THE TIBERIUM BLOG - recent events, threats, and all things cyber

The Swords of a Thousand Men

…and women, possibly children too, if you believe the papers.

Even if you had spent the last 2 months trekking across the Mongolian Steppe avoiding what is left of the Horde you will surely have heard about the sublime breach of Government departments, large software companies, and possibly some big Internationals via a supply chain infection, namely the deployment of a backdoor in SolarWinds network management software, which after being automatically deployed to SolarWinds customers enabled a quite beautiful, almost perfectly executed large scale compromise exercise.

As more information on the full attack cycle and scale emerges, together with the usual ‘wasn’t us’, ‘look over there’ shizzle, the plot thickens and becomes increasingly confusing.

This week we saw some pretty outrageous press headlines, many of which claimed that Microsoft (who were themselves breached, in some way, maybe, see below) “analysis of the SolarWinds hack suggests the code behind the crack was the work of a thousand or more developers.”

What does that even mean? Well, let us have a think.

Clearly, the Nation State team executing the breach was not made up of 1000 developers. The personal experience of some of us at Tiberium is that this activity is typically executed by at least three small teams, very carefully managed. Perhaps an infiltration team (including at least some of the reconnaissance), an exploit team who use the initial infiltration and lateral infection to exfiltrate identified assets of the mark, and a cleanup team, who, you know, clean up.

Offensive procedures like this are used by security services the world over, and not just for cyber. Many probably go unnoticed. Being noticed is either a failure, a warning, or not giving a single foxtrot after the job is done. The Mossad assassination of Mahmoud al-Mabhouh, a senior Hamas commander, in a Dubai hotel room (using muscle relaxants and a pillow) by an assassination team of eleven is a case in point; being caught on camera, in this case, will be either not giving one or a warning, and it is even on YouTube.

Right, back to the subject. What Microsoft was probably trying to say is that at least a thousand developers were involved in not just the exploit, but in all the associated tooling, zero days, nifty little exploits (how we would like to see the library!), etc. And they are probably right.

What they also may be saying is that the Nation responsible for this has those resources. Step forward China with just the 100,000 personnel. Regular readers of this Blog (and others similar) will recall that we have always had a side bet on Chinese involvement from the outset, having seen the horde in action and trying to stop them in a David and Goliath scenario.

No surprise, then, that this week Microsoft admitted that source code for some Azure components, Exchange and Intune was pilfered. No biggy! Seems much more reasonable if you know that over a thousand developers were behind it, doesn’t it, mwahahaha?

In the joint wash-up press conference of Microsoft and FireEye, Kevin Mandia revealed how his firm spotted the attack when an attempt at two-factor authentication raised suspicion:

“A FireEye employee was logging in, but the difference was our security staff looked at the login, and we noticed that individual had two phones registered to their name,” he said. “So our security employee called that person up, and we asked, ‘Hey, did you actually register a second device on our network?’ And our employee said, ‘No. It wasn’t, it wasn’t me.’”

Now, we really do not like to teach our grandmother to suck eggs or anything else for that matter, but the very first SIEM/SOC deployment, which a number of us at Tiberium were responsible for way back in the day (the heady days of 2009ish, when you could still buy a pint, omelette and chips for a fiver in The North Pole, the now closed pub not the place), had a use case for exactly this.
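The use case described above, sketched as an added example (not Tiberium's or FireEye's actual rule): flag an account that gains a second MFA device, and any login that then relies on it. The event schema, field names, alert names and sample events are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (hypothetical schema, not from any real product).
EVENTS = [
    {"ts": "2020-06-01T09:00:00", "type": "mfa_enroll", "user": "alice", "device": "phone-A"},
    {"ts": "2020-06-02T08:30:00", "type": "login", "user": "alice", "device": "phone-A"},
    {"ts": "2020-06-03T10:00:00", "type": "mfa_enroll", "user": "bob", "device": "phone-B"},
    {"ts": "2020-11-10T02:14:00", "type": "mfa_enroll", "user": "alice", "device": "phone-X"},
    {"ts": "2020-11-10T02:20:00", "type": "login", "user": "alice", "device": "phone-X"},
    {"ts": "2020-11-11T09:00:00", "type": "login", "user": "bob", "device": "phone-B"},
    {"ts": "2020-11-12T09:00:00", "type": "login", "user": "alice", "device": "phone-A"},
]

def detect_second_device(events, recent=timedelta(days=7)):
    """Return alerts for extra MFA enrolments and logins that rely on them."""
    enrolled = defaultdict(dict)  # user -> {device: enrolment time}
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, device = ev["user"], ev["device"]
        devices = enrolled[user]
        if ev["type"] == "mfa_enroll":
            # A new device on an account that already has one: call the owner.
            if devices and device not in devices:
                alerts.append((ev["ts"], user, "second_device_enrolled", device))
            devices.setdefault(device, ts)
        elif ev["type"] == "login":
            if device not in devices:
                alerts.append((ev["ts"], user, "login_with_unknown_device", device))
            # MFA satisfied by a recently added device that is not the original.
            elif (len(devices) > 1 and ts - devices[device] <= recent
                    and devices[device] > min(devices.values())):
                alerts.append((ev["ts"], user, "login_with_new_second_device", device))
    return alerts

if __name__ == "__main__":
    for alert in detect_second_device(EVENTS):
        print(alert)
```

Either alert is a prompt for the phone call in the quote above: ask the account owner whether they registered that device.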

Out of disaster comes opportunity in the security industry. It thrives on pain. Microsoft are already making Zero Trust overtures, joined by SASE vendors and blaggers, and we can all expect to be marching to this drum later in the year. More on this in future blogs.

As we gloated about above (sorry but it is true), Tiberium’s team has a wealth of real world experience. We have seen it, have the hoodies, the scars, and a slightly nervous disposition when it comes to Nation State activity.

Tiberium’s managed security service platform not only has a distillation of this experience, but it is also built to automatically react, not just give you the bad news after the horse has bolted. We would love to show it to you.

Just in case you were paying attention. What did the assailants do wrong? Decided to infect one of the world’s finest security forensics and investigation outfits, Mandiant, sorry FireEye. It would be fair to say that it doesn’t look like the collar matches the cuffs, does it now?

In the words of the song

When you hear our drums, hear them sound

We’re gonna fight until we have won this town

Hooray, hooray, hooray, yeah
