Russia’s Foreign Intelligence Service has been blamed for the SolarWinds cyber attack.

The UK and US have revealed for the first time that Russia’s Foreign Intelligence Service (SVR) was behind a series of cyber intrusions, including the SolarWinds compromise.

The National Cyber Security Centre, a part of GCHQ, assesses that it is highly likely the SVR was responsible for gaining unauthorised access to SolarWinds Orion software and subsequent targeting. You can read from the source here.

The US National Security Agency (NSA), Department of Homeland Security’s Cybersecurity Infrastructure Security Agency (CISA) and the FBI have published a technical advisory with mitigation advice. Read the guidance in full.

The NCSC has previously published guidance for organisations on this compromise:

Foreign Secretary Dominic Raab said:

“We see what Russia is doing to undermine our democracies. The UK and US are calling out Russia’s malicious behaviour, to enable our international partners and businesses at home to better defend and prepare themselves against this kind of action. The UK will continue to work with allies to call out Russia’s malign behaviour where we see it.”

You can read the Foreign Secretary’s statement on this action in full here.

 

George Allison
George has a degree in Cyber Security from Glasgow Caledonian University and has a keen interest in naval and cyber security matters and has appeared on national radio and television to discuss current events. George is on Twitter at @geoallison

21 COMMENTS

  1. It never fails to amaze me how complacent the UK is regards computer security. I fix people’s computers for a hobby and the number of people who refuse to pay for an AV package beggars belief, and that laissez-faire attitude is transferred across to business where swapping passwords is rife. Let’s not forget that a large number of ransomware hijacks at the NHS were because their security experts didn’t bother to upgrade their systems. I can remember, before I left, having an argument with a Lt Col who demanded I give her my Dii passwords so she could check my mail when I was away. Told her where to get off by quoting chapter and verse army standing orders regards passwords. We can complain all we want about Russia, China and Iran regards computer security, but until we start to take things seriously from our end things will only get worse. Anyway, must go, as I have just received an email from the son of a Nigerian prime minister who unfortunately died and wants to borrow my bank account so as to deposit a few million

    • The problem at the NHS was that the security experts wanted to install the updates but were overruled by management as it would break their in-house applications. Although supposedly coded for ‘web-browsers’, the applications had been coded for specific versions of a highly non-standard web browser, Internet Explorer. That tied the applications to specific versions of IE and MS Windows. Any half competent developer could have pointed this out, and presumably did. But as with the Challenger disaster, managers overruled the experts.

      • The problem is always money, resource, complexity and chaos.

        1) money impacts on what you can do in year, so NHS IT is always a fix it today affair, and every £1500 pound spent on IT is a hip replacement not done (it costs about 10 times that at a private hospital) or 100 children not immunised. The money is everything and NHS managers always have to think, money spent on infrastructure is not money spent on patient care.
        2) resources: the NHS is made up of around 10 thousand independent organisations, each with their own IT systems holding untold billions of records. Doing any major changes in NHS IT is massively resource intensive and every step needs to be considered. The single patient record was a classic example, 10 billion pounds flushed down the toilet in funding paid to some of the biggest IT companies in the world, who said “we can do that”. The NHS actually said it’s not possible, politicians believed the IT experts, 10 billion of funding and a failed project later guess who was right (it turns out the NHS knew more about clinical record keeping than IT companies).
        3) complexity and chaos: national health systems of any type are the most complex systems ever developed by humanity, the interdependencies and amount of activity is staggering (those 10 thousand NHS organisations generate something like 1 million patient episodes a day). Because of the complexity, health systems are very at risk from chaos (complexity and chaos is a killer); this makes NHS decision makers very conservative, they will only make changes if they have to (politicians on the other hand are always making massive changes based on dogma, that take the system years to get over; the Lansley reforms for instance are still creating problems now, and the NHS as a whole has been trying to get itself back in good order for 9 years (now we are changing all over again, mainly because Covid laid bare a number of significant weaknesses in the Lansley Reforms, as they split the NHS into smaller bite-sized units that are easy to privatise but very difficult to manage from a population health perspective, private healthcare is really a bit rubbish at a population level)).

        Now I see everything as a risk, but I acknowledge that many of my colleagues have other considerations and we have to balance what we do, learn from our errors and not actually constantly blame people for having to make crappy difficult choices.

      • Ron wrote:

        Good to know it was all the UK’s fault for Russia’s attack.

        Need to push that to the back of the queue after the UK’s guilt with the following:
        Global warming climate change
        Slavery
        Empire
        Not taking in 30 year old children from France
        WW2
        Covid
        Oppressing the alphabet people

        • Upsetting Napoleon
          Starting the Spanish Armada
          The Inquisition
          Norman firing arrows
          Vikings raping and pillaging
          Roman eating habits
          Druids painting themselves blue
          Killing the dinosaurs

          My God ..you’re right. Our crimes are endless. Why don’t you leave.

          • GR wrote:
            “My God ..you’re right. Our crimes are endless. Why don’t you leave.”

            Gee look at you,

          • Richard Edward wrote:
            “No sense of humour then.”
            You replied to my post in a most condescending manner, which you ended with telling me to leave the country. Seeing as I have kept away from you since your previous vapid remarks, don’t try to excuse your surreptitious bigoted mindset as humour.

          • Um Geoff, couple things, if you look at historic migration we are sort of Romano-Celtic, Anglo Saxon, Viking and Norman….so really the following is defo US

            blue druids, Check
            roman eating habits, check
            viking raping and pillaging, check
            Normans, check.

            and we really really irritated Napoleon, I mean he really did not like the British, in fact he really hated us, not in a geopolitical sense, but in everything Britain was and stood for. It was noted by a number of contemporary sources that his hatred was “palpable” even before the peninsula war.

      • The current Government appears to be myopic regards the threat faced by China. For example, Huawei, which has very strong links to the Chinese government, was allowed to build the backbone to our computer network with the likes of BT using a lot of their stuff, yet the British Military (and I can only presume the civil service as well) use BT networks for their computer networks, this from a company banned from most western nations (add Romania the other day). Only yesterday it was revealed that Huawei had access to Dutch phone calls, but the UK feels that we have nothing to fear as all Huawei kit used in the UK has to be vetted at the Huawei Cyber Security Evaluation Centre where Huawei personnel check Huawei kit for anything nefarious.

        A few years ago when I was on my C-IED instructors course there was an officer from the Signals on it and over drinks he started talking about how a free USB stick he had received at a trade fair was sending information to China when connected to his laptop. He naturally passed this info on up the chain. Now if the likes of buckshee USB sticks are spying on us, what is the much bigger stuff doing?

        Yet the Government, we should be buying more kit from China not less and Boris was forced to curtail links with Huawei a mindset which was made very clear in the latest defence review.

        • Indeed, if you type into Google ‘cyber news’ and read the various daily updates of security breaches at various companies and government depots it’s frightening. I normally check them out daily and I’m pretty convinced if they really want to get into a system they will find a way. All you can do is practice good I.T. hygiene, make sure your updates are up to date, use a good AV, strong passwords, beware of anything out of the unusual. It’s all a bit of a mine field really but keep in mind most attempts will still be through dodgy links in emails.

        • Cheers farouk, it’s no wonder how China is catching up with the West and we appear to be playing our part in letting them.

          Give it another five years and I can see us in real trouble as they will have solved their engine problems and no doubt have the information to do it! Not forgetting the numbers or the missiles.

          Thank god for small mercies like Radar 2!

          “A modified version of the J-20B entered mass production in June last year after Chengdu Aerospace Corporation (CAC), the developer of the J-20, set up a fourth production line in 2019. Each line has the capacity to make about one J-20 a month.

          But these mass-produced J-20 will still be fitted with Russian engines because testing the WS-10C will take at least a year, according to the insider.”

          https://www.businessinsider.com/china-modifies-j20-stealth-fighter-engine-to-match-us-f22-2021-1?r=US&IR=T

    • Unfortunately most people trust their colleagues and so work around the rules of expediency by sharing passwords, allowing them to use their account by staying logged in, accessing security doors, giving over keys, not fully checking drugs or blood products before they are administered, not checking work etc etc etc

      What most people who do this forget is that:

      1) Some people will not be honest and may be trying to defraud
      2) Some people are not very good at their jobs and make lots of errors
      3) Even highly competent individuals actually make plenty of errors
      4) Some people are actually mass murderers and are going to use you to obfuscate their actions.

      Trouble is, your average person is not really very good at considering these things a risk until it happens to them. You can teach them all you want, until it’s happened it’s not a problem, doing the day job as quickly as possible is the thing they see every day.

    • Having worked in NHS IT security in the past I can only agree with you but I promise, there was no lack of desire on our part to improve things. We were often met with conflicting demands from management to make the system 100% secure whilst enabling old systems to soldier on because they didn’t have the money to develop new systems. When the money was made available, the organisation I worked for was very adept at spending the money on anything but IT security.

      Part of the issue is the huge number of antiquated systems that rely on old, unpatched and outdated versions of programs like Internet Explorer. It’s frankly an insane position to be in.

      One memorable incident was the trust being given a seven figure sum of money to secure and update one particular system, they employed someone on a temporary 6 month contract, at the end of which we were told the money was spent and the project was closed. That money was spent on new IT equipment for the boardroom and little else IT related as far as I could tell. Despite months of effort I never did get a satisfactory answer as to where the money had gone.

      The Government did try to address this with the failed ‘NHS Digital’ plan but the decades of under-investment that preceded it led to a situation where it was financially untenable to continue after years of work and billions of pounds spent so it was all quietly dropped.

    • And how do you know that fox news dan? You trumpski supporters really can’t drop your love for pootin can you lol.

    • If you’re going to be ideologically so far right that Hitler would be happy at least be consistent …last week you were advocating Biden was in bed with Putin ….lol
