This is light on one detail: who was running the compromised infrastructure?
Because the US military doesn’t do its own IT anymore. It’s all outsourced to Microsoft and other cloud providers to the tune of tens of billions of dollars. And here, the report conveniently doesn’t mention who let the hackers in.
I’d like to know which sloppy cloud contractor is responsible.
It’s a hell of a lot wider than one specific sloppy contractor. They basically compromised everybody (Verizon, AT&T, T-Mobile, Spectrum, Lumen, Consolidated Communications, Windstream, the system for CALEA requests, routers made by Cisco, phones belonging to Trump and Vance… basically, everything.) Viasat is on that list, but they’re no more particularly sloppy than any other contractor in that space. Basically it would have been truly remarkable if some Guard agency had managed to hire a cloud contractor that was able to resist it.
The DoD report doesn’t get into it. It repeatedly references “a US state’s Army National Guard network”, which is probably not the same network as the US Army’s network. It’s also likely to be an Unclassified network; so, it’s not quite as bad as it could be. But also not great.
the US military doesn’t do its own IT anymore. It’s all outsourced to Microsoft and other cloud providers to the tune of tens of billions of dollars.
While some of it is on Microsoft’s and other cloud providers, there is also a lot which isn’t. On top of that, much of the stuff “in the cloud” is all IaaS or PaaS. So, while MS, et al. run the hardware, the operating systems and software are often run by the IT departments for the various branches and programs. These IT departments will be some mix of US Civilian State or Federal employees and then a lot of IT contractors. Generally, the people doing the actual IT work are contractors working for companies like Boeing or Booz-Allen-Hamilton.
I’d like to know which sloppy cloud contractor is responsible.
If you want to find the people responsible, find the managers who have programs on the “state’s Army National Guard network” (as the report puts it) and figure out which one of them either authorized some sort of “shadow IT” project, or just threw a hissy-fit every time the IT folks tried to roll out patches. That’s often how these things go. The report mentions multiple CVEs which were exploited, and I’d place a pretty large bet that they were unpatched in the environment because some manager whined loud enough to get his assets exempted from patching. All too often these types of vulnerabilities hang out there far too long because some department wants high availability on their stuff, but isn’t willing to pay for high availability. So, they bitch and moan that they should be exempt from regular patching. And upper management isn’t willing to back IT and say, “no you aren’t special, you get patched like everyone else”.
Guard? Yeah that shit doesn’t even stay powered on for more than like a week a month lol