Talk:2020 United States federal government data breach


Deletion of "Responses" quote

Novem Linguae, I note that you deleted the following quotation from the "Responses" section of the article:

Analysts said it was hard to know which was worse: that the federal government was blindsided again by Russian intelligence agencies, or that when it was evident what was happening, White House officials said nothing. But this much is clear: While President Trump was complaining about the hack that wasn't — the supposed manipulation of votes in an election he had clearly and fairly lost — he was silent on the fact that Russians were hacking the building next door to him: the United States Treasury.

— David E. Sanger, Nicole Perlroth, Eric Schmitt, Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit, The New York Times[1]

Your edit summary said, "Delete overly political blockquote that talks about trump election interference. Not relevant to this article."

I would like to respectfully challenge that deletion and its rationale.

  • You say that the quote is not relevant. But it is relevant, on at least these counts:
      ◦ This is the "Responses" section. If a foreign power hacks a nation's treasury, defense department, health agencies (and more!), then readers would expect to see a response from the head of state (and perhaps also from the treasury secretary, defense secretary, health secretary, etc). In an extraordinary case, such as this one, in which those officials are all inexplicably silent on the matter, Wikipedia must note that somehow. The quote achieves this.
      ◦ Because this is the responses section, readers are also likely to want to know how selected experts in the field reacted - at least as reported by WP:RS. The quote achieves this, too.
      ◦ The quote also speaks to the relationship between the hack and the 2020 U.S. presidential election. Readers will already know from earlier in the article that based on Trump's conspiracy theory about the election, Trump had recently fired the person responsible for U.S. government network security. It is noteworthy that even after news of perhaps the biggest hack in US history, the head of state should still be focusing on a conspiracy theory. Wikipedia needs to convey that somehow, too. The quote achieves this.
  • You say that the quote is overly political. But it is not, on at least these counts:
      ◦ WP:RS and politicians alike, from both sides of the aisle, have condemned Trump's election conspiracy theory as just that. To support the conspiracy theory would be WP:FRINGE, but the quote does the opposite of that; insofar as it mentions the conspiracy theory, it condemns it in line with mainstream bipartisan consensus. So, on this front, it is definitely not "overly political" in the sense of WP:FRINGE.
      ◦ The quote hardly belabors its points. It is succinct - two sentences - and addresses questions likely to be in the reader's mind. The hack was arguably a political act against political targets, so it is understandable that responses and coverage will also be "political". But the quote does not go too far. It does not, for example, bring party politics into the matter. So, it is not "overly political" on this front, either.
      ◦ This was a spectacular hack by a repeated foreign aggressor. The hack is a national embarrassment, whichever side of the aisle you sit on; it is not "overly political" to suggest this. This point about embarrassment is an important point for the article to convey. The quote makes that point concisely.

I hope that you will be at least somewhat swayed by these arguments, and will reconsider the deletion. I would be grateful for your thoughts, Zazpot (talk) 01:47, 16 December 2020 (UTC)

Hey Zazpot. Thanks for your comment. I am anti-Trump, but I honestly feel this quote violates WP:NPOV. It is trying to link what is in my opinion two unrelated things: Trump's election interference, and this data breach. It feels like a logical fallacy to me to try to link these two barely related or possibly completely unrelated things together.
If you think we should have a block quote, perhaps we can find a more neutral quote? Although I personally think the section reads fine without it. The rest of the section is nice and factual, which is the perfect tone for an encyclopedia.
Or idea #2. We could paraphrase the quote. "The New York Times was critical of Trump for not issuing a statement on the data breach." –Novem Linguae (talk) 02:16, 16 December 2020 (UTC)
Novem_Linguae, thanks for the explanation and the suggestions.
I strive to uphold WP:NPOV, so that rebuke does sting. Even outside Wikipedia, I strive to judge the action, not the person. (I am not "anti-Trump" per se.)
  • Re: a link between Trump's election interference, and this data breach, I don't see a logical fallacy. I see a basic claim ("Trump has sounded the alarm about a fictitious threat, while staying silent about a real threat"), and a more sophisticated claim ("Had Trump not been so busy sounding the alarm about a fictitious threat, his government might have detected the real threat").
    The basic claim is undeniably supported by the evidence. Logically speaking, it is a pair of simple premises (or, if you prefer, a single conjunctive premise) with the truth value "true". No fallacy there.
    The sophisticated claim is a conclusion resting on both the basic claim and some unstated but plausible premises like "Government resources are finite". So, not a full-fledged sound argument; but quite possibly a true conclusion anyway. Certainly not a logical fallacy.
    So, I don't think you can reject the quote on a "logical fallacy" basis.
  • As for the tone, it seems to me to be representative of bipartisan feelings on the topic. Outside of WP:FRINGE, I don't think you would find much disagreement with the content of the quote. So, I don't think it constitutes a WP:NPOV breach.
Does it now seem more reasonable to you? Thanks again, Zazpot (talk) 13:10, 16 December 2020 (UTC)
Sorry, my friend. I wasn't trying to rebuke or sting. I do appreciate how cordial and WP:AGF you are.
Let me make my point another way. I do not think an article about hacking should be so political. Do readers really want to come to an article about hacking, which is computer science/technical, and read a bunch of subtle rebukes of Donald Trump? The Russians are the ones responsible for this hack... why are we giving so much weight to statements that try to malign Donald Trump?
I think that the proper weight for this kind of thing is either to not include it, or to include it with paraphrase and attribution. "The New York Times was critical of Trump for not issuing a statement on the data breach."
It looks like you created the article and wrote large parts of it. Thank you for your time and hard work. –Novem Linguae (talk) 13:42, 16 December 2020 (UTC)
The Trump "government" is so well prepared and so much focused on real threats that his NSA O'Brien was suddenly recalled from a Europe trip to help implement an Obama-era directive.[2][3] And yes Zazpot, my hat off for your work. Wakari07 (talk) 14:25, 16 December 2020 (UTC)
Wakari07, thanks :-) Zazpot (talk) 18:48, 16 December 2020 (UTC)
Novem_Linguae, thanks for the reply.
I somewhat addressed your concerns about the scope of the article, and the responsibility for events, in a different thread. But let me pick up on your statement, "I do not think an article about hacking should be so political."
This article is about a multifaceted topic. All the important facets need to be addressed.
Put differently, this article isn't about hacking in general, or hacking as a pure technical skill. It's about a specific cyberattack and the resulting data breach. The victims of the attack don't seem to have been chosen at random. Even among the users of Orion, the attackers apparently targeted specific institutions for further exploitation. The nature and prominence of those institutions; the nature of the data stolen or tampered with; and the suspected identity of the attackers, suggests that the event was a skirmish designed to secure the attacker a medium-to-long-term advantage in what is often called the second Cold War.
In other words, the attack was deeply political. And in this particular skirmish, the U.S. and its allies lost, big-time.
Now, I'm not saying (and I don't think the WP:RS sources that I cited are saying either) that this is all Trump's fault. There are other factors at play. But if the Swiss cheese model tells us anything, it's that each factor matters. So we can't just cherry-pick, and exclude the factor of Trump's cybersecurity decisions. Especially not when WP:RS are citing those decisions as potentially relevant.
As for the NYT quote, I'm still in favour of it. I think it is much more concisely informative and neutrally-worded than, say, any of these alternatives:

For all of Trump's wailing about fictitious hacks that stole the election, he has been otherwise notably uncurious about the nation's cybersecurity.

— Slate[4]

[The] CISA agency at Homeland Security is the group that Christopher Krebs successfully led through the 2020 elections until the president fired him because Krebs declined to devote his time to substantiating the president's lies and fantasies. Perhaps it would have been better not to have done that. While the hack itself did occur when Krebs was running the agency, there's no question that, had he still been in that job, the response to it would have been much less of a chewy cluster of fck. Perhaps it also would have been better not to hand the presidency over to a crooked, incompetent agent of chaos for four years, too. Live and learn.

— Esquire[5]

CISA hasn’t had much time to work — but under Krebs, the agency was gaining trust. The director had bipartisan support and was seen by the cybersecurity community as an impartial arbiter, someone who would be honest about the facts on the ground even if it was politically inconvenient. Then, a few weeks ago, he was fired for displaying exactly these qualities. As Trump raised groundless claims of election fraud to distract from his loss at the polls, Krebs issued a clear statement [to the contrary]. In a matter of days, he was out of a job... The SolarWinds compromise dates back to March, so it happened on [Krebs's] watch. There’s no indication that the past few months of compromise would be any less ugly if Krebs were still in the director’s chair. But the incident response would be less ugly. Acting director Brandon Wales hasn’t been confirmed and has held his position for less than a month. In the midst of an unusually chaotic transition, he’s asking agency infosec leads to trust him through one of the most sensitive events of their working lives. It’s a difficult position under the best of circumstances, and it would be much, much easier with a trusted hand in charge. It’s all the worse because Krebs’ firing is just the latest in a long chain of similar incidents. President Trump took office actively denying the role of Russian active measures in the 2016 election, despite an unusually definitive attribution by US intelligence agencies. In the years since, he’s taken any suggestion of Russian influence as a personal incident and made denying it a kind of loyalty test.

— The Verge[6]
I hope that in the light of the above, you can agree at least that this is an angle that bears mentioning. And that you can also see that I chose the most succinct and uncontroversial summary of that angle that I could find among WP:RS.
So, would you now be willing for me to restore the quote? Thanks again for your time and interest. Zazpot (talk) 18:43, 16 December 2020 (UTC); edited 18:52, 16 December 2020 (UTC)
Thanks again for being very courteous throughout this whole process.
No disrespect, but I am still not in favor of any POV quotes. These quotes seem obviously POV to me. The original quote uses "blindsided again", "what's worse". The Slate quote uses "wailing". Esquire uses "lies" and "fantasies". This language is simply too emotionally charged for a technical article in an encyclopedia, in my opinion.
If another editor weighs in here in this section and disagrees with me, I'd be fine with you adding it back in. But I don't think my view will change on this. I arrived at a technical article, I gave it a read, and I'm seeing all these unexpected digs at Trump in what should be a technical article. –Novem Linguae (talk) 19:08, 16 December 2020 (UTC)
Thanks, Novem_Linguae. I'm sorry that I haven't persuaded you that this is not just a "technical" (e.g. computer science) article.
Either way, I'm coming around to your "idea #2", to paraphrase the quote. That approach seems indisputably NPOV-compliant. (We might disagree slightly over what exactly the paraphrase should be, but I'm sure we'll find an acceptable compromise/consensus.) I'll try to come back to this in an hour or two. Thanks again, Zazpot (talk) 20:25, 16 December 2020 (UTC)
Novem_Linguae it took me longer to get to than planned, but I have now paraphrased the NYT quote (and The Verge, Slate, and Esquire) in the Responses section. With any luck, you'll feel I have done an acceptable job of it. If not, do please follow up here. Thanks, Zazpot (talk) 10:10, 17 December 2020 (UTC)
Zazpot. Looks great. Great job on this article. –Novem Linguae (talk) 15:53, 17 December 2020 (UTC)

Also, quick side point... Is it even clear that CISA is in charge of protecting the executive branch's networks from foreign intrusions? Even this article mentions that FireEye/SolarWinds worked with NSA, not CISA. As far as I know, Trump didn't do any shake ups at NSA.

Also, is there any evidence that firing CISA's executive and quickly replacing him was somehow disruptive to the networks, or decreased cyber security?

Again, doesn't seem logical to me. These arguments seem weak. –Novem Linguae (talk) 19:12, 16 December 2020 (UTC)

It's not for us to judge the impact of firing CISA's director; that's a matter for WP:INDEPENDENT WP:RS. If they say it was relevant, we need to mention that.
Also, the director hasn't been quickly replaced. They only have an acting director. New in post; not Senate-confirmed; not necessarily the right person for the job. See sources quoted above.
Pretty clear that CISA does play a role in protecting the executive branch's networks & especially handling incident response:

CISA builds the national capacity to defend against cyber attacks and works with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the '.gov' networks that support the essential operations of partner departments and agencies. We coordinate security and resilience efforts using trusted partnerships across the private and public sectors, and deliver technical assistance and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide.

— CISA[7]
Not sure why you're focused on the executive branch's networks, though, given that it is not one of the branches (Pentagon, State, DoC, DHS, Treasury) so far confirmed to have been breached. Zazpot (talk) 22:15, 16 December 2020 (UTC)
In my opinion, the "executive branch" includes all the departments. [1] But good point about CISA. –Novem Linguae (talk) 22:21, 16 December 2020 (UTC)
Sorry, yes - I was evidently having a brain fart and conflating it with the EOP :-s Zazpot (talk) 23:58, 16 December 2020 (UTC)

References

  1. Sanger, David E.; Perlroth, Nicole; Schmitt, Eric (December 15, 2020). "Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit" – via NYTimes.com.
  2. "O'Brien cuts short Europe trip to address agency hacking". Politico.
  3. "What We Know About the SolarWinds Breach". NextGov.
  4. https://slate.com/news-and-politics/2020/12/solarwinds-trump-hack-fireeye.html
  5. https://www.esquire.com/news-politics/politics/a34978841/russia-hack-us-government-systems-trump-administration/
  6. https://www.theverge.com/2020/12/14/22174429/solarwinds-hack-russia-cisa-christopher-krebs-cybersecurity-infrastructure
  7. https://www.cisa.gov/about-cisa

Article title

Initially, the attack was thought to just affect the U.S. Treasury and the U.S. DoC. So, the article's initial title was "2020 United States Treasury and Department of Commerce data breach".

When the known impact widened to many other branches of the U.S. federal government, I moved the article to its current title: "2020 United States federal government data breach".

Now, even this seems increasingly inaccurate,[1] which raises the question: what should the title be?

  • Something like "2020 SolarWinds breach" doesn't really account for the Office 365 attack vector and would definitely need to be changed if other attack vectors are discovered in future - as has been predicted (see Methodology).
  • Something like "2020 global network breach" is too vague. Maybe at some point it will be discovered that other notable international network breaches occurred in 2020.
  • Something like "2020 global Russian cyberattack" might be more appropriate?

I would welcome good ideas! Zazpot (talk) 07:38, 16 December 2020 (UTC)

I think "2020 SolarWinds breach" is a pretty good title. That would include the non-US government victims. A google news search for "data breach solarwinds" turns up various article names that use a variation of this title: "SolarWinds hack", "SolarWinds breach", "SolarWinds supply chain attack", "SolarWinds compromise", etc. I don't feel strongly about this though, I'm happy to hear other opinions. –Novem Linguae (talk) 11:22, 16 December 2020 (UTC)
I go for Sunburst hack, because it's to the point and it's the BBC catchline. Wakari07 (talk) 14:57, 16 December 2020 (UTC)
Thanks, Novem_Linguae and Wakari07, but it seems other vectors were used besides SolarWinds/Sunburst.[2][3] Plus, the average reader is probably more interested in the impact than the implementation.
For now, I think the title should be left alone: it fits the facts well enough. If it turns out lots of non-Federal organizations were breached too, then I think we should change it to 2020 U.S. data breach or 2020 international data breach as the case may be. Zazpot (talk) 21:56, 17 December 2020 (UTC)
80% of the victims are in the US (but due to the global nature of the Web it might have international impact too); government accounts for 18% of the victims.
Source: Dan Goodin (2020-12-18). "Microsoft president calls SolarWinds hack an "act of recklessness"". Ars Technica.
The article title will have to change as more info is released.--vityok (talk) 10:47, 18 December 2020 (UTC)
It is increasingly looking like 2020 international data breach will be the right title.[4][5] But let's wait until more trustworthy sources confirm, before we change it. Zazpot (talk) 15:29, 18 December 2020 (UTC)
I'd also support Sunburst hack (or Sunburst cyberattack). While it is true that sunburst wasn't the only vector, this does seem to be a name that researchers and journalists are coalescing around.[2][3][4] Since we don't have an article for the Sunburst backdoor, there'd be no need for disambiguation. A descriptive title like 2020 international data breach is not bad, but a little vague. gobonobo + c 03:15, 19 December 2020 (UTC)
Thanks, but I still think it is problematic on several fronts to name the article after SolarWinds or Sunburst:
  • It's not balanced, because other companies' products/vulnerabilities were, and other malware was, also involved. (We'd be unfairly singling out SolarWinds.)
  • Journalistic writing is about transient breaking news, so journalists can come up with a new title to suit whatever people are calling an incident that day. But we aren't journalists. Suppose tomorrow we learn that, for instance, Cisco also suffered a supply chain attack from the same suspects in the same time period, installing a piece of malware dubbed "Crisco", and that's how the attackers breached SolarWinds, plus now all the government's Cisco VPNs copy their contents to Moscow...? Well, the journalists would be fine: they'd just headline their new pieces "Crisco hack" or suchlike. But if we had already renamed this Wikipedia article "Sunburst hack", then suddenly we'd have to rename it again. Fundamentally, as encyclopedia editors, we should focus on the broad event, which in this case is: a data breach (however it happened) that notably empowered the attackers and had a notable impact on privacy and security for notable institutions and the millions of people they serve, and which may lead to notable policy outcomes.
  • The political reaction won't make sense in an article called "Sunburst hack". Most congresspeople don't care a hoot about Sunburst and aren't very interested in how the state and federal breach occurred. They care much more about the impact of the state and federal breach (which records were stolen or tampered; how many people and projects were affected; how much will it cost to fix), why it happened, who did it, and how to react. Most of which has nothing to do with Sunburst.
So, I say let's hold our nerve and focus on the long-term encyclopedic nature of the article. But thanks for chipping in, and also for the good links! Zazpot (talk) 07:15, 19 December 2020 (UTC)
See this quote, which underscores my previous point:

“Everybody’s talking about SUNBURST … but SUNBURST is just the initial show, it’s just the stage one,” said Kyle Hanslovan, the co-founder and CEO of Huntress Labs and a former National Security Agency employee. “We’re hardly talking about TEARDROP or the use of Cobalt Strike within the network, which is designed to be a sophisticated, unattributable nation-state level capability. … That’s where I think this real story is going to happen.”

— [6]
Zazpot (talk) 22:22, 19 December 2020 (UTC)

More sentences trying to blame Trump

The attack was discovered during the lame duck period of the Presidency of Donald Trump.[13][14]

At the time of the attack, the U.S. did not have a Senate-confirmed permanent appointee in the role of Director of the Cybersecurity and Infrastructure Security Agency (the nation's top cybersecurity official). The previous appointee, Christopher Krebs, had been fired on 18 November 2020 by President Trump after contradicting the latter's claim that the 2020 U.S. Presidential election result was fraudulent.[9][10][15][16][17]

Here are some more sentences that try to malign Trump. Again, I am anti-Trump, but logically this just seems really weak. The attacks started in March 2020, well before Trump's lame duck period, and well before he unfairly fired Krebs. I personally think the inclusion of these sentences creates WP:NPOV problems, and I would be in favor of deleting them. However, I am happy to hear the opinion of other editors. –Novem Linguae (talk) 12:01, 16 December 2020 (UTC)

For one, he's the boss. It would be sad if we couldn't blame the boss. Secondly, is there an argument in his favor? Does even one reliable source praise his preparedness or response? Wakari07 (talk) 15:05, 16 December 2020 (UTC)
But to fill the logical void, the second paragraph should probably start with "When the attack was reported..." or "At the time of the discovery of the attack..." to reflect the period starting 8 December and not somewhere around March. Wakari07 (talk) 16:05, 16 December 2020 (UTC)
I made it "At the time of the attack becoming public, the U.S. did not have a Senate-confirmed..." Feel free to improve the grammar/vocabulary but I think this solves the irregular representation of chronology. Wakari07 (talk) 16:09, 16 December 2020 (UTC)
Novem_Linguae, I think perhaps you are reading more into that text than is justified. The text is important factual context, appropriate for a "Background" section to help readers (especially future readers in years to come) to locate the events historically.
Will, say, a non-US student, reading this article five years hence, know that in December 2020, there was a lame-duck president in office; or that CISA only had an acting director at the time (or that the White House cybersecurity co-ordinator had been fired a couple of years earlier and not replaced)?
Without that knowledge, it will be hard for the reader to make an informed interpretation of the nature and timing of the responses, or the degree of opportunism displayed by the attackers. And since we cannot assume that knowledge on the part of the reader, it needs to be mentioned (concisely; encyclopedically) in the article as background.
If it were a different president, and a different context ("The attack was discovered six months after President Zarniwoop took office, bringing with him what CNN called 'the most impressive cybersecurity team in America's history...") then it would still be worthy of inclusion.
One thing this is not about, for me, is blame. I'm trying to contribute to an encyclopedia, not a poison pen letter.
That said, the matter of responsibility is also part of the context. In a successful attack (cyber, military, sports, whatever), the responsibility for that success comes down partly to the attacker's strategy and execution, and partly to the defender's strategy and execution. We would be failing in our duty to be encyclopedic if we wrote only of the attacker's actions and ignored those of the defenders. The defenders in this case include: the companies whose products were compromised (SolarWinds, Microsoft, maybe others yet to be identified); the customers of those companies (who should, ideally, have been monitoring their networks for suspicious activity, as FireEye clearly did but most others apparently did not); and the U.S. government, of which the executive branch is where, by convention, the buck stops.
So, I don't think we can escape mentioning that context. And I hope you can see that it's not about taking sides or pointing fingers. It's just about succinctly summarizing the relevant facts, whatever they happen to be. Zazpot (talk) 17:04, 16 December 2020 (UTC)
I'm fine with the sufficient precision of "late in Trump's presidency". There's such a thing as a bit too much context after all! kencf0618 (talk) 21:11, 17 December 2020 (UTC)

DGA decoding to identify targets

Per: https://twitter.com/RedDrip7/status/1339168187619790848

"By decoding the #DGA domain names, we discovered nearly a hundred domains suspected to be attacked by #UNC2452 #SolarWinds, including universities, governments and high tech companies such as @Intel and @Cisco. Visit our github project to get the script."

Github page: https://github.com/RedDrip7/SunBurst_DGA_Decode

Maslen (talk) 17:19, 16 December 2020 (UTC)

Thanks. Do please post back here on the talk page if you notice this getting picked up by WP:INDEPENDENT WP:RS, so we can mention the findings in the article. Zazpot (talk) 17:36, 16 December 2020 (UTC)

SolarFlare Release: Password Dumper for SolarWinds Orion

Breach might be worse than expected, as SolarWinds retains 'deleted' credentials in the internal database, per https://malicious.link/post/2020/solarflare-release-password-dumper-for-solarwinds-orion/ and https://github.com/mubix/solarflare — Preceding unsigned comment added by Maslen (talk · contribs) 17:52, 16 December 2020 (UTC)

Thanks. Do please post back here on the talk page if you notice this getting picked up by WP:INDEPENDENT WP:RS, so we can mention the findings in the article. Zazpot (talk) 18:46, 16 December 2020 (UTC)

Is FERC assistance due to Trump actions claim Original Research?

This line:

The Federal Energy Regulatory Commission (FERC) helped to compensate for a staffing shortfall at CISA caused by Trump

Is based on the following text from the references:

[...][CISA][...] indicated to FERC this week that CISA was overwhelmed and might not be able to allocate the necessary resources to respond.[...] Several top officials from CISA, including its former director Christopher Krebs, have either been pushed out by the Trump administration or resigned in recent weeks.

I don't think "Trump fired Krebs" is necessarily the reason why CISA is overwhelmed. I think that makes this OR and thus requires revision. However, Wikipedia:What_SYNTH_is_not adds all sorts of nuance, which leaves me slightly unsure. A second opinion would be appreciated. Jcurious (talk) 08:22, 18 December 2020 (UTC)

There's also (again, cited):

In recent weeks CISA's director, and assistant director have stepped down or been fired by president Donald Trump, and other high-ranking DHS cybersecurity officials have been pushed out as well. The exodus comes at an inopportune time, as CISA helps coordinate a defensive push across government.

and (also cited):

CISA meanwhile, whose top official, Christopher Krebs, was fired for calling the 2020 U.S. Presidential election secure, told FERC that it was overwhelmed and lacked the resources to properly respond, sources said.

Other recent context (not cited, but relevant):

Matt Masterson... is leaving his post as of next week... Masterson has been a senior adviser at the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency since 2018. ... Masterson said his last day at CISA will be Dec. 18. ... Masterson, a former election official in Ohio, was part of a team of CISA officials who rebuilt trust between election officials across the country and federal personnel after the 2016 election. After CISA officials repeatedly pointed out that mail-in voting is secure, and maintained a “Rumor Control” website to debunk election conspiracy theories, the White House carried out a purge of the agency’s leadership. Trump fired CISA Director Chris Krebs by tweet on Nov. 17., and Krebs’ deputy, Matt Travis, resigned shortly thereafter...

— [1]
and (likewise):

Bryan S. Ware, who took the reins as the senior most Department of Homeland Security official focused exclusively on cybersecurity in January, is stepping down from his post and heading to the private sector. [He] made a point of getting better data, with the help of software tools, into the hands of CISA analysts for tracking hacking campaigns. ... Ware declined to comment on whether he was asked to leave his position by the Trump administration.

— [2]
and (likewise):

CISA is now led on an acting basis by Brandon Wales... How long Wales will lead the agency remains unclear. The dismantling of CISA’s leadership has employees on edge. And CISA’s continued work to debunk fraud claims could draw additional White House scrutiny. After Trump fired Krebs via tweet on Tuesday evening, Krebs’ deputy, Matt Travis, resigned under pressure from the White House, Travis said. (A DHS spokesperson disputed that Travis was forced to resign.) Last week, the White House also forced out Bryan S. Ware, CISA’s assistant director for cybersecurity. ... The most senior political appointee positions at CISA are currently vacant. In October, the White House said it would nominate Sean Plankey, a Department of Energy official, as CISA’s assistant director. But at press time Wednesday, Plankey remains at DOE. Neither the White House nor DOE responded to a request for comment about Plankey’s status.

— [3]
and (likewise):

Nov. 11, White House officials notified CISA that they would be asking for the resignation of Bryan Ware, who worked on election security as the assistant director of cybersecurity at CISA and whose resignation ultimately took effect two days later, according to Travis. At the same time, news broke that Valerie Boyd, the assistant secretary for international affairs at the Department of Homeland Security, which oversees CISA, had also left. ... The following week, on the night of Tuesday, Nov. 17, Trump used his Twitter feed to fire Krebs. ... In a phone call that evening, Travis said he offered to resign as well, but Krebs urged him to continue since he was next in line to run CISA. But the White House didn’t want him to run CISA, Travis said he was told in a phone call with acting Homeland Security Secretary Chad Wolf that night. Travis said he resigned after Wolf’s efforts to intervene with the White House failed. The animus between Trump’s team and the former CISA officials didn’t end there. Trump attorney Joe diGenova on Monday called for violence against Krebs... “He should be drawn and quartered. Taken out at dawn and shot,” he said.

— [4]
and (likewise):

Trump has decimated the cybersecurity arm of the federal government and failed to nominate confirmable leaders of Homeland Security. Last month, Trump fired the Director of the Cybersecurity and Infrastructure Security Agency, Christopher Krebs, for refusing to undermine the election. Around the same time, Assistant Director for Cybersecurity at DHS Bryan Ware and Deputy Director of CISA Matt Travis were also forced out. DHS does not have a Senate-confirmed Secretary, Deputy Secretary, General Counsel, or Undersecretary for Management. Additionally, there is no White House cybersecurity coordinator, no State Dept. cybersecurity coordinator, the National Security Agency Director is leaving on a romantic vacation in Europe...

— [5]
Not easy trying to summarise all that background into a sentence or so. If you have a better wording in mind, I'd be glad to consider it! Thanks, Zazpot (talk) 11:03, 18 December 2020 (UTC)
None of those citations say that the FERC assistance was needed because Trump fired a couple of people out of thousands of people that work for CISA. Unless you find a source that says CISA was overwhelmed because of Trump's actions, I think the most you can say is something like: "The Federal Energy Regulatory Commission (FERC) helped to compensate an overwhelmed CISA." Again, this is based on my understanding of the original research guidance. I'm sure my understanding could be wrong, which is why I was seeking a second opinion on original research. Specifically, I'm wondering about the limitations of synthesis of published material, Wikipedia:What_SYNTH_is_not. Jcurious (talk) 20:20, 18 December 2020 (UTC)
I think the claim was a reasonable summary of the points made in the cited sources, and I note that you yourself felt that it might be allowable. But I note your point about "thousands of people", and have applied your suggestion. Thank you for offering it, Zazpot (talk) 18:54, 19 December 2020 (UTC)

Nomenclature

I haven't seen why SolarEye named the hack SunBurst. Any hard facts on this? Any backronyms out there, for that matter? kencf0618 (talk) 12:41, 19 December 2020 (UTC)

FireEye, you mean? Anyway, no, I haven't seen any confirmation of the reason for the name Sunburst. I figured it was either a nod to CloudBurst (a VM escape vulnerability/exploit);[1] or to the Orion Nebula (a burst of suns), on account of the name of the product affected. Zazpot (talk) 13:03, 19 December 2020 (UTC); edited 16:36, 20 December 2020 (UTC)
Yes. Hard to keep the code names straight given that they all sound like James Bond films. kencf0618 (talk) 10:04, 20 December 2020 (UTC)
FireEye is a company name rather than a code name, but I know what you mean :-) Zazpot (talk) 16:35, 20 December 2020 (UTC)

US-focused?

This article seems very US-focused. But Solarwinds Orion is used all over the world. Wouldn't it make sense to have one article about the Sunburst trojan in itself, and then follow up with the impact in different parts of the world, possibly on separate subarticles? — Preceding unsigned comment added by 185.183.147.118 (talk) 23:21, 19 December 2020 (UTC)

At the moment, the only institutions publicly confirmed to have been breached are US ones. Also, the data exfiltration concerns so far published are focused on US federal departments. Until that changes, the article is appropriate as it stands.
If the situation does change (e.g. if non-US governments are also found to have suffered data breaches), then yes, the article should be updated to reflect that. However, the Sunburst trojan should still not necessarily be the focus; see #Article title. Zazpot (talk) 23:36, 19 December 2020 (UTC)
According to https://www.wired.com/story/russia-solarwinds-hack-roundup only 18 percent of the 40 victims identified by Microsoft were government agencies, and 20 percent were outside the US. — Preceding unsigned comment added by 185.183.147.118 (talk) 23:40, 19 December 2020 (UTC)
Thanks, but I'm aware of that. Did you read the discussion I pointed you to?
The summary data about victims - like in the example you cited - is just far too minimal and vague at this point to build an article around. Wikipedia needs at least one WP:RS for each substantive claim, and there just aren't any so far with anything notable to say about non-US victims of this event.
Don't get me wrong, I appreciate your good intentions. But the other thread already addressed your concern. Zazpot (talk) 23:46, 19 December 2020 (UTC)

Trump quote in lede?

The following discussion is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.


Here, a fellow editor added a quote from Trump to the lede that essentially says two things and is WP:FRINGE about both of them. Here is how the quote stands after some clarity clean-up, but it still unavoidably retains those two WP:FRINGE claims:

President Donald Trump was initially silent about the attack; on December 19, 2020, in his first public statement on the topic, he spuriously suggested that China, not Russia, might have been responsible, saying "everything is well under control".[1][2]

As you can see from the cited sources (and plenty of other sources in the article), the overwhelming view among experts in the field is that in fact:

  • Everything is not under control. Quite the opposite.[3][4][5][6]
  • Russia (not China) is likely responsible.[1][2]

So, I suggest we remove the Trump quote (and the sentence containing/paraphrasing it) from the lede as WP:FRINGE. Note: I'm not advocating that Trump's view should not be mentioned. It should, and it is already mentioned in the Suspects and Responses sections. I'm just saying it should not be given WP:UNDUE prominence either in the lede or by having a third copy of it in the article. Zazpot (talk) 05:03, 20 December 2020 (UTC)

I agree with your proposal to remove the quote from the lead. And let me just say: "THANK YOU" for all your very good work on this article. UnitedStatesian (talk) 06:02, 20 December 2020 (UTC)
We could more accurately say it's not finally attributed, with identified experts saying "maybe an outside nation-state" (SolarWinds), "almost certainly the work of a state actor" (Deutsche Welle view), "what Microsoft and FireEye consider to be nation-state hackers" (BleepingComputer), officials saying Russia [5][6] and the Commander in Chief saying "it may be China (it may!)". [7][8] Us using a term like "spuriously" however is a breach of WP:NPOV. Wakari07 (talk) 06:22, 20 December 2020 (UTC)
Wakari07, thanks. Taking your substantive points in reverse order:
  • Us using a term like "spuriously" however is a breach of WP:NPOV. Not given the cited sources:

Contradicting his secretary of state and other top officials, President Donald Trump on Saturday suggested without evidence that China — not Russia — may be behind the cyber espionage operation against the United States and tried to minimize its impact. [Trump] claimed the media are “petrified” of “discussing the possibility that it may be China (it may!).” There is no evidence to suggest that is the case. Secretary of State Mike Pompeo said late Friday that Russia was “pretty clearly” behind the operation against the United States.[1]

Trump, in his first public comments on the issue, appeared to undercut Pompeo's remarks in a pair of tweets Saturday, suggesting without evidence "it may be China" that's responsible.[2]

  • We could more accurately say it's not finally attributed. We already do indicate this concisely in the lede:

The data breach, considered to likely be the work of Cozy Bear backed by the Russian state agency SVR, was reported to be among the worst ever experienced by the U.S., due to the high profile of the targets and the long duration for which the attacker had access.[7][8][9]

And we also already have a whole section to deal with perpetrator attribution in more depth: #Suspects.
With that understood, do you now think my proposal to remove the sentence from the lede is fair? If not, please could you explain why?
Thanks, Zazpot (talk) 06:36, 20 December 2020 (UTC); edited 06:55, 20 December 2020 (UTC)
No. Either we just attribute to a WP:NPOV "advanced persistent threat" (which implies a nation state, all sources agree on this) and move on, or we go into more detail: who blames which (foreign) nation without providing any evidence. As argued earlier on this page, the position of the Commander in Chief is then notable. If this second option becomes a lengthy mess, we may just keep it in the lede to "an APT". Wakari07 (talk) 07:19, 20 December 2020 (UTC)
Thanks, but although you have clarified that you disagree with my proposal, you still have not explained why.
I appreciate that you have suggested two options ("advanced persistent threat"; vs saying who blames whom). But you haven't said why you think those are the only two alternatives, nor why you think either of them would be better than my proposal.
The first of your two options is too terse, even for a lede. Readers will want to learn within the first few sentences who is thought to be behind the attack, but your first option denies this to the reader. It also fails WP:LEDE by deliberately avoiding summarizing non-WP:FRINGE aspects of the article. So, your first option is a non-starter, I'm afraid.
Your second option goes the other way: it proposes a lede that would be too verbose to comply with WP:LEDE. It would also necessitate giving WP:UNDUE weight to a WP:FRINGE view. (Even if it comes from the President, it's still fringe.) So, I think from a policy perspective that isn't really viable either.
Please can you reconsider whether a middle ground, as I've suggested, might be the better option? Thanks, Zazpot (talk) 08:38, 20 December 2020 (UTC)
We're an encyclopedia, not a propaganda mouthpiece. If we really want to introduce selected [as Pompeo has made clear: "I'm sure some of it will remain classified." (CNN)] US government-linked WP:PARTISAN claims not based on WP:SPOV evidence, then for WP:BALANCE we should also put in the lede a variant on the Russian claim, kind of a disclaimer that "possibly it is wrong to groundlessly blame Russians right away." (The Independent)
A prudent, logical phrasing, prioritizing WP:RS facts over WP:ATTRIB beliefs is appropriate, like in this last source:

The sophisticated nature of the hack points to a nation state, with US adversaries in the cyber domain most commonly being China, Iran, North Korea and Russia. "We’ve been advised that the nature of this attack indicates that it may have been conducted by an outside nation state, but SolarWinds has not verified the identity of the attacker," SolarWinds explained in its advisory. Some security experts believe it has the hallmarks of a Russian hacking (...)

Wakari07 (talk) 10:33, 20 December 2020 (UTC)
Wakari07, thanks. I slightly resent the implication that my proposal is imprudent or illogical, but moving on...
We're an encyclopedia, not a propaganda mouthpiece. Exactly my point.
US adversaries in the cyber domain most commonly being China, Iran, North Korea and Russia. That is a general statement clearly intended by its author to help their readers place the event in context. It is not an attribution of responsibility, or a suspect list, for this specific event.
SolarWinds has not verified the identity of the attacker. No, but more credible people have. Identifying state-sponsored attackers is clearly not SolarWinds's area of expertise. But it is an area of expertise for CISA, the FBI, etc, who brief the Secretary of State and the politicians on Congress's intelligence committees, etc. And these politicians are the ones who, after being briefed, attributed the attack to Russia with confidence.[10][11][12]
As for WP:RS or WP:ATTRIB: by contrast with the politicians from Congress's intelligence committees, there's no WP:RS indicating that Trump's China claim is anything other than utter speculation.[13]
All that said, with the edits made to the article since this TP thread began, the quote in the lede has since been contextualized much better, and I am content to accept its continued inclusion as long as it stays that way. I think you and I may have found consensus :-) Thanks, Zazpot (talk) 06:15, 21 December 2020 (UTC)
Fringe or not, he is the POTUS, he does have access to the topmost intelligence, he has the loudest bullhorn on Earth, and he is making an assertion that is entirely consistent with his previous insistence of absolving Russia for everything and deflecting blame to his personal adversaries, and this is leadworthy due to this incident being perhaps the most significant hack to date that reportedly might have penetrated highly sensitive federal government networks, and thus the full extent of the damage might never be fully disclosed, so we are left with what the commander in chief tells us. soibangla (talk) 19:47, 20 December 2020 (UTC)
Soibangla, thanks for explaining your reasoning.
entirely consistent with his previous insistence of absolving Russia for everything and deflecting blame to his personal adversaries... OK, so it seems you accept that Trump's claim is WP:FRINGE. That being so, here is the part of WP:FRINGE relevant to this discussion:

Including such a controversial quote needs to be carefully contextualized as a particular point of view. Simply including such a statement in the lead or in a section on scientific evaluation of Bigfoot claims is potentially misleading, non-neutral, and lacking in verifiability. The quote should only be included if it can be contextualized in a verifiable and neutral sense as a point of view of the Bigfoot Field Researchers Association and not necessarily a factual statement. The consensus of editors may even be to not include the quote at all.

All that said, with the edits made to the article since this TP thread began, the quote in the lede has since been contextualized much better, and I am content to accept its continued inclusion as long as it stays that way. I think you and I may have found consensus :-) Thanks again, Zazpot (talk) 06:15, 21 December 2020 (UTC)

References

  1. Colvin, Jill; Lee, Matthew (2020-12-19). "Trump downplays Russia in first comments on hacking campaign". Associated Press. Retrieved 2020-12-20.
  2. Stracqualursi, Veronica; Liptak, Kevin; Hansler, Jennifer (19 December 2020). "Trump downplays massive cyber hack on government after Pompeo links attack to Russia". CNN. Retrieved 19 December 2020.
  3. https://www.nytimes.com/2020/12/16/opinion/fireeye-solarwinds-russia-hack.html
  4. https://foreignpolicy.com/2020/12/18/russias-alleged-hack-could-be-worst-in-u-s-history/
  5. https://www.bloomberg.com/news/articles/2020-12-18/hackers-lurking-in-networks-for-months-snarl-solarwinds-probes
  6. https://www.scmagazine.com/home/security-news/here-are-the-critical-responses-required-of-all-businesses-after-solarwinds-supply-chain-hack/
  7. "U.S. Agencies Exposed in Attack by Suspected Russian Hackers". Bloomberg L.P. December 14, 2020. Archived from the original on December 16, 2020. Retrieved December 17, 2020.
  8. "Cyber attack may be 'worst hacking case in the history of America'". Las Vegas Review-Journal. December 17, 2020. Archived from the original on December 18, 2020. Retrieved December 18, 2020.
  9. "US under major active cyberattack from Russia, Trump's former security adviser warns". The Independent. December 17, 2020. Archived from the original on December 18, 2020. Retrieved December 17, 2020.
  10. https://www.msn.com/en-us/news/politics/nothing-makes-me-worry-more-about-the-solarwinds-hack-than-trump-now-saying-it-e2-80-99s-e2-80-98under-control-e2-80-99/ar-BB1c4ep0
  11. https://www.defensenews.com/congress/2020/12/17/no-2-senate-democrat-russia-hack-a-virtual-invasion/
  12. https://www.bloomberg.com/news/articles/2020-12-19/at-least-200-victims-identified-in-suspected-russian-hacking
  13. https://www.theverge.com/2020/12/19/22190698/trump-downplay-solarwinds-hack-russia-china-mike-pompeo
The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.

Is "parts" deliberate?

The first sentence of the lede currently reads:

The 2020 United States federal government data breach was the result of a cyberattack by a group backed by a foreign government on multiple parts of the federal government of the United States.

"Parts" reads really oddly to me, unless it's meant to indicate that the attack didn't respect formal legal boundaries between those "parts". I'd suggest "agencies" instead, unless I'm missing something. AleatoryPonderings (???) (!!!) 17:36, 20 December 2020 (UTC)

AleatoryPonderings, thanks for your comment. Here's how that word came to be used.
When writing the article originally, some days ago now, I, too, considered using the word "agencies". But in the end I rejected it. Here's why. Ultimately, "agencies" would risk confusion, because in the U.S. government context it is an overloaded word. In that context, its valid but mutually exclusive senses include:
  • Independent agencies of the United States government;
  • U.S. federal bodies with "Agency" in the name (CIA, DIA, NSA, ...) irrespective of whether they are "independent agencies of the United States government" (see above);
  • the colloquial sense in which I think you are using the term, which is equivalent to one of the senses of the words "parts" or "bodies".
"Agencies" therefore risks a user mistakenly assuming the first or second sense listed above, which would be misleading. So, "agencies" would seem to be a poor choice of wording, I'm afraid.
"Departments" would be misleading too, incidentally, because in some cases only specific parts of a department were reportedly affected rather than the whole department (e.g. NTIA was reportedly the affected part of the DoC); and because it is plausible that non-departmental parts of the federal government will turn out to have been affected.
If "agencies" and "departments" are out, what does that leave us? "Organs", "bodies", and "parts" were all I could think of.
The shortest (and least gruesome!) of these is "parts", so that's what I chose. I'm open to better suggestions, but one of the conditions of "better" would be that the word not risk the forms of confusion mentioned above that I have already taken pains to avoid.
I hope this seems fair. Thanks, Zazpot (talk) 18:04, 20 December 2020 (UTC)
Zazpot, definitely seems fair—thanks for your detailed explanation. I assumed that the rationale would be something to this effect. Perhaps an {{efn}} in the lede, articulating some of the points you raise above, would help to clarify things? AleatoryPonderings (???) (!!!) 18:49, 20 December 2020 (UTC)
AleatoryPonderings, thanks. Yes, I'm open to that. I would be happy for you to add an {{efn}} as you suggest, and will try to find time to review it if you do. Thanks again, Zazpot (talk) 19:01, 20 December 2020 (UTC)

Inclusion criteria for breached organizations (was: Swisscom)

Hello. Someone deleted Swisscom, probably because sources were not appropriate or understood (German language). Potential sources that Swisscom is infected, but no particular damage has been announced:

Swisscom German-language Twitter

Our security experts are analyzing the affected systems and have so far not found any evidence of actual abuse. If we have evidence that abuse has taken place, we will inform the customers individually.

https://twitter.com/Swisscom_de/status/1339839315518566400


Inside-IT news publication title: “Sunburst Hack: Collateral damage in Switzerland”

Swisscom confirmed on request that they are a Solarwinds customer. The compromised Solarwinds software component monitors a virtualization infrastructure on which Microsoft products for business customers [note: they have kind of a Swiss O365 clone for banks who do not want to operate infrastructure outside of Switzerland] are running. The vendor has provided two hotfixes, and these patches have already been installed. [note: no more detail given what that means or who the vendor is]
Independently from that, Swisscom has extended its monitoring. "Our security experts are analyzing the affected systems and have not found any evidence of abuse. The analyses are ongoing," says Swisscom spokesperson Armin Schädeli.

https://www.inside-it.ch/de/post/sunburst-hack-die-kollateralschaeden-in-der-schweiz-20201218 — Preceding unsigned comment added by 2A04:EE41:3:3297:6CE5:2E1:F91E:4E21 (talk) 19:49, 20 December 2020 (UTC)

2A04:EE41:3:3297:6CE5:2E1:F91E:4E21, you might want to WP:PING that user, if you want to hear from them directly.
In general, I agree that relevant encyclopedic facts sourced from WP:INDEPENDENT WP:RS should not be removed from articles, so I might be OK with restoring Swisscom.
However, re: organizations breached, we probably need to come up with inclusion criteria for this article.
Why? Because ~18000 SolarWinds customers downloaded the trojaned updates, and we certainly won't include all of them (even if a WP:RS ever publishes the list). So, we need to focus on notable incidents. (I'm not saying the Swisscom reports aren't notable, btw. I'm making a general point here.)
What do I propose? First, some context: it seems likely that at least ~100 non-Federal organizations, internationally, were targeted with second-stage malware after installing trojaned SolarWinds updates.[1] Of these, maybe a third are notable: Capilano University, College of Law and Business, Mediatek, Signature Bank, etc.
I propose the following inclusion criteria:
An organization shall be listed as breached, in this article, if at least one WP:RS claims that the organization:
  • had second-stage malware deployed on some part of its infrastructure in relation to this episode (indicating that it was deliberately exploited by the attackers); or
  • suffered a supply-chain compromise that put its own customers at risk.
How does that sound?
(N.B. If we do adopt these criteria, then we would have to keep Swisscom out of the article unless additional evidence emerges that they met one of the two criteria above.) Zazpot (talk) 20:47, 20 December 2020 (UTC)

"Responses" section

The "responses" section is getting a little large, and has no sub-sections. My instinct is that grouping by date is no longer the best way to organize this section. I would suggest instead grouping by topic. If you agree, I'd be happy to take a stab at re-organizing this. Thanks. –Novem Linguae (talk) 01:46, 21 December 2020 (UTC)

I ended up reorganizing the "responses" section just now (Before, After). Take a look and see if you like it. The benefits of the new organization are 1) plenty of sub-sections, 2) easy to see if a section is getting too big, and 3) each paragraph is clearer and less of a mix of topics. –Novem Linguae (talk) 02:47, 21 December 2020 (UTC)
Novem Linguae, yes, I see you didn't wait for an answer!
My primary concern about doing as you suggested above (and as you have now done) is that parts of the content could easily become incomprehensible, as many of the responses presented there were made at least partly in reply to earlier ones, or at least are introduced in the context of earlier ones. Lose the careful ordering of those sentences, and some of the threads become impossible to follow. (Unless, maybe, you recreate something like the same order within each topic's subsection, and direct the reader to other relevant subsections where appropriate.)
A case in point can be seen here. Your edit summary says you had finished reorganizing the section; but you have left Smith apparently arguing the converse of Bossert, which is nonsense.
Would you be willing either to continue editing until the sense of each response has been restored, or else just to revert that section to how it used to be? I appreciate that you put some effort into the reorganization just now and you might be loath to do either; but I'm afraid it is unfinished, so to leave it as it stands does a disservice to the reader (and is also a little disrespectful to the care I took initially when creating the section!). I hope you understand and won't be offended. Thanks, Zazpot (talk) 03:04, 21 December 2020 (UTC)
Zazpot, I think it's an organizational improvement, and that any loose ends can easily be edited and fixed. Please take a good look at it and give yourself a chance to get used to it before making a final decision. But if you disagree, feel free to revert it.
I'm done editing it for now. If you see some small mistakes that I made, feel free to correct them. –Novem Linguae (talk) 03:11, 21 December 2020 (UTC)
Novem Linguae, I'm sorry to hear that you aren't willing to finish it off, because that leaves me in an awkward position.
It's awkward because I admire the start you made. I broadly agree with the subsections you chose to create, and I think you have convincingly made the case for subdividing the section. I also think that in your edits, you moved each sentence from the old section into the same new subsections as I would have added them into.
But I would have created a context for comprehensibility within each subsection, including specifying the dates on which each of the responses occurred. Without that, and with obvious concerns like Bossert/Smith lingering, I can't in good conscience leave it as it stands.
My strong preference would be to finish the work you have started, as you suggest. But I literally cannot spare the time just now. There is some other (unrelated) editing I need to finish so that I can clear some browser tabs; and I have much off-wiki business, besides, in the next 48 hours (and indeed, until the end of the year).
Hence the awkwardness. You force me to choose between leaving it in a confused state (which, as I say, I can't do in good conscience); or reverting, which you say I am free to do, but is still a pain on my conscience because of the effort you put in and the good start you made.
Between the two horns of this dilemma, I'm going to have to choose to revert, in the hope that you or I (or someone else) will take another go at it on a day when they have enough time to see it through properly. I really hope you will be understanding of this. You had the right idea and made a great start. Thanks for the effort, and apologies again, Zazpot (talk) 03:29, 21 December 2020 (UTC)
Zazpot, I didn't notice the contradictions that you mentioned. I suspect they are minor. Up to you though. –Novem Linguae (talk) 03:38, 21 December 2020 (UTC)
Novem Linguae, not minor IMO. Basically, if Smith is right, then so are Durbin, Romney, et al, and the incident really was, legally, an attack (not merely espionage). Smith is a lawyer who works for a company (Microsoft) that is extensively involved in surveillance, so his words aren't idle (even if one disagrees with him, he has the ear of governments and of perhaps the most powerful software company on the planet). His is a remark in an important debate about, basically, whether the US should regard itself as now being in a cyberwar. That debate also includes contrasting arguments published recently in Wired and The Dispatch, etc; see the "Responses" section.
Bossert, OTOH, was not necessarily part of that debate (and to the extent he approached it, his position was close to Smith's). But your edit made him appear to be part of it, and made it seem Smith was opposed to his views. Doubly confusing/wrong, in other words.
I realize that you only created those implications accidentally, but the point is, they were misimplications about a pretty serious topic: has Russia declared (cyber)war on the US? Thanks for accepting that I needed to correct this, Zazpot (talk) 03:52, 21 December 2020 (UTC); edited 03:53, 21 December 2020 (UTC)
Didn't see this before. I thought that the cyberattack vs. cyber-espionage debate (Goldsmith, etc.) was really important, but that the sources were not well summarized (the authors weren't even mentioned before, only the publications—which is weird since this was all commentary/opinion pieces). So I significantly expanded it and placed this debate in its own subsection. I think we pretty clearly need a topic organization rather than a strictly chronological one, which is not at all reader-friendly. Neutrality (talk) 17:04, 21 December 2020 (UTC)
Neutrality, yes, I agree that dividing "Responses" into subsections is the best approach, as long as the implementation of that approach does not risk causing confusion in the mind of the reader. Many thanks to you and to Novem Linguae for taking a second run at the task. It isn't quite as I would have done it (and in some ways I think you have done a better job than I would have managed!). Anyhow, this second attempt does, in my eyes, constitute an overall improvement for the section, so thank you both again for doing that work! Zazpot (talk) 07:12, 23 December 2020 (UTC)

How much background is too much?

If WP:RS mention a topic as relevant background to the breach, then we have grounds to include it. Otherwise, probably not. In this pair of edits, material was added to the "Background" section that does not meet that criterion and therefore is arguably WP:SYNTH. Put differently: I can see why the editor who inserted the material felt that it probably was relevant to the event; but I also note that readers can't WP:VERIFY that connection explicitly. What do other editors think: should we keep that material or not? Is the connection obvious enough to do so? Thanks, Zazpot (talk) 16:37, 23 December 2020 (UTC)

Role of SolarWinds

"In March 2020, a major cyberattack by a group backed by a foreign government penetrated multiple parts of United States federal government, via software released from three U.S. firms: Microsoft, SolarWinds, and VMware, leading to data breaches, and the breach discovered December 2020.[1][26]"

In both articles linked to in the footnotes, only SolarWinds is mentioned – not VMWare, not Microsoft. — Preceding unsigned comment added by 79.210.164.49 (talk) 10:47, 4 January 2021 (UTC)

Thanks, I'll look into fixing that. Zazpot (talk) 21:44, 11 January 2021 (UTC)
Done. Zazpot (talk) 05:21, 12 January 2021 (UTC)

Role of JetBrains

In 2021 the New York Times claimed, through a confidential source, that JetBrains may have had malware embedded in their software that may have led to the SolarWinds hack and other widespread security compromises,[1] although the company said they had not been contacted, and had not "taken part or been involved in this attack in any way".[2] — Preceding unsigned comment added by 139.71.144.2 (talk) 23:25, 7 January 2021 (UTC)

Thanks. I hope to read those pieces in the next few hours and will mention them in the article if appropriate. Zazpot (talk) 18:12, 11 January 2021 (UTC)
After reading a number of pieces about the JetBrains product TeamCity being investigated (including by the FBI) as a possible vector in the breaches,[3][4][5][6][7][8][9] I don't think the matter warrants inclusion in the article yet. It isn't notable that TeamCity is being investigated. But if in the future a credible investigation concludes that TeamCity was an attack vector, then absolutely at that point this should be mentioned. Zazpot (talk) 06:51, 12 January 2021 (UTC)
Another update: interview given to Forbes by Shafirov. They had not been contacted by any US agency as of 7th Jan.[10] Ujwal.Xankill3r (talk) 07:02, 13 January 2021 (UTC)
Thanks, but Shafirov had already repeatedly denied that TeamCity/Jetbrains was an attack vector (except possibly via misconfiguration). That he has repeated those denials through Forbes changes nothing, at least in relation to whether or not to mention TeamCity/Jetbrains in the article. Zazpot (talk) 19:28, 13 January 2021 (UTC)

China allegation characterized as "spurious"

Trump pointing to China is characterized as spurious in Wikipedia's voice. This isn't supported by the citations, which merely state that US experts *believe* Russia to be responsible. Also, what does the "without evidence" in "U.S. president Donald Trump publicly addressed the attacks for the first time, suggesting without evidence that China" mean? I didn't see evidence offered for the culpability of Russia either by US investigators. These are all appeals to authority, so why flag one? — Preceding unsigned comment added by 2601:601:1501:2BD0:49E6:3785:8CBC:EAC0 (talk) 01:29, 6 February 2021 (UTC)

A recent article supports Trump's statement of Chinese involvement in the cybersecurity breach during the main events in question.[1] Phillip Samuel (talk) 21:00, 8 February 2021 (UTC)

Addition of 'suspected' in first sentence

Based on the text in the article, which does not present conclusions about the involvement of Russia, would it be sensible to change the first sentence to: "In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally..." Dhawk790 (talk) 16:36, 29 May 2021 (UTC)

I don't know that we can conclude Russia, China, a US false flag or a disgruntled employee; plus, at this point, the open-source investigation has fizzled out per SolarWinds corporate communications. The open-source reporting of how much of a dead end the Russian VPN servers (paid for with untraceable cash or gift cards) are is where every RS source fizzles out. With the mitigation long over, the search for the exploiters fell apart, and every hacker seems to hop through and use a Ukrainian, Belarusian or Russian VPN service. Barring a 1989-1991 opening-of-the-KGB-vault type event in Russia, I don't think it will ever be clear for RS reporting. 2601:248:C000:3F:3492:6A55:752C:FAA7 (talk) 20:01, 3 February 2023 (UTC)