Travel News

Russians are believed to have used Microsoft resellers in cyberattacks

As the United States tackles a large-scale Russian cyberattack on federal agencies, private businesses and the country’s infrastructure, new evidence has emerged that hackers have hunted their victims through multiple channels.

The most significant intrusions discovered so far have relied on software from SolarWinds, the Austin-based company whose updates have been compromised by the Russians. But new evidence from security firm CrowdStrike suggests that companies selling software on Microsoft’s behalf have also been used to penetrate customers of Microsoft’s Office 365 software.

Because resellers are often responsible for configuring and maintaining customer software, they – like SolarWinds – have been an ideal front for Russian hackers and a nightmare for Microsoft’s cloud customers, who are still assessing how deeply the Russians have explored their systems.

“They couldn’t get directly into Microsoft 365, so they targeted the weakest point in the supply chain: resellers,” said Glenn Chisholm, founder of Obsidian, a cybersecurity company.

CrowdStrike confirmed on Wednesday that it was also the target of the attack. In the case of CrowdStrike, the Russians did not use SolarWinds but a Microsoft reseller and the attack failed. CrowdStrike spokeswoman Ilina Dimitrova declined to expand beyond a corporate blog post describing the attempted attack.

The approach is no different from the 2013 attack on Target in which hackers entered through the retailer’s heating and air conditioning supplier.

The latest Russian attacks, believed to have started last spring, have revealed a substantial blind spot in the software supply chain. Businesses can track phishing and malware attacks as much as they want, but as long as they blindly trust vendors and cloud services like Microsoft, Salesforce, Google’s G-Suite, Zoom, Slack, SolarWinds and others – and give them broad access to employee and corporate email networks – they’ll never be secure, say cybersecurity experts.

“These cloud services create a network of interconnections and opportunities for the attacker,” Mr. Chisholm said. “What we’re seeing right now is a new wave of modern attacks on these modern cloud platforms, and we need 2021 defenses.”

Some reports have confused the latest development with a breach of Microsoft itself. But the company said it stands by its statement from last week that it had not been hacked or used to attack customers.

But the CrowdStrike discovery shows how Russian hackers used Microsoft’s resellers to indirectly target its customers. CrowdStrike said in a blog post on Wednesday that hackers attempted to read the company’s emails from a reseller account, but were unable to access its data or systems.

U.S. officials detected the attack only in recent weeks, and only after a private cybersecurity firm, FireEye, alerted U.S. intelligence services that hackers had evaded layers of defense.

It was evident that the Treasury and Commerce Departments, the first agencies reported to have been breached, were only part of a much larger operation whose sophistication stunned even experts who followed a quarter of a century of Russian hacks on the Pentagon and US civilian agencies.

The National Security Agency – the first U.S. intelligence organization to both hack foreign networks and defend national security agencies against attacks – apparently did not know about the breach of network monitoring software created by SolarWinds until it was notified last week by FireEye. The National Security Agency itself uses the SolarWinds software.

Two of the most embarrassing breaches have occurred at the Pentagon and the Department of Homeland Security, whose Cybersecurity and Infrastructure Security Agency oversaw the successful defense of the US electoral system last month.

Russian hackers behind the attack broke into the messaging system used by senior Treasury Department officials in July.

The computers of at least two dozen organizations – including Cisco, Intel, Nvidia, Deloitte and California State Department hospitals – appear to have been hacked, the Wall Street Journal reported. Some groups, such as Intel and Deloitte, said the attack did not affect their most delicate systems.


US issues sanctions on Russian center implicated in potentially deadly cyberattacks

The United States on Friday imposed economic sanctions on a Russian government research body responsible for a potentially fatal cyberattack on a Saudi petrochemical facility in 2017.

The sanctions did not name the target, but the description of the attack matched a hack that year of Petro Rabigh, the Saudi oil giant, which shut down safety systems used to prevent an explosion. The attackers might have succeeded had an error in their code not inadvertently shut down the plant.

Private cybersecurity researchers have called the group that carried out the attacks “the most dangerous threat activity known publicly.”

According to the sanctions, the Russian state research center of the Russian Institute of Chemistry and Mechanics built the custom tools used in a series of 2017 attacks on oil facilities in the Middle East, as well as attempts to hack at least 20 electrical installations in the United States. The tools, officials said, had the “ability to cause significant physical damage and loss of life.”

The Russian Embassy did not immediately respond to a request for comment.

The first attack on Petro Rabigh, in August 2017, compromised industrial controllers made by Schneider Electric, which keep equipment operating safely by regulating voltage, pressure and temperature. Russian hackers used their access to shut off the safety locks of these controllers, leading investigators to believe the attack was most likely intended to cause an explosion that would have killed people.

The episode sparked an investigation by the National Security Agency, FBI, Department of Homeland Security, and the Pentagon’s Defense Advanced Research Projects Agency, as well as investigators from Schneider, the Mandiant security team of the security company FireEye, and Dragos, a security company specializing in industrial control security.

“It’s very important to explicitly speak out against attacks on industrial control systems,” said Nathan Brubaker, senior analyst at Mandiant, who first connected the attacks to the Russian research lab in 2018. “The more you let this activity go, the better it becomes, which is really dangerous when you talk about systems that are at the heart of human life.”

Schneider controllers are used in more than 18,000 factories around the world, including nuclear and water treatment facilities, oil and gas refineries and chemical plants.

“These systems provide for the safe emergency shutdown of industrial processes in critical infrastructure to protect human life,” Treasury Department officials said in their statement announcing the sanctions on Friday.

After the cyberattack on Petro Rabigh, private investigators caught up with the same group targeting northern European energy companies and conducting digital tours of more than a dozen electricity companies in the United States, looking for ways to access their systems.

“They are not only sophisticated, but they are the only actor who has tried to cross the line by killing people,” said Robert M. Lee, Managing Director of Dragos. “Not only did they demonstrate their ability but also their intention to hurt people, which no other actor had done.”

The sanctions came days after the Justice Department made public charges against six Russian military intelligence officers accused of aggressive cyberattacks on the 2017 French elections, the 2018 Winter Olympics and power grids in Ukraine, as well as another 2017 attack that hit companies like Merck, Mondelez, FedEx and Pfizer and caused billions of dollars in damage.

On Thursday, the FBI and the Cybersecurity and Infrastructure Security Agency accused the same Russian hackers who made forays into the U.S. electricity grid of hacking into state and local systems, including some election support systems.

Federal prosecutors have publicly downplayed the timing of indictments and sanctions, but some officials have said privately they intend to send a clear message that U.S. officials are closely monitoring Russia’s information warfare systems ahead of the November 3 presidential election, whether they are aimed at hacking electoral systems, amplifying American political divisions, or getting into the minds of voters.

The sanctions did not name the Russian hackers behind the attacks. As a result of Friday’s actions, the Russian research center connected to the government and people linked to it will see any assets or property they hold in the United States frozen.

The sanctions also expose anyone who does business or does research with the center to similar sanctions. “No one at the international level is going to touch them now,” Mr. Lee said.