![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
I am really quite disconcerted by the major "hack" and what seems to be insufficient reporting about the whole mess. I am happy to answer questions.
* SolarWinds - a company that sells software that installed on corporate and governmental networks so that the company can more easily monitor how the network is being used (and databases, and, and, and.)
* Orion is the name of the program that was "trojaned"
* "Trojan" is using the metaphor of the trojan horse: the application looks like one thing, but has a hidden threat. In this case, the threat was a "back door," access into the monitored network that would be hard to observe. Generically i will call this the Solarwinds exploit: ie, the thing that was exploited by the bad actor.
* SolarWinds, at my last reading, had identified that the exploit was added in the "build process." That means it wasn't in the software that was written by their developers, but it was -- to oversimplify -- added to the list of parts of code written by SolarWinds and all the other "off the shelf" parts used to make the application called Orion.
* While the access to SolarWinds network that they accidentally leaked to the open web -- the password "solarwinds123" -- wasn't what was used to insert the exploit, it doesn't inspire confidence.
* 18000 companies downloaded and may have installed the software with the exploit, and when they did, the exploit "phoned home" and notified the bad actor that another instance of the exploit was available for exploration.
To refer to this as an "attack on the US" is inaccurate. From the attacks Microsoft can observe (presumably because the customers are using Microsoft's cloud services) Microsoft sees that "Of the victims, 80% are located in the U.S. while the others are in seven other countries: Canada, Mexico, the U.K., Belgium, Spain, Israel and the United Arab Emirates." However, if a SolarWinds customer uses a different system for identity management, say Okta, Microsoft can't know anything about them.
My private notes on the ( 2020 Massive Hack (UNC2452, Dark Halo) )
* SolarWinds - a company that sells software that installed on corporate and governmental networks so that the company can more easily monitor how the network is being used (and databases, and, and, and.)
* Orion is the name of the program that was "trojaned"
* "Trojan" is using the metaphor of the trojan horse: the application looks like one thing, but has a hidden threat. In this case, the threat was a "back door," access into the monitored network that would be hard to observe. Generically i will call this the Solarwinds exploit: ie, the thing that was exploited by the bad actor.
* SolarWinds, at my last reading, had identified that the exploit was added in the "build process." That means it wasn't in the software that was written by their developers, but it was -- to oversimplify -- added to the list of parts of code written by SolarWinds and all the other "off the shelf" parts used to make the application called Orion.
* While the access to SolarWinds network that they accidentally leaked to the open web -- the password "solarwinds123" -- wasn't what was used to insert the exploit, it doesn't inspire confidence.
* 18000 companies downloaded and may have installed the software with the exploit, and when they did, the exploit "phoned home" and notified the bad actor that another instance of the exploit was available for exploration.
To refer to this as an "attack on the US" is inaccurate. From the attacks Microsoft can observe (presumably because the customers are using Microsoft's cloud services) Microsoft sees that "Of the victims, 80% are located in the U.S. while the others are in seven other countries: Canada, Mexico, the U.K., Belgium, Spain, Israel and the United Arab Emirates." However, if a SolarWinds customer uses a different system for identity management, say Okta, Microsoft can't know anything about them.
My private notes on the ( 2020 Massive Hack (UNC2452, Dark Halo) )
Tags: