Stuxnet and the scary similarity of Sunburst
Olympic Games was the code name given to the worlds first use of malicious code used for offensive purposes. It was hidden in two stolen Microsoft digital certificates to cleverly disguise its presence, but also in a vain attempt to hide its origin. Olympic Games disrupted the Iranian Nuclear Power efforts, marginally, however the knock on effects to the rest of the world is being felt many times over to this day ten years on and no one is doing a thing about it. Seemingly the entire world is suffering from scotoma… Once the US and Israel were identified as the perpetrators, Iran launched their own cyberattack against the US Banking and FS sector with dire consequences. Iran focussed on building their own cyber warfare capabilities, as did Russia and China. The gauntlet had clearly been thrown down, and there was no going back.
Just a few years later, the US Government Office of Personnel Management (OPM) that looks after security cleared operatives was breached with the theft of 22 million personnel records including all PII data. This breach used hijacked domains and digital certificates, portraying security. Rather embarrassingly, this breach went on for nearly a year.
In Dec 2020 the Solarwinds breach occurred effecting over 18,000 clients, including governments. This attack, known as SUNBURST, combined lessons learned from both Stuxnet and the OPM breach in as much that it too stood up a domain, www.avsvmcloud(.)com by identifying and hijacking a non-managed Solarwinds domain (a choice of over a dozen were possible as our report shows). By infiltrating the Solarwinds enterprise via a Solarwinds domain, digital trust was achieved and totally unnoticed. From this point on, anything was possible including access to Solarwinds digital certificates. The same certificates were then Laced with malware before being distributed to Solarwinds clients, including governments who, never questioned their validity or content and downloaded the Malware. This breach may lead to the first $trillion breach, possibly considerably more.
Stuxnet was first learned about in 2010 and Sunburst Dec 2020. A full decade has passed and although leadership, Presidents and Boards may have changed, it would seem the vast majority of people have learnt next to nothing. That is of course apart from our Adversaries.
In conclusion, whilst the US, delighted in their offensive digital capability, it is clear that their defensive capability was neglected. From 2010 onwards, organisations have systemically been caught out by incompetence and negligence of basic security. The very same internet facing and PKI vulnerabilities used by the Agencies to infiltrate and gain unencrypted access to digitally eavesdrop (not to mention OMNISEC and CRYPTO AG) were actively encouraged along with dissuading the general population of their importance. The Agencies insatiable appetite to gain such easy access, under programmes such as PRISM, XKEYSCORE and many others, manipulated the vulnerabilities and access presented by insecure internet facing security and PKI.
The challenge everyone faces today, is these actions have literally left the US, and the rest of the world, totally vulnerable and exposed to being targeted and breached. That includes the very governments that the Agencies were supposed to report to, and work for.
Today, the US continues taking the brunt of cyberattacks, and therefore the losses, and much of this is ultimately self-inflicted. At the time of writing this article, 267,372 domains in the US are totally insecure, making them massive targets. From Missile manufactures to misconfigured government root certificates, from Technical giants to Senators, hundreds of thousands are insecure, targeted, easily breached and access gained to much, much more.
To pose the question once again, what have we learnt since Stuxnet in 2010? Not very much at all…
Andrew.jenkinson@cybersecip.com
Whitethorn and Whitethorn Shield, visibility and security for internet facing and PKI across your enterprise.