February 1, 2021 49 mins

Cybersecurity reporter and hacker extraordinaire Shannon Morse joins the show to talk about what happened in the SolarWinds hack. How is it different from other attacks? What should we be on the lookout for next? And how long will it take to fix it?


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:04):
Welcome to TechStuff, a production from iHeartRadio.
Hey there and welcome to TechStuff. I'm your host,
Jonathan Strickland. I'm an executive producer with iHeartRadio
and a love of all things tech, and today I've
got something special for you guys. I'm going to be

(00:24):
talking with Shannon Morse, my good friend, hacker extraordinaire, incredible
tech communicator, and she and I are going to break
down the SolarWinds hack, a hack that was dominating
the news for late December into January. It will likely
be a part of the news cycle in the tech
space for months and possibly years to come, as it

(00:48):
was a particularly effective and potentially devastating attack, one that
will take quite a long time to repair. And I
wanted to bring Shannon on to the show because while
I can do a lot of research into this stuff,
I come at this the same as anyone else would, really,
anyone who's not in the infosec space. I

(01:13):
would look at it as an outsider trying to learn
as best I can. But Shannon has been working in
the hacker sphere for many years and has a particularly
uh strong point of view when it comes to such
things and is able to see things that I just don't.
So I was very glad that she took the time

(01:35):
out of her schedule to jump on this episode. And
so now here is my conversation with Shannon Morse about
the SolarWinds hack. I hope you enjoy it. Shannon,
welcome back to TechStuff. It has been too long.
Thank you for joining me. Thank you for having me. Jonathan,

(01:55):
how are you? I'm well. It's always a pleasure to
have you on, even when we have to talk about
terrifying existential threats, but this one is a fun one.
This one is interesting, fun for us to talk about. Yeah, well,
because it's it is different from a lot of of
malware threats and hacker threats that we typically hear about. So, Shannon,

(02:19):
you're the expert, you let me know if I'm way
off base. I'm going to give kind of my take
on what the typical hacker attack tends to be and
the way we tend to see, at least the ones
that we hear about. Um, if it's not something like
someone taking advantage of a security vulnerability in a system
or using social engineering to get access to someone's system,

(02:43):
what we usually hear about are malware attacks where there's
like an email attachment or someone has uploaded an infected
file through some sort of distribution point where it might
be a peer to peer network, it might be a database,
or it might be that you go to some website
that you've been directed to and you click on something

(03:04):
that then installs malware to your system. And in this
sort of attack, you've got hackers that are kind of
taking a shotgun approach, right. They don't know who's going
to end up getting this malware. It's more like, let's
try and spread it as far and wide as we
possibly can, taking a pretty brute force kind of tactic.

(03:24):
Is that more or less accurate for the general types
of stuff we hear about? Yeah, pretty much. I mean
usually you hear about the very consumer oriented hacks. You know,
an app gets installed from Google Play and it turns
out it has hundreds of thousands of downloads and everybody
all of a sudden has malware and they have to
get rid of it. Blah blah blah blah blah. So
you see a lot of targeted assaults happening towards consumers,

(03:48):
but in this case, with a supply chain attack, as
what it's called, uh, you see an attack that's
very targeted towards a specific type of brand or a
vendor that happens to work with a whole bunch of people.
So the attackers don't necessarily know of the whole bunch
of people these businesses, clients that this vendor works with.

(04:09):
They don't know who's actually going to install it in
order for them to be able to attack all these
different brands. They just know, we know this vendor works
with thousands of thousands of really important businesses, so let's
just attack this one brand and then see what happens. Yeah,
and in this case, the SolarWinds hack, a lot
of people. I'm sure the average person had never heard

(04:31):
about SolarWinds before the news broke about the actual hack.
Because this is a business to business sort of enterprise.
They create software packages for businesses, typically really big businesses
or really big organizations, to use to do things like
just monitor their network system. So it's not the kind

(04:52):
of thing that the average person would ever have to
come in contact with unless you happen to be like
the IT person at a big company or a
government agency exactly. So I give an example of when
I used to work at a bank and forward facing.
When I was working at that bank, you know, I
was talking to customers all the time, and I had
my own little register where I had the money and everything,

(05:16):
and I had my own computer. But that computer was
running Windows, and it was running software on Windows. But
behind the scenes, for that entire branch and for all
the different branches and all the different cities for this
company that I worked at, they had servers that were
connected to all the different physical locations for this bank,

(05:37):
and on those servers is where you would see these
kind of platforms being used, these kind of operating systems.
So if you're just working at a very like consumer
facing or an office oriented job, then you don't necessarily
run into this, even if you're an employee. A lot
of times it's just happening on the back end for
like the network administrators, the IT security and information

(06:00):
security, like those are the kind of people that
would be using this kind of uh networking product. Yeah. So,
so like if you're a company that does products that
are like software as a service, where you need to
keep a really close eye on things like network loads
because you might have to react uh nimbly and and
quickly to changing demands on your system. SolarWinds makes

(06:24):
the kind of software that allows you to have that
that top level look at what's going on with your networks.
So again not something that most of us would run into,
but it is really important software. And that's why nearly
every company that's on the Fortune 500 list is a
client of SolarWinds, and several high level government agencies,

(06:47):
particularly in the United States, like the Department of Justice,
the Department of Homeland Security, Department of the Treasury, the
Department of Energy, like big national security level organizations are
all clients of SolarWinds, and in particular, they have
a product that's called Orion, and this is specifically to
monitor stuff like network traffic and network assets and where

(07:11):
you might need to make adjustments on the fly. And
that ends up being the bulls eye of the target
for the hackers who created the SolarWinds hack, which
is also sometimes called Sunburst, the particular malware that was used,
and um, this is where we get into that supply
chain attack. And I think an easy way for people

(07:35):
to understand it is that it's unfortunate that it's an
attack that that takes advantage of something that we typically
tell people to do, which is, when a patch comes
out for your software, you install it. Because typically patches
do things like they address previous vulnerabilities in software and

(07:55):
they close down an avenue of attack for hackers. But
if a hacker were able to target that that actual software,
whatever it might be, like, if they were able to
target Windows and insert the malicious code into the Windows
code so that when the patch notes go out, when
the patches go out, the malicious code hitchhikes along. And

(08:17):
then when you install your patch, as you do as
a good user, you have just installed the malware that
is the supply chain attack, and it's devastating. It's yeah,
it's very very scary because the it kind of focuses
on the inherent trust that a lot of clients have
with the vendors that they use for this distributed software

(08:42):
that they might use on their back end for for
their network or whatever it might be. So by having
that inherent trust, you are trusting as a business that
when you do these auto updates, when you physically go
in and you know, update your firmware or whatever it
might be, that you are going to be protecting yourself
because you're on top of it, you're downloading that stuff

(09:03):
every single time there's a new version that comes out.
But in this case, because the attackers were targeting the
vendor itself and not the specific clients, they were distributing
that malware, to thousands upon thousands of potential customers, and
it's the ones that were updating like they should be
that ended up being kind of caught in the crosshairs. Yeah,

(09:25):
this is one of those cases where you say, I
did everything right and you still screwed me. Uh yeah.
So Orion is a platform that's very popular. Around
thirty three thousand of SolarWinds' clients have some version
of Orion running on their system. Out of that thirty
three thousand, SolarWinds said, approximately eighteen thousand had the

(09:48):
versions that were specifically affected when the malicious code had
been inserted and those patches had been pushed out to
the clients and they had actually installed it. Out of
those eighteen thousand, however, we later learned that a very
very small number were followed up on because, as it
turns out, that sunburst attack was just stage one. It

(10:09):
was not it was not the end all. It wasn't like,
oh we snuck some malicious code into a legitimate product.
High fives all around. That was just the beginning. Yeah,
So in this case, the attackers were like, let's just
get it out there and see who gets caught in
the crosshairs. And then they started following up and they
were like, Okay, well, who who matters the most to us?

(10:31):
Which ones might be financially motivated for us to hack?
Who might be the ones that have the biggest and
best data sets that we could potentially pilfer off and
sell to a third party. Like, we don't necessarily know
what their end goal is, but a lot of times
with hacks like this, especially if they are distributed towards

(10:52):
Fortune 500s and government and sectors like that, they
are state sponsored or they are very very financially motivated.
So that would be my general like hypothesis as far
as what their their motivations were behind it and why
they specifically target, you know, the government sector. The very

(11:12):
few that they actually did out of the eighteen thousand, Yeah,
I think the last report I read said that it
looked like it was around forty systems out of eighteen thousand.
That's less than, like, point two percent
of all the different systems that they hit that they
followed up on, and it does say that there was

(11:33):
a very concentrated, focused effort to look at very specific systems.
Most of the ones that they targeted were out of
big tech and then government agencies and then some non
government offices outside of that, like think tanks and things
like that. UM I've seen speculation that, as you say,
it was very likely a state backed attack, and that

(11:54):
the evidence seems to point, but it does not necessarily
indicate proof positive that Russia was behind the attack. At least, yes,
there appears that that's what all the signs point to,
but then there's also always the possibility of what is
called a false flag operation exactly. So it's very interesting

(12:14):
when people start kind of laying blame on specific groups
of attackers or groups of hackers and saying like, hey,
because the code looks this way, we think that it's,
you know, backed by Russia or whoever, it might be
backed by China and North Korea. Those are usually the
ones that we see in the news. Uh. In this case,
they found samples of code that could be very very

(12:37):
closely linked to a previous attacker group from Russia. So
they made that tie and they were like, hey, we
think that this is the same group. But there is
always the potential that somebody could have copied previous malware
and used samples of that for new quote code for
SolarWinds, for the Sunburst. So it's entirely possible that

(13:00):
it's not the same group, but it's plausible, right. So
again you can't draw any firm conclusions. But when you
start thinking about this as a potential state backed attack
that largely gives hackers high level access to systems once
they deliver that second payload of malware, which specifically allows

(13:24):
them to move laterally across networks, not just hit a
specific server, but then to kind of infiltrate across an
entire system. A lot of the reports we've seen have
shown that the hackers were at least able to read
material to see what what material was around. They could
look at source code at Microsoft, for example, or they

(13:47):
can look at emails that had been both sent and
received through a particular system. A lot of this kind
of leads you down the path to thinking one potential
purpose for this attack could be espionage. That it literally
is another part of cyber espionage where you're spying on

(14:07):
UM an enemy or or adversary, and that fits the
narrative really well. Again, we can't draw that conclusion conclusively
to be redundant, but we can at least we can
at least say like that is a potential answer to
why this has happened. Yeah, So I like to lay

(14:30):
out a lot of caveats because it's it's very dangerous
to speak in absolutes when you come to something like this,
because it may turn out yes, ongoing. So we still
have a lot of questions. But I am glad that
we have companies like Microsoft, for example, with Office 365,
and the fact that they were able to see source code,
the attackers were able to see source code. I'm glad

(14:51):
they're coming forward, these clients that were attacked and were targeted,
because it's giving us a clear perspective of what was
actually targeted in this assault. And in Microsoft's case, it was,
or at least they believe that it was the source code,
because the attackers did get access to that information. Now,
were they also like collecting the source code? Were they

(15:14):
taking it from Microsoft and collecting it into their own
data set? Maybe? Probably, I mean, they did have access
to it, so it's entirely plausible as well. But again
it's that plausibility of like all these questions that we
currently have with an active attack where there are still
discoveries happening. This is Jonathan outside the interview here. I'm

(15:37):
just interrupting so that we can take a quick break,
but we'll be right back. So we know that the
nature of the attack allowed for a lot of access
to things from a certain level, but in most cases

(15:57):
that we've heard about, the companies are saying no one
was able to actually make any changes to anything. They
might have seen it, they might have copied it, but
they could not modify anything. However, part of what I
would think would be useful if you're looking at source
code for products like Office 365, which has
incredible distribution to millions of systems around the world, consumer level,

(16:19):
enterprise level, everything in between, that now that you have
that source code, you can start looking at ways to
exploit that. You essentially have a playground, a sandbox that
you can work in with the actual source code of
the product, at least from that particular era until Microsoft
makes changes to it, and then you have a way

(16:41):
of of practicing on that to try and develop malware
that could potentially be used out in other distributions using
perhaps totally different attack vectors. Is that something that could
actually be possible, or am I addled by Hollywood? That's entirely possible.
And that's one of the reasons why we have seen

(17:03):
supply chain attacks targeting very specific like firmware versions or
or the back ends for these really large clients like
Microsoft UH in order to be able to steal source
code and stuff like that, because oftentimes, even though new
versions might come out of an operating system or of
software or firmware UH, they will use previous generations of

(17:27):
that firmware in order to maintain like consistency across all
of the different platforms that their product might be installed onto.
So there might be a few changes for future versions
or future releases, but the source code might remain pretty
similar to previous installations, and it's so much work to

(17:49):
change things on a fundamental level that it's impractical. Right,
There's there's almost no possibility, especially for programs that typically
they typically grow larger. I don't know if you've noticed this, Shannon,
but I have, even from like a programming perspective, which
I am not a programmer. But I have done some

(18:10):
coding in the past, and I know that there is
a lot of turnover at companies, and oftentimes they will
forcibly not change a lot of the code in order
to make sure that it still works with new employees
if there is like a new coder that comes in
or a new programmer. Uh and sometimes you won't find

(18:30):
notes in the in the code for future programmers, so
they just choose not to break anything by not changing anything,
so code will remain the same for years and years
and years before somebody actually goes in and bravely changes anything. Right, So,
if you if you are someone who's creating a uh

(18:51):
some malware and you want to target users of a
specific type of of software, whatever it may be, whether
it's an operating system or something entirely different, then being
able to make a change to like a fundamental part
of that code, one that is not likely to have
been altered because it's it's sort of a pillar of

(19:13):
the software, then that's a pretty decent bet that your malware,
if you're able to inject it into the actual real
software on whatever the vendor side is, that that will
then get rolled out through various patches and updates or
even just new installations of that that product as people

(19:34):
come on board, and the longer you can keep that
on the DL, the more systems you can infect
without anyone being the wiser. As it turns out with
with the SolarWinds hack, we now know that the
attacks started no later than October two thousand nineteen. It
may have been insane. Yeah, So that that was for

(19:56):
a full year plus a couple of months before we
were made aware of it. And it was another security
firm called FireEye that noticed something hinky was going on.
Something hinky. Yeah, but it's kind of but it was hanky,
It's true. They were They were like, hey, what's this

(20:17):
why's our network being weird? I call it jankie. But
they just like, something odd is going on, Like we're
getting some red flags. And we didn't know at the
time that it was Sunburst, that we didn't know that
it was a SolarWinds hack or where it was
being distributed from. So FireEye was just like, we
think we got hacked, and then a few days later
everybody was like, oh, actually this is connected to a

(20:40):
much bigger thing. It wasn't them, it was the vendor
that they were using. So all of a sudden, everybody
was just like, oh, we should probably check our systems too,
And then everybody started realizing, oh, this is actually a
really huge thing because it wasn't just us, it was
a vendor. That's scary. Well, and when it's a cybersecurity

(21:02):
firm that first says, oh, gosh, we were hacked, you
know it's bad because these are the people who are
paid to stop that from happening to other people. So
it's a great example when you look at it from
from that perspective of FireEye as a cybersecurity company,
even they had inherent trust in SolarWinds to distribute

(21:26):
their firmware and their updates in a trusted way. And
even then they couldn't fully trust SolarWinds to do
that in a manner that would keep them protected, right right,
I mean, we there's this whole certification process, this digital
certification that proves that a piece of code is really
coming from the source that you think you're receiving it,

(21:49):
you know from, so that there's this approach that's very
well tested, very well proven by history that this is reliable.
And that's why this hack is so insidious because it said, cool,
we were not going to try and get around that.
We're gonna rely on that trust, on that that whole process,

(22:12):
because everyone knows it works. So if you can, if
you can get to the code before it goes through,
then you're golden. And that's exactly what happened. Uh. An
analogy I use is that the way we typically think
of hackers is and you should appreciate this because I
know you've played with them. We can think of someone
who's got lock picks and they're going through an apartment

(22:33):
building and they're just they're they're opening up locks just
for fun. But the SolarWinds hack is as if
the supervisor for the entire building with the master key
is the one who has decided to do all the snooping,
and they can just walk in when because they've been
trusted with that master key. So that's kind of the
analogy I give. It's it's totally different from the hacks

(22:54):
where you're like, that person looks sus, I'm not gonna
let them into the building. No, it's it's the supervisor.
Of course, the supervisor comes in, he's totally fine. Yeah,
that's a great analogy. Actually, I don't I hope you
don't mind if I steal that? Please? Do I get
like two a year? So I'm just glad that I
was able to. I mean I peaked early. We're in January.

(23:14):
But but yeah, so the scope of this attack, even
though only only I say only, but like forty different
systems have been compromised then further infiltrated. Uh, you still
have around eighteen thousand that could potentially be infiltrated because

(23:34):
they do have the malicious code installed within their systems
that allows for that backdoor access. So they have to
they it is now incumbent upon them to make sure
they uh they they isolate those servers, they remediate them,
and that they bring everything up to a new version
that no longer has that backdoor access. Meanwhile, for all

(23:56):
the systems that were compromised, for those forty, which again
includes like national security level government offices, they have the
unenviable task of figuring out how extensive the attack was
within their systems, what parts of their systems were specifically affected,
at what level of access did the hackers have, was

(24:18):
it like Microsoft where they could just see it, or could
they do more? And how do they fix it? Um?
And this is. I think I think the way we
could we could call it a ginormous challenge. Oh yeah,
So I'll give you an example from a very much
smaller scale. When I was working at Hak5 in
an office, I learned how I could do network sniffing

(24:43):
on the entire office. So I was able to figure
out from my little Linux laptop what machines were connected
all to the same network, even if they were Ethernet
or WiFi. I was able to figure out how to
you know, sniff WiFi as well, because we made a
product for that, uh, And I was able to see
that we had, like I think it was like twelve

(25:05):
different computers, we had two printers. So then from there
I was able to look up the versions of everybody's
operating systems and find out which ones were vulnerable. And
it turns out one of our printers was vulnerable. So
even though I was not necessarily connected to the printer,
like I didn't have it installed, the driver's installed, or
anything on my Linux computer, I was able to send

(25:28):
that printer a piece of paper that said I got hacks,
and I was able to print it out on the computer.
And it was the funniest thing because like nobody it was.
It was Darren's printer, so like he was able to
look at it. My coworker, Darren Kitchen, and he was
and he looks at the piece of paper and he
was like, s did you just figure out how to
hack the printer? And I said, yeah, it was super funny.

(25:49):
But even from a much more broad perspective of when
you're looking at SolarWinds, um, if somebody had access
to a net, the network of one of their clients,
they could see the actual desktop computers that many of
their office employees might have access to. They could see printers,
They might be able to see network connected security cameras. UH.

(26:12):
If they work at a bank, they might be able
to see network connected ATMs. They
have access to maybe like passwords or anything that's being
distributed across the network if it's not being protected correctly.
They could have access to network attached storage in server racks,
all sorts of things. So if you have hundreds and

(26:35):
hundreds of different connected devices and any of those have
not been, like, auto updated, and then again we're putting
trust in vendors to auto update correctly. If these machines
have not been auto updated or patched correctly, and a
hacker has access over that network to see what version
these programs are running. There's plenty of information on Google

(26:59):
about what version of what software is still vulnerable to
what problems. There are these things called CVEs,
and you can look them up and see what kind
of vulnerabilities are currently out there and how they are
being fixed. And if a hacker knows and they look
at this version and then they find out there's a vulnerability,
they could use that to their advantage to get another

(27:19):
foothold within that network. Even if even if the network
admin found out that there was a vulnerability on their
network and they were able to cut that off, the
hacker might have already gotten another foothold. So it's entirely
possible that there's like plenty of other places that these
attackers are snooping on networks through. So yeah, it's a

(27:40):
huge issue, and it's no wonder like given that this
was just discovered a few weeks ago, maybe about a
month month in two weeks ago or six weeks, Uh,
it's no wonder that there's tons of network admins and
security professionals that are still having to work like over
time just to ensure that their networks are safe. And

(28:00):
and you pointed out a problem that I hadn't even
thought about, which just as like, hey, you know how
bad you thought this was. Guess what, It's worse than that,
because because like, if to go back to my analogy,
it would be almost like if you are you have
infiltrated a building, you were able to sneak in, and
you're snooping around and you're looking at all this sort

(28:22):
of stuff, and meanwhile you're also unlocking every window you
go by, so that if if your original entry point
has been shut off, you got like fifty others. Because example,
so if somebody was to change the lock on their door,
but you also had unlocked the windows so that you
could get access that way, they might not even think

(28:42):
about checking the window when they fixed the lock on
the door, right right, So, like you were saying, looking
at all the different versions of software that are running
on various computers and other systems, other devices running on
that network, if you identify all those potential vulnerabilities, really
you're just you're like you're saying, we should use this
time to start developing tools to take advantage of all

(29:05):
these different potential weak points, because we can make the
problem so big that it is almost impossible to think
of what the solution would be apart from nuke it
from orbit. It's the only way to be sure. A
lot of it is risk assessment, and that's something that
a lot of a lot of large businesses do, and
it's even something that customers can do. Consumers like I

(29:28):
could do this from my home network risk assessment. What's
running on your network right now? What devices are vulnerable
or potentially vulnerable? Have you done a yearly audit to
make sure that there's nobody getting access there's no like
random email addresses tied or associated to your online accounts?
Have you changed your passwords in the past year to

(29:49):
comply with NIST's recommended framework for passwords, Like, there's a
bunch of different things that you can do to kind
of assess where your risks lay and then act on
those assessments before a hack actually happens, right, Yeah, And
as long as you don't have an issue like this
where a trusted vendors where because yeah, because that just

(30:12):
slips right in right, just like you were saying, like
these these companies could have been doing all the right
things it's not like they did something wrong. They did
the right thing. And you might wonder, well, how did
the hackers get access to the Orion software to start with?
Like how did that happen? And honestly, we don't fully know,
or at least the public doesn't fully know yet. Someone

(30:35):
might know, but I don't. But the working theory right
now is that another third party vendor called JetBrains
creates a tool called TeamCity. JetBrains, by the way,
I'm sure completely coincidentally founded by a group of Russian
cybersecurity experts, but TeamCity. TeamCity is a software

(30:56):
testing environment. So it's the kind of thing where you've
got your little virtual sandbox, so that you
can build software and try and break it and see
if it works before you deploy it in the real world. Right,
That's kind of the thing they make. And SolarWinds
is one of the customers who uses TeamCity, and
so the current thinking is that the hackers targeted TeamCity.

(31:18):
They specifically targeted a server that SolarWinds uses that
has TeamCity on it. They targeted that and then
they were able to get access to SolarWinds software
through that link, which just shows you, like there could
be a lot of hops from between the hacker and
their ultimate goal. So this TeamCity server was one hop.

(31:41):
The SolarWinds system where they were able to inject
malware into Orion was a second hop. The customers were
the third hop, and then they could go in and
start adding a second payload. Because once they once they
were deployed to the customers, that was the in road,
that was the back door. There is no doubt in

(32:01):
my mind that their end goal was the clients
that use SolarWinds, And chances are that these attackers
are very very advanced and that they probably are state
sponsored because the time that they're investing in order to
get the foothold within get these back doors within these

(32:23):
clients took them over a year. I mean, it took
them a very very long time. And if they started
even behind SolarWinds to JetBrains, that's insane, Like
that is extremely advanced. And that's one of the reasons
why this is such a crucial attack and why
it's going to go in like history books when

(32:43):
people talk about information security and learning about previous attacks,
this is going to be one of those historical examples
of a supply chain attack, because it's insane how how
advanced it is. We'll be right back with more with
Shannon Morse about the SolarWinds hack. After this quick message,

(33:10):
I've read some articles by cybersecurity experts who, you know,
hindsight is, now that it's happened, you can see where
the opportunities were earlier on, in the sense that if
you're thinking about the cybersecurity environment of say 2018
to present day, a lot of that attention was rightfully

(33:35):
devoted to things like how do we maintain a secure
election cycle here in the United States, So a lot
of resources were looking in one direction, which meant that
not as many resources were looking for potential supply chain threats.
So while there were a few analysts who had previously

(33:55):
said this is something we really need to be cognizant
of and have developed best practices so that we can
hopefully prevent it, but if not prevent it, certainly detect it
and react to it. But because there were other pressing
matters that were very much tied to cybersecurity, that that
just didn't get as much attention as it might have otherwise,

(34:18):
and it ended up being the perfect opportunity. It actually
really does point to the incredible, um, uh, inventiveness and
the the how how nimble the hackers were to be
able to recognize a time and and opportunity to really
develop and deploy that malware, because you couldn't have asked

(34:43):
for a better environment, right, It just was the perfect
time for for the neighborhood Watch to be looking the
other way. Oh yes, it's, um... And I feel like
the attackers got very lucky on their timing, even though
and this this is bringing up the pandemic in a sense,
even though the it's probable that this started in October

(35:05):
2019 and that happened before the pandemic. What perfect timing
for these attackers because the entire time that they have
been silently getting intrusions into all these different clients and
into SolarWinds as the vendor. There have been companies
out here that have been losing funds because of the pandemic.
They don't have as much manpower because everybody's working from home,

(35:26):
and they've had to lay off a lot of their
network administrators and their IT and consultants and everybody else,
and they don't have the money right now to fund
doing like third party audits of their systems and stuff
like that, So perfect timing for attackers to just come
in and silently attack and intrude on all of these

(35:46):
different networks because nobody, nobody has the manpower right now.
It's it's almost impossible for all these companies to be
able to fulfill all the projects they could have potentially
had for security and privacy of their networks. Yeah, uh,
it is. It's it's a remarkable set of circumstances that
all helped create almost a perfect storm. The only way,

(36:09):
this is the only way you could argue that this
would be obviously worse, is if that number of compromised
systems had an even larger number of ones that were
followed up upon, if that were if that number were
even bigger, then we would be talking about. I mean,
it's I don't even know how to call it like

(36:29):
a catastrophe, because I think it's already a catastrophe. We're
already at catastrophic level because of the potential espionage that
could have been done in critical systems. We don't know
if they were ever able to really access like highly
classified information. Clearly that's something that the government likes to
keep on the down low. They're not they're not too

(36:51):
they're not too happy to say like, oh, by the way,
Russian spies were able to look at our top secret
classified information that even most of our government officials never
get a chance to see. That would be bad. Uh,
we don't know if that's happened or not from based
on what we've seen at other places. Uh, it's hard
to say because it all depends upon what other security
practices these different departments were doing, whether or not they

(37:14):
had had sort of sequestered some of their most sensitive
information in systems that are not as easily accessible. There
are possible ways of doing that. Microsoft in fact, has
talked about how through their own security system that is
part of the reason why they were limited in their access.
They still got to see a ton of stuff. It's

(37:35):
not good, but but it was a low privileged user access.
They weren't able to get like full access to everything
on Microsoft systems because the attacker was only able to
get that lower end access. So here's hoping, and and
the cynic in me it feels like hope is a

(37:56):
strong word to use because I'm also familiar with government
systems and they're not always laid out in the best way,
often because not to any fault of government officials, I
don't want to throw a lot of shade at them.
We also have to keep in mind that some of
those positions there's a lot of turnover just because government
changes a lot. So it's hard to keep a real

(38:18):
legacy of security in those systems because you don't necessarily
have the same personnel from one administration to the next.
Um, and there can even be turnover within administrations, as
our most recent administration taught us nearly daily. So so yeah,
so this is this is a huge challenge. The process

(38:41):
of cleaning it up is going to take a really
long time. I tried to see if any analysts had
kind of an estimate, but the most specific answer I
could get was probably years to really assess the full extent.
That's the same thing that I saw, which was pretty

(39:01):
much the consensus even among like my hacker friends, was
it's probably going to take several years in order for
them to really figure out how deep this honestly goes.
That is a sobering fact. It's also, you know, a
good reminder that this is something that you know, it's
not necessarily going to be an isolated incident. The fact

(39:23):
that this was so successful sends out a message to
any state sponsored hacker group that if you can manage
something like this, then the the all the doors are
open to you. So it's now something that vendors are
really going to have to be cognizant of to make

(39:44):
certain that the the product they send out has not
been altered in any way. And this is made more
challenging because obviously hackers are clever. They figure out ways
to cover their footsteps, thank you, I mean, a good
hacker is anyway, right, A good hacker doesn't just figure
out how to intrude on the system, they also figure

(40:05):
out how to cover up that intrusion so that it's
not immediately apparent. Yes, because a lot of companies have
like they have really good intrusion detection software which will
send them a red flag or notify several of the
administrators that are working on that network immediately as soon

(40:27):
as something is noticed, so that they can, um, assess
the situation and cut off the threat. Yeah. And just
to make this story even more scary, uh, there have
been four major cybersecurity companies that have reported being compromised
in some way or at least attacked by these hackers.

(40:48):
One of the four says that no harm was done,
and those would be FireEye, which we mentioned before.
That was the first company that came forward that kind
of broke open the dam on on the discovery of this.
Microsoft is another, uh, Malwarebytes, which we learned
about not too long before the recording of this. Yeah,
like really recently and worse than that, not related directly

(41:10):
to SolarWinds because they don't use SolarWinds products.
We'll get back to that. And then CrowdStrike, which is
the company that says, yeah, they tried, we didn't. Then
they didn't and they didn't do anything. So good on them.
But as for Malwarebytes, they came forward and said, yes,
we also have detected the presence of these hackers in

(41:31):
our systems. But in our case it was because of
an Office 365 email protection app that was
dormant that they were able to target and get to
our systems through that. So they were able to read
some emails. So that tells us that potentially that could
have been something they learned by being able to look

(41:53):
at the source code over at Microsoft. We don't know
that but that's possibly how that happened, was that they
learned of a particular attack vector by scouring the source code,
and thus were able to have a secondary attack through
a totally different approach and not have to depend upon
SolarWinds at all. And if that's the case, if

(42:14):
Malwarebytes was targeted, then there's a really good chance
that others were too and we just don't know about
it yet. Yeah, that's an excellent example, and it kind
of takes us back, you know, back to the beginning
of the conversation, kind of explaining why the attackers were
targeting these companies in the first place, because they're getting

(42:36):
access to this crucial information that could potentially give them
access to other people or other brands and companies in
the future for completely different hacks that have nothing to
do with SolarWinds. So so while we're we might
be on the lookout for one type of attack, just
like we did with what I was talking about the

(42:57):
you know, election cycle, really taking a lot of cyber
security attention. If we're all looking for one specific type
of attack, that just means that there's opportunities for other attacks.
In fact, this is sort of just the the cracker
style of hacker, you know, the ones that specifically are
are looking at how to infiltrate systems. It really just
goes into their mindset, which is that all they care

(43:19):
about is at first anyway, figuring out how do I
infiltrate that system. That's that's their only focus. The problem
with people who build these systems, they also are burdened
with the weighty responsibility of making the system do whatever
it was supposed to do, plus make it invulnerable to intrusion.

(43:39):
But you have to make your system work first, right,
So you're like, hey, everything works, and like, oh, you
forgot about this way that a person could intrude to
and and get access to your system without authorization. You think, well, shoot,
I was just trying to make the thing go. Oh yeah,
like straight up, even if you're like working in an office.
I love giving those kind of examples because a lot

(43:59):
of people work in offices. Uh, let's say they have
to update the firmware on your printer and they have
to disconnect it to make it invulnerable from some kind
of attack. All of a sudden, they have to reauthorize
all of the PCs to connect to that one printer.
And that's a huge headache, and that creates even more work.
So you have like all these people that are just

(44:21):
trying to get their work done and you can't do
anything from from the perspective of an employee. And yeah,
and I'm definitely that guy who gets a little pop
up in Windows that says, hey, we've got some updates.
Do you want to reboot your system or do you
wanna you know, and you're like no, I'm like no,
twelve hours, tell me in twelve hours. And then after
like four days, like no, seriously, my heart is going

(44:43):
to come and take your computer if you don't update, Like, okay,
you know what, We've had some fun, I'll go ahead
and reboot. Uh. Yeah. So so this is this is
fascinating to me, and I'm so thankful for you to
join the show to help me kind of suss all
this out because I kind of had a handle on it,
but you really we opened up my eyes to other
opportunities that, honestly, I mean, I just didn't think about.

(45:05):
So that's exactly why I wanted you to to join
the show and why I'm so thankful that you you
said yes. After yeah, of course, after I bugged you
while you were on holiday. Well, I'm I'm glad I
was able to join you because there are so many
different ways that you can look at this attack. So
talking about all those different perspectives like I have been

(45:25):
is really important to really understand and get ingrained into,
like the motivations behind the SolarWinds attack, but also
understand it from a client perspective why this has been
so crucial and so important to so many people. And
it's it's great to be able to have that sort
of conversational approach, where, as I get my understanding, I

(45:48):
hope that my listeners have gotten a deeper understanding of
what's going on and why this is such a big
deal and why it dominated tech news for a couple
of weeks. Uh, you know, before we hear about Apple
interfering with, you know, defibrillators and things like that. Um,
so I'm sure we're going to hear a lot more

(46:09):
about this over the coming months and potentially years as
well as well. Inevitably we're going to hear about other
hacks that are going to be compared against this, because,
as you say, this is going to be a benchmark.
This is this is a historic hack event, and it will
be one of those big ones we talk about for

(46:30):
years to come, you know. Um, but Shannon, if people
want to find your work and follow all the incredible
things that you do, where would they go? Check out
YouTube.com/ShannonMorse, spelled just like my name.
That's where I've been doing a lot of security and
privacy as well as tech reviews too, and I do

(46:52):
answer a lot of questions about security and privacy for consumers. Yeah,
and if you hunt around, you can follow Shannon doing
all sorts of crazy things like traveling the world when
there's not a pandemic going on. And she takes really
good photos. Me too. Me too. And it doesn't help

(47:12):
that my wife will occasionally send me a picture of
a place I really want to be in but cannot
go to until it's very relatable. Yes, well, thank you again,
and I will certainly have you back on TechStuff
whenever you agree to do it. Well, thank you, Jonathan,
I appreciate it. Thank you so much for having me.

(47:34):
I hope you guys enjoyed the interview with Shannon Morse
and once again I have to thank her for coming
onto the show. She is very generous with her time,
so I greatly appreciate it, and I hope that that
discussion gives you a deeper understanding and appreciation for the
large challenge ahead in dealing with this hack, as well

(47:57):
as just you know, something to think about for all
of you folks managing stuff out there about things to
look out for in the future. I mean, as Shannon
points out, the real issue here is that the attack
targeted something from a trusted source. So when you get
a message that is from a trusted partner, you don't

(48:20):
expect there to be malware in that. So this really
is a major wake up call, and unfortunately it's a
wake up call that's doing active damage right now. But
hopefully we'll have better news to bring about the
SolarWinds hack as time goes on and as people learn
how to remediate those servers. In the meantime, if you

(48:42):
guys have any suggestions for future topics I should cover
on TechStuff, whether it's a company, a technology, a trend,
something like the SolarWinds hack, or maybe there's somebody
you would love for me to have on the show
as a guest. Let me know. The best way to
get in touch with me is over on Twitter. The
handle for the show is TechStuffHSW

(49:04):
and I'll talk to you again really soon. TechStuff
is an iHeartRadio production. For more podcasts from
iHeartRadio, visit the iHeartRadio app, Apple Podcasts,
or wherever you listen to your favorite shows.
