5 Big Things To Know About The Synnex Hack

From the role Microsoft’s cloud environment played in the hack to the risk posed to VARs to the likelihood of a connection with the Kaseya attack, here are five things to know about the Synnex hack.

More Questions Than Answers

The Russian foreign intelligence service (SVR) took advantage of chaos generated by Friday’s Kaseya ransomware attack to carry out a hack of its own against Fremont, Calif.-based distributor Synnex, according to Bloomberg. While Synnex said it’s aware of “a few instances” where hackers tried to access customer cloud environments, the only publicly known target is the Republican National Committee.

Synnex’s communication about the attack has been limited, with the distributor putting out a three-paragraph statement Tuesday morning and not responding to an executive interview request from CRN. The company said it can’t provide any specific details at this point since its review is ongoing, and that all systems, third-party apps and related tools must be examined prior to making final determinations.

From the role Microsoft’s cloud environment played in the hack to the risk posed to VARs to the likelihood of a connection with the Kaseya cyberattack, here are five things solution providers need to know about the Synnex hack.

5. Microsoft Cloud Customer Apps Attacked Via Synnex

Synnex said Tuesday morning that hackers had attempted to use the distributor to gain access to customer applications within the Microsoft cloud environment. The bad actors were attempting to access Microsoft cloud applications used by end-user entities, a company spokesperson told CRN Wednesday, rather than applications used by value-added resellers that work directly with Synnex.

Synnex said bad actors attempted in “a few instances” to access Microsoft cloud customer apps via the distributor, and the company declined to comment to CRN on how successful those attempts were. The distributor said Tuesday it’s been working with Microsoft as well as a third-party cybersecurity vendor to conduct a thorough review of the attack since it was identified. Microsoft declined to comment.

Bloomberg reported Tuesday afternoon that the Russian foreign intelligence service (SVR) was behind the Synnex hack. The U.S. government formally blamed the SVR in April for the colossal SolarWinds attack, which compromised nine federal agencies as well as more than 100 private sector organizations. The hacking group attributed to the SVR is tracked by security vendors under the names APT 29, Cozy Bear and Nobelium.

4. RNC Reportedly Breached Via Synnex; RNC Denies It

The Republican National Committee said it was informed over the weekend that Synnex—which it characterized as a “third-party provider”—had been breached, according to a statement from RNC Chief of Staff Richard Walters posted to Twitter at 5:50 p.m. ET Tuesday. The RNC was informed of the potential Synnex system exposure by Microsoft, RNC spokesman Mike Reed told Bloomberg Saturday.

Walters said the RNC immediately blocked all access from Synnex accounts to the political committee’s cloud environment. The RNC worked with Microsoft to conduct a review of its systems and determined after a thorough investigation that no data had been accessed, according to Walters.

Bloomberg reported Tuesday afternoon that the Russian government hackers behind the SolarWinds campaign breached the computer systems of the RNC through Synnex, according to two people familiar with the matter. “We of course are investigating,” White House Press Secretary Jen Psaki said. “The FBI and CISA are in touch with the RNC and we will determine attribution and make a decision accordingly.”

3. Spying On Political Parties Is A Tale As Old As Time

The SVR is an equal opportunity hacker, having in 2015 compromised the Democratic National Committee servers. But the SVR didn’t end up leaking the hacked DNC material. Instead, the Russian military spy agency GRU separately hacked the DNC and leaked its emails to WikiLeaks in 2016, The Washington Post reported in December.

Espionage has been a constant since the early days of human civilization and will be with us forever, said Dmitry Alperovitch, co-founder and former CTO of CrowdStrike. “Attempted hacking of political organizations (without dump of data) is called espionage,” Alperovitch wrote on Twitter at 10:09 p.m. ET Tuesday. “The Russians have been doing it for hundreds of years and will continue doing it for hundreds more. As will we.”

The reported breach of the RNC by Russian government hackers doesn’t necessarily mean GOP emails will be leaked down the road, said John Hultquist, vice president of FireEye’s Mandiant Threat Intelligence. “Political parties are regular targets of state espionage,” Hultquist wrote on Twitter Tuesday. “They offer insight into incubating public policy. This does not necessarily presage shenanigans like hack and leak ops.”

2. SVR Took Advantage Of Kaseya Chaos To Gather Intel

The SVR is looking to take advantage of the chaos created by Friday’s REvil ransomware attack against Kaseya and its MSP customers to go after valuable intelligence targets, a source familiar with the matter told Bloomberg. FireEye’s Mandiant incident response division has observed Russian government hackers carrying out breaches in recent days, Mandiant Senior Vice President Charles Carmakal told Bloomberg.

“No question, the Russian government is absolutely benefiting from security companies and intelligence organizations being so focused on ransomware right now,” Carmakal told Bloomberg. “But the question is, is the Russian government providing tacit approval for ransomware operators or are they providing instructions? I don’t know.”

REvil’s noisy and disruptive ransomware attack against Kaseya provided cover for the Russian foreign intelligence service to engage in intelligence collection, Johns Hopkins Professor Thomas Rid said on Twitter. “At-scale ransomware attacks probably facilitate espionage to some degree by pinning down incident responders and security professionals across the land,” Rid wrote at 10:23 p.m. ET Tuesday.

1. Synnex Hack Not Correlated With Kaseya Attack

Bloomberg reported late Friday that Synnex was one of the companies affected in the Kaseya cyberattack, which exploited a vulnerability in Kaseya’s on-premises VSA tool to compromise nearly 60 MSPs and, through them, encrypt the data of up to 1,500 of their end-user customers and demand ransom payments. Synnex told CRN Sunday that the company didn’t have comment on the Bloomberg report.

Then on Tuesday morning, Synnex said in a press release that the attack against the distributor could potentially be connected to the Kaseya attack. “We do not know if this is related to the Kaseya ransomware attack to MSPs and some end customers,” Michael Urban, Synnex’s president of worldwide technology solutions distribution, said in an emailed statement to CRN. “That is part of the review.”

Then on Wednesday morning, a Synnex spokesperson told CRN that while the matter is still under review, the distributor doesn’t currently see a correlation between the attacks on Synnex and Kaseya, with the latter having been carried out by the REvil ransomware gang. Urban told The Register Wednesday morning that the instances pertaining to Synnex customers don’t involve ransomware.