Microsoft Tactically Nukes SolarWinds Hackers That Infiltrated U.S. Government Agencies
On Monday, news broke that Russian hackers had breached SolarWinds in an effort to compromise numerous organizations through its software. While private companies are affected, the most significant targets appear to be U.S. government agencies. Now Microsoft has swooped in to try to kill the SolarWinds breach with several steps rolled out over the past several days.
When you have a breach as widespread as SolarWinds, which is widely attributed to the hacker group APT29, also known as Cozy Bear, you need an extreme response. Cozy Bear is believed to be part of Russian intelligence and has been behind past DNC attacks and, more recently, attacks on COVID-19 research. To stop the "Sunburst" malware in its tracks, GeekWire reports that Microsoft has done the following over the past four days:
- December 13, 2020 – Microsoft removed trust in the code-signing certificate that allowed the malicious parts of the SolarWinds package to run on Windows machines. As Budd, quoted in the GeekWire report, explained, “In this single act, Microsoft literally overnight told all Windows systems to stop trusting those compromised files which could stop them from being used.”
- December 13, 2020 – Microsoft updated Microsoft Defender to detect the malicious SolarWinds files and alert users.
- December 15, 2020 – Microsoft and other companies “sinkholed” the domains the malware used for command and control. Sinkholing means taking control of a malicious domain (typically through a court order or with the registrar's cooperation) and pointing it at a server the defenders run. This cuts off the snake's head, since infected machines can no longer reach their operators, and because those machines now phone home to Microsoft instead, the sinkhole also reveals which devices are infected so their owners can be notified.
- December 16, 2020 – Today, Microsoft changed Microsoft Defender's default action for the malicious files from the “alert” set on December 13 to “quarantine.” Though this may break the affected SolarWinds software, it forces action to be taken, so administrators have to update SolarWinds and eliminate the threat from their systems.
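The steps above are Microsoft-side actions; the check an administrator wants on their own hosts is whether the certificate distrust and the Defender detection have actually taken effect. The following PowerShell snippet is an added example, not code from the article, from Microsoft or from SolarWinds. The Orion install path is an assumed default, and the detection-name patterns are assumptions as well ("Solorigate" is the family name Microsoft's own detections use for this campaign; "SolarWinds" is matched as a fallback).

```powershell
# Added example, not from the article. Assumptions: default Orion install
# path and loose detection-name patterns; adjust both for your environment.
$orionDir = 'C:\Program Files (x86)\SolarWinds\Orion'   # assumed default path

# 1. Authenticode status of every SolarWinds-signed binary under the install
#    directory. Once the certificate has been distrusted, files signed with it
#    should no longer report a Status of 'Valid'.
$signatures = Get-ChildItem -Path $orionDir -Recurse -Include *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status
            Signer     = $sig.SignerCertificate.Subject
            Thumbprint = $sig.SignerCertificate.Thumbprint
        }
    } |
    Where-Object { $_.Signer -like '*SolarWinds*' }

$signatures | Sort-Object Status | Format-Table -AutoSize

# 2. Defender detections for this campaign and the action taken on each.
#    Get-MpThreat carries the name; Get-MpThreatDetection carries the per-
#    detection status, which distinguishes "only reported" from "quarantined"
#    (the December 13 vs. December 16 behaviour described above).
Get-MpThreat |
    Where-Object { $_.ThreatName -like '*Solorigate*' -or $_.ThreatName -like '*SolarWinds*' } |
    ForEach-Object {
        $threat = $_
        Get-MpThreatDetection -ThreatID $threat.ThreatID |
            Select-Object @{ n = 'ThreatName'; e = { $threat.ThreatName } },
                          InitialDetectionTime, ThreatStatusID, ActionSuccess, ProcessName, Resources
    } |
    Sort-Object InitialDetectionTime -Descending |
    Format-List
```

Run it in an elevated PowerShell session on a host that has the Orion platform installed. Any SolarWinds-signed file still reporting `Valid` means the certificate distrust has not reached that machine yet (stale trust data or an offline host), and an empty result from the second query on a host that has the affected package means the Defender signature update has not been applied either.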