I don't know that they had a singular target necessarily. Much like Solarwinds, they could take their pick of thousands of targets if this had gone undetected.


I think we can all agree this attacker was sophisticated. But why would a government want to own tons of random Linux machines that have open sshd mappings? You have to expose sshd explicitly in most cloud environments (or on interesting networks worthy of attack.) Besides, the attacker must've known that if this is all over the internet eventually someone is going to notice.

I think the attacker had a target in mind. They were clearly focused on specific Linux distros. I'd imagine they were after a specific set of sshd bastion machine(s). Maybe they have the ability to get on the VPN that has access to the bastion(s) but the subset of users with actual bastion access is perhaps much smaller and more alert/less vulnerable to phishing.

So what's going to be the most valuable thing to hack that uses Linux sshd bastions? Something so valuable it's worth dedicating ~3 years of your life to it? My best guess is a crypto exchange.


> Something so valuable it's worth dedicating ~3 years of your life to it?

This isn't the right mindset if you want to consider a state actor, particularly for something like contributing to an open source project. It's not like you had to physically live your cover life while trying to infiltrate a company or something.

Yes, this is a lot of resources to spend, but at the same time, even dedicating one whole FTE for 3 years isn't that many resources. It's just salary at that point.


> But why would a government want to own tons of random Linux machines that have open sshd mappings?

They don’t want tons. They want the few important ones.

Turns out it was easiest to get to the important ones by pwning tons of random ones.


That still implies there was a target in mind. But also they would've had to assume the access would be relatively short-lived. This means to me they had something specific they wanted to get access to, didn't plan to be there long, and weren't terribly concerned about leaving a trail of their methods.


Why couldn't they have had 50 or 100 targets in mind, and hoped that the exploit would last for at least the month (or whatever) they needed to accomplish their multiple, unrelated goals?

I think your imagination is telling you a story that is prematurely limiting the range of real possibilities.


Governments have a lot of money and time to spend. So having one more tool in the box for that single time you need to access a target where this works is an entirely reasonable investment. Would this, if it weren't used, have been noticed, possibly in years? That gives quite a lot of room to find a target for the times when it is needed.

And you could have multiple projects doing this type of work in parallel.

