On December 13, 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive stating that network monitoring products from the Texas company SolarWinds were being “exploited by malicious actors” and “pose an unacceptable risk to US government agencies.”
On December 16, Reuters reported that the hackers were believed to be working for the Russian government and had been monitoring internal email traffic at the US Treasury and Commerce departments for months.
Reuters reported that the attackers got in by hijacking SolarWinds’ automated software update process, so that a trojanized update was delivered to tens of thousands of customers. Those customers included federal, state, local and tribal governments, as well as corporations and universities.
On the day of the Reuters report, UW System Associate Vice President of Information Security Katherine Mayer sent an email to administrative staff with the subject “Information Security Incident – SolarWinds,” according to documents WPR obtained through a public records request.
“It is estimated that this incident was likely the result of a sophisticated, targeted, and manual attack on the supply chain by an external nation-state,” Mayer wrote. “This campaign could have started as early as spring 2020 and is currently ongoing. The most dangerous effects of this campaign are lateral movements within infiltrated networks and the exfiltration of data from the compromised networks.”
In the days that followed, Mayer and other IT leaders across the UW System worked to figure out which servers at the system’s 26 campuses, the system headquarters, UW Shared Services and UW Extended Campus might be running SolarWinds products.
On December 18, UW System Director of Information Security Governance, Risk and Compliance Nicholas Davis asked Mayer by email whether procurement staff at headquarters could look through recent campus purchases of SolarWinds products.
“I’m just not comfortable hearing, ‘We didn’t have it’ without evidence or even knowing how they came to that decision,” said Davis.
Procurement documents showed that UW-Eau Claire, UW-Green Bay, UW-Oshkosh, UW-Stout and UW-Stevens Point made purchases from SolarWinds in the past year. But that didn’t tell the whole story as the company has multiple products and only its Orion software was considered compromised.
CISA’s first warning included a list of instructions for Orion users. They were told to disconnect or power down every system running the software, to forensically image system memory and host operating systems and analyze them for a list of file names, and to review stored network traffic for signs of compromise. A subsequent alert said the SolarWinds attackers had been observed bypassing Duo multi-factor authentication to reach Outlook email; in the reported case the bypass relied on a secret key stolen from the mail server’s Duo integration, which let the attackers mint valid MFA session cookies, rather than on a flaw in Duo itself.
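As an added example (not code from the article, CISA or SolarWinds), the following Python script shows the kind of check the directive’s “list of file names” step implies: walk a mounted forensic image, hash every file, and flag both files whose SHA-256 is in a known-bad set and files that merely carry a watched name. The directory tree and the hash values it scans are constructed for the demo; the only real identifier is the Orion DLL name, and the script is meant to be pointed at an image or read-only mount rather than at a live Orion host.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# File names worth flagging even before a hash is known. The DLL below is the
# Orion component CISA's directive named; the hash values used in demo_scan()
# are CONSTRUCTED for this example and are not real indicators.
WATCHED_NAMES = {"solarwinds.orion.core.businesslayer.dll"}


def sha256_of(path):
    """Stream a file through SHA-256 so large images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, watched_names, bad_hashes):
    """Walk a (mounted, read-only) image tree; return (path, kind, sha256) hits.

    kind is "hash-match" when the digest is in the IOC set, or "name-only"
    when only the file name matches. A name-only hit still needs its version
    checked against the affected range; it is not proof of compromise.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # unreadable entry in the image; skip it
            if digest in bad_hashes:
                findings.append((str(path), "hash-match", digest))
            elif name.lower() in watched_names:  # NTFS names are case-insensitive
                findings.append((str(path), "name-only", digest))
    return findings


def demo_scan():
    """Build a constructed tree with two copies of the watched DLL, seed one
    of them into the IOC set, and return findings grouped by kind."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for sub in ("server1", "server2"):
            (root / sub).mkdir()
        trojan = root / "server1" / "SolarWinds.Orion.Core.BusinessLayer.dll"
        trojan.write_bytes(b"CONSTRUCTED: stands in for a trojanized build")
        clean = root / "server2" / "SolarWinds.Orion.Core.BusinessLayer.dll"
        clean.write_bytes(b"CONSTRUCTED: stands in for an unmodified build")
        (root / "server2" / "notes.txt").write_bytes(b"unrelated file")
        # In a real run the IOC set comes from the directive or a vendor feed;
        # here it is seeded from the constructed sample so the demo runs offline.
        bad_hashes = {sha256_of(trojan)}
        findings = scan_tree(root, WATCHED_NAMES, bad_hashes)
    grouped = {}
    for path, kind, _digest in findings:
        grouped.setdefault(kind, []).append(path)
    return grouped


if __name__ == "__main__":
    for kind, paths in sorted(demo_scan().items()):
        print(kind, paths)
```

The split between “hash-match” and “name-only” matters in practice: an unmodified Orion install carries the same DLL name as a trojanized one, so a name hit only tells you which hosts to pull version numbers and build hashes from, while a hash hit is what justifies the disconnect-and-image steps in the directive.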
Campus officials were also given instructions on how to check their Microsoft email systems for signs of suspicious activity, and a December 21 email to the Board of Regents contained a summary of the SolarWinds hack.
That email revealed that three UW institutions were running the affected version of the SolarWinds software but had found no malicious code. The servers were disconnected while IT staff installed a security patch provided by SolarWinds.
Much of the December 21 email to the regents concerned two of the 15 UW institutions and included several lines of text and six bullet points that were redacted. What remained said the “estimated number of people affected / records disclosed” was undetermined and that an investigation was ongoing.
In an interview with WPR, UW System interim president Tommy Thompson said he could not comment on which two institutions the email referred to or how the system was affected. He said, however, that hackers from around the world are constantly trying to break into UW computer systems and that the SolarWinds incident was no different. Thompson compared the ongoing threat to a cybersecurity war.
“A good number of the hackers are actually employed by foreign governments and it’s like a full-time job for them where they come to work in the morning and get a computer that they can use to hack all over America,” Thompson said.
Thompson said part of the challenge in protecting the UW System from hackers is its large digital footprint.
“And when you have 26 campuses and 13 universities and thousands of servers, you can imagine that we could be an easy target,” Thompson said.
To reduce the number of ways a potential hacker can infiltrate the UW system’s computer networks, Thompson wants to consolidate them and move data to a cloud-based system he calls “IT as a Service”.
“And consolidating all of the servers and centralizing IT is a big job,” said Thompson. “So it narrows the breadth of what can be hacked and how the hackers can get into our system.”
Other Thompson initiatives include centralizing university purchasing and administrative functions through the Procure-to-Pay Automation Initiative and the Administrative Transformation Program.
Thompson said the UW System has made good progress and that he hopes to advance IT as a Service to the point where the next UW System president can easily complete it.
“But it’s going to be expensive,” said Thompson. “And the resources that are needed for this are so great that I am not sure whether the legislature will be satisfied with us.”
Universities seemed “collateral damage”
Von Welch is the vice president of information security at Indiana University and executive director of OmniSOC, a shared security operations center built by a group of universities.
He said the scale of the SolarWinds attack was huge, but the attackers appeared to be focused on federal agencies. Welch said other clients, like universities, appeared to be more of “collateral damage.”
Information security staff usually watch for hackers trying to break in from outside, Welch said, but this time the intruders had been inside for months by the time the alert went off.
“To be honest,” Welch said, “I don’t know of any organization that is mature enough to look at their major updates so closely to find something like this. This is incredibly difficult. Suddenly you basically have your attacker with access to you from within. And then you play, you know, to catch up.”
Welch said the attack reinforced the notion that any time new software or updates are brought onto a secure computer network, there is a chance that malicious code could hitchhike.
“It just emphasizes the importance of segmenting our networks and trying to isolate different parts of our systems from each other,” Welch said. “So if any part of our infrastructure is compromised by supply chain attacks like this, or a phishing scheme or whatever, it’s consistently not a major problem.”
Scott White is the Cybersecurity Program Director at George Washington University in Washington, DC. He told WPR that the U.S. Cybersecurity and Infrastructure Security Agency has provided SolarWinds customers with a tool to look for signs that attackers have compromised their networks, and it appears to be working fine. However, he said IT pros are still finding other vulnerabilities related to the attack.
“There was other malware that they thought came through the same back door,” White said. “So that’s the problem, isn’t it? It’s not just the first attack. That back door was open, and what other malware products have been distributed?”
White said he anticipates future revelations related to the SolarWinds hack “for quite a while”.
Editor’s Note: Wisconsin Public Radio is a service provided by the University of Wisconsin-Madison and the Wisconsin Educational Communications Board.
Wisconsin Public Radio can be heard locally on 91.3 KUWS-FM and on wpr.org.
Wisconsin Public Radio, © Copyright 2021, Board of Regents of the University of Wisconsin System and Wisconsin Educational Communications Board.