The mysterious software company behind the hacking of U.S. government agencies

William Turton, Bloomberg, 2020-12-19
Little known outside of tech circles, its customer list boasts every branch of the U.S. military and four-fifths of the Fortune 500.

(Chinese translation: 冯丰; review: 夏林, 财富中文网. The Bloomberg original text follows.)


At the epicenter of the most sprawling cyber-attack in recent memory is a two-decade-old, Austin, Tex.-based software maker called SolarWinds. Little known outside of tech circles, its customer list boasts of every branch of the U.S. military and four-fifths of the Fortune 500.

Many of those customers found themselves ensnared in the attack because suspected Russian hackers inserted a vulnerability into a popular SolarWinds software product, designed to give users a bird’s eye view of the varied web of applications that keep their operations humming.

In a filing to the U.S. Securities and Exchange Commission on Monday, SolarWinds said it believed its monitoring products could have been used to compromise the servers of as many as 18,000 of its customers. Those clients include government agencies around the globe and some of the world’s largest corporations.

The company “has been made aware of a cyber-attack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run,” according to the filing. “SolarWinds has been advised that this incident was likely the result of a highly sophisticated, targeted and manual supply chain attack by an outside nation state.”

SolarWinds fell 6% in early trading Tuesday. The company fell 17% on Monday, the worst drop since it went public in October 2018. The company said it has sent mitigation steps to relevant customers and is providing an additional “hotfix” update Dec. 15.

APT 29, a hacking group linked to the Russian government, is suspected of being behind the breach. The Department of Commerce was breached, as were the departments of Homeland Security and Treasury, Reuters reported.

The global hacking campaign also included the Dec. 8 cyber-attack on the cybersecurity firm FireEye.

The Russian Embassy has denied any involvement in the hack, saying that Russia “does not conduct offensive operations in the cyber domain.”

Governments and companies are now racing to determine how such a security disaster materialized, and how it is that an obscure company founded by two brothers in the 1990s now appears to be at the heart of a potentially major Russian intelligence coup.

According to its website, SolarWinds has more than 300,000 customers. Outside the U.S., SolarWinds has picked up contracts for the U.K. National Health Service, European Parliament and NATO, according to its website.

The company was founded in Tulsa more than two decades ago by brothers David Yonce and Donald Yonce after they heard friends “griping about a long, specific list of frustrations managing their infrastructures,” according to an article from January on the company’s website. “They were part of the same perennial discussion we all share in tech. ‘Why can’t somebody just make a tool that X?!’ The difference was they decided to do something about it.”

SolarWinds provides network monitoring needs for government agencies and private sector companies, marketing itself on its LinkedIn page as “Everybody’s IT.” SolarWinds has taken down its webpage that details its U.S. government and private-sector clients.

Its Orion product is a powerful and important monitoring tool, allowing computer systems administrators to see the status of a company or organization’s network at a glance. Because Orion provides information on the entire network, it also has privileged access to sensitive parts of the network.

“It gives you visibility across our entire network and allows you to quickly respond when a server or router goes down,” said Ben Johnson, chief technology officer of Obsidian Security. “But if you’re trying to do global monitoring of systems and traffic, that has very trusted access.”

Hardly a household name, SolarWinds is the number three maker of IT operations software, behind Splunk Inc. and International Business Machines Corp., according to data provided by Gartner Inc. SolarWinds’ other main competitors are Cisco Systems Inc. and Microsoft.

Hackers penetrated Orion’s update system, introducing malicious code disguised as legitimate Orion updates, according to blog posts by FireEye and Microsoft Corp. The malicious code was present in updates released between March and June, the company said. According to FireEye, the hacking tool embedded within the update even stored the data it stole within the Orion software so as to evade detection. The result was that hackers could snoop on a company’s network while appearing to be legitimate traffic.

As of mid-day Monday, the malicious update was still available for download on SolarWinds’ website, according to Karim Hijazi, founder and chief executive of Prevailion Inc., a Maryland-based cybersecurity firm. Hijazi said his team compared the available download with the security alerts identifying the tampered update, and it was an exact match.

That appears to contradict a statement the company made earlier in the day that Orion products downloaded after June didn’t contain the vulnerability. When asked about continued access to the malicious file, SolarWinds denied the claim and referred a Bloomberg reporter back to the company’s statement to the SEC. Following the email exchange, the web page that previously hosted the malicious software update was taken down, Prevailion said. It now reads, “Not found.”
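The check Prevailion describes above, hashing a file fetched from a vendor's download page and comparing it with the digests published in security alerts, as an added Python example. This is not Prevailion's, SolarWinds' or Bloomberg's code; the file names, file contents and indicator values are constructed for the demo and are not real indicators of compromise. The caveat the episode illustrates: a tampered build delivered through the vendor's own update channel presents itself as a legitimate release, so a download being "current" on the vendor site tells you nothing, and matching against known-bad digests is the check that actually decides the question.

```python
"""Match a downloaded installer against published hash indicators.

Added example, not vendor code. Security alerts publish MD5, SHA-1 and
SHA-256 digests interchangeably and with inconsistent casing, so the
matcher picks the algorithm from the digest length and normalizes case.
"""
import hashlib
import tempfile
from pathlib import Path

# Hex digest length -> hashlib algorithm name.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def digest_file(path, algo="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large installer never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def normalize_iocs(iocs):
    """Group indicator digests by algorithm, lower-cased; drop malformed entries."""
    grouped = {}
    for raw in iocs:
        value = raw.strip().lower()
        algo = _ALGO_BY_LEN.get(len(value))
        if algo is None or any(c not in "0123456789abcdef" for c in value):
            continue  # not a hex digest of a supported length
        grouped.setdefault(algo, set()).add(value)
    return grouped


def check_update(path, known_bad, known_good=()):
    """Classify a downloaded artifact.

    Returns "known-bad" if any digest matches a published indicator,
    "known-good" if it matches a hash the operator has vetted, else
    "unknown" (which must not be read as "safe"). Known-bad wins over
    known-good so a stale allowlist cannot mask an indicator hit.
    """
    bad = normalize_iocs(known_bad)
    good = normalize_iocs(known_good)
    # Only compute the algorithms some list actually uses.
    digests = {algo: digest_file(path, algo) for algo in set(bad) | set(good)}
    if any(digests[algo] in bad[algo] for algo in bad):
        return "known-bad"
    if any(digests[algo] in good[algo] for algo in good):
        return "known-good"
    return "unknown"


def demo():
    """Constructed sample: three fake installer files and hash lists built from two of them."""
    samples = {
        "Orion-update-bad.msi": b"CONSTRUCTED SAMPLE: tampered update\n",
        "Orion-update-good.msi": b"CONSTRUCTED SAMPLE: vetted update\n",
        "Orion-update-new.msi": b"CONSTRUCTED SAMPLE: never seen before\n",
    }
    # An alert might publish the indicator as upper-cased SHA-1; the operator's
    # own vetted hash might be SHA-256. normalize_iocs() reconciles both.
    known_bad = [hashlib.sha1(samples["Orion-update-bad.msi"]).hexdigest().upper()]
    known_good = [hashlib.sha256(samples["Orion-update-good.msi"]).hexdigest()]
    verdicts = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            p = Path(tmp) / name
            p.write_bytes(content)
            verdicts[name] = check_update(p, known_bad, known_good)
    return verdicts


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In practice `known_bad` is the digest list from the vendor's or a researcher's advisory and `known_good` is whatever the operator has already vetted; an "unknown" verdict is a reason to hold the install, not to proceed.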

The number of victims is likely to climb as companies and governments comb their computer systems for traces of the hackers.

“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” according to FireEye. “We anticipate there are additional victims in other countries and verticals.”

The breadth of the damage caused by the hacking campaign is still unknown. The Russian hackers most likely prioritized the most valuable intelligence targets first, meaning they would not have had time to penetrate every SolarWinds customer. “Once you’re discovered, that’s when you start to pull everything you can,” Johnson said. “It’s going to be a crazy week.”
