Russian hackers allegedly breached many US computer networks and may have had access to significant amounts of secure data for several months, based on news reports.
In many ways, because federal agencies rely on these networks, the attack may have put the security of the United States at risk, writes a former Homeland Security adviser to President Donald Trump.
“Last week, the cybersecurity firm FireEye said it had been hacked and that its clients, which include the United States government, had been placed at risk,” writes Thomas P Bossert, Mr Trump’s former Homeland Security Adviser who is now the president of Trinity Cyber, in The New York Times. “This week, we learned that SolarWinds, a publicly traded company that provides software to tens of thousands of government and corporate customers, was also hacked.”
The servers we use at Voxitatis have also been under attack by hackers based in Russia trying to invade our network through a hole in software from SolarWinds that we might not have patched. An examination of our log files reveals the following attempt:
22.214.171.124 - - [13/Dec/2020:03:53:04 -0500] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 248 "-"
126.96.36.199 - - [13/Dec/2020:03:53:04 -0500] "POST /api/jsonws/invoke HTTP/1.1" 404 215 "-"
188.8.131.52 - - [13/Dec/2020:03:53:04 -0500] "GET /index.php?s=/Index/\\think\\app/invokefunction&function=call_user_func_array&vars=md5&vars=HelloThinkPHP21 HTTP/1.1" 404 207 "-"
184.108.40.206 - - [13/Dec/2020:03:53:05 -0500] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 220 "-"
220.127.116.11 - - [13/Dec/2020:03:53:07 -0500] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 234 "-"
18.104.22.168 - - [13/Dec/2020:03:53:07 -0500] "GET /?a=fetch&content=die(@md5(HelloThinkCMF))HTTP/1.1" 200 234 "-"
22.214.171.124 - - [13/Dec/2020:03:53:08 -0500] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 248 "-"
126.96.36.199 - - [13/Dec/2020:03:53:08 -0500] "GET /wp-content/plugins/wp-file-manager/readme.txt HTTP/1.1" 404 243 "-"
188.8.131.52 - - [13/Dec/2020:03:53:08 -0500] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 227 "-"
184.108.40.206 - - [13/Dec/2020:03:53:08 -0500] "GET /console/ HTTP/1.1" 404 206 "-"
The IP address at the beginning of each line represents the user’s browser (or a robot that looks like a browser), but the IP address can be forged pretty easily. We checked where it came from and found it in the Russian Federation:
organisation: ORG-RBL8-RIPE
org-name: Red Bytes LLC
org-type: OTHER
address: ul. Novoaleksandrovskaya (ter. Shuvalovo), 64A, pom. 1N, of. 3
address: 197375 Saint Petersburg
address: Russian Federation
abuse-c: RBL9-RIPE
created: 2019-12-06T13:57:16Z
last-modified: 2019-12-16T14:38:55Z
This appears to be an Internet Service Provider in Russia, but it doesn’t tell us who the customer is using that network. A hacking attempt originated from this network, so shortly after we noticed this malicious attempt to invade our network by looking for vulnerable SolarWinds software in a “typical” file where we might have installed it, we blocked the IP address range associated with this ISP.
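The check described above, as an added illustration rather than code from the Voxitatis post: this Python parses Apache combined-format log lines like the ones in the excerpt, classifies each request target against the probe paths that appear there, and lists the source addresses that crossed a hit threshold, which is the evidence a defender gathers before blocking a range. The sample lines are constructed and use RFC 5737 documentation addresses, not the addresses from the excerpt.

```python
import re
from collections import Counter, defaultdict

# Apache combined log format, laid out as in the excerpt above.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})')

# Request targets only a scanner for known web-app weaknesses asks for; each mirrors one excerpt line.
PROBE_PATTERNS = {
    "phpunit eval-stdin": re.compile(r"/vendor/phpunit/.*/eval-stdin\.php"),
    "liferay jsonws": re.compile(r"^/api/jsonws/invoke"),
    "thinkphp invokefunction": re.compile(r"invokefunction&function=call_user_func_array"),
    "solr admin info": re.compile(r"^/solr/admin/info/system"),
    "xdebug trigger": re.compile(r"XDEBUG_SESSION_START="),
    "thinkcmf fetch": re.compile(r"[?&]a=fetch&content="),
    "wp-file-manager readme": re.compile(r"/wp-content/plugins/wp-file-manager/readme\.txt"),
    "exchange autodiscover": re.compile(r"^/autodiscover/autodiscover\.xml", re.I),
    "console path": re.compile(r"^/console/?$"),
}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(target):
    """Name the probe a request target matches, or None for ordinary traffic."""
    for name, pat in PROBE_PATTERNS.items():
        if pat.search(target):
            return name
    return None

def scan_log(lines, threshold=3):
    """Count probe hits per source IP; return (hits, IPs at or over threshold).
    Status is ignored: two excerpt probes got 200 (site served its front page)."""
    hits = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        name = classify(rec["target"]) if rec else None
        if name:
            hits[rec["ip"]][name] += 1
    block = sorted(ip for ip, c in hits.items() if sum(c.values()) >= threshold)
    return hits, block

# Constructed sample in the excerpt's format; the addresses are RFC 5737 documentation IPs.
SAMPLE_LOG = """\
203.0.113.7 - - [13/Dec/2020:03:53:04 -0500] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 248 "-"
203.0.113.7 - - [13/Dec/2020:03:53:05 -0500] "GET /solr/admin/info/system?wt=json HTTP/1.1" 404 220 "-"
203.0.113.7 - - [13/Dec/2020:03:53:07 -0500] "GET /?XDEBUG_SESSION_START=phpstorm HTTP/1.1" 200 234 "-"
198.51.100.9 - - [13/Dec/2020:03:54:10 -0500] "GET /index.php HTTP/1.1" 200 1200 "-"
198.51.100.9 - - [13/Dec/2020:03:54:11 -0500] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 404 227 "-"
""".splitlines()
```

Running `scan_log(SAMPLE_LOG)` flags only 203.0.113.7 with the default threshold; a single stray hit, like the Autodiscover request from 198.51.100.9, is recorded but not yet enough to act on.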
Hackers, unfortunately, set up whole farms of servers to do their bidding. An attack of this magnitude takes considerable planning and may have started when President Donald Trump signed an executive order in May 2018 to eliminate the position of “cybersecurity czar.”
Putin & I discussed forming an impenetrable Cyber Security unit so that election hacking, & many other negative things, will be guarded..
— Donald J. Trump (@realDonaldTrump) July 9, 2017
The line colored red in the log shows an attempt to access any installation on our system of SolarWinds software. We did try to install a secure FTP server from SolarWinds earlier this year but determined the product did not meet our needs for secure FTP. Thank goodness.
Not that Russians would find anything interesting on our servers, since we basically report news that is already available to the public. We certainly don’t have any files with information on our servers that aren’t available to the public via a publicly-available website, so the need for SolarWinds software to monitor our network traffic is far beyond the needs we have as an organization.
In short, the data we have on our servers isn’t likely to be useful to hackers, since it won’t get them any money and it doesn’t really include sensitive information. The attack against networks operated by the US government is a completely different beast, but the attempts by hackers are just as brazen and relentless. Who knows how much sensitive information these Russian hackers may have gained access to?
Schools and school districts, however, are ripe for invasion by hackers. One form of attack is ransomware, as happened recently in Baltimore County, Maryland; in that situation the hackers just want money.
That incident reflects a broader understanding that schools, during a pandemic in which many schools and districts depend on online tools even to conduct the business of education, continue to suffer at the hands of cybercriminals.
Just a few days before the SolarWinds attack news was made public, CNN reported that a joint cybersecurity bulletin issued last week by the FBI, the Department of Homeland Security, and a consortium that monitors nationwide online threats noted that hackers are “targeting kindergarten through twelfth grade (K-12) educational institutions, leading to ransomware attacks, the theft of data, and the disruption of distance learning services.”
The threat has increased during the pandemic, the bulletin noted: 57 percent of ransomware incidents in August and September involved K-12 students, while only 28 percent of ransomware attacks between January and July did.
It may be useful to ask why the federal government is trusting its networks to private firms such as SolarWinds. It’s a good company with excellent products, but it has an interest in profit, which does not serve the public good as well as other options. The federal government must have better options for network management.
We have long questioned the privatization of public schools and the role of for-profit charter schools and universities. The vulnerabilities introduced by profit motives leave our precious data and other secure information exposed, just as the federal government’s reliance on private firms like SolarWinds did here. The security of the US affects far more people than a Russian hacker posting discipline reports about US students because a school district wouldn’t pay a ransom, but the two acts are just as illegal and both speak to the drawback of profit.