WASHINGTON (Reuters) – Texas-based SolarWinds Corp said the sprawling breach stemming from the compromise of its flagship software product has cost the company at least $18 million in the first three months of 2021.
In preliminary results made public on Tuesday, the company said it spent between $18 million and $19 million in the first quarter of 2021 to investigate and remediate what it described as “the Cyber Incident.”
SolarWinds has been working since December to deal with the fallout of a series of intrusions blamed on Russian hackers across the U.S. government and scores of private companies. In many cases, the hackers compromised their targets by piggybacking on a subverted version of SolarWinds Orion, a widely used network management tool.
SolarWinds has hired cybersecurity company CrowdStrike Holdings Inc and professional services firm KPMG to help it investigate the intrusions. The company said its costs were likely to grow.
“We expect to incur significant legal and other professional services expenses associated with the Cyber Incident in future periods,” it said in a note.
SolarWinds shares gained 2.1% in Tuesday trading on the New York Stock Exchange.
Reporting by Raphael Satter; Editing by Dan Grebler
Critics said the government should be covering more of the cost.
Experts from the UK’s National Cyber Security Centre (NCSC) had to be drafted in to help restore appointment bookings, planning documents, social care advice and council housing complaints systems that had been knocked offline in February last year.
‘Conned’ over settlement
The council said the money to be provided by the government would help replenish its reserves, which had been used to restore its online systems.
It declined to say whether any services would be affected as a result of covering the remainder of the bill.
Council leader Mary Lanigan, who heads a coalition of independents and Liberal Democrats, said: “We are pleased that the government recognised the unique circumstances under which we requested support, and awarded grant funding, rightly distinguishing the criminal ransomware attack suffered by the council from the financial rescue packages of some other local authorities where permission to borrow has been granted.
“No money was handed over to these criminals and we continue to hope that they will eventually be brought to justice.”
Middlesbrough South and East Cleveland MP Simon Clarke, a Conservative, described the settlement as “exceptionally generous”.
Fellow Tory Jacob Young, MP for Redcar, said it would “go some way to restoring the hit on the council’s finances”.
However, former council leader Sue Jeffrey, of Labour, said residents were being “conned into thinking they have got a good deal” having only been awarded “a tiny proportion of the support they were promised by the government and local Conservative MPs”.
Ireland’s Data Protection Commission (DPC) said it is looking into a data dump of personal information from hundreds of millions of Facebook users.
The database is believed to contain a mix of Facebook profile names, phone numbers, locations and other facts about more than 530 million people.
Facebook says the data is “old”, from a previously-reported leak in 2019.
But the Irish DPC said it will work with Facebook to make sure that is the case.
Ireland’s regulator is central to such investigations because Facebook’s European headquarters is in Dublin, making the DPC the key regulator for Facebook within the EU.
The most recent data dump appears to contain the entire compromised database from the previous leak, which Facebook said it found and fixed more than a year and a half ago.
But the dataset has now been published for free in a hacking forum, making it much more widely available.
It covers 533 million people in 106 countries, according to researchers who have viewed the data. That includes 11 million Facebook users in the UK and more than 30 million Americans.
Not every piece of data is available for every user, but the large scale of the leak has prompted concern from cyber-security experts.
The DPC’s deputy commissioner Graham Doyle said the recent data dump “appears to be” from the previous leak – and that the data-scraping behind it had happened before the EU’s GDPR privacy legislation was in effect.
“However, following this weekend’s media reporting we are examining the matter to establish whether the dataset referred to is indeed the same as that reported in 2019,” he added.
Despite the claims of the data being “old”, some security researchers remain concerned due to the unchanging nature of the data involved.
Phone numbers, for example, are unlikely to have changed for many people in the past two to three years, and other information – such as a date of birth or hometown – never changes.
Alon Gal, a well-known personality in cyber-security circles who tweets as @UnderTheBreach, wrote that the phone number database first appeared in January, when hackers could query it for a small fee.
But the widespread leak of the database “means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” he tweeted.
“I have yet to see Facebook acknowledging this absolute negligence of your data,” he added.
He also suggested that the leaked dataset could be very useful “for a targeted attack where you know someone’s name and country” – though it would be much harder to use for a blanket mass cyber-attack.
“But for spam based on using phone number alone, it’s gold,” he added.
“Not just SMS, there are heaps of services that just require a phone number these days and now there’s hundreds of millions of them conveniently categorised by country with nice mail merge fields like name and gender.”
The files were released on the internet when Sepa refused to pay a ransom.
The public body has warned it could be next year before its systems have fully recovered from the attack.
Figures released to BBC Scotland under freedom of information laws show a total of £790,000 has been spent on Sepa’s response and recovery actions so far.
This includes £458,000 on stabilising the watchdog’s business IT platform.
Sepa has restored the majority of its key services, such as flood forecasting, but a full recovery from the attack is expected to take up the remainder of 2021-22.
Terry A’Hearn, Sepa’s chief executive, said: “Whilst we initially lost access to our data and systems, what we didn’t lose was the expertise of our 1,200 staff.
“Since Christmas Eve, teams across the agency have been working flat-out to support our people, partners and customers and to restore our systems services as quickly as possible.
“Our clear recovery strategy is gradually seeing systems being restored. By Easter, over 70% of staff will be back online and we’re engaging data recovery specialists and are confident that we will recover the most important data.”
Sepa rejected a ransom demand for the attack, which was claimed by the international Conti ransomware group.
Contracts, strategy documents and databases were among the 4,000 files released.
The data has been put on the dark web – a part of the internet associated with criminality and only accessible through specialised software.
Some of the information stolen was already publicly available, but other files, including data about staff and suppliers, were not.
Sepa told BBC Scotland a total of 54 people had been in touch to ask if their data was among the files stolen. This includes 27 current and former staff members.
Police Scotland is investigating the crime and has previously indicated the likely involvement of international serious and organised crime.
Det Insp Michael McCullagh said: “Police Scotland is continuing to work closely with Sepa to investigate and provide support in response to this incident.
“The actions of the criminals behind this crime show a blatant disregard for public safety, evident in this sickening attack on an organisation like Sepa. This type of crime and its impacts can be significant.
“I would urge caution in the viewing and downloading of any data published by cyber criminals. The likelihood of those files being infected and making you their next victim is high.”
Cyber-security companies are warning about the rise of so-called ‘extortionware’ where hackers embarrass victims into paying a ransom.
Experts say the trend towards ransoming sensitive private information could affect companies not just operationally but through reputation damage.
It comes as hackers bragged after discovering an IT Director’s secret porn collection.
The targeted US firm has not publicly acknowledged that it was hacked.
In its darknet blog post about the hack last month, the cyber-criminal gang named the IT director whose work computer allegedly contained the files.
It also posted a screen grab of the computer’s file library which included more than a dozen folders catalogued under the names of porn stars and porn websites.
The infamous hacker group wrote: “Thanks God for [named IT Director]. While he was [masturbating] we downloaded several hundred gigabytes of private information about his company’s customers. God bless his hairy palms, Amen!”
The blog post has been deleted in the past couple of weeks, which experts say usually indicates that the extortion attempt worked and the hackers were paid to restore the data and withhold further details.
The company did not respond to requests for comment.
The same hacker group is also currently trying to pressure another US utility company into paying a ransom, by posting an employee’s username and password for a members-only porn website.
‘The new norm’
Another ransomware group, which also runs a darknet website, is using similar tactics.
The relatively new gang has published private emails and pictures, and is calling directly for the mayor of a hacked municipality in the US to negotiate its ransom.
In another case, hackers claim to have found an email trail showing evidence of insurance fraud at a Canadian agriculture company.
Brett Callow, a threat analyst at cyber-security company Emsisoft, says the trend points to an evolution of ransomware hacking.
“This is the new norm. Hackers are now actually searching the data for information that can be weaponised. If they find anything that is incriminating or embarrassing, they’ll use it to leverage a larger pay-out. These incidents are no longer simply cyber-attacks about data, they are full-out extortion attempts.”
Another example of this was seen in December 2020, when the cosmetic surgery chain The Hospital Group was held to ransom with the threat of publication of ‘before and after’ images of patients.
Ransomware is evolving
Ransomware has evolved considerably since it first appeared decades ago.
Criminals used to operate alone, or in small teams, targeting individual internet users at random by booby-trapping websites and emails.
In the last few years, they’ve become more sophisticated, organised and ambitious.
Criminal gangs are estimated to make tens of millions of dollars a year by investing time and resources in attacks on large companies or public bodies, seeking pay-outs that sometimes total millions of dollars.
Brett Callow has been following ransomware tactics for years, and says he saw another shift in methods in late 2019.
“It used to be the case that the data was just encrypted to disrupt a company, but then we started seeing it downloaded by the hackers themselves.
“It meant they could charge victims even more because the threat of selling the data on to others was strong.”
Tough to defend against
This latest trend of threatening to publicly damage an organisation or individual has particularly concerned experts because it is hard to defend against.
Keeping good backups of company data helps businesses to recover from crippling ransomware attacks, but that is not enough when the hackers use extortionware tactics.
Cyber-security consultant Lisa Ventura said: “Employees should not be storing anything that could harm a firm reputationally on company servers. Training around this should be provided by organisations to all their staff.
“It’s a troubling shift in angle for the hackers because ransomware attacks are not only getting more frequent, they are also getting more sophisticated.
“By identifying factors such as reputational damage, it offers far more leverage to extort money from victims.”
A lack of victim reporting and a culture of cover-up make estimating the overall financial cost of ransomware difficult.
Experts at Emsisoft estimate that ransomware incidents in 2020 cost as much as $170bn (£123bn) in ransom payments, downtime and disruption.
Harris Federation schools break up for Easter later this week.
Its statement did not detail what information or data has been compromised, and it has not yet responded to the BBC’s request for comment.
The trust is working with “a specialised firm of cyber-technology consultants”, the National Crime Agency and the NCSC to resolve the issues.
The NCSC said it has “recently alerted the education sector to the significant threat posed by ransomware attacks” and urged schools and colleges to follow its advice to protect themselves online.
It used to be the case that ransomware groups concentrated their efforts on large multinational companies.
Big corporate budgets and potential business interruption mean large ransom payouts.
Publicly funded schools and colleges are therefore an odd and particularly cruel target.
One hacker group recently posted part of their negotiation conversation with another unnamed institution on the dark net.
It made for grim reading, and once again showed me how ruthless they are.
At one stage, when the hackers demanded $15m, the school wrote: “Sir, please, this is NOT a business with profits. We operate much like a charity operates. This is a state-funded school, our salaries are paid for by taxing the people that live in the state. We have no idea how you think we can afford this.”
This wave of attacks in the US and UK shows the hackers have no regard for where the money comes from or who is affected.
A cyber attack has disrupted live broadcasts on Australia’s Channel Nine TV network, prompting concerns about the country’s vulnerability to hackers.
The broadcaster said it was unable to air several shows on Sunday, including Weekend Today.
Nine said it was investigating whether the hack was “criminal sabotage or the work of a foreign nation”.
Australia’s Parliament was also investigating a possible cyber attack in Canberra on Sunday.
Assistant Defence Minister Andrew Hastie said access to IT and emails at Parliament House had been cut as a precaution. He said this was done in response to issues affecting an “external provider”, without elaborating.
Broadcaster ABC News said Australian government sources believed China was behind the attacks. Relations between Australia and China have grown increasingly acrimonious amid disputes about trade and the coronavirus.
What did Channel Nine say about the cyber attack?
At first, Nine said it was “responding to technical issues” affecting its live broadcasting.
Weekend Today, which runs from 07:00 to 13:00 local time (21:00 to 03:00 GMT) from Sydney, did not air.
Its online news site, 9news.com.au, was also affected.
On Sunday night, Nine confirmed there had been a “cyber attack on our systems”.
“Our IT teams are working around the clock to fully restore our systems which have primarily affected our broadcast and corporate business units. Publishing and radio systems continue to be operational,” the company said in a statement.
A later report by Mark Burrows, a senior journalist for the network, said the company was “under attack by hackers”. He said emails and editing systems had gone down.
“I’m not surprised,” Mr Hastie, the assistant defence minister, told Nine. “Last year alone we had 60,000 reports to Australian cyber security of cyber crime. That’s one every 10 minutes.”
Nine has told all its staff to work at home until further notice. It hopes to air all shows as normal on Monday.
Pupils’ coursework has been destroyed in a “significant” cyber-attack on a school.
Redborne Upper School and Community College in Bedfordshire said the attack took place on Wednesday.
Although no data was taken, the school’s servers were left unreadable, resulting in “the loss of a significant amount of data”, it added.
The school said it was working “to ensure that no students will be disadvantaged”.
In a letter sent to parents on Friday, the school, based in Flitwick Road, Ampthill, said it had rebuilt its servers.
It said: “This process has resulted in the loss of a significant amount of data including student user areas.”
The school said no data had left its servers “and no unauthorised persons have access to any information”.
Exam board discussions
Students’ personal data including academic records was kept on a different server, said the school.
The letter said: “It is this data that will form the basis of the grades we will be supplying to exam boards this summer in most cases.”
However, it added coursework, which would play “a significant role” in some subjects, had been lost.
“To mitigate this we have already contacted the exam boards and are in the process of putting in place arrangements to ensure that no students will be disadvantaged by the impact of this,” the letter said.
The school added it still has “sufficient data” to “award accurate grades this summer”.
The National Cyber Security Centre said that since late February an increased number of ransomware attacks had affected education establishments.
Speaking on the Today programme on Friday, its chief executive Lindy Cameron said the coronavirus pandemic has “highlighted both the scale of our dependence on the digital world and the challenges we face”.
But she added the UK is “one of the safest places to live and work online”.
At a time when U.S. agencies and thousands of companies are fighting off major hacking campaigns originating in Russia and China, a different kind of cyber threat is re-emerging: activist hackers looking to make a political point.
Three major hacks show the power of this new wave of “hacktivism” – the exposure of AI-driven video surveillance being conducted by the startup Verkada, a collection of Jan. 6 riot videos from the right-wing social network Parler, and disclosure of the Myanmar military junta’s high-tech surveillance apparatus.
And the U.S. government’s response shows that officials regard the return of hacktivism with alarm. An indictment last week accused 21-year-old Tillie Kottmann, a Swiss hacker who took credit for the Verkada breach, of a broad conspiracy.
“Wrapping oneself in an allegedly altruistic motive does not remove the criminal stench from such intrusion, theft and fraud,” Seattle-based Acting U.S. Attorney Tessa Gorman said.
According to a U.S. counter-intelligence strategy released a year ago, “ideologically motivated entities such as hacktivists, leaktivists, and public disclosure organizations,” are now viewed as “significant threats,” alongside five countries, three terrorist groups, and “transnational criminal organizations.”
Earlier waves of hacktivism, notably by the amorphous collective known as Anonymous in the early 2010s, largely faded away under law enforcement pressure. But now a new generation of youthful hackers, many angry about how the cybersecurity world operates and upset about the role of tech companies in spreading propaganda, are joining the fray.
And some former Anonymous members are returning to the field, including Aubrey Cottle, who helped revive the group’s Twitter presence last year in support of the Black Lives Matter protests.
Anonymous followers drew attention for disrupting an app that the Dallas police department was using to field complaints about protesters by flooding it with nonsense traffic. They also wrested control of Twitter hashtags promoted by police supporters.
“What’s interesting about the current wave of the Parler archive and Gab hack and leak is that the hacktivism is supporting antiracist politics or antifascism politics,” said Gabriella Coleman, an anthropologist at McGill University, Montreal, who wrote a book on Anonymous.
Gab, a social network favored by white nationalists and other right-wing extremists, has also been hurt by the hacktivist campaign and had to shut down for brief periods after breaches.
Most recently, Cottle has been focused on QAnon and hate groups.
“QAnon trying to adopt Anonymous and merge itself into Anonymous proper, that was the straw that broke the camel’s back,” said Cottle, who has held a number of web development and engineering jobs, including a stint at Ericsson.
He found email data showing that people in charge of the 8kun image board, where the persona known as Q posted, were in steady contact with major promoters of QAnon conspiracies.
The new-wave hacktivists also have a preferred place for putting materials they want to make public – Distributed Denial of Secrets, a transparency site that took up the mantle of WikiLeaks with less geopolitical bias. The site’s collective is led by Emma Best, an American known for filing prolific freedom of information requests.
Best’s two-year-old site is coordinating access by researchers and media to a hoard of posts taken from Gab by unidentified hackers. In an essay this week, Best praised Kottmann and said leaks would keep coming, not just from hacktivists but from insiders and from the ransomware operators who publish files when companies don’t pay them off.
“Indictments like Tillie’s show just how scared the government is, and just how many corporations consider embarrassment a greater threat than insecurity,” Best wrote.
The events covered by the Kottmann indictment took place from November 2019 through January 2021. The core allegation is that the Lucerne software developer and associates broke into a number of companies, removed computer code and published it. The indictment also said Kottmann spoke to the media about poor security practices by the victims and stood to profit, if only by selling shirts saying things like “venture anticapitalist” and “catgirl hacker.”
But it was only after Kottmann publicly took credit for breaching Verkada and posted alarming videos from inside big companies, medical facilities and a jail that Swiss authorities raided their home at the behest of the U.S. government. Kottmann uses non-binary pronouns.
“This move by the U.S. government is clearly not only an attempt to disrupt the freedom of information, but also primarily to intimidate and silence this newly emerging wave of hacktivists and leaktivists,” Kottmann said in an interview with Reuters.
Kottmann and their lawyer declined to discuss the U.S. charges of wire fraud for some of Kottmann’s online statements, aggravated identity theft for using employee credentials, and conspiracy, which together are enough for a lengthy prison sentence.
The FBI declined an interview request. If it seeks extradition, the Swiss would determine whether Hottmann’s purported actions would have violated that country’s laws.
Kottmann was open about their disdain for the law and corporate powers-that-be. “Like many people, I’ve always been opposed to intellectual property as a concept and specifically how it’s used to limit our understanding of the systems that run our daily lives,” Kottmann said.
A European friend of Kottmann’s known as “donk_enby,” a reference to being non-binary in gender, is another major figure in the hacktivism revival. Donk grew angry about conspiracy theories spread by QAnon followers on the social media app Parler that drove protests against COVID-19 health measures.
Following a Cottle post about a leak from Parler in November, Donk dissected the iOS version of Parler’s app and found a poor design choice. Each post bore an assigned number, and she could use a program to keep adding 1 to that number and download every single post in sequence.
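The design weakness described above, consecutively numbered posts that let a single client walk every object by adding one to the last identifier, leaves a clear trace on the server side. The following Python is an added example, not code from the article, from Parler or from anyone it names: it parses constructed access-log lines (the log layout and the `/posts/<id>` path are assumptions) and flags any client whose requests form a long run of consecutive identifiers.

```python
"""Detect sequential-identifier enumeration in web access logs.

Added example, not from the article. A client that fetches /posts/1000,
/posts/1001, /posts/1002, ... is walking the identifier space rather than
following links, so a long run of consecutive ids from one client is the
signal we look for. The log format and the /posts/<id> path are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample lines in a common-log-style layout (assumed format).
# 203.0.113.5 walks six consecutive ids; 198.51.100.7 browses normally.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jan/2021:10:00:01 +0000] "GET /posts/1000 HTTP/1.1" 200 512
203.0.113.5 - - [07/Jan/2021:10:00:02 +0000] "GET /posts/1001 HTTP/1.1" 200 498
203.0.113.5 - - [07/Jan/2021:10:00:03 +0000] "GET /posts/1002 HTTP/1.1" 200 511
203.0.113.5 - - [07/Jan/2021:10:00:04 +0000] "GET /posts/1003 HTTP/1.1" 404 0
203.0.113.5 - - [07/Jan/2021:10:00:05 +0000] "GET /posts/1004 HTTP/1.1" 200 530
203.0.113.5 - - [07/Jan/2021:10:00:06 +0000] "GET /posts/1005 HTTP/1.1" 200 530
198.51.100.7 - - [07/Jan/2021:10:00:02 +0000] "GET /posts/88213 HTTP/1.1" 200 900
198.51.100.7 - - [07/Jan/2021:10:00:09 +0000] "GET /posts/31 HTTP/1.1" 200 420
198.51.100.7 - - [07/Jan/2021:10:00:15 +0000] "GET /posts/7719 HTTP/1.1" 200 700
"""

# One access-log line: client, two ident fields, [timestamp], "request", status, size.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
# Only requests that address an object by numeric id are of interest.
ID_RE = re.compile(r"^/posts/(\d+)$")


def parse_requests(log_text):
    """Yield (client, object_id) for every request to an id-addressed object.

    Non-matching lines are skipped. Status codes are ignored on purpose:
    404s for ids that never existed are part of an enumeration sweep too.
    """
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        idm = ID_RE.match(m.group("path"))
        if idm:
            yield m.group("client"), int(idm.group(1))


def longest_consecutive_run(ids):
    """Length of the longest run in which each id equals the previous id plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text, min_run=5):
    """Return {client: run_length} for clients whose longest consecutive run >= min_run."""
    per_client = defaultdict(list)
    for client, oid in parse_requests(log_text):
        per_client[client].append(oid)  # keep arrival order per client
    flagged = {}
    for client, ids in per_client.items():
        run = longest_consecutive_run(ids)
        if run >= min_run:
            flagged[client] = run
    return flagged


if __name__ == "__main__":
    for client, run in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {run} consecutive object ids requested")
```

Counting 404 responses in the run is deliberate: an enumerator requests deleted or never-assigned identifiers that a reader following links would not. The detector complements, rather than replaces, a server-side authorization check on every object; only that check keeps a post its author marked private from being served to whoever guesses its number.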
After the Jan. 6 U.S. Capitol riots, Donk shared links to the web addresses of a million Parler video posts and asked her Twitter followers to download them before rioters who recorded themselves inside the building deleted the evidence. The trove included not just footage but exact locations and timestamps, allowing members of Congress to catalogue the violence and the FBI to identify more suspects.
Popular with far-right figures, Parler has struggled to stay online after being dropped by Google and Amazon. Donk’s actions alarmed users who thought some videos would remain private, hindering its attempt at a comeback.
In the meantime, protesters in Myanmar asked Donk for help, leading to file dumps that prompted Google to pull its blogging platform and email accounts from leaders of the Feb. 1 coup. Donk’s identification of numerous other military contractors helped fuel sanctions that continue to pile up.
One big change from the earlier era of hacktivism is that hackers can now make money legally by reporting the security weaknesses they find to the companies involved, or by taking jobs with cybersecurity firms.
But some view so-called bug bounty programs, and the hiring of hackers to break into systems to find weaknesses, as mechanisms for protecting companies who should be exposed.
“We’re not going to hack and help secure anyone we think is doing something extremely unethical,” said John Jackson, an American researcher who works with Cottle on above-ground projects. “We’re not going to hack surveillance companies and help them secure their infrastructure.”