it was mothballed. Now, the ruins of what was called the Buran program are left to rust in the steppe of Kazakhstan.

Two shuttles and a rocket lie in disused hangars, not far from the launchpad of that first flight, at the Baikonur Cosmodrome. It’s an active spaceport about 1,500 miles southeast of Moscow, still used today to send and retrieve astronauts from the International Space Station.

The site is not open to the public, but a few adventurers have mustered the courage to sneak in and take a look. Among them is French photographer David de Rueda, who visited the site three times between 2015 and 2017: “The space shuttles are only a few hundred meters from active facilities. Getting there was an epic adventure, we didn’t know if we would make it because the Kazakh steppe is a hostile environment. But it was entirely worth it. This place is unreal,” he said in an email interview.

CNN

These shuttles, called Buran (Russian for ‘blizzard’), only went on one flight, in 1988, a year before Communism and the Cold War fell along with the Berlin Wall. As the world changed, the Russian money used to fund this experiment dried up and there were never any further flights.

The photos in this article are spectacular and you have to think that the sheer thrill that the photographers had in sneaking into these hangars must have been off the charts.

Like A Poker Player Drawing to an Inside Straight

From Vanity Fair’s Scott Turow

Robert Mueller, presumably, still doesn’t know what a truthful Manafort would have to say, but Trump does. If Manafort is, in fact, playing for a pardon, a route that even disgraced former N.S.A. chief Michael Flynn, whom Trump steadily defended, didn’t take, it would speak volumes about how damaging Manafort’s testimony could be to Trump or to those close to him, such as his son, Donald Trump Jr., and his son-in-law, Jared Kushner. If Manafort’s truthful testimony was simply going to absolve all of them of conspiring with the Russians, he could have made a deal long ago. Such testimony would have been as likely to earn an eventual pardon, once the smoke cleared. Manafort’s problem, then, seems to be that Mueller may already have evidence of collusion that threatens to endanger him, his former colleagues on the campaign, and possibly Trump himself.

Turow’s article does an amazing job of laying out how deftly “Bobby Three Sticks” is playing this and how Manafort’s already limited options are rapidly dwindling to nothing. Even if Manafort holds out in the hope of getting a pardon from 45, Mueller can still bring him in front of a grand jury, because in that scenario Manafort would have to talk: he would lose his Fifth Amendment right to silence, since he would face no risk of prosecution based on his testimony. But if he lies in that scenario, he could still face the music. If 45 fired Mueller, Washington would explode, not to mention the electorate, and impeachment hearings would start faster than you could say “kompromat”.