top of page


Justin Corleone
Justin Corleone

The Network €?Hack” That Wasn’t To Be

There are several ways you can do this using Azure networking, VNET peering between Azure VNETs, Site-to-Site (S2S) VPNs, and even ExpressRoute. ExpressRoute was off the table for this proof of concept, and since the remote sites were not Azure VNETs, that left Site-to-Site VPN.

The Network “Hack” that Wasn’t To Be

The we switched over to the VNET Peering configuration. It was simple enough to create multiple peering agreements from the main VNET to the proxy ones. However, the basic setup does not account for wanting to have traffic actually pass through the proxy network to the remote networks beyond. There are a couple notable configuration options that are worth understanding and are not enabled by default.

The second one, allow gateway transit, allows the peer VNET to use the attached VNET gateway. We enabled this on the first proxy network agreement to allow the main VNET to direct traffic to that remote subnet beyond the proxy network.

Hackers gained access through software that many agencies use. Seattle City Light also uses that software, called Orion. The software was developed by SolarWinds and is used to manage IT infrastructure and networks relied upon by government agencies and large companies.

A spokesperson for the Seattle Mayor's Office said the city "is not impacted by these breaches," despite various departments using the software. Not all departments downloaded the update that was tainted with hackers' code. Seattle City Light did download the software that's been breached, however.

Microsoft President Brad Smith recently spoke with NPR and said: "I think this is one of the most serious cyberattacks we've seen in the past decade. This actor put malware into legitimate software that was then distributed to roughly 18,000 customers around the world - governments, companies and the like. Already we've identified more than 40 organizations, 80% of them in the United States, where they followed up, penetrated the networks, took additional steps."

Seattle City Light had deployed the newest release, however, the City Light SolarWinds system is on a secured network and does not have the internet connectivity that would enable this attack to function. As information regarding the SolarWinds compromise emerged on Sunday, City Light promptly followed the DHS-CISA guidance to disconnect SolarWinds systems, and has followed all guidance to evaluate their systems and historical logs for the associated indicators of compromise. SCL has found no indications of targeting or compromise of City Light systems related to this threat (past or present), and has applied appropriate mitigations to all systems and cyber security tools.

By design, the hack appeared to work only under very specific circumstances. Its victims had to download the tainted update and then actually deploy it. That was the first condition. The second was that their compromised networks needed to be connected to the Internet, so the hackers could communicate with their servers.

The concern is that the same access that gives the Russians the ability to steal data could also allow them to alter or destroy it. "The speed with which an actor can move from espionage to degrading or disrupting a network is at the blink of an eye," one senior administration said during a background briefing from the White House on Thursday. "And a defender cannot move at that speed. And given the history of Russia's malicious activity in cyberspace and their reckless behavior in cyberspace, that was a key concern."

When cybersecurity experts talk about harm, they're thinking about something like what happened in 2017, when the Russian military launched a ransomware attack known as NotPetya. It, too, began with tainted software, but in that case the hackers were bent on destruction. They planted ransomware that paralyzed multinational companies and permanently locked people around the world out of tens of thousands of computers. Even this much later, it is considered the most destructive and costly cyberattack in history.

Intelligence officials worry that SolarWinds might presage something on that scale. Certainly, the hackers had time to do damage. They roamed around American computer networks for nine months, and it is unclear whether they were just reading emails and doing the things spies typically do, or whether they were planting something more destructive for use in the future.

The SolarWinds attackers ran a master class in novel hacking techniques. They modified sealed software code, created a system that used domain names to select targets and mimicked the Orion software communication protocols so they could hide in plain sight. And then, they did what any good operative would do: They cleaned the crime scene so thoroughly investigators can't prove definitively who was behind it. The White House has said unequivocally that Russian intelligence was behind the hack. Russia, for its part, has denied any involvement.

After that initial success, the hackers disappeared for five months. When they returned in February 2020, Meyers said, they came armed with an amazing new implant that delivered a backdoor that went into the software itself before it was published.

To understand why that was remarkable, you need to know that finished software code has a kind of digital factory seal. If you break that seal, someone can see it and know that the code might have been tampered with. Meyers said the hackers essentially found a way to get under that factory seal.

Under normal circumstances, developers take the code out of the repository, make changes and then check it back in. Once they finish tinkering, they initiate something called the build process, which essentially translates the code a human can read to the code a computer does. At that point, the code is clean and tested. What the hackers did after that was the trick.

They would create a temporary update file with the malicious code inside while the SolarWinds code was compiling. The hackers' malicious code told the machine to swap in their temporary file instead of the SolarWinds version. "I think a lot of people probably assume that it is the source code that's been modified," Meyers said, but instead the hackers used a kind of bait-and-switch.

But this, Meyers said, was interesting, too. The hackers understood that companies such as SolarWinds typically audit code before they start building an update, just to make sure everything is as it should be. So they made sure that the switch to the temporary file happened at the last possible second, when the updates went from source code (readable by people) to executable code (which the computer reads) to the software that goes out to customers.

The technique reminded Meyers of old fears around trick-or-treating. For decades, there had been an urban myth that kids couldn't eat any Halloween candy before checking the wrapper seal because bad people might have put razor blades inside. What the hackers did with the code, Meyers said, was a little like that.

But there was something else about that code that bothered Meyers: It wasn't just for SolarWinds. "When we looked at [it], it could have been reconfigured for any number of software products," Meyers said. In other words, any number of other software developers using the same compiler may also be on the receiving end of a cyberattack, he said, and they just don't know it yet.

Meyers said it's hard not to admire just how much thought the hackers put into this operation. Consider the way they identified targets. The downside of breaking into so many customer networks all at once is that it is hard to decide what to exploit first. So the hackers created a passive domain name server system that sent little messages with not just an IP address, which is just a series of numbers, but also with a thumbnail profile of a potential target.

The hackers also reverse-engineered the way Orion communicated with servers and built their own coding instructions mimicking Orion's syntax and formats. What that did is allow the hackers to look like they were "speaking" Orion, so their message traffic looked like a natural extension of the software.

None of the tripwires put in place by private companies or the government seems to have seen the attack coming. Christopher Krebs, who had been in charge of the office that protected government networks at DHS during the Trump administration, told NPR that DHS' current system, something known (without irony) as Einstein, only catches known threats. The SolarWinds breach, he said, was just "too novel."

Christopher Krebs, who was in charge of protecting government networks during the Trump administration, said the SolarWinds breach used techniques that were "too novel" for the current system to catch. Drew Angerer/Getty Images hide caption

And there is something else that Einstein doesn't do: It doesn't scan software updates. So even if the hackers had used code that Einstein would have recognized as bad, the system might not have seen it because it was delivered in one of those routine software updates.

The National Security Agency and the military's U.S. Cyber Command were also caught flat-footed. Broadly speaking, their cyber operators sit in foreign networks looking for signs of cyberattacks before they happen. They can see suspicious activity in much the same way a satellite might see troops amassing on the border. Critics said they should have seen the hackers from the Russian intelligence service, the SVR, preparing this attack.

"The SVR has a pretty good understanding that the NSA is looking out," Krebs said. "What the SVR was able to do was make the transition from wherever they were operating from into the U.S. networks. They move like ghosts. They are very hard to track."

In that case, according to SolarWinds' Ramakrishna, the security teams at SolarWinds and Palo Alto worked together for three months to try to pick up the thread of the problem and walk it back. "None of us could pinpoint a supply chain attack at that point," Ramakrishna told NPR. "The ticket got closed as a result of that. If we had the benefit of hindsight, we could have traced it back" to the hack. 350c69d7ab


bottom of page