Low profile Accellion hack hit dozens of high profile targets including Kroger, CSX, Harvard
BOSTON – The SolarWinds hacking campaign blamed on Russian spies and the “serious threat” it poses to US national security are well known. A very different – and no less alarming – coordinated series of intrusions also detected in December attracted considerably less public attention.
Nimble and highly skilled criminal hackers, believed to operate from Eastern Europe, hacked into dozens of businesses and government agencies on at least four continents by breaking into a single product they all used.
Among the victims are New Zealand’s central bank, Harvard Business School, the Australian securities regulator, powerful US law firm Jones Day – whose clients include former President Donald Trump – the rail freight company CSX, and the Kroger chain of supermarkets and pharmacies. The Washington state auditor’s office has also been affected, where the personal data of up to 1.3 million people collected for an unemployment fraud investigation has potentially been exposed.
The two-stage mega-hack, in December and January, of a popular file transfer program from Silicon Valley company Accellion highlights a threat security experts fear is getting out of hand: intrusions by high-level criminals and state-sponsored hackers through third-party software supply chains and services.
Operating system companies such as Microsoft have long been targets, with thousands of installations of its Exchange mail server having been compromised around the world in recent weeks, mostly after the company released a fix and revealed that Chinese state hackers had broken into the program.
Meanwhile, Accellion’s victims have kept piling up, many being extorted by the Russian-speaking cybercriminal gang Clop, who researchers say may have bought stolen data from hackers. Their threat: Pay or we disclose your sensitive data online, whether it’s proprietary documents from Canadian aircraft manufacturer Bombardier or attorney-client communications from Jones Day.
The hacking of up to 100 Accellion customers, whom hackers could easily identify through online scanning, highlights a central mission of the digital age that governments and the private sector have failed to achieve.
“Attackers are finding it increasingly difficult to gain access through traditional methods, as vendors like Microsoft and Apple have dramatically increased the security of operating systems in recent years. Thus, attackers find easier ways to enter. This often means going through the supply chain. And as we’ve seen, it works,” said Mikko Hypponen, director of research at cybersecurity firm F-Secure.
Members of Congress are already dismayed by the hack into the supply chain of Texas network management software company SolarWinds, which allowed suspected state-backed Russian hackers to go unnoticed, apparently only with the intent of gathering intelligence, for over six months inside the networks of at least nine government agencies and over 100 companies and think tanks. It was not until December that the SolarWinds hacking campaign was discovered, by the cybersecurity firm FireEye.
France suffered a similar hack, blamed by its cybersecurity agency on Russian military agents, which also came through the supply chain. They slipped malware into a network management software update from a company called Centreon, quietly leaving it to take root in victims’ networks from 2017 to 2020.
Both of those hacks introduced malware through software updates. The Accellion hack was different on one key point: its file transfer program resided on the victims’ networks, either as a stand-alone appliance or as a cloud-based application. Its job is to safely move files that are too large to attach to an email.
Mike Hamilton, former head of information security for the city of Seattle and now at CI Security, said the trend of exploiting third-party service providers shows no sign of slowing down, as it gives criminals the best return on their investment when they “want to compromise a large swath of businesses or government agencies.”
The impact of the Accellion breach could have been blunted if the company had alerted customers more quickly, some of them complain.
New Zealand central bank governor Adrian Orr said Accellion did not warn the bank after learning in mid-December that its nearly 20-year-old FTA application, which is built on obsolete technology and slated for retirement, had been breached.
Although a fix was available on December 20, Accellion did not notify the bank in time to prevent its device from being breached five days later, the bank said.
“If we had been informed at the appropriate time, we could have corrected the system and avoided the breach,” Orr said in a statement posted on the bank’s website. Among the information stolen were files containing personal emails, dates of birth and credit information, the bank said.
Likewise, the Washington state auditor’s office has no record of being notified of the breach until January 12, the same day Accellion publicly announced it, spokesperson Kathleen Cooper said. Accellion said at the time that it had released a fix for the fewer than 50 affected customers within 72 hours of discovering the breach.
Accellion now tells a different story. It says it alerted the 320 potentially affected customers with multiple emails starting December 22, and followed up with further emails and phone calls. Company spokesman Rob Dougherty did not directly address the complaints from New Zealand’s central bank and the Washington state auditor. Accellion says fewer than 25 customers appear to have experienced significant data theft.
A timeline published on March 1 by cybersecurity firm Mandiant, which Accellion hired to investigate the incident, says the company was made aware of the breach on December 16. The Washington state auditor said its hack took place over Christmas.
The notification delay is a serious problem. Washington state has already been sued, and several class-action lawsuits have been filed against Accellion. Other organizations could also face legal or other consequences.
Last month, officials at Harvard Business School emailed affected students telling them that certain social security numbers had been compromised along with other personal information. Another victim, Singapore-based telecommunications company Singtel, said the personal data of around 129,000 customers had been compromised.
Too often, software companies with hundreds of programmers have only one or two security staff, said Katie Moussouris, CEO of Luta Security.
“We wish we could say that organizations invest uniformly in security. But we actually see them dealing with violations and committing to do better in the future. And that was sort of the business model.”
Dougherty, the Accellion spokesman, said the attacks “had nothing to do with personnel,” but he did not say how many people the company employed directly on security in mid-December.
Cybersecurity threat analysts hope the snowball effect of supply chain hacks will prompt the software industry to prioritize security. Otherwise, vendors risk the fate that befell SolarWinds.
In a filing last week with the Securities and Exchange Commission, the company offered a grim outlook.
It said that as supply chain hacks “continue to evolve at a rapid rate,” it “may be unable to identify current attacks, anticipate future attacks, or implement adequate security measures.”
The ultimate, painful result, the filing adds:
“Customers have and may in the future defer the purchase or choose to cancel or not renew their agreements or subscriptions with us.”