Timing is not everything, it is the only thing. I really believe that and have for a good portion of my life. A little bit off, a little bit early or late, and things do not happen, things can be missed, and who knows what the result would have been. How this relates to the title of this post is simple: the past tends to repeat itself, and I am currently seeing that through a book I am reading.
The book is called Sandworm by Andy Greenberg. It covers a Russian hacking group to which NotPetya has been attributed, amongst other attacks on Ukraine. We all know about NotPetya; remember how it crippled a shipping company called Maersk? All this happened a month after WannaCry hit. There are many similarities I am noticing between what those unravelling the SolarWinds Sunburst attack are finding and what has been revealed about how the Sandworm group operates, namely in the lead-up to the NotPetya attack. Surprisingly, I have not seen mention of this on Twitter, or in any news reports or blog posts on the Sunburst attack.
Mr. Greenberg, in his book Sandworm, had interviewed Amit Serper of Cybereason about his reverse engineering of NotPetya and his subsequent investigation of the malware and the attack. The short version is that it was a supply chain attack that used M.E. Doc's own update server to install a compromised update. The NotPetya attack happened in June of 2017, but Mr. Serper found a webshell on those update servers going back to November 2015. So the attackers were on the network for at least a year and a half before the attack.
Let us take a look at what has been revealed about Sunburst. It is a supply chain attack that used SolarWinds' own update servers to install a compromised update. Currently the information security world sees October 2019 (just over a year) as the latest that SolarWinds was compromised (while that timeframe is accepted right now, the investigation is still going on, so I do not want to say that it is definitive). Now go back a paragraph and re-read what I learned about NotPetya. Sounds similar, doesn't it?
I have not yet finished reading Sandworm, but other interesting tidbits I read included Robert M. Lee of Dragos (among others) wanting to warn the ICS world about this type of attack because of the Ukraine blackout attacks, which were also attributed to the Sandworm hacking group. It also revealed how little the U.S. Government did to warn about these types of attacks, or about this hacking group, since it was Ukraine that was targeted.
The timing of my reading this book is really what brought the similarities to my attention (I do recommend the book). I am not attributing the SolarWinds situation to the Sandworm group; I do not have the expertise to do that. I am saying that it looks like history might be repeating itself. I do not know if anyone else has noticed these similarities, but I assume someone has. The question remains, though: will we actually learn from this, or will this become yet another case of "all this has happened before, and it will happen again"?