Another Mega Group Spy Scandal? Samanage, Sabotage, and the SolarWinds Hack

The devastating hack on SolarWinds was quickly pinned on Russia by US intelligence. A more likely culprit, Samanage, a company whose software was integrated into SolarWinds’ software just as the “back door” was inserted, is deeply tied to Israeli intelligence and intelligence-linked families such as the Maxwells.

In mid-December of 2020, a massive hack compromised the networks of numerous US federal agencies, major corporations, the top five accounting firms in the country, and the military, among others. Despite most US media attention now focusing on election-related chaos, the fallout from the hack continues to make headlines day after day.

The hack, which affected Texas-based software provider SolarWinds, was blamed on Russia on January 5 by the US government’s Cyber Unified Coordination Group. Their statement asserted that the attackers were “likely Russian in origin,” but they failed to provide evidence to back up that claim.

Since then, numerous developments in the official investigation have been reported, but no actual evidence pointing to Russia has yet to be released. Rather, mainstream media outlets began reporting the intelligence community’s “likely” conclusion as fact right away, with the New York Times subsequently reporting that US investigators were examining a product used by SolarWinds that was sold by a Czech Republic–based company, as the possible entry point for the “Russian hackers.” Interest in that company, however, comes from the fact that the attackers most likely had access to the systems of a contractor or subsidiary of SolarWinds. This, combined with the evidence-free report from US intelligence on “likely” Russian involvement, is said to be the reason investigators are focusing on the Czech company, though any of SolarWinds’ contractors/subsidiaries could have been the entry point.

Such narratives clearly echo those that became prominent in the wake of the 2016 election, when now-debunked claims were made that Russian hackers were responsible for leaked emails published by WikiLeaks. Parallels are obvious when one considers that SolarWinds quickly brought on the discredited firm CrowdStrike to aid them in securing their networks and investigating the hack. CrowdStrike had also been brought on by the DNC after the 2016 WikiLeaks publication, and subsequently it was central in developing the false declarations regarding the involvement of “Russian hackers” in that event.

There are also other parallels. As Russiagate played out, it became apparent that there was collusion between the Trump campaign and a foreign power, but the nation was Israel, not Russia. Indeed, many of the reports that came out of Russiagate revealed collusion with Israel, yet those instances received little coverage and generated little media outrage. This has led some to suggest that Russiagate may have been a cover for what was in fact Israelgate.

Similarly, in the case of the SolarWinds hack, there is the odd case and timing of SolarWinds’ acquisition of a company called Samanage in 2019. As this report will explore, Samanage’s deep ties to Israeli intelligence, venture-capital firms connected to both intelligence and Isabel Maxwell, as well as Samange’s integration with the Orion software at the time of the back door’s insertion warrant investigation every bit as much as SolarWinds’ Czech-based contractor. 

Orion’s Fall

In the month since the hack, evidence has emerged detailing the extent of the damage, with the Justice Department quietly announcing, the same day as the Capitol riots (January 6), that their email system had been breached in the hack—a “major incident” according to the department. This terminology means that the attack “is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” per NextGov.

The Justice Department was the fourth US government agency to publicly acknowledge a breach in connection to the hack, with the others being the Departments of Commerce and Energy and the Treasury. Yet, while only four agencies have publicly acknowledged fallout from the hack, SolarWinds software is also used by the Department of Defense, the State Department, NASA, the NSA, and the Executive Office. Given that the Cyber Unified Coordination Group stated that “fewer than ten” US government agencies had been affected, it’s likely that some of these agencies were compromised, and some press reports have asserted that the State Department and Pentagon were affected.

In addition to government agencies, SolarWinds Orion software was in use by the top ten US telecommunications corporations, the top five US accounting firms, the New York Power Authority, and numerous US government contractors such as Booz Allen Hamilton, General Dynamics, and the Federal Reserve. Other notable SolarWinds clients include the Bill & Melinda Gates Foundation, Microsoft, Credit Suisse, and several mainstream news outlets including the Economist and the New York Times. 

Based on what is officially known so far, the hackers appeared to have been highly sophisticated, with FireEye, the cybersecurity company that first discovered the implanted code used to conduct the hack, stating that the hackers “routinely removed their tools, including the backdoors, once legitimate remote access was achieved—implying a high degree of technical sophistication and attention to operational security.” In addition, top security experts have noted that the hack was “very very carefully orchestrated,” leading to a consensus that the hack was state sponsored.

FireEye stated that they first identified the compromise of SolarWinds after the version of the Orion software they were using contained a back door that was used to gain access to its “red team” suite of hacking tools. Not long after the disclosure of the SolarWinds hack, on December 31, the hackers were able to partially access Microsoft’s source code, raising concerns that the act was preparation for future and equally devastating attacks. 

FireEye’s account can be taken with a grain of salt, however, as the CIA is one of FireEye’s clients, and FireEye was launched with funding from the CIA’s venture capital arm In-Q-tel. It is also worth being skeptical of the “free tool” FireEye has made available in the hack’s aftermath for “spotting and keeping suspected Russians out of systems.” 

In addition, Microsoft, another key source in the SolarWinds story, is a military contractor with close ties to Israel’s intelligence apparatus, especially Unit 8200, and their reports of events also deserve scrutiny. Notably, it was Unit 8200 alumnus and executive at Israeli cybersecurity firm Cycode, Ronen Slavin, who told Reuters in a widely quoted article that he “was worried by the possibility that the SolarWinds hackers were poring over Microsoft’s source code as prelude to a much more ambitious offensive.” “To me the biggest question is, ‘Was this recon for the next big operation?’” Slavin stated.

Also odd about the actors involved in the response to the hack is the decision to bring on not only the discredited firm CrowdStrike but also the new consultancy firm of Chris Krebs and Alex Stamos, former chief information security officer of Facebook and Yahoo, to investigate the hack. Chris Krebs is the former head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and was previously a top Microsoft executive. Krebs was fired by Donald Trump after repeatedly and publicly challenging Trump on the issue of election fraud in the 2020 election. 

As head of CISA, Krebs gave access to networks of critical infrastructure throughout the US, with a focus on the health-care industry, to the CTI League, a suspicious outfit of anonymous volunteers working “for free” and led by a former Unit 8200 officer. “We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry leading secure software development company,” a SolarWinds spokesperson said in an email cited by Reuters.

It is also worth noting that the SolarWinds hack did benefit a few actors aside from the attackers themselves. For instance, Israeli cybersecurity firms CheckPoint and CyberArk, which have close ties to Israeli intelligence Unit 8200, have seen their stocks soar in the weeks since the SolarWinds compromise was announced. Notably, in 2017, CyberArk was the company that “discovered” one of the main tactics used in an attack, a form of SAML token manipulation called GoldenSAML. CyberArk does not specify how they discovered this method of attack and, at the time they announced the tactic’s existence, released a free tool to identify systems vulnerable to GoldenSAML manipulation. 

In addition, the other main mode of attack, a back door program nicknamed Sunburst, was found by Kaspersky researchers to be similar to a piece of malware called Kazuar that was also first discovered by another Unit 8200-linked company, Palo Alto Networks, also in 2017. The similarities only suggest that those who developed the Sunburst backdoor may have been inspired by Kazuar and “they may have common members between them or a shared software developer building their malware.” Kaspersky stressed that Sunburst and Kazuar are not likely to be one and the same. It is worth noting, as an aside, that Unit 8200 is known to have previously hacked Kaspersky and attempted to insert a back door into their products, per Kaspersky employees.

Crowdstrike claimed that this finding confirmed “the attribution at least to Russian intelligence,” only because an allegedly Russian hacking group is believed to have used Kazuar before. No technical evidence linking Russia to the SolarWinds hacking has yet been presented.

Read the Whole Article

The post Another Mega Group Spy Scandal? Samanage, Sabotage, and the SolarWinds Hack appeared first on LewRockwell.

Share DeepPol