UNC2452: Hacking without Consequences — Part One: Why SolarWinds Orion?

Why Orion?

… this feels like the perpetrator shouting from the rooftop that they are invincible, immune to repercussions, and indiscriminate in the destruction they’re willing to create.

  • Ubiquity — 33,000 potential victims is monumental and persistence is key for attackers. They often remain in networks for months to years after achieving their objectives. Only really “leaving” when they are discovered and kicked out. It may be easier for an attacker to maintain access to an environment rather than regain access, and if the target was useful once, they may be useful again. Furthermore, watering hole and supply chain attacks are like a box of chocolates, you never know what you’re gonna get. The attacker’s primary target may have been government organizations but I’ll be damned if the attackers aren’t thrilled with compromising a handful of high-profile technology companies in the process.
  • Commonality — Attackers spend a significant amount of time profiling their targets. During the “Initial Reconnaissance” phase of the attack lifecycle, operators perform external scans to see what a target has accessible to the internet, build profiles on specific employees based on their seniority, responsibilities, and expertise which are openly advertise on professional sites like LinkedIn, and scour press releases, financial disclosures, and company websites that openly tout business with new customers. This is just a small sampling of profiling techniques that may have strengthened the decision to compromise Orion. If, for example, an attacker is tasked with infiltrating the top aerospace engineering firms in the United States and all of those firms happen to use Orion then it would be negligent to ignore the potential of a 10 for 1 opportunity.
  • Chaos — I don’t think I need to spend much time explaining the complexity and absurdity of the geopolitical climate as we exit the 2010s and enter the 2020s. FireEye has yet to assign nation-state level attribution to UNC2452 whose name alone should illustrate the difficulty of attribution. Other organizations have been quick to point fingers at APT29 aka COZYBEAR, and other context clues do make Russia appear a bit suspicious. It would be a natural fit with Putin remaining at the helm of Russia, Trump leaving office while sowing doubt any place he deems fertile, and COVID-19 ravaging anywhere leaders chose not to enforce strict lockdowns. Compromising countless government entities, publicly traded companies, healthcare networks, and financial institutions is the cherry on top of 2020. Or maybe the plan was for the hack to be uncovered before the 2020 election, casting more doubt on its integrity and legitimacy. As the current administration remains silent on the matter, this feels like the perpetrator shouting from the rooftop that they are invincible, immune to repercussions, and indiscriminate in the destruction they’re willing to create. The chaos is all possible thanks to the ubiquity and commonalities of SolarWinds Orion.
  • Simplicity — Based on my experience in the field, I do not believe SolarWinds, or any organization is capable of formulating a defensible root cause and establishing the full extent of a breach of this magnitude for at least a month after the start of an investigation. It is still early days and one month would be a Herculean achievement so I advise everyone to get comfortable. It’s going to be a long and bumpy ride. | The public may never know the full extent of the breach. Heck, even SolarWinds will have unanswered questions at the end of all this. Even still, people are jumping to conclusions as if we know all of the facts! A misconfigured Office365 implementation and credentials in public git repositories are among the most popular scapegoats I’ve seen to date. | It is easy for outside observers to miss the forest for the trees and while these may seem like significant missteps I can assure you that every organization has similar problems that may never lead to such catastrophic events. While we’re not exactly nailing Jell-O to a tree, the majority of security professionals would have their work cut out for them if they had an objective similar to the weaponization of Orion. Little strokes fell great oaks and enough of those tiny missteps may have added up to the hack of the decade. It is within the realm of possibility that this was an easy hack, but I just don’t see it being true. | I can all but guarantee a thorough analysis of the SolarWinds breach would produce a report that is hundreds of pages long and we cannot be blaming a potential company ending event on rookie mistakes without more information. If I haven’t dropped enough hints, I believe this actor is highly skilled, extremely patient, and well funded. Stay tuned for “Part Two: A Hypothetical Attack Life Cycle” where we’ll explore what may have happened behind the scenes.

Why not something else? Why not everything else?




Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Things to Know About Cross-Site Request Forgery

PolyPunks Givaway Winners!

VPN 101: Here’s why you need it in 2020

Spear Phishing with Go phish Framework

{UPDATE} Scorer Agricola Plus Hack Free Resources Generator

Solution to restoring accounts in the case of lost password

{UPDATE} Ice Hockey Flipper Hack Free Resources Generator

Coinversation Protocol

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Dan Hranj

Dan Hranj

More from Medium

Bypassing perimeter security with VHD files

Building an Active Directory lab

Basic Overview: Active Directory Hacking

Active Directory Penetration Testing & THM VulnNet: Roasted