Injecting a Backdoor into SolarWinds Orion

Crowdstrike is reporting on a sophisticated piece of malware that was able to inject malware into the SolarWinds build process:

Key Points

  • SUNSPOT is StellarParticle’s malware used to insert the SUNBURST backdoor into software builds of the SolarWinds Orion IT management product.
  • SUNSPOT monitors running processes for those involved in compilation of the Orion product and replaces one of the source files to include the SUNBURST backdoor code.
  • Several safeguards were added to SUNSPOT to avoid the Orion builds from failing, potentially alerting developers to the adversary’s presence.

Analysis of a SolarWinds software build server provided insights into how the process was hijacked by StellarParticle in order to insert SUNBURST into the update packages. The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers.

This, of course, reminds many of us of Ken Thompson’s thought experiment from his 1984 Turing Award lecture, “Reflections on Trusting Trust.” In that talk, he suggested that a malicious C compiler might add a backdoor into programs it compiles.

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.

That’s all still true today.

Tags: , ,

Posted on January 19, 2021 at 6:16 AM21 Comments

Comments

Winter January 19, 2021 6:55 AM

Although Ken Thompson’s “Reflections on Trusting Trust” is well known, the solution by David A Wheeler (in his PhD thesis) is not so well known:

Fully Countering Trusting Trust through Diverse Double-Compiling (DDC) – Countering Trojan Horse attacks on Compilers

An Air Force evaluation of Multics, and Ken Thompson’s Turing award lecture (“Reflections on Trusting Trust”), showed that compilers can be subverted to insert malicious Trojan horses into critical software, including themselves. If this “trusting trust” attack goes undetected, even complete analysis of a system’s source code will not find the malicious code that is running. Previously-known countermeasures have been grossly inadequate. If this attack cannot be countered, attackers can quietly subvert entire classes of computer systems, gaining complete control over financial, infrastructure, military, and/or business system infrastructures worldwide. This dissertation’s thesis is that the trusting trust attack can be detected and effectively countered using the “Diverse Double-Compiling” (DDC) technique, as demonstrated by (1) a formal proof that DDC can determine if source code and generated executable code correspond, (2) a demonstration of DDC with four compilers (a small C compiler, a small Lisp compiler, a small maliciously corrupted Lisp compiler, and a large industrial-strength C compiler, GCC), and (3) a description of approaches for applying DDC in various real-world scenarios. In the DDC technique, source code is compiled twice: once with a second (trusted) compiler (using the source code of the compiler’s parent), and then the compiler source code is compiled using the result of the first compilation. If the result is bit-for-bit identical with the untrusted executable, then the source code accurately represents the executable.

https://dwheeler.com/trusting-trust/

Dael January 19, 2021 8:47 AM

“You can’t trust code that you did not totally create yourself”

… or the simpler 1980’s version:

“If you run somebody else’s software on your computer– it’s no longer your computer”

Clive Robinson January 19, 2021 10:21 AM

@ Winter,

The problem with the David Wheeler solution is it still requires “a trusted component” in the system.

Thus how do you establish trust when there is nothing you can use as a “root of trust” in the system?

Or let me put it another way, you’ve used all sorts of mathmatics and logic to work your way down to the CPU ISA level and it’s all 100%. Is it trustworthy? Heck NO the CPU microcode or RTL could be backdoored.

So OK you are a Level III or state level organisation and you design your own CPU logic RTL and microcode and that’s all 100%. Is it trustworthy? Heck NO the fab plant may be perverting the design.

So you are a more technological level III player and you have your own fab and that’s all 100%. Is it trustworthy? Heck NO what about the MMU…

And so on down the computing stack. Eventually you end up at the capacitors in the DRAM are they trustworthy? Heck NO as RowHammer shows.

The fact is the lower down the computing stack the attack takes place the more devistating it is, because every layer above assumes the layers below it are trustworthy in their proofs of trust…

Such attacks are like the bubbles in a glass of Champagne a very very tiny flaw (nucleation site) causes an invisibly small buble of gas to form in the liquid, as it rises the bubbles effect causes more gas to be added the bubble not only gets larger, it rises faster as well eventually causing great deistirbance at the top.

Thus the ability to flip just one bit in memory can remove all security protections as it rises through the stack, hence it’s a “Bubbling Up attack” and there is little or nothing the upper layers csn do to either detect it or stop it due to the way we currentlyvdesign our computer systems.

The other thing RowHammer demonstrates is a “Reach Around attack”. If computer systems were properly designed “thrashing memmory” at the untrusted user level would not alow the flipping of a bit in a secure area of memory thus effectively alowing the untrusted user to turn system and kernel level security off.

But it’s not just RowHammer, there are a whole heap of CPU design faults that are quite deliberately designed in to get improved CPU bench marks. They made a big noise a few years ago but variations and similar are still being found. That was “the Xmas gift that kept giving”…

@ ALL,

So understanding top down security is guarenteed to fail if trust in the full computing stack can not be fully established, which it can not… Where do you think we should go?

Mayra January 19, 2021 10:41 AM

In that talk, he suggested that a malicious C compiler might add a backdoor into programs it compiles.

The paper makes no claims of malice, and suggests Thompson was doing this for fun (“I would like to present to you the cutest
program I ever wrote.” … “before video games, we would amuse our-
selves by posing programming exercises.”). Similarly, the Solarwinds hack seems more likely to have been motivated by patriotism than malice, just as most of the NSA’s offensive operations probably are.

We should stop talking about these things in terms of malice. Apart from being a misstatement of motivation, the motivation isn’t all that relevant to defense anyway. Even if it’s just the NSA breaking into my computer to see how my software works, to help national security, it exposes flaws in my personal security that could be used by an actual malicous person.

(Nevermind that malice requires sapience, and we’re therefore a long way from creating a truly malicious C compiler.)

MikeA January 19, 2021 10:42 AM

@Winter — DDC relies on the source code under examination being written in a standard-complying language. Extant code that relies on vendor-specific extensions (some of which are treated as errors by standard-complying compilers) could be an issue.

Winter January 19, 2021 10:59 AM

@Clive
“Heck NO the CPU microcode or RTL could be backdoored.”

You cannot solve all problems in one go. If you use technology, you need some trust. Without trust or technology, you die.

@MikeA
“Extant code that relies on vendor-specific extensions”

Then you have to write your own compilers written in standards compliant language. Not Wheeler’s or Thompson’s problem.

David Leppik January 19, 2021 1:44 PM

@Impossibly Stupid:

Having a monoculture also means you’re more likely to have people with deep understanding of that one environment. Also, it’s really hard to design a robust system without a single point of failure. Having more OSes means an exploit in any one of them could be used.

Every system that uses compilers has the potential to be exploited with this sort of attack; the OS may provide specific entry points, but even that isn’t necessary. Any Continuous Integration toolchain is littered with passwords and authenticated components above the OS level, from the database to the various CI & CD servers.

As much as I like Linux/Unix, there isn’t a single component of the exploit that they describe that actually depends on any particular OS. It’s all about moving around source files and exploiting long-running build daemons. This would be just as easy to do in platform-independent Java/Scala/Kotlin/Gradle or Swift. (Rust, Python, and JavaScript don’t have build daemons, but I wouldn’t assume those are safer.)

JonKnowsNothing January 19, 2021 2:14 PM

@Impossibly Stupid @All

re: Monocultures

There are very few options for end-user systems. Windows won because Linux-etc was last to the game of GUI integration which is what permitted the non-cognoscenti to use them.

There are still a lot of programmers very happy to show you their complete mastery of piping by writing a multi-line instruction on the command prompt.

The other aspect is that for a good number of businesses their options are few or none. The Market Place does not tolerate N+2 Losers, the choice of systems becomes less over time. Global Market economics generally means winner takes all or nearly all.

Adding to the restrictions are that some businesses need or require “Officially Authorized” systems. They are not allowed to buy from just anywhere or anyone. Government procurement lists are restricted buying lists. Non-Government groups have similar restrictions. Universities in the USA often have a “designated” computer provider for students: Your choice of 1, kickbacks from sales go to the University and Bookstore Operator (often having a double tie back to the University in order to maintain the bookstore monopoly).

If monoculture is a problem, then consider what happens when that is challenged.

HUAWEI we go… or not.

ht tps://en.wikipedia.org/wiki/Huawei
(url fractured to prevent autorun)

Clive Robinson January 19, 2021 3:48 PM

@ Winter,

You cannot solve all problems in one go. If you use technology, you need some trust. Without trust or technology, you die.

In security the weakist link rule applies therefore if you don’t pull all the weak links you have no security, just a pretty desktop with unknown invaders running around behind it.

I’ve shown that you can have no trust in current technology, especially if you are daft enough to try doing it from the top of the computing stack down.

So where do you go?

Oh and by the way you can live quite successfully without trust and most certainly without technology… How do you think your ancestors survived without either?

Impossibly Stupid January 19, 2021 7:00 PM

@ David Leppik

Having more OSes means an exploit in any one of them could be used.

GOOD. That’s entirely my point! You don’t trust individual systems unless they can reach consensus. If one of them get exploited, you find out immediately, rather than waiting for months/weeks/years to go by before someone stumbles across it.

As much as I like Linux/Unix, there isn’t a single component of the exploit that they describe that actually depends on any particular OS.

And yet Windows almost always seems to be the one that has its vulnerabilities exploited so effectively. Regardless, you can’t do proper verification/validation based on a single measurement.

SpaceLifeForm January 19, 2021 9:34 PM

Hmmm. Double encryption with different algorithms.

Where have I seen that before? How did that work out?

hx tps://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

The malware will then perform the following actions:

  • Extract the encoded payload. This involves simply copying data from pre-determined locations that happen to correspond to immediate values of the relevant machine instructions.
  • Decrypt the extracted payload. This uses the AES algorithm in CBC mode.
  • Decompress the decrypted payload. This uses the LZMA algorithm.
  • Decrypt the decompressed payload. This is simple XOR with byte key and as such does not impact compression ratio.
  • Execute the decrypted payload as shellcode.

SpaceLifeForm January 19, 2021 9:47 PM

Large grain of NaCl recommended.

hxt ps://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/

Winter January 20, 2021 12:29 AM

@Clive
“How do you think your ancestors survived without either?”

They survived for a short time and there were only few of them.

Humans have depended on fire from before they were Homo sapiens, and on tools even longer. The aboriginals of Tasmania lost most technology and even the use of fire. There were only ~5000 of them left.

There is no human life without trust. Never has been. You trust your relatives and your neighbors because you need them, and they need you.

Modern life has been possible because our ancestors were able to set up a web of trust with people we do not know. A country where this web of trust is ripped apart collapses. See the USA.

For the interested reader, I recommend Trust: The Social Virtues and the Creation of Prosperity By Francis Fukuyama and all the criticism and follow up publications.

https://www.foreignaffairs.com/reviews/capsule-review/1996-03-01/trust-social-virtues-and-creation-prosperity

Clive Robinson January 20, 2021 12:48 AM

@ SpaceLifeForm,

Hmmm. Double encryption with different algorithms.

Double encryption, depending on how far you go back ment different things. But the important thing to note was that each encryption was actually doing rather more than just encryption.

Prior to WWII it usually ment a message that was first “coded”[1] from a secret code book not unlike a translation dictionary which did things like compress entire frequently used phrases and words into five unit number groups whilst codes were seen as the “aristocrats” of crypto systems they had their faults re-use being the big one. To solve these faults the “coded” message was then “superencrypted” with a daily or hourly “cipher”[1].

During and after WWII when machine ciphers became the norm and code books were nolonger used as much, Double encryption was used to provide message protection at both internal and external organisational levels. Most normally seen in larger entities such as large military groups[2] and Diplomatic Corp “traffic hubs” where you had messages relayed through several nodes to get it around the world. You thus had “message specific ciphers” and traffic “link specific ciphers”. Often message specific encryption used an encryption level appropriate to those handling the message beyond the “traffic crypto-cell” such as an ordinary field machine cipher or sometimes a one time pad, thus a betrayal or poor operating practice effected only that part of the organisation within the organisation. Link specific ciphers were for traffic links carrying messages from multiple parts of the organisation. The link specific cipher machines were not just “traffic concentrators” they served other purposes including reducing the effectiveness of traffic analysis. So the actual broadcast was of a long fixed duration of continuous encryption even if 99% of it was just dummy/fill traffic.

But we see that the inner encryption of this attack on SolarWinds is,

“This is simple XOR with byte key and as such does not impact compression ratio.”

It’s realy a very simple substitution cipher so much so it’s realy only “whitening”[1] so not realy “Double encryption” so why do they do it?

My guess is that it’s to just make the life of an analyst harder. It’s not said but I suspect a chunk of this code is very short lived and gets overwritten fairly rapidly. Until it’s been de-whitened ordanary analytic tools like IDA Pro etc would see it not as “executable code” but “data”.

However there may be other reasons and it could just be a hangover from much earlier work in the past on the “old habits die hard” principle. One such might be to allow for “easy morphing” to slip by AV detectors looking for signiture strings.

If it is an artifact of “old habits” then potentially the developers who ever they are have “left a tell” in their code. But equally it could be a “false flag” deliberately added to mislead many who use such things for what is too simplistic attribution…

Ahh the joys of the smoke and mirrors in the “Great Game”.

[1] These days few people get to know about “codes” and “ciphers” as seperate entities and what strengths and weaknesses the respectively brought to the crypto security party. In essence “codes” are simple substitution algorithms that work at the “language level” of a message. Thus work on “language statistics” that is frequently used phrases or terms could be replaced with just a single five number code group. Thus not only did they flatten the language statistics they also acted as a “compression algorithm” as well. The XKCD “horse battery staple…” pass phrase generator is actually directly equivalent to the “de-code” function of a code book, in that it converts a number to a word or even phrase. The difference is that the numbers are randomly generated so in effect it’s “decoding noise”. In essence “ciphers” work at a lower level generically called the “alphabet level” and these range in size or bit width from individual bits, characters, and blocks of various sizes. Though they use complex algorithms they usually are “one to one” mappings or simple substitution ciphers. With very small alphabet sizes such as the bit they do not have very much security thus the mappings are changed by another algorithm on a bit or charecter basis, and are usually called “stream ciphers”. Larger alphabet sizes or blocks have different properties due to the size of the algorithm alphabet. Being more secure the mappings are not usually changed in a message or time period and are usually called “block ciphers”. Block ciphers do have their own failings though, so the cipher algorithm is used as a building block in another algorithm usually called a “block cipher mode”. Normally both stream and block ciphers are language statistics independent and do not offer any kind of compression. However there are ciphers that exist between stream and block ciphers and historically were often paper and pencil “hand ciphers”. These ciphers worked at the “letter frequency” statistical level and were often not “one to one” mappings, whilst some did flatten the statistics by rudimentary compression others actually expanded the alphabet size to flatten the statistics. Whilst others worked on pairs of letters to provide more complex statistical flattening, often in response to certain types of cryptanalysis techniques. There is also an oddity called “whitening” it’s uses are to break up alphabet structure statistics but mainly these days to “noise shape” to spread signal energy across a communications channels entire band width. It was also used in the NSA designed DES algorithm to make software implementation of the algorithm both more complex and slower than hardware implementation to discorage the use of software implementation…

[2] In military and diplomatic organisations you have a basic split between those who administrate/direct and those who labour/follow so officers/NCOs. Officers are not supposed to labour thus would have NCOs to do the general crypto work of encoding/enciphering and decoding/deciphering typing up etc. However this means the basically untrusted NCOs could become privy to information they are not supposed to see hence the “above my paygrade” comment you still hear. The solution used by the Germans during WWII was the “officer cipher” thus an NCO would receive an encrypted message decode it to find another encrypted message with a plain text header indicating the officer it was for. They would come to the cipher cell and order out the NCOs and decrypt this officer message. Whilst it was supposed to be “secret” all the officer did was take the rotor set out of the enigma machine and reverse the order of the rotors from ABC to CBA then decode the message in exactly the same way as normal then they “should” put the rotors back in the correct order, thus due to officers being “thinkers not doers” they often forgot to do this so the NCOs new exactly what the oh so secret officer cipher was, and generally they were “bad news”, thus I suspect that more than a few NCOs read the messages any way…

Clive Robinson January 20, 2021 2:00 AM

@ SpaceLifeForm,

Large grain of NaCl recommended.

Yes… you will note that they are in no way attributing to any individual, group, or any nation state.

However the then US executive, was fast to jump on the “t’was Russian wot dunit”. Way to fast, in fact we know they were lying through their teeth without doubt.

So the question would be “Why?” for which there are several answers,

1, Political rhetoric
2, Need to look in command
3, Cover up.

Whilst the first two have been endemic in the outgoing administration, I can not see the diplomatic and intel agencies within the US Government going along with it unless there was something for one or both of them in it.

Hence I’m favouring “cover up” but for what?

We know that the SolarWinds software is used world wide by a third of a million customers many of whom are in Government or Government related businesses such as the various MIC, Law, Health, Welfare, Banking entities. Basically all the stuff you would need to asses what is going on in a sovereign nation state, from forward planning right down to individuals.

We also know that whilst being seen as a US Company, a lot of their work was being done in other nations geographically closer to Russia, and where the socio-economics are such that labour is cheap thus in all probability coruption is cheap as well and arguably more likely.

Which makes for a good “cover”, even better the attack was carried out through workflow software for developers that is actually produced by a Russian company. Not through a “bugdoor” or “vulnerability” but through “misconfiguration”. So “double cover”…

Which leaves the question of “Who?” configured the software so the attack could be carried out and “When?”, but also “Where?”… that is was the misconfiguration local or more global to the organisation?

But also has the “who” covered their tracks well enough so that somebody else appears to be the originator of the misconfiguration?

Such things are hall marks of a sophisticated, well resourced organisation that has the resources to not only know what is goining on in the government related entities in terms of IT but the ability to place or manipulate the person in exactly the right spot. Gathering such intel would have to be on an industrial basis, and unsuprisingly the best placed entity to do a big chunk of that is Microsoft, closely followed by some US AV vendors all through their “Phone Home” telemetry.

Thus my gut keeps telling me this is more likely to have started as a Five Eyes SigInt or Intel organisation excercise with lots of “deniability” cover built in.

The fact that none of the actual investigating companies has jumped into line with the US executive “t’was Russian wot dunit” is actually quite unusual…

So I’m thinking this is at least a two bowls of popcorn problem[1]…

But most of all this is a “gut reaction” of a hypothesis, without a skeleton to hang any meat on. What we need is more information from which evidence can be teased and gathered to make the thread for whole cloth. As you’ve probably noticed there is actually darn little of that currently which again is a bit odd considering what normally happens.

So yeah my gut is telling me “cover up” but I don’t have anything to turn it into a hunch or actual line of enquiry.

[1] Yeah I know Arthur Conan-Doyle had Sherlock say it was “a two pipe problem” but these days we are supposed to be healthier, well OK a little bit healthier so no sugar or butter with the popcorn 😉

JR January 20, 2021 12:17 PM

  1. Numerous Federal and State laws require breach disclosure. This includes filing a SEC Form 8K. No corps have filed a SW 8K breach notice other than SW and FE. This means that enterprise do not consider it a risk or liability. sec. gov/ix?doc=/Archives/edgar/data/1739942/000162828020017451/swi-20201214.htm
  2. SW and FE had very few Federal contracts. They were winding down. FE only had 1 finishing up in 2021. See usaspending. gov – and search “advanced” > “keyword” and “year active” 2020 and 2021. After you download expand the columns to the far right and you will see where exactly SW was installed. You will then notice that all of the ‘heads’ that were fired in October lead the agencies where SW was installed.
  3. Under FISMA and DFARS, SW and FE do not qualify to sell to the Fed Gov because they are primarily offshored. Look at both companies on LinkedIn and then navigate to People and locations. Looking at the people profiles, it is easy to ascertain that both companies performed all of their tech support and DevOps from offshore.
  4. Trace all the various submarine cables from the US to India. How many times does the data land and in which countries? submarinecablemap. com
  5. Encryption keys cannot legally be exported to India. Someone please explain how data can be protected in transit to countries with encryption export controls?
  6. At the end of the month the Paige Thompson trial begins if it is not delayed again. Is she a whistleblower of sorts? She was released from jail very quietly in 2019 without bail.
  7. A few weeks ago an article in Bleeping Comp about MSFT notifying Crowdstrike that their 365 email was compromised in the attack. However, Crowdstrike claims that they do not use MSFT email and they couldn’t ascertain whether their Azure tenants were secure bleepingcomputer. com/news/security/crowdstrike-releases-free-azure-security-tool-after-failed-hack/
  8. In 2019 DHS released a RFI saying that their $33 Billion Eagle II cloud migration project was stalled because they couldn’t figure out how to do it with Zero Trust. The project was supposed to be complete in 2020, but in 2019 it was only 6% complete. datacenterdynamics. com/en/news/department-homeland-security-plans-cloud-shift-data-center-consolidation/
  9. All together what does this mean? Cloud can never be zero trust, especially with the amount of Federated SSO + offshoring and outsourcing on both sides of the fence.
  10. My career has been about data centers and data governance. I’ve been in data centers with exceptional security and armed guards with very big guns. But Google and FB practices (which are public) indicate even greater security than I’ve ever personally experienced. Both build vs buy wherever doable. This is to reduce any third party access to their ecosystem. I also doubt they ever let their datacenter or cyber staff quit. I’ve also seen online videos showing third party equipment that I recognize, but it is caged. Meaning if a third party vendor needs to access their DC the humans are caged.
  11. I have severe Whataboutism so of course I am thinking about all of the brilliant Google, AWS and MSFT cloud employees, like Paige Thompson that might have access to that which they shouldn’t. Maybe employers turn a blind eye and maybe even employers know this is happening?
  12. SW is not ubiquitous. It was explained to me that it is primarily legacy and ICS equipment that dominant enterprise class competitors do not support. If you look at their income (statistics) on Yahoo finance, they are a fledgling tech company. Not enterprise class. If they do have the amount of customers they claim, then most aren’t charged or if they are, they pay $300. I suspect that SW is installed by MSP’s and their customers aren’t even aware of it. PAM is non-existent in places I’ve worked with a lot of outsourcing. It’s all about convenience, not security.
  13. One final story. A few months ago I was working as a Cybersecurity Data Governance Analyst and my boss wouldn’t let me have access to any of their GRC, SIEM and ITSM tools that I was aware of. I was unable to do my job. I discussed this repeatedly on Teams with him. Suddenly, for the 1st time ever in my life I receive an invite from MSFT for free Compliance Center training. It arrived in my longtime personal MSFT account. My boss absolutely bugged out when I requested permission to attend this training. He accused me of speaking to MSFT, which I never did. The training was for the next day before my core hours, so I took the training on my work computer hoping that my boss would calm down. It was over 2.5 hours long and I noticed it was conducted from outside the USA. During the training I was invited to access this Compliance tool for a complimentary trial. I clicked on the link and next thing I know I receive an email in my work account from 5 (five) MSFT employees – all offshore telling me my company already had a license for Compliance Center and I should contact the Administrator for access. But there was also a link for it and I followed the link hoping to find the Administrator and I saw that my company wasn’t using the tool. Was MSFT trying to show me my employer wasn’t using the tool? Or were they trying to get me fired? I am no longer working there. Moral of the story. If an employee spied on a customer in the USA they’d likely face the same consequence as Paige Thompson. But in India that behavior is not even illegal, nor extraditable. I’m not inclined to believe SW was espionage as FE states, but was someone in our Gov trying to figure out where the leaks and vulnerabilities were. And there’s lots and our vendors are most guilty. The USA is the only developed nation in the world that allows our sensitive data to be offshored or supported from offshore, despite knowing there’s no way to protect it. Of course SIEM vendors want everyone to believe this is preventable because that’s their bread and butter.
  14. I hope Paige Thompson’s trial is not delayed again. justice. gov/usao-wdwa/united-states-v-paige-thompson

SpaceLifeForm January 20, 2021 10:24 PM

@ Clive, JR

My Q’s where rhetorical. It was a TLA that had assets burned.

Yes, the double encryption could be false flag. Maybe not.

JR, I have thoughts, but I need to go thru your points with much more thought. A lot to digest and mind meld with other stuff. Appreciate your input.

Consider this scenario: Matryoshka APTs/TLAs.

Think about Compartmentalization.

The Solarwinds Orion backdoor feels like a platform.

Microsoft has collected and analyzed a lot. But I think they realize they have not found enough yet.

hxt ps://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

Clive Robinson January 21, 2021 3:37 AM

@ SpaceLifeForm,

Microsoft has collected and analyzed a lot. But I think they realize they have not found enough yet.

Interestingly even their researchers are calling the US Gov “t’wos Russia wot dunnit” a lie from the very first sentence,

“More than a month into the discovery of Solorigate, investigations continue to unearth new details that prove it is one of the most sophisticated and protracted intrusion attacks of the decade.”

And so on through the first paragraph…

I’ve a feeling that there are a number of people who feel they are in a dentist’s chair over this one, and all they want is for the pressure and pain of this relentless drilling down without anesthetic to stop before it realy hits a nerve.

But I suspect the now numerous players know this is not just a game, but a full on blood sport and the fox is running. Worse for the fox they want not just sport but blood and revenge.

Thus the question is just how far are they prepaired to chase the fox, and will all the players get daubed / bloodied with the brush…

SpaceLifeForm January 28, 2021 11:40 PM

@ Clive, JR

I parse this as misdirection.

hx xtp s://www.axios.com/american-cyber-warfare-solarwinds-d50815d6-2e03-4e3c-83ab-9d2f5e20d6f5.html

Clive Robinson January 29, 2021 3:17 AM

@ SpaceLifeForm,

What Axios is reporting is as far as we can tell in line with the facts as we know them.

But as I’ve pointed out the facts are still being collected, and I suspect that one of two things will happen,

1, Egg all over certain faces.
2, Hard radio silence to protect the same faces.

As for what the US is upto, none of that should even remotely be a surprise to anyone reading this blog.

I’ve forgoton how often I point out the fact that US behaviour with regards cyber-espionage is to lie to the US public in an Orwellian play straight out of the book 1984…

As I ask people,

Have you noticed that firstly, the US has a list of only four cyber-existential threats, “China, Iran, North Korea, Russia” which is obvioulsy false. They are all “far away” thus not realy “known” to those in the US so easy to demonize. Especially as they fill the “johnny foreigner brown/yellow/slavic face characteurs” that match the brutilist art posters of the “Reds Under the Bed” period. But also they only attack one at a time, which is ludicrous, and almost always in line with current US Political rhetoric…

If people thought about it logically, every country would be attackibg the US cyber-infrastructure looking for opening and information. That includes all the Five-Eyes and most especially the US it’s self… Yes folks one part of the US the so called “Inteligence Community” and “Law Enforcment Community” see the rest of the US as a threat, thus they find ways to snoop on them, hack them and subvert them…

Once you see that and you’ve read Orwell’s 1984 you will realise what is going on currently politically and has done since WWII. It’s the US citizens that are seen politically as the real existential threat to the US political classes. So the politicians pump tax money into the Military Industrial Complex (MIC), Inteligence Community (IC), and Law Enforcment Agencies (LEA) and various other grubby grasping hands shoveling taxes into bottomless pockets that show few or no returns that justify the vast cost. And in one way or another they all carry out propaganda against the US citizens, who by and large fall for it.

We know that the US Politicians lied over saying “t’was Russia whot dunit” simply because there was no evidence at the time the political claim was made to support it…

As I also noted, the industry that was normally supportive and compliant of such political claims took considerable care not to attribute to Russia. The only one that eventually did was the Russian AV firm Kaspersky.

All a bit odd, unless of course the US industry assumed it was a US “back door” and followed the usuall process of not talking about US cyber-espionage activities.

Which is why I suspect it’s a “bug-door” probably of US origin that has been found and exploited by others. Who the others are has not yet been publicly demonstrated.

The trouble is the US instant news-cycle demands instant answers. Thus public attribution has been wrong a number of times… there was blaiming North Korea for Russian activities disrupting the Olympics, then for those with memories the false target assumptions over stuxnet, where the real target for the US was North Korea, and North Korea darn well knew it was and thumbed their nose at the US Government.

It’s why I urge people to keep an open mind especially when we know that the US IC and others in the Five-Eyes have “False Flag tools”.

So wait for verifiable evidence in the public domain otherwise be skeptical of anything from the political or intelligence communities of the US Government…

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.