Midday. The XXI century.

Author: Andrew Mikhaliuk, CEO of CoreWin

Good evening, Samurais! With the news about the Ukrainian government, the pandemic, and sleepless nights watching Cyberpunk 2077, many of us missed the moment when the world was divided into Before and After. Let’s dive into what happened on 14 December 2020. The Washington Post published an article with information from an anonymous source about the details of the hacking of US government institutions. What happened, why did we wake up on 14 December in a new world, and what should we do next?

Here’s a brief summary of what happened. There is a group of russian hackers called Cozy Bear (also tracked as APT29), which, according to Western intelligence services, operates under the auspices of the russian FSB (this is a quote from russian Wikipedia; the SolarWinds operation itself was later formally attributed by the US and UK governments to the SVR, Russia’s foreign intelligence service). Here is a list of victims of known successful operations of this special unit:

  • White House
  • US Department of State
  • Pentagon
  • Government of Norway
  • US elections (exactly THAT incident)
  • UK, USA and Canada – stolen data on the Covid vaccine

I think it is obvious that this is not a complete list. So, according to an anonymous source, it was this group of hackers that compromised the build process of the SolarWinds Orion software and shipped a backdoor inside the product’s own signed updates. Thanks to this backdoor, they gained full access to the infrastructure of this system’s clients, and Orion, as a network monitoring platform, typically holds privileged credentials to everything it monitors. And here I mean not just being able to transfer a byte or two, not just gaining access to the DMZ. I mean that these plainclothes attackers were pumping in spyware by the megabyte and downloading terabytes of data. In other words, they felt no less dignified than the sudo root superadmin user. No one can say how long this cohort of inglorious people has been running amok in corporate networks. Experts say it was at least six months.

Why do we know about this? Every story has a hero. The hero of this one is Kevin Mandia, CEO of FireEye. It was FireEye that provided security services to a large part of US government agencies, and it was FireEye that used Orion. What’s done is done: Cozy Bear broke into their systems. They stole data along with a complete set of FireEye’s cutting-edge red team tools (FireEye itself said none of them contained zero-day exploits). FireEye, in turn, had been using these tools not for hacking, but to test and enhance its clients’ security. Why do I call him a hero? Because thanks to his strong-willed decision, we know what happened. The company made an official statement, admitted that it had been hacked, and provided all the details.

What is the mechanism of this hack? The stages below are a brief scheme. This is literally a first-level scheme, because by accessing the data of the system’s users, the hackers gained access to the contractors and clients of those users. Essentially, it all started with the software update channel. By the way, the NotPetya virus of 2017, well known to all Ukrainians, was distributed the same way. Back then, however, it was the M.E.Doc update servers that were compromised and spreading the infection. The public doesn’t know for certain who was behind that attack, but Ukrainian specialists (myself included) draw a clear parallel between this attack and the previous one. The signature style is the same.

In fact, the attack took place in the following stages:

  • Gaining access to SolarWinds’ build environment for Orion (how the attackers first got in is still unknown; SUNBURST is the name of the backdoor that came out of it, not of a vulnerability)

  • Inserting the backdoor into the Orion update packages, so that the malicious DLL shipped inside a normal, SolarWinds-signed update and its command-and-control traffic looked like Orion’s own telemetry (the same backdoor on every victim; it also stayed dormant for days before calling home, to avoid sandboxes)

  • Logging into infected users’ systems, selecting targets, and applying the entire arsenal of hacker tools, using the trust of a legitimate Orion installation and the credentials it holds to reach third-party systems

  • Downloading useful data

  • Leaving other backdoors, implants and settings that allow them to return at any time
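Two of the stages above translate directly into checks a defender can run: the backdoor’s first stage beaconed to DGA-generated subdomains of the published C2 domain avsvmcloud.com, and the trojanized DLL carried SolarWinds’ valid code signature, so only a hash comparison against published indicator lists distinguishes a backdoored build from a clean one. The script below is an added example, not code from the original post, SolarWinds or FireEye. It assumes a simple one-query-per-line resolver log format (constructed here), and the log lines, DLL contents and hash lists in the demo are constructed; in practice the hashes come from the FireEye/CISA advisories and the vendor.

```python
"""SUNBURST triage helpers: DNS beacon hunt and Orion DLL hash check.

Added example, not code from the original post, SolarWinds or FireEye.
Assumptions: a resolver log with one query per line in the form
"<timestamp> client=<ip> query=<type> <qname>" (constructed format), and
hash lists that in practice come from the FireEye/CISA advisories and the
vendor; the files and hashes used in demo_dll_check() are constructed.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Published SUNBURST first-stage C2 domain. The backdoor generated a DGA label
# and prepended one of four fake AWS-style prefixes, e.g.
# <dga>.appsync-api.eu-west-1.avsvmcloud.com, mimicking Orion telemetry.
SUNBURST_C2_DOMAIN = "avsvmcloud.com"
_BEACON_RE = re.compile(
    r"^(?P<dga>[a-z0-9]{8,})\."
    r"(?P<prefix>appsync-api\.(?:eu-west-1|us-west-2|us-east-1|us-east-2))\."
    + re.escape(SUNBURST_C2_DOMAIN) + r"$"
)
_LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qtype>\S+) (?P<qname>\S+)$"
)

# Constructed resolver log for the demo (the DGA labels are shaped like, but
# are not claimed to be, real SUNBURST labels).
SAMPLE_DNS_LOG = """\
2020-06-12T03:14:05Z client=10.1.20.7 query=A 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com
2020-06-12T03:14:06Z client=10.1.20.7 query=A downloads.solarwinds.com
2020-06-12T03:27:41Z client=10.1.20.9 query=A www.example.com
2020-06-12T04:02:13Z client=10.1.20.7 query=A 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
2020-06-12T04:10:00Z client=10.1.33.4 query=A r8stkst71ebqgj66ervg.appsync-api.us-east-2.avsvmcloud.com
2020-06-12T04:11:00Z client=10.1.33.4 query=A avsvmcloud.com.
"""


def parse_dns_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = _LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_sunburst_beacons(log_text):
    """Return one record per query that touches the SUNBURST C2 domain.

    'stage' is 'dga-beacon' when the name has the documented
    <dga>.<prefix>.avsvmcloud.com shape, otherwise 'domain-only' (still
    worth triage: any contact with the domain is suspicious).
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec is None:
            continue
        qname = rec["qname"].lower().rstrip(".")  # normalise FQDN trailing dot
        if qname != SUNBURST_C2_DOMAIN and not qname.endswith("." + SUNBURST_C2_DOMAIN):
            continue
        m = _BEACON_RE.match(qname)
        hits.append({
            "ts": rec["ts"], "client": rec["client"], "qname": qname,
            "stage": "dga-beacon" if m else "domain-only",
            "dga_label": m.group("dga") if m else None,
        })
    return hits


def hosts_to_isolate(log_text):
    """Distinct source IPs seen talking to the C2 domain, sorted."""
    return sorted({h["client"] for h in find_sunburst_beacons(log_text)})


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_orion_dll(path, known_bad, known_good):
    """Classify an Orion DLL by SHA-256 against published hash sets.

    A valid Authenticode signature is NOT evidence of a clean file here: the
    trojanized builds were signed with SolarWinds' real certificate, so only
    the hash comparison tells the two apart. Anything not on either list is
    'unknown' and must be checked against the vendor, not assumed clean.
    """
    digest = sha256_of(path)
    if digest in known_bad:
        return "trojanized"
    if digest in known_good:
        return "clean"
    return "unknown"


def demo_dll_check():
    """Self-contained demo with constructed files and constructed hash lists."""
    with tempfile.TemporaryDirectory() as d:
        bad = Path(d) / "SolarWinds.Orion.Core.BusinessLayer.dll"
        bad.write_bytes(b"MZ constructed trojanized build (not the real DLL)")
        good = Path(d) / "SolarWinds.Orion.Core.BusinessLayer.dll.clean"
        good.write_bytes(b"MZ constructed clean build (not the real DLL)")
        other = Path(d) / "other.dll"
        other.write_bytes(b"MZ something else entirely")
        known_bad, known_good = {sha256_of(bad)}, {sha256_of(good)}
        return (classify_orion_dll(bad, known_bad, known_good),
                classify_orion_dll(good, known_bad, known_good),
                classify_orion_dll(other, known_bad, known_good))


if __name__ == "__main__":
    for hit in find_sunburst_beacons(SAMPLE_DNS_LOG):
        print(hit)
    print("isolate:", hosts_to_isolate(SAMPLE_DNS_LOG))
    print("dll check:", demo_dll_check())
```

Run it against a real resolver export by feeding the file contents to find_sunburst_beacons (after adapting _LOG_RE to the log format in use); every client it returns should be treated as a host whose Orion install, and every credential that install held, is compromised until proven otherwise.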

What makes this incident different from hundreds of others? I think those in the know have already guessed.

  • Scope
  • Duration
  • Concealment

Even now, we don’t know exactly how many users were compromised; we only know that up to 18,000 customers downloaded the backdoored update, and that the attackers then hand-picked a much smaller set of those for follow-on intrusion. We don’t know how long this operation lasted; we only know it was at least six months. We don’t know what was done or what traces these intruders left behind. What is there to say! Even now, you might be reading these lines on a compromised laptop, with a russian hacker watching your surprised face through the webcam. Did a chill run down your spine? Exactly.

How events have been developing lately. The FBI, NSA and CISA have opened cases and launched official investigations. FireEye has published the list of stolen tools together with detection countermeasures for them. Although, in truth, it turned out that most of them had already been on the dark web, meaning they had been hacked not a week ago, but some time ago. Even your humble servant came across an archive containing a set of these tools, so you can be certain that the entire cybercriminal community is ALREADY armed with America’s secret developments. FireEye has also published detection signatures and recommendations for the stolen tools on GitHub.

SolarWinds, in turn, published an update that it claimed removed the backdoor. It published and… went quiet, cooperating with the FBI investigation. The US federal agencies were ordered by CISA’s Emergency Directive 21-01 to disconnect or power down all their SolarWinds Orion instances. Coincidentally or not, on 14 December, Google’s services and multiple other services went down (Google attributed its outage to a storage quota failure in its internal authentication system). Ukraine reacted with a warning from the National Security and Defense Council and… well, that’s it 🙂.

What information has the internet dug up? It’s clear that the official investigation won’t conclude anytime soon. And even when it ends, it is not clear how much of the results will be classified. That is, humanity will know the truth about these events for sure only in a few generations. But in today’s world, it is worth keeping users’ attention on this, as new details keep coming out.

Some facts to think about and laugh at:

What to do?

And now for the most interesting part: what to do with Solorigate (Microsoft’s name for it; SolarWinds Watergate, if you like)? Nobody knows 🙂 And that’s the worst part. One thing is clear today: there is no single fix for this situation. There are, of course, obvious ways to protect yourself (there will be a little bit of advertising):

  1. Turn off Orion if it is installed, or at the very least isolate it from the network, and treat every credential it held (SNMP, WMI, domain and service accounts) as compromised and rotate it
  2. Update it to a build SolarWinds has confirmed clean, or even better, migrate to an analogue, for example, Motadata
  3. Forcibly scan PCs and servers with any antivirus, and check them against the published indicators of compromise as well, since a signed, dormant backdoor is exactly what signature-based antivirus tends to miss
  4. Check or install firewalls, such as Untangle, and block the published command-and-control domains at the perimeter
  5. Scan your local network and websites for vulnerabilities with Acunetix or NetSparker
  6. Redirect access to critical servers through a PAM, for example ARCON, so that no monitoring system holds standing administrative credentials
  7. Install DLP, for example, Endpoint Protector, so that hackers do not steal at least the most valuable information

In general, it’s a good idea to make a plan and:

  • make data backups (not snapshots of systems, but backups of the data itself, so as not to back up the malicious code along with it)
  • tear down the affected services, hosts and systems
  • reinstall the systems from trusted installation media or known-good images
  • restore data from backup
  • recheck the already restored system against the indicators of compromise before putting it back into service

This is the moment when any reasonable admin’s eyes would pop out. And rightly so, because this is a complete disaster. A disaster so overwhelming, it’s difficult to even imagine. And it will have to be resolved. It’s no wonder experts say that the world (meaning the largest companies and organizations) won’t be able to address the consequences of this operation any sooner than six months from now.

So, congratulations! Tomorrow has already arrived – silently, hidden from sight, but completely and inevitably. Welcome to the new cyber world. While it may seem a bit apocalyptic for now, our primary task is to respond quickly and professionally to survive in it.
