Cybersecurity news headlines for December 2020
In the last edition of cybersecurity news headlines for 2020, we report on the SolarWinds hack which could have potentially dire long-term consequences, a cyber attack on EU’s regulatory body responsible for approving COVID-19 vaccines in Europe, and Norway claiming Russian hackers are responsible for the Parliament cyberattack in August 2020.
Without further ado, here’s what made the biggest headlines in December 2020.
Massive cyber attack on SolarWinds could have allowed attackers to spy on US government entities
It was recently uncovered that SolarWinds, a major software company that provides services to the US government and various other important entities, has suffered a cyber attack on a massive scale. According to Reuters, who were one of the first to report the incident, the attack also spread to the company’s clients, including cybersecurity firm FireEye, US’s Department of Homeland Security, and the Treasury Department. While Russia has denied being involved, state sponsored Russian hackers are believed to be behind the attack.
The attack was first noticed by the cybersecurity giant FireEye who released its initial findings on December 8, 2020, and then on December 13, 2020.
“We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” FireEye’s CEO Kevin Mandia said in a statement.
The attack reportedly was carried out in early 2020 and involved the hackers adding malicious code into Orion, SolarWind’s software that is used by 33,000 companies and entities to manage IT resources. Updates (versions 2019.4 through 2020.21) released between March and June 2020 reportedly contained the malicious code, putting all customers in potential danger of being spied on. The code in the software essentially created a backdoor that could be used by the attackers to perform malicious activities on affected systems.
According to SolarWinds, up to 18,000 customers installed the updates containing the malicious codes. Considering who SolarWind’s customers are, the attack could have incredibly severe consequences. Among the affected entities are the Department of Homeland Security, the Department of Energy, the National Nuclear Security Administration, and the Treasury. Private companies like tech giant Microsoft, Cisco, and Intel were also among those potentially targeted in the attack.
In a statement released by Microsoft on December 31, 2020, the tech giant said while it detected malicious SolarWinds applications in its systems, there is no evidence to indicate that production services or customer data were accessed, or that its systems were used to attack other entities. The attacker, who Microsoft has called a “sophisticated nation-state actor”, was able to use an internal account to view source code in a number of source code repositories.
“We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated,” the tech giant said in an update on their investigation.
The attack itself and its massive scale are worrying enough, what’s worse is that it went undetected for months. Furthermore, some companies/organizations may not know for certain whether they were affected. The attack was also initially detected by a private cybersecurity company FireEye and not by US government agencies responsible for protecting cyberspace.
EU’s regulatory body responsible for approving COVID-19 vaccines reportedly suffers a cyber attack
In early December 2020, The European Medicines Agency (EMA), the agency in charge of approving the COVID-19 vaccines in Europe, reported a cyber attack. In a very brief statement released on December 9, 2020, the agency reported that the EMA has been the subject of a cyber attack and has launched a full investigation in cooperation with law enforcement. The initial statement did not provide any additional information, explaining that the investigation was still ongoing. The EMA released three following statements, revealing that data has been breached during the attack.
“An initial review revealed that a limited number of documents belonging to third parties were unlawfully accessed. The concerned companies are being informed,” one of the statements reads. The update further revealed that the agency was able to remain fully functional and that COVID-19 vaccine approval was not affected.
It was later revealed that a limited number of third-party documents were accessed without authorization. Upon further investigation, it became clear that the data breach was limited to one IT application. The primary target appears to have been data related to COVID-19 medication and vaccines. The third parties whose data was illegally accessed have been contacted.
BioNTech, a developer of one of the COVID-19 vaccines, released their own statement in which the company revealed that “documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed”. The company also stressed that no BioNTech or Pfizer systems were breached during the attack on EMA, nor have any study participants been identified via the data that was accessed.
Norway says Russian hackers are to blame for the Parliament hack in August 2020
Back in September 2020, a hack on the Norwegian Parliament (Stortinget) was disclosed to the public. According to Marianne Andreassen, the current director of Stortinget, hackers breached email accounts for elected representatives and employees, allowing them to steal information. The initial reveal of the attack did not disclose much information, including who was responsible, but a follow-up in October by Eriksen Soreide, Norway’s Minister of Foreign Affairs, pointed to Russian hackers as the culprits. As can be expected, the accusations were immediately denied by Moscow, with Russian Foreign Ministry spokesperson Maria Zakharova calling them unfounded.
However, Norway’s cyber-security agency upheld the initial findings that Russian hackers are responsible. Based on the analysis, the Norwegian police secret service (PST) said that the operation was likely carried out by a cyber actor known as APT28 and Fancy Bear. The actor is linked to Russia’s military intelligence service GRU, specifically their 85th Special Services Center (GTsSS). According to PST officials, the malicious actor was successful in breaching Stortinget email accounts but was unable to get into the Parliament’s internal networks.
The investigators also blamed Stortinget itself, as employees were not using adequate protection measures, had weak passwords for emails, and failed to enable two-factor authentication for accounts.
Despite the fact that PST was able to link the attacks to tactics used by APT28, a formal indictment cannot be filed as there is not enough evidence to support the claims.
References
- Dustin Volz. U.S. Agencies Hacked in Foreign Cyber Espionage Campaign Linked to Russia. The Wall Street Journal.
- Ellen Nakashima and Craig Timberg. Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce. The Washington Post.
- Christopher Bing. Suspected Russian hackers spied on U.S. Treasury emails – sources. Reuters.
- Catalin Cimpanu. FireEye, one of the world’s largest security firms, discloses security breach. ZDNet.
- EMA. Cyberattack on the European Medicines Agency. Update 1. Update 2. Update 3.
- Catalin Cimpanu. Norway says Russian hacking group APT28 is behind August 2020 Parliament hack. ZDNet.
Site Disclaimer
WiperSoft.com is not sponsored, affiliated, linked to or owned by malware developers or distributors that are referred to in this article. The article does NOT endorse or promote malicious programs. The intention behind it is to present useful information that will help users to detect and eliminate malware from their computer by using WiperSoft and/or the manual removal guide.
The article should only be used for educational purposes. If you follow the instructions provided in the article, you agree to be bound by this disclaimer. We do not guarantee that the article will aid you in completely removing the malware from your PC. Malicious programs are constantly developing, which is why it is not always easy or possible to clean the computer by using only the manual removal guide.