Source: Joe Hoft
Were Dominion and SolarWinds aware of a back door in the system which allowed for election fraud?
Two days ago we reported that a CISA emergency directive called on all federal civilian agencies to review and power down or disconnect all SolarWinds Orion Products:
Per experts on the Internet, a certain version of SolarWinds has contained a backdoor since March 2020.
On December 13, several news outlets, including Reuters, The Washington Post and The Wall Street Journal, reported that multiple U.S. government agencies were the victims of a significant breach reportedly linked to hackers associated with a nation-state. Additional reporting has since confirmed a direct connection between this breach and last week’s breach of cybersecurity firm FireEye.
According to a tweet from Dustin Volz, reporter for The Wall Street Journal, the source of the breach was “a flaw in IT firm SolarWinds.”
The backdoor was present in the March through June 2020 builds of SolarWinds Orion:
The backdoor resides in a dynamic-link library (DLL) file named SolarWinds.Orion.Core.BusinessLayer.dll. The file was digitally signed by SolarWinds with a valid certificate on March 24, meaning it would be trusted by the underlying operating system and would not raise any alarms.
The backdoored DLL file was seeded as part of SolarWinds software builds between March and June 2020, which are accessible via the SolarWinds website. Once an organization installed the malicious software update, the backdoored DLL file would remain in hibernation for a period of two weeks before beginning its operation. This is one of the stealthy elements of this operation. FireEye says in its blog post that the backdoor also managed to “blend in with legitimate SolarWinds activity” in order to evade detection.
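As an added example (not code from the article, SolarWinds or FireEye), here is a PowerShell inventory check a defender can run on an Orion server to locate the DLL named in the quoted report, record its file version and Authenticode status, and flag copies that fall in the March through June 2020 build window; the install path and the use of file modification time as a stand-in for build date are assumptions.

```powershell
# Added example: inventory the Orion business-layer DLL named above and report
# what a defender needs before acting on the CISA directive (power down / disconnect).
# Assumptions: Orion lives under the default install path below; run elevated on the Orion host.
$OrionRoot = 'C:\Program Files (x86)\SolarWinds\Orion'   # assumed default install path
$DllName   = 'SolarWinds.Orion.Core.BusinessLayer.dll'

# Build window quoted in the report: backdoored builds shipped March through June 2020.
# File modification time is only a proxy for build date; confirm against vendor advisories.
$WindowStart = Get-Date '2020-03-01'
$WindowEnd   = Get-Date '2020-06-30'

$findings = Get-ChildItem -Path $OrionRoot -Filter $DllName -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path          = $_.FullName
            FileVersion   = $_.VersionInfo.FileVersion
            LastWrite     = $_.LastWriteTime
            SigStatus     = $sig.Status            # Valid, NotSigned, HashMismatch, ...
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            # A valid SolarWinds signature does NOT clear the file: the report says the
            # backdoored DLL was validly signed. The build window is the stronger signal.
            InBuildWindow = ($_.LastWriteTime -ge $WindowStart -and $_.LastWriteTime -le $WindowEnd)
        }
    }

if (-not $findings) {
    Write-Output "No $DllName found under $OrionRoot (Orion may not be installed on this host)."
} else {
    $findings | Format-List
    $flagged = @($findings | Where-Object { $_.InBuildWindow -or $_.SigStatus -ne 'Valid' })
    if ($flagged.Count -gt 0) {
        Write-Warning ("Review: {0} copy/copies fall in the March-June 2020 build window or are not validly signed. " +
                       "Treat the host as potentially affected, isolate it per the CISA directive, and compare file " +
                       "hashes against the vendor's and CISA's published indicators.") -f $flagged.Count
    }
}
```

Because the report says the malicious update was dormant for two weeks and then blended in with normal Orion traffic, a clean signature and quiet network logs are not evidence the host is unaffected; the file inventory is the starting point, not the verdict.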
SolarWinds filed a report with the SEC in which it puts the number of customers with an active installation containing the backdoor at fewer than 18,000:
On December 14, SolarWinds filed a Form 8-K with the U.S. Securities and Exchange Commission that sheds light on the potential impact from this incident. In the 8-K, SolarWinds says it believes the number of customers with an active installation of Orion products containing this backdoor is “fewer than 18,000.”
A highly sophisticated adversary (China?) planted malicious code in SolarWinds software:
According to the Microsoft TAR and the FireEye blog post, a “highly sophisticated” adversary managed to breach the supply chain of SolarWinds, a company that develops IT infrastructure management software, resulting in the placement of malicious code inside of the company’s Orion Platform software builds.
There is no mention of SolarWinds in the Antrim County, Michigan, forensic audit report, so we do not know which version of SolarWinds was used by Dominion in Antrim County:
Two IT professionals have reached out to us to share the following about SolarWinds and its connection to Dominion:
One reader shared with us some thoughts about SolarWinds technology:
I work in IT and I am now left wondering if SolarWinds was used as a backdoor “jump host” to get into Dominion machines. If the machines each had a unique hostname and they were being connected to a central network, it is a rational way to explain it. A “jumphost” is a server (which is very bad security practice, by the way) that contains all the hosts on a network with their hostnames and IP addresses so you can just “jump” to them or remote to them. If they did indeed put a backdoor in SolarWinds and connected these to a network, this is how they would do it: SolarWinds might be hacked to be a jumphost. I cannot say this is true for sure, but it is worth digging into. A “jumphost” is bad because it puts all your hosts and devices into one basket, and if a hacker gets in there, you can only imagine what a nightmare they can create.
Another IT professional shared this:
I am also an IT professional who uses SolarWinds. We use SolarWinds to manage network equipment, servers, etc. SolarWinds is a very powerful tool. SolarWinds has a scripting tool capable of automated task scheduling for configuration management. So say you had 1000 or more voting machines spread across the country. You could build scripts to download data from or upload data to them rapidly, in seconds. SolarWinds services and accounts are granted elevated permissions on equipment to perform these tasks. Hackers could take over a company’s SolarWinds management server to use as a “zombie” and orchestrate attacks on voting machines from all over, making it difficult to track.
If the versions of SolarWinds were not updated in a timely manner, this problem with SolarWinds would have been in place through the election and would therefore allow for election fraud using the Dominion voting machines.