Consider This from NPR - The Story Behind The SolarWinds Cyberattack

Episode Date: April 23, 2021

Last year, hackers believed to be directed by the Russian intelligence service, the SVR, slipped malicious code into a routine software update from a Texas-based company called SolarWinds. They then used it as a vehicle for a massive cyberattack against America and successfully infiltrated Microsoft, Intel, Cisco and other companies, and federal agencies including the Treasury Department, Justice Department, Energy Department and the Pentagon. The Biden administration recently announced a roster of tough sanctions against Russia as part of what it characterized as the "seen and unseen" response to the SolarWinds breach. NPR investigative correspondent Dina Temple-Raston has spent months examining the landmark attack that — based on interviews with dozens of players — reveals a hack unlike any other. In participating regions, you'll also hear from local journalists about what's happening in your community. Email us at considerthis@npr.org.

Transcript
Starting point is 00:00:00 This message comes from Indiana University. Indiana University performs breakthrough research every year, making discoveries that improve human health, combat climate change, and move society forward. More at iu.edu slash forward. One Friday late last year, Kevin Mandia was scanning his schedule, and he didn't know it then, but he was about to kick off one of the biggest cyber espionage stories in recent memory. It just appeared on my calendar. It was one of those events where I just looked down, what's next? Oh, in five minutes, I have a security brief. Mandia is the CEO of the cybersecurity firm FireEye. And that briefing was about a suspicious incident. I would say about 10 minutes into it, I felt we had a problem.
Starting point is 00:00:44 Here's what happened. The company uses two-factor authentication to protect its network. Maybe you know it from your email or bank account. Just like everybody, we get six digits pushed to our cell phones when we're logging into network resources remotely. They send a code to your phone that you need in addition to your password to log in. The FireEye security team noticed that one of these codes was sent to a newly registered phone. So they called up that employee. And the gentleman said, no, I did not register that phone. So who did? This was bad. It felt like it was time to brace for impact. This was going to be a breach we had to worry about.
Starting point is 00:01:22 The FireEye security team started scouring their servers looking for the intruder. And what they found led them to a software update from a company called SolarWinds. Hackers breached SolarWinds to infect at least seven U.S. government agencies. Authorities say the Russians targeted some of America's most sensitive and important computer systems. Thousands of businesses and government agencies were caught off guard by an unprecedented attack in a routine software update. Consider this. The SolarWinds hack was one of the most audacious cyber espionage operations ever. In exclusive interviews with NPR, key insiders reveal how this breach happened, how they discovered it, and how to stop it from happening again.
Starting point is 00:02:17 From NPR, I'm Audie Cornish. It's Friday, April 23rd. This message comes from WISE, the app for doing things in other currencies. It's Friday, April 23rd. I'm Yowei Shaw. I'm Kia Miakka Natisse. We're the hosts of the NPR podcast, Invisibilia. You can think of Invisibilia kind of like a sonic blacklight. When you switch us on, you will hear surprising and intimate stories. Stories that help you notice things in your world that maybe you didn't see before. Listen to the Invisibilia podcast from NPR. It's Consider This from NPR. The attack started with a software update.
Starting point is 00:03:10 You know, one that says something like, this version includes bug fixes and increased stability. That sort of thing. It was an update from a Texas company called SolarWinds. They make a piece of software that tons of companies and government institutions rely on. So when Russian hackers slipped a bit of malicious code into that software update, it let them into some of the country's most sensitive computer networks, which allowed them to take aim not just at the economy, but at U.S. national security.
Starting point is 00:03:45 It's one of the most impressive and effective cyber espionage campaigns of all time. Alex Stamos is the director of the Internet Observatory at Stanford University and former head of security at Facebook. They were able to get access to some very sensitive companies and government organizations without getting caught for quite a while. When he says quite a while, he means almost a year. And for all that time, the hackers roamed around the networks of companies like Microsoft, Intel and Cisco, and government agencies, the Treasury, the Department of Energy and the Pentagon. Our objective here is not to escalate. Our objective here is to impose costs. Just last week, the Biden administration announced new sanctions against Russia as part of what it characterized as the, quote, seen and unseen response to the SolarWinds breach.
Starting point is 00:04:40 The fact that anyone, including the government, even discovered the infiltration is thanks to FireEye and Kevin Mandia, who you heard at the top. You know, we're pretty good at doing investigations. It's what we do all the time. So it's something that, you know, finding the needle in the haystack, we have to do it every day. After FireEye noticed an intruder on their servers, they eventually traced the problem back to that SolarWinds software update. And they wrote a report and sent it to the head of cybersecurity at SolarWinds, Tim Brown. And the report was detailed. The report said, we've decompiled your code. We see this malicious code here. We see proof that, yes, we had shipped things that had malicious content inside of it.
Starting point is 00:05:27 And what was going through your head? You know, it's kind of a nightmare idea for any security person. You know, we deal with little tiny incidents often, but this had the potential to affect thousands of customers, right? This had the potential to do a great deal of damage. Now, that other voice you just heard was NPR investigative correspondent Dina Temple-Raston. She interviewed all the people in this episode and pieced together this comprehensive account of the attack. And she'll take the story from here, the moment that Tim Brown at SolarWinds learned his company's software had been compromised. Brown went home, packed a bag,
Starting point is 00:06:06 and was prepared to stay at the office for the rest of the week. I would say Sunday, Monday, we knew that the attack itself and the code that was inserted itself was pretty purposeful. So we quickly understood that the attacker was on a mission. This wasn't just a hacker in a hoodie. This looked like a nation state. So they brought in someone who knew how to deal with these kinds of attacks. Hi, Adam Myers, and I run Intel at CrowdStrike. CrowdStrike is a cyber investigation company, and Myers has helped them unwind some famous hacks.
Starting point is 00:06:40 Sony in 2015, the Democratic National Committee a year later. So he knew a nation state attack when he saw one. And this looked like one of those. I started rolling up my sleeves and started actually looking at the code. And the back door itself was 3,500 lines. A back door is a little portal into the software. And, you know, there was quite a bit of things that it did. And the tradecraft of this threat actor was phenomenal.
Starting point is 00:07:06 That little blob of code was the tiny beating heart of the attack, buried deep inside the SolarWinds software. We're hoping it's going to have, you know, variable names or maybe some comments in Cyrillic or Mandarin. Give us some clue that who wrote this thing. But as the CrowdStrike program kept chewing its way through the code, Myers' heart began to sink. The crime scene was a bust. They washed the code. They cleaned it of any human artifact or tool mark. And that was kind of mind-blowing that the threat actor had the wherewithal to just hide anything that a human might have inadvertently left behind as a clue. Experts like Myers can often find gossamer connections inside the code. Some hackers have little ticks.
Starting point is 00:07:50 Others copy and paste from previous hacks. It's like a nerdy calling card. And nation states typically have teams whose whole job is to try to break into other countries' systems. This happens so much, there's actually a convention to name them. So if I say it's bear, it's Russia. If I say it's panda, it's China. North Korea is Chollima. You know, we always kind of use the official state animal. And I think when we looked, that was the official state animal of North Korea, which was just what we were hoping for, an imaginary flying horse.
Starting point is 00:08:19 To Myers, SolarWinds felt like a bear operation. But he wasn't sure. He started looking for hints in the hack itself, which it turns out started earlier than anyone thought, all the way back to September 2019. That's when the hackers tried to insert a little snippet of code into the SolarWinds update to see if it would end up in finished software. It worked. They modified the product. And so at this point, they know that they can pull off a supply chain attack. They know that they have that capability. After that initial success, the hackers did something they never do. They disappeared for five months. They returned in February 2020, armed with code that allowed them to build their own
Starting point is 00:09:02 SolarWinds update. But their version had a little addition, code that gave them that backdoor, that secret portal, into SolarWinds customer networks. Then came the trick. At the last second, they swapped their version in. When I was growing up, you used to have to check your Halloween candy because somebody might have put a razor blade in your Reese's Peanut Butter cup, right? But imagine those Reese's Peanut Butter Cups going into the package,
Starting point is 00:09:27 and just before the machine comes down and seals the package, some other thing comes in and slides a razor blade into your Reese's Peanut Butter Cup. The package gets sealed, it's put in a box and goes out to the store, and into plastic pumpkins everywhere. It wasn't complicated, so much as crafty. Here's what really worried Myers, though. This bait and switch could have worked on anyone. It could have been reconfigured for any number of software products.
Starting point is 00:09:51 We realized that this could be elsewhere. To this day, no one knows where the hackers have been or exactly what they have done. Except, of course, for the hackers themselves. SolarWinds is still investigating. Typically, no one talks about a hack, but the CEO of SolarWinds, a man named Sudhakar Ramakrishna, thought he needed to. Why have you been so open about all of this?
Starting point is 00:10:14 It's very unusual for a company to be this open. You forget about competition and competitors in that context. The right thing to do is to report. The right thing to do is to give them the ability to fix those issues and protect their customers, right? And we can compete on value, we can compete on price, we can compete on other factors, but you don't compete on that. Ramakrishna wasn't running SolarWinds when the hack happened. He was hired just before the breach was discovered and stepped into the top job just as the full extent of the attack became clear. So when he published a blog post laying out an
Starting point is 00:10:51 11-point security plan, it was seen in two ways. One interpretation of that could be we learned a valuable lesson from what the hack was. The other interpretation could be is that there were at least 11 material deficiencies in the actual security we had. I see the 11 point plan, it's actually an admission that things were not good in the security house. Ian Thornton Trump used to work at SolarWinds. He was on the company's security team until 2017. He says he left because SolarWinds refused to spend enough money on its own security. Now he's chief of cybersecurity at a threat intelligence company, CyJazz. And he says he wished he'd done more to convince people at SolarWinds that a big hack was coming. There's an emotional component of me that is just super sad about this. Something bad was going to happen. And, you know, we always say in cybersecurity,
Starting point is 00:11:46 it's when, not if, right? It's when you're going to get data breached, not if you're going to get data breached. And this was a whopper. But you have to wonder, of all the software companies to target with this huge, complicated attack, why did the hackers choose SolarWinds?
Starting point is 00:12:03 I've thought about this quite a bit as to why us? Why not somebody else? And Ramakrishna has come to the conclusion that the hackers chose SolarWinds because they thought they would be able to cast a wide net and possibly hack 18,000 customers with just one sophisticated attack. This wasn't just a hack, though. This was really about espionage. The White House thinks Russia was behind this, and specifically that it was a group linked to Russian intelligence, APT-29, known as Cozy Bear. Alex Stamos of Stanford says this was a high-end job.
Starting point is 00:12:36 The hackers did their homework. They spent a lot of time studying the adversary. They demonstrated not just technical acumen, but the way they did this demonstrated that they understand how tech companies operate, how software companies operate. And that's the other thing that makes this hack different. The attack on SolarWinds was a bit of a bank shot. A nation state wanted intelligence about the U.S. and hacked a private company to get it. FireEye's Kevin Mandia says that's what's new. We would have landed at this day
Starting point is 00:13:05 sooner or later. But to see it happen, that's where, you know, you have a little bit of shock and surprise. OK, it's here now. And since it is here, new ideas may be required. For example, some people are suggesting there be a more formal way to investigate big cyber attacks. Stanford Stelmos likes the idea of starting something like the National Transportation Safety Board, but for cyber instead. He thinks we should be looking at cyber attacks as carefully as we look at plane crashes. When the Boeing 737 Maxis started crashing, there was a government agency whose entire job it was to gather up the facts of all of those different crashes, and then to come up with a theory of what needed to be fixed,
Starting point is 00:13:45 and then oversaw the fixes that went into that. And Adam Myers, the man who found that little blob of code inside the SolarWinds software, he's busy as ever, fending off other attacks. This was an intelligence collection operation meant to steal information. And it's not the last time that's going to happen, right? This is going to happen every day. And, you know, I can't tell you how many investigations I've worked on since. It gives you a sense that this is continuing to happen,
Starting point is 00:14:11 and I think there's a lot that we all need to do to work together to stop this from happening. And that reporting from Dina Temple Raston and her team at NPR's investigative unit. You're listening to Consider This from NPR. I'm Adi Cornish.
