The Empire Strikes Back: How Microsoft Unleashed The Death Star On SolarWinds Hackers

"These actions together come as close to obliterating an attack as we’ve seen, which is all the more notable because of the likely attackers," Geekwire reported.

Tom Bossert, Trump's former national security advisor, wrote in the New York Times yesterday about the ongoing SolarWinds hack:

The magnitude of this ongoing attack is hard to overstate.

The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.

While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy.

But Geekwire's Christopher Budd reports the four exhaustive steps taken by Microsoft to mitigate the attack, calling it the "unleashing of the Death Star":

"[...] Finally, today, Wednesday, Dec. 16, Microsoft basically changed its phasers from “stun” to “kill” by changing Windows Defender’s default action for Solorigate from “Alert” to “Quarantine,” a drastic action that could cause systems to crash but will effectively kill the malware when it finds it. This action is important, too, because it gives other security companies license now to follow suit with this drastic step: Microsoft’s size and leadership of its platform give cover to other security companies that they wouldn’t otherwise have.

Taken together, these steps amount to Microsoft first neutralizing and then killing the malware while wresting control over the malware’s infrastructure from the attackers. By the end of this week, the attackers will be left with barely a fraction of the systems under their control.

They may still have access to compromised networks through other means: that’s what incident responders are likely working on now. And there’s no undoing whatever they did while the infiltration went unnoticed for months. But still, these actions together come as close to obliterating an attack as we’ve seen, which is all the more notable because of the likely attackers."

Budd reminds us just how much power Microsoft has at its command: control of the Windows OS, its legal team, and its position in the industry. He wrote:

"It has the power to change the world nearly overnight if it wants to. And when it chooses to rain that power on an adversary, it really is the equivalent of the Death Star: able to completely destroy a planet in a single blast."
