WEBVTT - The SolarWinds Hack 0:00:04.400 --> 0:00:07.800 Welcome to tech Stuff, a production from I Heart Radio. 0:00:12.480 --> 0:00:15.320 Pay there and welcome to tech Stuff. I'm your host, 0:00:15.440 --> 0:00:18.640 Jonathan Strickland. I'm an executive producer with I Heart Radio 0:00:18.680 --> 0:00:21.599 and a love of all things tech, and today I've 0:00:21.600 --> 0:00:24.520 got something special for you guys. I'm going to be 0:00:24.640 --> 0:00:30.200 talking with Shannon Morse, my good friend, hacker extraordinaire, incredible 0:00:30.240 --> 0:00:32.640 tech communicator, and she and I are going to break 0:00:32.680 --> 0:00:37.400 down the solar winds hack, a hack that was dominating 0:00:37.440 --> 0:00:41.560 the news for late December into January. It will likely 0:00:41.600 --> 0:00:43.640 be a part of the news cycle in the tech 0:00:43.720 --> 0:00:48.800 space for months and possibly years to come, as it 0:00:48.960 --> 0:00:54.200 was a particularly effective and potentially devastating attack, one that 0:00:54.320 --> 0:00:58.600 will take quite a long time to repair. And I 0:00:58.680 --> 0:01:01.480 wanted to bring Shannon on to the show because while 0:01:01.520 --> 0:01:03.720 I can do a lot of research into this stuff, 0:01:04.560 --> 0:01:08.920 I come at this as the same as anyone else would, really, 0:01:08.959 --> 0:01:13.440 anyone who's not in the the info sex space. I 0:01:13.480 --> 0:01:16.080 would look at it as an outsider trying to learn 0:01:16.080 --> 0:01:19.520 as best I can. But Shannon has been working in 0:01:19.560 --> 0:01:24.720 the hacker sphere for many years and has a particularly 0:01:25.480 --> 0:01:29.080 uh strong point of view when it comes to such 0:01:29.160 --> 0:01:31.960 things and is able to see things that I just don't. 0:01:32.280 --> 0:01:35.160 So I was very glad that she took the time 0:01:35.280 --> 0:01:38.720 out of her schedule to jump on this episode. And 0:01:38.800 --> 0:01:43.120 so now here is my conversation with Shannon Morris about 0:01:43.160 --> 0:01:49.000 the solar winds hack. I hope you enjoy it. Shannon, 0:01:49.320 --> 0:01:52.240 Welcome back to tech Stuff. It has been too long. 0:01:52.400 --> 0:01:55.800 Thank you for joining me. Thank you for having me. Jonathan, 0:01:55.840 --> 0:01:58.880 how are you. I'm well, It's always a pleasure to 0:01:58.920 --> 0:02:01.520 have you on even and we have to talk about 0:02:02.040 --> 0:02:06.720 terrifying existential threats, but this one is a fun one. 0:02:07.080 --> 0:02:10.720 This one is interesting, fun for us to talk about. Yeah, well, 0:02:10.880 --> 0:02:15.040 because it's it is different from a lot of of 0:02:15.240 --> 0:02:19.800 malware threats and hacker threats that we typically hear about. So, Shannon, 0:02:19.800 --> 0:02:23.960 you're the expert, you let me know if I'm way 0:02:23.960 --> 0:02:26.400 off base. I'm going to give kind of my take 0:02:26.520 --> 0:02:31.079 on what the typical hacker attack tends to be and 0:02:31.200 --> 0:02:32.840 the way we tend to see, at least the ones 0:02:32.840 --> 0:02:35.680 that we hear about. Um, if it's not something like 0:02:36.040 --> 0:02:39.639 someone taking advantage of a security vulnerability in a system 0:02:39.760 --> 0:02:43.160 or using social engineering to get access to someone's system, 0:02:43.400 --> 0:02:46.760 what we usually hear about our malware attacks where there's 0:02:46.800 --> 0:02:51.760 like an email attachment or someone has uploaded and infected 0:02:51.840 --> 0:02:55.880 file through some sort of distribution point where it might 0:02:55.919 --> 0:02:58.000 be a peer to peer network, it might be a database, 0:02:59.000 --> 0:03:01.480 or it might be that you go to some website 0:03:01.600 --> 0:03:04.480 that you've been directed to and you click on something 0:03:04.480 --> 0:03:07.799 that then installs malware to your system. And in this 0:03:07.840 --> 0:03:11.520 sort of attack, you've got hackers that are kind of 0:03:11.520 --> 0:03:14.400 taking a shotgun approach, right. They don't know who's going 0:03:14.440 --> 0:03:17.680 to end up getting this malware. It's more like, let's 0:03:17.680 --> 0:03:19.720 try and spread it as far and wide as we 0:03:19.800 --> 0:03:24.840 possibly can, taking a pretty brute force kind of tactic. 0:03:24.919 --> 0:03:28.520 Is that more or less accurate for the general types 0:03:28.560 --> 0:03:30.840 of stuff we hear about? Yeah, pretty much. I mean 0:03:30.919 --> 0:03:34.600 usually you hear about the very consumer oriented hacks. You know, 0:03:34.680 --> 0:03:37.920 an app gets installed from Google Play and it turns 0:03:37.920 --> 0:03:41.400 out it has hundreds of thousands of downloads and everybody 0:03:41.400 --> 0:03:43.080 all of a sudden has malware and they have to 0:03:43.080 --> 0:03:44.720 get rid of it. Blah blah blah blah blah. So 0:03:44.760 --> 0:03:48.720 you see a lot of targeted assaults happening towards consumers, 0:03:48.760 --> 0:03:51.880 but in this case, with a supply chain attack, as 0:03:51.960 --> 0:03:55.360 what it's called, uh you see a a attack that's 0:03:55.520 --> 0:03:59.240 very targeted towards a specific type of brand or a 0:03:59.320 --> 0:04:02.200 vendor that happens to work with a whole bunch of people. 0:04:02.520 --> 0:04:05.880 So the attackers don't necessarily know of the whole bunch 0:04:05.920 --> 0:04:09.240 of people these businesses, clients that this vendor works with. 0:04:09.280 --> 0:04:11.720 They don't know who's actually going to install it in 0:04:11.800 --> 0:04:14.720 order for them to be able to attack all these 0:04:14.720 --> 0:04:18.239 different brands. They just know, we know this vendor works 0:04:18.240 --> 0:04:22.400 with thousands of thousands of really important businesses, so let's 0:04:22.440 --> 0:04:26.200 just attack this one brand and then see what happens. Yeah, 0:04:26.320 --> 0:04:29.000 and in this case, the Solar Winds hack a lot 0:04:29.040 --> 0:04:31.920 of people. I'm sure the average person had never heard 0:04:31.920 --> 0:04:35.920 about solar Winds before the news broke about the actual hack. 0:04:36.720 --> 0:04:40.200 Because this is a business to business sort of enterprise. 0:04:40.279 --> 0:04:45.560 They create software packages for businesses, typically really big businesses 0:04:45.560 --> 0:04:49.360 are really big organizations to use to do things like 0:04:49.400 --> 0:04:52.680 just monitor their network system. So it's not the kind 0:04:52.680 --> 0:04:54.800 of thing that the average person would ever have to 0:04:54.839 --> 0:04:57.240 come in contact with unless you happen to be like 0:04:57.720 --> 0:05:00.480 the I T. Person at a big company or a 0:05:00.520 --> 0:05:04.640 government agency exactly. So I give an example of when 0:05:04.760 --> 0:05:08.560 I used to work at a bank and forward facing. 0:05:08.800 --> 0:05:10.600 When I was working at that bank, you know, I 0:05:10.640 --> 0:05:12.560 was talking to customers all the time, and I had 0:05:12.640 --> 0:05:16.480 my own little register where I had the money and everything, 0:05:16.920 --> 0:05:19.279 and I had my own computer. But that computer was 0:05:19.640 --> 0:05:23.320 running Windows, and it was running software on Windows. But 0:05:23.480 --> 0:05:26.640 behind the scenes, for that entire branch and for all 0:05:26.760 --> 0:05:29.920 the different branches and all the different cities for this 0:05:30.000 --> 0:05:32.960 company that I worked at, they had servers that were 0:05:33.000 --> 0:05:36.880 connected to all the different physical locations for this bank, 0:05:37.200 --> 0:05:40.640 and on those servers is where you would see these 0:05:40.720 --> 0:05:44.039 kind of platforms being used, these kind of operating systems. 0:05:44.400 --> 0:05:48.279 So if you're just working at a very like consumer 0:05:48.320 --> 0:05:51.400 facing or an office oriented job, then you don't necessarily 0:05:51.480 --> 0:05:54.520 run into this, even if you're an employee. A lot 0:05:54.520 --> 0:05:56.640 of times it's just happening on the back end for 0:05:56.720 --> 0:05:59.920 like the network administrators, the I T security and from 0:06:00.000 --> 0:06:02.080 Asian security, like those are the kind of people that 0:06:02.120 --> 0:06:07.320 would be using this kind of uh networking product. Yeah. So, 0:06:07.320 --> 0:06:09.960 so like if you're a company that does products that 0:06:10.000 --> 0:06:12.600 are like software as a service, where you need to 0:06:12.720 --> 0:06:15.800 keep a really close eye on things like network loads 0:06:16.000 --> 0:06:19.320 because you might have to react uh nimbly and and 0:06:19.720 --> 0:06:24.880 quickly to changing demands on your system. Solar Winds makes 0:06:24.920 --> 0:06:27.680 the kind of software that allows you to have that 0:06:27.680 --> 0:06:31.599 that top level look at what's going on with your networks. 0:06:31.640 --> 0:06:34.599 So again not something that most of us would run into, 0:06:34.640 --> 0:06:38.599 but it is really important software. And that's why nearly 0:06:38.760 --> 0:06:42.200 every company that's on the Fortune five list is a 0:06:42.320 --> 0:06:47.880 client of Solar Winds, and several high level government agencies, 0:06:47.920 --> 0:06:50.600 particularly in the United States, like the Department of Justice, 0:06:50.640 --> 0:06:54.200 the Department of Homeland Security, Department of the Treasury, the 0:06:54.200 --> 0:06:59.279 Department of Energy, like big national security level organizations are 0:06:59.320 --> 0:07:02.760 all client of Solar Winds, and in particular, they have 0:07:02.839 --> 0:07:06.800 a product that's called Oriyan, and this is specifically to 0:07:06.880 --> 0:07:11.720 monitor stuff like network traffic and network assets and where 0:07:11.760 --> 0:07:14.520 you might need to make adjustments on the fly. And 0:07:14.640 --> 0:07:19.000 that ends up being the bulls eye of the target 0:07:19.440 --> 0:07:22.600 for the hackers who created the Solar Winds hack, which 0:07:22.640 --> 0:07:26.560 is also sometimes called sunbursts, the particular malware that was used, 0:07:27.200 --> 0:07:30.560 and um, this is where we get into that supply 0:07:30.680 --> 0:07:35.080 chain attack. And I think an easy way for people 0:07:35.120 --> 0:07:39.160 to understand it is that it's unfortunate that it's an 0:07:39.160 --> 0:07:42.400 attack that that takes advantage of something that we typically 0:07:42.440 --> 0:07:45.760 tell people to do, which is, when a patch comes 0:07:45.760 --> 0:07:50.440 out for your software, you install it. Because typically patches 0:07:50.480 --> 0:07:55.440 do things like they address previous vulnerabilities in software and 0:07:55.480 --> 0:07:59.800 they close down an avenue of attack for hackers. But 0:08:00.560 --> 0:08:04.440 if a hacker were able to target that that actual software, 0:08:04.520 --> 0:08:07.120 whatever it might be, like, if they were able to 0:08:07.160 --> 0:08:11.320 target Windows and insert the malicious code into the Windows 0:08:11.360 --> 0:08:13.360 code so that when the patch notes go out, when 0:08:13.360 --> 0:08:17.400 the patches go out, the malicious code hitchhikes along. And 0:08:17.440 --> 0:08:19.360 then when you install your patch, as you do as 0:08:19.360 --> 0:08:23.360 a good user, you have just installed the malware that 0:08:23.600 --> 0:08:29.040 is the supply chain attack, and it's devastating. It's yeah, 0:08:29.080 --> 0:08:33.439 it's very very scary because the it kind of focuses 0:08:33.480 --> 0:08:37.000 on the inherent trust that a lot of clients have 0:08:37.320 --> 0:08:42.119 with the vendors that they use for this distributed software 0:08:42.200 --> 0:08:44.600 that they might use on their back end for for 0:08:44.640 --> 0:08:47.480 their network or whatever it might be. So by having 0:08:47.480 --> 0:08:51.360 that inherent trust, you are trusting as a business that 0:08:51.440 --> 0:08:54.719 when you do these auto updates, when you physically go 0:08:54.800 --> 0:08:57.719 in and you know, update your firmware or whatever it 0:08:57.800 --> 0:09:01.120 might be, that you are going to be protecting yourself 0:09:01.120 --> 0:09:03.439 because you're on top of it, you're downloading that stuff 0:09:03.480 --> 0:09:05.680 every single time there's a new version that comes out. 0:09:05.760 --> 0:09:09.240 But in this case, because the attackers were targeting the 0:09:09.320 --> 0:09:14.280 vendor itself and not the specific clients, they were distributing 0:09:14.320 --> 0:09:19.080 that malware, two thousands upon thousands of potential customers, and 0:09:19.120 --> 0:09:22.480 it's the ones that were updating like they should be 0:09:22.600 --> 0:09:25.840 that ended up being kind of caught in the crosshairs. Yeah, 0:09:25.840 --> 0:09:27.880 this is one of those cases where you say, I 0:09:27.920 --> 0:09:32.080 did everything right and you still screwed me. Uh yeah. 0:09:32.160 --> 0:09:36.720 So oriyan Orian is a platform that's very popular. Around 0:09:36.960 --> 0:09:40.959 thirty three thousand of solar Wind's clients have some version 0:09:41.000 --> 0:09:43.320 of Orian running on their system. Out of that thirty 0:09:43.360 --> 0:09:47.880 three thousand, solar Winds said, approximately eighteen thousand had the 0:09:48.000 --> 0:09:51.600 versions that were specifically affected when the malicious code had 0:09:51.640 --> 0:09:54.880 been inserted and those patches had been pushed out to 0:09:54.960 --> 0:09:57.360 the clients and they had actually installed it. Out of 0:09:57.360 --> 0:10:01.880 those eighteen thousand, however, we later learned that a very 0:10:02.000 --> 0:10:05.000 very small number were followed up on because, as it 0:10:05.000 --> 0:10:09.000 turns out, that sunburst attack was just stage one. It 0:10:09.120 --> 0:10:11.719 was not it was not the end all. It wasn't like, 0:10:11.960 --> 0:10:15.680 oh we snug some malicious code into a legitimate product. 0:10:16.280 --> 0:10:19.880 High fives all around. That was just the beginning. Yeah, 0:10:19.960 --> 0:10:22.960 So in this case, the attackers were like, let's just 0:10:23.120 --> 0:10:25.760 get it out there and see who gets caught in 0:10:25.800 --> 0:10:28.720 the crosshairs. And then they started following up and they 0:10:28.720 --> 0:10:31.679 were like, Okay, well, who who matters the most to us? 0:10:31.760 --> 0:10:35.240 Which ones might be financially motivated for us to hack? 0:10:35.679 --> 0:10:38.600 Who might be the ones that have the biggest and 0:10:38.679 --> 0:10:42.480 best data sets that we could potentially pilfer off and 0:10:42.600 --> 0:10:45.640 sell to a third party. Like, we don't necessarily know 0:10:45.679 --> 0:10:48.560 what their end goal is, but a lot of times 0:10:48.600 --> 0:10:51.600 with hacks like this, especially if they are distributed towards 0:10:52.040 --> 0:10:55.560 Fortune five hundreds and government and sectors like that, they 0:10:55.600 --> 0:10:59.280 are state sponsored or they are very very financially motivated. 0:10:59.640 --> 0:11:03.840 So that would be my general like hypothesis as far 0:11:03.880 --> 0:11:07.560 as what their their motivations were behind it and why 0:11:07.600 --> 0:11:12.200 they specifically target, you know, the government sector. The very 0:11:12.320 --> 0:11:15.320 few that they actually did out of the eighteen thousand, Yeah, 0:11:15.320 --> 0:11:18.880 I think the last report I read said that it 0:11:18.920 --> 0:11:23.520 looked like it was around forty systems out of eighteen thousand. 0:11:23.800 --> 0:11:26.240 That's less than that's less than less like point two 0:11:27.160 --> 0:11:30.640 of all the different systems that they hit that they 0:11:30.679 --> 0:11:33.160 followed up on, and it does say that there was 0:11:33.200 --> 0:11:37.480 a very concentrated, focused effort to look at very specific systems. 0:11:37.720 --> 0:11:39.400 Most of the ones that they targeted were out of 0:11:39.400 --> 0:11:42.960 big tech and then government agencies and then some non 0:11:43.000 --> 0:11:45.880 government offices outside of that, like think tanks and things 0:11:45.880 --> 0:11:49.320 like that. UM I've seen speculation that, as you say, 0:11:49.440 --> 0:11:53.400 it was very likely a state backed attack, and that 0:11:54.520 --> 0:11:57.840 the evidence seems to point, but it does not necessarily 0:11:57.840 --> 0:12:03.560 indicate proof positive that Russia was behind the attack. At least, yes, 0:12:03.920 --> 0:12:06.160 there appears that that's what all the signs point to, 0:12:06.280 --> 0:12:08.800 but then there's also always the possibility of what is 0:12:08.800 --> 0:12:14.600 called a false flag operation exactly. So it's very interesting 0:12:14.640 --> 0:12:19.280 when people start kind of laying blame on specific groups 0:12:19.360 --> 0:12:22.560 of attackers or groups of hackers and saying like, hey, 0:12:22.600 --> 0:12:24.960 because the code looks this way, we think that it's, 0:12:25.440 --> 0:12:27.679 you know, backed by Russia or whoever, it might be 0:12:27.760 --> 0:12:30.160 backed by China and North Korea. Those are usually the 0:12:30.200 --> 0:12:33.360 ones that we see in the news. Uh. In this case, 0:12:33.480 --> 0:12:37.560 they found samples of code that could be very very 0:12:37.559 --> 0:12:42.880 closely linked to a previous attacker group from Russia. So 0:12:42.960 --> 0:12:44.800 they made that tie and they were like, hey, we 0:12:44.840 --> 0:12:47.760 think that this is the same group. But there is 0:12:47.800 --> 0:12:52.480 always the potential that somebody could have copied previous malware 0:12:53.040 --> 0:12:56.320 and used samples of that for new quote code for 0:12:56.559 --> 0:13:00.200 solar winds for the sunburst. So it's entirely possible that 0:13:00.280 --> 0:13:04.880 it's not the same group, but it's plausible, right. So 0:13:05.520 --> 0:13:08.120 again you can't draw any firm conclusions. But when you 0:13:08.160 --> 0:13:13.320 start thinking about this as a potential state backed attack 0:13:14.200 --> 0:13:20.160 that largely gives hackers high level access to systems once 0:13:20.200 --> 0:13:24.320 they deliver that second payload of malware, which specifically allows 0:13:24.360 --> 0:13:28.880 them to move laterally across networks, not just hit a 0:13:28.920 --> 0:13:32.360 specific server, but then to kind of infiltrate across an 0:13:32.520 --> 0:13:35.920 entire system. A lot of the reports we've seen have 0:13:36.040 --> 0:13:40.400 shown that the hackers were at least able to read 0:13:40.920 --> 0:13:44.120 material to see what what material was around. They could 0:13:44.200 --> 0:13:47.000 look at source code at Microsoft, for example, or they 0:13:47.000 --> 0:13:49.480 can look at emails that had been both sent and 0:13:49.559 --> 0:13:53.640 received through a particular system. A lot of this kind 0:13:53.640 --> 0:13:58.440 of leads you down the path to thinking one potential 0:13:58.440 --> 0:14:02.240 purpose for this attack could be espionage. That it literally 0:14:02.360 --> 0:14:06.680 is another part of cyber espionage where you're spying on 0:14:07.280 --> 0:14:12.000 UM an enemy or or adversary, and that fits the 0:14:12.080 --> 0:14:16.719 narrative really well. Again, we can't draw that conclusion conclusively 0:14:17.400 --> 0:14:20.520 to be redundant, but we can at least we can 0:14:20.520 --> 0:14:24.120 at least say like that is a potential answer to 0:14:24.400 --> 0:14:30.200 why this has happened. Yeah, So I like to lay 0:14:30.200 --> 0:14:33.640 out a lot of caveats because it's it's very dangerous 0:14:33.640 --> 0:14:36.240 to speak in absolutes when you come to something like this, 0:14:36.640 --> 0:14:40.040 because it may turn out yes, ongoing. So we still 0:14:40.040 --> 0:14:42.200 have a lot of questions. But I am glad that 0:14:42.280 --> 0:14:46.240 we have companies like Microsoft, for example, with Office three 0:14:46.720 --> 0:14:49.200 and the fact that they were able to see source code, 0:14:49.360 --> 0:14:51.640 the attackers were able to see source code. I'm glad 0:14:51.680 --> 0:14:56.680 they're coming forward these clients that were attacked and we're targeted, 0:14:56.720 --> 0:14:59.880 because it's giving us a clear perspective of what was 0:15:00.080 --> 0:15:04.680 actually targeted in this assault. And in Microsoft's case, it was, 0:15:05.440 --> 0:15:08.040 or at least they believe that it was the source code, 0:15:08.040 --> 0:15:11.520 because the attackers did get access to that information. Now, 0:15:11.560 --> 0:15:14.840 were they also like collecting the source code? Were they 0:15:14.880 --> 0:15:17.960 taking it from Microsoft and collecting it into their own 0:15:18.040 --> 0:15:22.040 data set? Maybe? Probably, I mean, they did have access 0:15:22.080 --> 0:15:24.720 to it, so it's entirely plausible as well. But again 0:15:24.800 --> 0:15:28.240 it's that plausibility of like all these questions that we 0:15:28.320 --> 0:15:31.920 currently have with an active attack where there's still being 0:15:32.000 --> 0:15:37.000 discoveries happening. This is Jonathan outside the interview here. I'm 0:15:37.040 --> 0:15:39.760 just interrupting so that we can take a quick break, 0:15:39.800 --> 0:15:49.840 but we'll be right back. So we know that the 0:15:49.920 --> 0:15:53.600 nature of the attack allowed for a lot of access 0:15:53.640 --> 0:15:57.080 to things from a certain level, but in most cases 0:15:57.120 --> 0:15:59.640 that we've heard about, the companies are saying no one 0:15:59.840 --> 0:16:03.200 was able to actually make any changes to anything. They 0:16:03.280 --> 0:16:05.360 might have seen it, they might have copied it, but 0:16:05.440 --> 0:16:09.120 they could not modify anything. However, part of what I 0:16:09.120 --> 0:16:11.600 would think would be useful if you're looking at source 0:16:11.680 --> 0:16:14.520 code for products like Office three six five, which has 0:16:14.840 --> 0:16:19.800 incredible distribution to millions of systems around the world, consumer level, 0:16:19.960 --> 0:16:24.040 enterprise level, everything in between, that now that you have 0:16:24.120 --> 0:16:26.400 that source code, you can start looking at ways to 0:16:26.520 --> 0:16:31.160 exploit that. You essentially have a playground, a sandbox that 0:16:31.240 --> 0:16:33.720 you can work in with the actual source code of 0:16:33.760 --> 0:16:38.720 the product, at least from that particular era until Microsoft 0:16:39.000 --> 0:16:41.920 makes changes to it, and then you have a way 0:16:41.960 --> 0:16:45.240 of of practicing on that to try and develop malware 0:16:45.280 --> 0:16:49.360 that could potentially be used out in other distributions using 0:16:49.400 --> 0:16:53.320 perhaps totally different attack vectors. Is that something that could 0:16:53.360 --> 0:16:59.840 actually be possible or my addled by Hollywood, That's entirely possible. 0:17:00.160 --> 0:17:03.240 And that's one of the reasons why we have seen 0:17:03.400 --> 0:17:08.760 supply chain attacks targeting very specific like firmware versions or 0:17:08.920 --> 0:17:12.359 or the back ends for these really large clients like 0:17:12.480 --> 0:17:15.840 Microsoft UH in order to be able to steal source 0:17:15.880 --> 0:17:19.200 code and stuff like that, because oftentimes, even though new 0:17:19.320 --> 0:17:22.760 versions might come out of an operating system or of 0:17:22.920 --> 0:17:27.920 software or firmware UH, they will use previous generations of 0:17:27.920 --> 0:17:33.440 that firmware in order to maintain like consistency across all 0:17:33.440 --> 0:17:36.720 of the different platforms that their product might be installed onto. 0:17:37.119 --> 0:17:40.560 So there might be a few changes for future versions 0:17:40.640 --> 0:17:44.280 or future releases, but the source code might remain pretty 0:17:44.320 --> 0:17:48.879 similar to previous installations, and it's so much work to 0:17:49.080 --> 0:17:53.040 change things on a fundamental level that it's impractical. Right, 0:17:53.160 --> 0:17:59.080 There's there's almost no possibility, especially for programs that typically 0:18:00.040 --> 0:18:03.040 they typically grow larger. I don't know if you've noticed this, Shannon, 0:18:03.119 --> 0:18:07.800 but I have, even from like a programming perspective, which 0:18:07.840 --> 0:18:09.920 I am not a programmer. But I have done some 0:18:10.000 --> 0:18:13.240 coding in the past, and I know that there is 0:18:13.359 --> 0:18:17.880 a lot of turnover at companies, and oftentimes they will 0:18:18.359 --> 0:18:21.600 forcibly not change a lot of the code in order 0:18:21.920 --> 0:18:24.840 to make sure that it still works with new employees 0:18:24.960 --> 0:18:27.199 if there is like a new codeer that comes in 0:18:27.320 --> 0:18:30.480 or a new programmer. Uh and sometimes you won't find 0:18:30.560 --> 0:18:34.840 notes in the in the code for future programmers, so 0:18:35.000 --> 0:18:38.400 they just choose not to break anything by not changing anything, 0:18:38.520 --> 0:18:42.560 so code will remain the same for years and years 0:18:42.560 --> 0:18:47.800 and years before somebody actually goes in and bravely changes anything. Right, So, 0:18:47.920 --> 0:18:51.800 if you if you are someone who's creating a uh 0:18:51.880 --> 0:18:54.639 some malware and you want to target users of a 0:18:54.720 --> 0:18:59.400 specific type of of software, whatever it may be, whether 0:18:59.400 --> 0:19:03.240 it's an operating system or something entirely different, then being 0:19:03.280 --> 0:19:06.600 able to make a change to like a fundamental part 0:19:06.720 --> 0:19:09.320 of that code, one that is not likely to have 0:19:09.440 --> 0:19:13.359 been altered because it's it's sort of a pillar of 0:19:13.400 --> 0:19:17.840 the software, then that's a pretty decent bet that your malware, 0:19:17.920 --> 0:19:22.399 if you're able to inject it into the actual real 0:19:22.720 --> 0:19:26.440 software on whatever the vendor side is, that that will 0:19:26.480 --> 0:19:30.840 then get rolled out through various patches and updates or 0:19:30.880 --> 0:19:34.440 even just new installations of that that product as people 0:19:34.600 --> 0:19:38.119 come on board, and the longer you can keep that 0:19:38.200 --> 0:19:41.359 on the d L, the more systems you can infect 0:19:41.400 --> 0:19:44.560 without anyone being the wiser. As it turns out with 0:19:44.560 --> 0:19:48.240 with the solar winds hack, we now know that the 0:19:48.320 --> 0:19:53.639 attacks started no later than October two thousand nineteen. It 0:19:53.680 --> 0:19:56.560 may have been insane. Yeah, So that that was for 0:19:56.640 --> 0:20:00.280 a full year plus a couple of months before we 0:20:00.280 --> 0:20:04.200 were made aware of it. And it was another security 0:20:04.280 --> 0:20:08.760 firm called fire Eye that noticed something hinky was going on. 0:20:09.440 --> 0:20:13.399 Something hinky. Yeah, but it's kind of but it was hanky, 0:20:15.240 --> 0:20:17.320 It's true. They were They were like, hey, what's this 0:20:17.520 --> 0:20:20.600 wise our network being weird? I call it jankie. But 0:20:21.640 --> 0:20:24.600 they just like, some odd is going on, Like we're 0:20:24.600 --> 0:20:27.159 getting some red flags. And we didn't know at the 0:20:27.200 --> 0:20:29.600 time that it was Sunburst, that we didn't know that 0:20:29.640 --> 0:20:32.040 it was a solar winds hack or where it was 0:20:32.080 --> 0:20:35.320 being distributed from. So fire I was just like, we 0:20:35.359 --> 0:20:37.400 think we got hacked, and then a few days later 0:20:37.480 --> 0:20:40.480 everybody was like, oh, actually this is connected to a 0:20:40.600 --> 0:20:45.000 much bigger thing. It wasn't them, it was the vendor 0:20:45.119 --> 0:20:47.640 that they were using. So all of a sudden, everybody 0:20:47.680 --> 0:20:50.840 was just like, oh, we should probably check our systems too, 0:20:50.960 --> 0:20:54.600 And then everybody started realizing, oh, this is actually a 0:20:54.640 --> 0:20:56.480 really huge thing because it wasn't just us, it was 0:20:56.520 --> 0:21:01.880 a vendor. That's scary. Well, and when it's a cybersecurity 0:21:02.000 --> 0:21:05.359 firm that first says, oh, gosh, we were hacked, you 0:21:05.440 --> 0:21:08.360 know it's bad because these are the people who are 0:21:08.359 --> 0:21:14.520 paid to stop that from happening to other people. So 0:21:15.240 --> 0:21:17.399 it's a great example when you look at it from 0:21:17.440 --> 0:21:21.200 from that perspective of fire Eye as a cybersecurity company, 0:21:21.760 --> 0:21:26.160 even they had inherent trust in Solar Winds to distribute 0:21:26.520 --> 0:21:30.720 their firmware and their updates in a trusted way. And 0:21:30.800 --> 0:21:34.520 even then they couldn't fully trust Solar Winds to do 0:21:34.600 --> 0:21:37.960 that in a matter that would keep them protected, right right, 0:21:38.000 --> 0:21:41.520 I mean, we there's this whole certification process, this digital 0:21:41.560 --> 0:21:45.639 certification that proves that a piece of code is really 0:21:45.720 --> 0:21:49.479 coming from the source that you think you're receiving it, 0:21:49.760 --> 0:21:53.480 you know from, so that there's this approach that's very 0:21:53.560 --> 0:21:58.920 well tested, very well proven by history that this is reliable. 0:21:59.520 --> 0:22:04.040 And that's why this hack is so insidious because it said, cool, 0:22:04.160 --> 0:22:06.359 we were not going to try and get around that. 0:22:06.920 --> 0:22:12.159 We're gonna rely on that trust, on that that whole process, 0:22:12.840 --> 0:22:15.640 because everyone knows it works. So if you can, if 0:22:15.640 --> 0:22:17.920 you can get to the code before it goes through, 0:22:18.760 --> 0:22:22.359 then you're golden. And that's exactly what happened. Uh. An 0:22:22.359 --> 0:22:25.520 analogy I use is that the way we typically think 0:22:25.520 --> 0:22:28.239 of hackers is and you should appreciate this because I 0:22:28.280 --> 0:22:30.920 know you've played with them. We can think of someone 0:22:30.960 --> 0:22:33.480 who's got lock picks and they're going through an apartment 0:22:33.520 --> 0:22:36.199 building and they're just they're they're opening up locks just 0:22:36.240 --> 0:22:38.880 for fun. But the Solar Winds hack is as if 0:22:39.400 --> 0:22:43.080 the supervisor for the entire building with the master key 0:22:43.280 --> 0:22:45.200 is the one who has decided to do all the snooping, 0:22:45.200 --> 0:22:46.959 and they can just walk in when because they've been 0:22:46.960 --> 0:22:50.439 trusted with that master key. So that's kind of the 0:22:50.480 --> 0:22:54.240 analogy I give. It's it's totally different from the hacks 0:22:54.240 --> 0:22:56.680 where you're like, that person looks us I'm not gonna 0:22:56.760 --> 0:22:59.040 let them into the building. No, it's it's the supervisor. 0:22:59.080 --> 0:23:03.480 Of course, the supervisor comes in, he's tolly fied. Yeah, 0:23:03.760 --> 0:23:06.240 that's a great analogy. Actually, I don't I hope you 0:23:06.280 --> 0:23:08.520 don't mind if I steal that? Please? Do I get 0:23:08.600 --> 0:23:11.320 like two a year? So I'm just glad that I 0:23:11.400 --> 0:23:14.360 was able to. I mean I peaked early. We're in January. 0:23:14.440 --> 0:23:20.640 But but yeah, so the scope of this attack, even 0:23:20.640 --> 0:23:25.359 though only only I say only, but like forty different 0:23:25.359 --> 0:23:30.080 systems have been compromised then further infiltrated. Uh, you still 0:23:30.160 --> 0:23:34.480 have around eighteen thousand that could potentially be infiltrated because 0:23:34.520 --> 0:23:37.840 they do have the malicious code installed within their systems 0:23:38.200 --> 0:23:40.399 that allows for that backdoor access. So they have to 0:23:40.840 --> 0:23:43.240 they it is now incumbent upon them to make sure 0:23:43.320 --> 0:23:49.000 they uh they they isolate those servers, they remediate them, 0:23:49.160 --> 0:23:51.840 and that they bring everything up to a new version 0:23:51.840 --> 0:23:56.600 that no longer has that backdoor access. Meanwhile, for all 0:23:56.680 --> 0:24:00.240 the systems that we're compromised, for those forty, which again 0:24:00.280 --> 0:24:05.480 includes like national security level government offices, they have the 0:24:05.560 --> 0:24:09.919 unenviable task of figuring out how extensive the attack was 0:24:10.000 --> 0:24:14.119 within their systems, what parts of their systems were specifically affected, 0:24:14.359 --> 0:24:18.240 at what level of access did the hackers have, was 0:24:18.280 --> 0:24:20.480 it like microsoftware they could just see it or could 0:24:20.520 --> 0:24:23.439 they do more? And how do they fix it? Um? 0:24:23.480 --> 0:24:26.560 And this is. I think I think the way we 0:24:26.600 --> 0:24:31.120 could we could call it a ginormous challenge. Oh yeah, 0:24:31.400 --> 0:24:34.240 So I'll give you an example from a very much 0:24:34.440 --> 0:24:38.119 smaller scale. When I was working at Hack five in 0:24:38.160 --> 0:24:42.840 an office, I learned how I could do network sniffing 0:24:43.320 --> 0:24:46.280