{"id":42723,"date":"2020-12-20T14:06:36","date_gmt":"2020-12-20T18:06:36","guid":{"rendered":"http:\/\/stateofthenation.co\/?p=42723"},"modified":"2020-12-20T14:06:36","modified_gmt":"2020-12-20T18:06:36","slug":"why-is-the-carolina-research-triangle-connected-to-this-epic-hack-of-the-us-government-agencies","status":"publish","type":"post","link":"http:\/\/stateofthenation.co\/?p=42723","title":{"rendered":"Why is the Carolina Research Triangle connected to this epic hack of the US government agencies?"},"content":{"rendered":"<h1>Huge hack of government agencies has a Triangle connection<\/h1>\n<p><!--more-->by Wire, staff reports<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-42724\" src=\"http:\/\/stateofthenation.co\/wp-content\/uploads\/2020\/12\/hack-hacker-data-security-cybercrime-960x640-1.jpg\" alt=\"\" width=\"960\" height=\"640\" srcset=\"http:\/\/stateofthenation.co\/wp-content\/uploads\/2020\/12\/hack-hacker-data-security-cybercrime-960x640-1.jpg 960w, http:\/\/stateofthenation.co\/wp-content\/uploads\/2020\/12\/hack-hacker-data-security-cybercrime-960x640-1-300x200.jpg 300w, http:\/\/stateofthenation.co\/wp-content\/uploads\/2020\/12\/hack-hacker-data-security-cybercrime-960x640-1-768x512.jpg 768w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\" \/><\/p>\n<p><strong>RESEARCH TRIANGLE PARK \u2013<\/strong>\u00a0U.S. government agencies were ordered to scour their networks for malware and disconnect potentially compromised servers on Monday after authorities learned that the Treasury and Commerce departments were hacked in a global cyber-espionage campaign tied to a foreign government.<\/p>\n<p>And there\u2019s a Triangle connection.<\/p>\n<p>The apparent conduit for the Treasury and Commerce Department hacks \u2014 and a compromise of security firm\u00a0 \u2014 is a hugely popular piece of server software called SolarWinds. It is used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies, which will now be scrambling to patch up their networks, said\u00a0 cybersecurity expert Dmitri Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.<\/p>\n<p>In April 2019 SolarWinds acquired Cary-based Samanage for some $350 million. SolarWinds maintains an operation in Cary.<\/p>\n<p>Over seven years,\u00a0Samanage\u00a0had built a product guided by a customer-centricity that aligns well with SolarWinds\u2019 mission\u00a0of serving\u00a0the technology professional community. The company launched in 2007 and had some 150 employees at the time of the acquisition.<\/p>\n<p>In a rare emergency directive issued late Sunday, the Department of Homeland Security\u2019s cybersecurity arm warned of an \u201cunacceptable risk\u201d to the executive branch from a feared large-scale penetration of U.S. government agencies that could date back to mid-year or earlier.<\/p>\n<p>\u201cThis can turn into one of the most impactful espionage campaigns on record,\u201d said Alperovitch.<\/p>\n<p>The campaign was first discovered when a prominent cybersecurity firm, FireEye, learned it had been breached. FireEye would not say who it suspected \u2014 many experts believe the operation is Russian given the careful tradecraft \u2014 and noted that foreign governments and major corporations were also compromised.<\/p>\n<p><iframe loading=\"lazy\" class=\"wp-embedded-content\" title=\"\u201cCary IT services firm Samanage becomes part of SalesForce-ServiceNow battle following $350M deal\u201d \u2014 WRAL TechWire\" src=\"https:\/\/www.wraltechwire.com\/2019\/04\/22\/cary-it-services-firm-samanage-becomes-part-of-salesforce-servicenow-battle-following-350m-deal\/embed\/#?secret=xEpU2ONxa1\" width=\"600\" height=\"334\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" sandbox=\"allow-scripts\" data-secret=\"xEpU2ONxa1\" data-mce-fragment=\"1\"><\/iframe><\/p>\n<p>News that federal agencies were hacked, first reported by Reuters, came less than a week after FireEye disclosed that nation-state hackers had broken into its network and stolen the company\u2019s own hacking tools.<\/p>\n<p>The DHS directive \u2014 only the fifth since they were created in 2015 \u2014 said U.S. agencies should immediately disconnect or power down any machines running the impacted SolarWinds software.<\/p>\n<p>FireEye, without naming any specific targets, said in a blog post that its investigation into the hack of its own network had identified \u201ca global campaign\u201d targeting governments and the private sector that, beginning in the spring, had slipped malware into a SolarWinds software update. Neither the company nor the U.S. government publicly identified Russian state-backed hackers as responsible.<\/p>\n<p>The malware gave the hackers remote access to victims\u2019 networks, and Alperovitch said SolarWinds grants \u201cGod-mode\u201d access to a network, making everything visible.<\/p>\n<p>SolarWinds sent a message urging about 33,000 potentially affected customers to quickly update a software product known as Orion. The attack, it said Monday, was \u201clikely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.\u201d<\/p>\n<p>SolarWinds said in a financial filing that it believed that a smaller number of those customers \u2014 fewer than 18,000 \u2014 had actually installed the compromised product update earlier this year. SolarWinds has said its customers include all five branches of the U.S. military, the Pentagon, the State Department, NASA, the National Security Agency, the Department of Justice and the White House, along with the top U.S. telecommunications and financial firms, though it hasn\u2019t identified which of its customers were using the compromised product.<\/p>\n<p>\u201cWe anticipate this will be a very large event when all the information comes to light,\u201d said John Hultquist, director of threat analysis at FireEye. \u201cThe actor is operating stealthily, but we are certainly still finding targets that they manage to operate in.\u201d<\/p>\n<p>Microsoft cybersecurity researchers on Monday tied the hacks to \u201cnation-state activity at significant scale, aimed at both the government and private sector.\u201d<\/p>\n<p>FireEye said it had confirmed infections in North America, Europe, Asia and the Middle East, including in the health care and oil and gas industry \u2014 and had been informing affected customers around the world in the past few days. Its customers include federal, state and local governments and top global corporations.<\/p>\n<p>It said that malware that rode the SolarWinds update did not seed self-propagating malware \u2014 like the NotPetya malware blamed on Russia that caused more than $10 billion in damage globally \u2014 and that any actual infiltration of an infected organization required \u201cmeticulous planning and manual interaction.\u201d<\/p>\n<p>That means it\u2019s a good bet only a subset of infected organizations were being spied on by the hackers. Nation-states have their cyber-espionage priorities, which include COVID-19 vaccine development.<\/p>\n<p>Kremlin spokesman Dmitry Peskov said Monday that Russia had \u201cnothing to do with\u201d the hacking.<\/p>\n<p>\u201cOnce again, I can reject these accusations,\u201d Peskov told reporters. \u201cIf for many months the Americans couldn\u2019t do anything about it, then, probably, one shouldn\u2019t unfoundedly blame the Russians for everything.\u201d<\/p>\n<p>The Treasury Department referred requests for comment to the National Security Council, whose spokesman, John Ullyot, said Monday the NSC was working with the Cybersecurity and Infrastructure Security Agency, U.S. intelligence agencies, the FBI and government departments that were affected to coordinate a response to the \u201crecent compromise.\u201d<\/p>\n<p>CISA said it was working with other agencies to help \u201cidentify and mitigate any potential compromises.\u201d The FBI said it was engaged in a response but declined to comment further.<\/p>\n<p>President Donald Trump last month fired the director of CISA, Chris Krebs, after Krebs vouched for the integrity of the presidential election and disputed Trump\u2019s claims of widespread electoral fraud.<\/p>\n<p>In a tweet Sunday, Krebs said \u201chacks of this type take exceptional tradecraft and time,\u201d adding that he believed that its impact was only beginning to be understood.<\/p>\n<p>Federal agencies have long been attractive targets for foreign hackers looking to gain insight into American government personnel and policymaking.<\/p>\n<p>Hackers linked to Russia, for instance, were able to break into the State Department\u2019s email system in 2014, infecting it so thoroughly that it had to be cut off from the internet while experts worked to eliminate the infestation. A year later, a hack at the U.S. government\u2019s personnel office blamed on China compromised the personal information of some 22 million current, former and prospective federal employees, including highly sensitive data such as background investigations.<\/p>\n<p>The intrusions disclosed Sunday included the Commerce Department\u2019s agency responsible for internet and telecommunications policy. A spokesperson confirmed a \u201cbreach in one of our bureaus\u201d and said \u201cwe have asked CISA and the FBI to investigate.\u201d<\/p>\n<p>FireEye announced on Dec. 8 that it had been hacked, saying foreign state hackers with \u201cworld-class capabilities\u201d broke into its network and stole tools it uses to probe the defenses of its thousands of customers. The hackers \u201cprimarily sought information related to certain government customers,\u201d FireEye CEO Kevin Mandia said in a statement, without naming them.<\/p>\n<p>Former NSA hacker Jake Williams, the president of the cybersecurity firm Rendition Infosec, said FireEye surely told the FBI and other federal partners how it had been hacked and they determined that Treasury had been similarly compromised.<\/p>\n<p>\u201cI suspect that there\u2019s a number of other (federal) agencies we\u2019re going to hear from this week that have also been hit,\u201d Williams added.<\/p>\n<p>FireEye responded to the Sony and Equifax data breaches and helped Saudi Arabia thwart an oil industry cyberattack \u2014 and has played a key role in identifying Russia as the protagonist in numerous aggressions in the burgeoning netherworld of global digital conflict.<\/p>\n<p>___<br \/>\n<a href=\"https:\/\/www.wraltechwire.com\/2020\/12\/14\/huge-hack-of-government-agencies-has-a-triangle-connection\/\">https:\/\/www.wraltechwire.com\/2020\/12\/14\/huge-hack-of-government-agencies-has-a-triangle-connection\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Huge hack of government agencies has a Triangle connection<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-42723","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"http:\/\/stateofthenation.co\/index.php?rest_route=\/wp\/v2\/posts\/42723","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/stateofthenation.co\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/stateofthenation.co\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/stateofthenation.co\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/stateofthenation.co\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=42723"}],"version-history":[{"count":0,"href":"http:\/\/stateofthenation.co\/index.php?rest_route=\/wp\/v2\/posts\/42723\/revisions"}],"wp:attachment":[{"href":"http:\/\/stateofthenation.co\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=42723"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/stateofthenation.co\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=42723"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/stateofthenation.co\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=42723"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}