MCViewPoint

Opinion from a Libertarian ViewPoint

Another Mega Group Spy Scandal? Samanage, Sabotage, and the SolarWinds Hack

Posted by M. C. on January 23, 2021


Microsoft, like some of Samanage’s main backers, is part of the World Economic Forum and is an enthusiastic supporter of and participant in the Great Reset agenda, so much so that Microsoft CEO Satya Nadella wrote the foreword to Klaus Schwab’s book “Shaping the Fourth Industrial Revolution.” With the WEF simulating a cyber “pandemic” and both the WEF and the head of Israel’s National Cyber Directorate warning of an imminent “cyber winter”, SolarWinds does indeed appear to be just the beginning, though perhaps a scripted one to create the foundation for something much more severe. A cyberattack on Microsoft products globally would certainly upend most of the global economy and likely have economic effects more severe than the COVID-19 crisis, just as the WEF has been warning. Yet, if such a hack does occur, it will inevitably serve the aims of the Great Reset to “reset” and then rebuild electronic infrastructure.

https://www.thelastamericanvagabond.com/another-mega-group-spy-scandal-samanage-sabotage-and-the-solarwinds-hack/

Whitney Webb

The devastating hack on SolarWinds was quickly pinned on Russia by US intelligence. A more likely culprit, Samanage, a company whose software was integrated into SolarWinds’ software just as the “back door” was inserted, is deeply tied to Israeli intelligence and intelligence-linked families such as the Maxwells.

In mid-December of 2020, a massive hack compromised the networks of numerous US federal agencies, major corporations, the top five accounting firms in the country, and the military, among others. Despite most US media attention now focusing on election-related chaos, the fallout from the hack continues to make headlines day after day.

The hack, which affected Texas-based software provider SolarWinds, was blamed on Russia on January 5 by the US government’s Cyber Unified Coordination Group. Their statement asserted that the attackers were “likely Russian in origin,” but they failed to provide evidence to back up that claim.

Since then, numerous developments in the official investigation have been reported, but no actual evidence pointing to Russia has yet been released. Rather, mainstream media outlets began reporting the intelligence community’s “likely” conclusion as fact right away, with the New York Times subsequently reporting that US investigators were examining a product used by SolarWinds that was sold by a Czech Republic–based company as the possible entry point for the “Russian hackers.” Interest in that company, however, comes from the fact that the attackers most likely had access to the systems of a contractor or subsidiary of SolarWinds. This, combined with the evidence-free report from US intelligence on “likely” Russian involvement, is said to be the reason investigators are focusing on the Czech company, though any of SolarWinds’ contractors/subsidiaries could have been the entry point.

Such narratives clearly echo those that became prominent in the wake of the 2016 election, when now-debunked claims were made that Russian hackers were responsible for leaked emails published by WikiLeaks. Parallels are obvious when one considers that SolarWinds quickly brought on the discredited firm CrowdStrike to aid them in securing their networks and investigating the hack. CrowdStrike had also been brought on by the DNC after the 2016 WikiLeaks publication, and subsequently it was central in developing the false declarations regarding the involvement of “Russian hackers” in that event.

There are also other parallels. As Russiagate played out, it became apparent that there was collusion between the Trump campaign and a foreign power, but the nation was Israel, not Russia. Indeed, many of the reports that came out of Russiagate revealed collusion with Israel, yet those instances received little coverage and generated little media outrage. This has led some to suggest that Russiagate may have been a cover for what was in fact Israelgate.

Similarly, in the case of the SolarWinds hack, there is the odd case and timing of SolarWinds’ acquisition of a company called Samanage in 2019. As this report will explore, Samanage’s deep ties to Israeli intelligence, venture-capital firms connected to both intelligence and Isabel Maxwell, as well as Samanage’s integration with the Orion software at the time of the back door’s insertion warrant investigation every bit as much as SolarWinds’ Czech-based contractor.

Orion’s Fall

In the month since the hack, evidence has emerged detailing the extent of the damage, with the Justice Department quietly announcing, the same day as the Capitol riots (January 6), that their email system had been breached in the hack—a “major incident” according to the department. This terminology means that the attack “is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people,” per NextGov.

The Justice Department was the fourth US government agency to publicly acknowledge a breach in connection to the hack, with the others being the Departments of Commerce and Energy and the Treasury. Yet, while only four agencies have publicly acknowledged fallout from the hack, SolarWinds software is also used by the Department of Defense, the State Department, NASA, the NSA, and the Executive Office. Given that the Cyber Unified Coordination Group stated that “fewer than ten” US government agencies had been affected, it’s likely that some of these agencies were compromised, and some press reports have asserted that the State Department and Pentagon were affected.

In addition to government agencies, SolarWinds Orion software was in use by the top ten US telecommunications corporations, the top five US accounting firms, the New York Power Authority, and numerous US government contractors such as Booz Allen Hamilton, General Dynamics, and the Federal Reserve. Other notable SolarWinds clients include the Bill & Melinda Gates Foundation, Microsoft, Credit Suisse, and several mainstream news outlets including the Economist and the New York Times.

Based on what is officially known so far, the hackers appeared to have been highly sophisticated, with FireEye, the cybersecurity company that first discovered the implanted code used to conduct the hack, stating that the hackers “routinely removed their tools, including the backdoors, once legitimate remote access was achieved—implying a high degree of technical sophistication and attention to operational security.” In addition, top security experts have noted that the hack was “very very carefully orchestrated,” leading to a consensus that the hack was state sponsored.

FireEye stated that they first identified the compromise of SolarWinds after the version of the Orion software they were using contained a back door that was used to gain access to its “red team” suite of hacking tools. Not long after the disclosure of the SolarWinds hack, on December 31, the hackers were able to partially access Microsoft’s source code, raising concerns that the act was preparation for future and equally devastating attacks. 

FireEye’s account can be taken with a grain of salt, however, as the CIA is one of FireEye’s clients, and FireEye was launched with funding from the CIA’s venture capital arm In-Q-tel. It is also worth being skeptical of the “free tool” FireEye has made available in the hack’s aftermath for “spotting and keeping suspected Russians out of systems.” 

In addition, Microsoft, another key source in the SolarWinds story, is a military contractor with close ties to Israel’s intelligence apparatus, especially Unit 8200, and their reports of events also deserve scrutiny. Notably, it was Unit 8200 alumnus and executive at Israeli cybersecurity firm Cycode, Ronen Slavin, who told Reuters in a widely quoted article that he “was worried by the possibility that the SolarWinds hackers were poring over Microsoft’s source code as prelude to a much more ambitious offensive.” “To me the biggest question is, ‘Was this recon for the next big operation?’” Slavin stated.

Also odd about the actors involved in the response to the hack is the decision to bring on not only the discredited firm CrowdStrike but also the new consultancy firm of Chris Krebs and Alex Stamos, former chief information security officer of Facebook and Yahoo, to investigate the hack. Chris Krebs is the former head of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and was previously a top Microsoft executive. Krebs was fired by Donald Trump after repeatedly and publicly challenging Trump on the issue of election fraud in the 2020 election. 

As head of CISA, Krebs gave access to networks of critical infrastructure throughout the US, with a focus on the health-care industry, to the CTI League, a suspicious outfit of anonymous volunteers working “for free” and led by a former Unit 8200 officer. “We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry leading secure software development company,” a SolarWinds spokesperson said in an email cited by Reuters.

It is also worth noting that the SolarWinds hack did benefit a few actors aside from the attackers themselves. For instance, Israeli cybersecurity firms CheckPoint and CyberArk, which have close ties to Israeli intelligence Unit 8200, have seen their stocks soar in the weeks since the SolarWinds compromise was announced. Notably, in 2017, CyberArk was the company that “discovered” one of the main tactics used in an attack, a form of SAML token manipulation called GoldenSAML. CyberArk does not specify how they discovered this method of attack and, at the time they announced the tactic’s existence, released a free tool to identify systems vulnerable to GoldenSAML manipulation. 

In addition, the other main mode of attack, a back door program nicknamed Sunburst, was found by Kaspersky researchers to be similar to a piece of malware called Kazuar that was also first discovered by another Unit 8200-linked company, Palo Alto Networks, also in 2017. The similarities only suggest that those who developed the Sunburst backdoor may have been inspired by Kazuar and “they may have common members between them or a shared software developer building their malware.” Kaspersky stressed that Sunburst and Kazuar are not likely to be one and the same. It is worth noting, as an aside, that Unit 8200 is known to have previously hacked Kaspersky and attempted to insert a back door into their products, per Kaspersky employees.

CrowdStrike claimed that this finding confirmed “the attribution at least to Russian intelligence,” only because an allegedly Russian hacking group is believed to have used Kazuar before. No technical evidence linking Russia to the SolarWinds hacking has yet been presented.

Samanage and Sabotage

The implanted code used to execute the hack was directly injected into the source code of SolarWinds Orion. Then, the modified and bugged version of the software was “compiled, signed and delivered through the existing software patch release management system,” per reports. This has led US investigators and observers to conclude that the perpetrators had direct access to SolarWinds code as they had “a high degree of familiarity with the software.” While the way the attackers gained access to Orion’s code base has yet to be determined, one possibility being pursued by investigators is that the attackers were working with employee(s) of a SolarWinds contractor or subsidiary. 

US investigators have been focusing on offices of SolarWinds that are based abroad, suggesting that—in addition to the above—the attackers were likely working for SolarWinds or were given access by someone working for the company. That investigation has focused on offices in eastern Europe, allegedly because “Russian intelligence operatives are deeply rooted” in those countries.

It is worth pointing out, however, that Israeli intelligence is similarly “deeply rooted” in eastern European states both before and after the fall of the Soviet Union, ties well illustrated by Israeli superspy and media tycoon Robert Maxwell’s frequent and close associations with Eastern European and Russian intelligence agencies as well as the leaders of many of those countries. Israeli intelligence operatives like Maxwell also had cozy ties with Russian organized crime. For instance, Maxwell enabled the access of the Russian organized crime network headed by Semion Mogilevich into the US financial system and was also Mogilevich’s business partner. In addition, there is cross-pollination between Israeli and Russian organized crime networks (networks which also share ties to their respective intelligence agencies), and such links should be considered if the cybercriminals do prove to be Russian in origin, as US intelligence has claimed.

Though some contractors and subsidiaries of SolarWinds are now being investigated, one that has yet to be investigated, but should be, is Samanage. Samanage, acquired by SolarWinds in 2019, not only gained automatic access to Orion just as the malicious code was first inserted, but it has deep ties to Israeli intelligence and a web of venture-capital firms associated with numerous Israeli espionage scandals that have targeted the US government. Israel is deemed by the NSA to be one of the top spy threats facing US government agencies, and Israel’s list of espionage scandals in the US is arguably the longest, ranging from the Jonathan Pollard and PROMIS software scandals of the 1980s to the Larry Franklin/AIPAC espionage scandal in 2009.

Though much reporting has since been done on the recent compromise of SolarWinds Orion software, little attention has been paid to Samanage. Samanage offers what it describes as “an IT Service Desk solution.” It was acquired by SolarWinds so Samanage’s products could be added to SolarWinds’ IT Operations Management portfolio. Though US reporting and SolarWinds press releases state that Samanage is based in Cary, North Carolina, implying that it is an American company, Samanage is actually an Israeli firm. It was founded in 2007 by Doron Gordon, who previously worked for several years at MAMRAM, the Israeli military’s central computing unit.

Samanage was SolarWinds’ first acquisition of an Israeli company, and, at the time, Israeli media reported that SolarWinds was expected to set up its first development center in Israel. It appears, however, that SolarWinds, rather than setting up a new center, merely began using Samanage’s research and development center located in Netanya, Israel.

Several months after the acquisition was announced, in November 2019, Samanage, renamed SolarWinds Service Desk, became listed as a standard feature of SolarWinds Orion software, whereas the integration of Samanage and Orion had previously been optional since the acquisition’s announcement in April of that year. This means that complete integration was likely made standard in either October or November. It has since been reported that the perpetrators of the recent hack gained access to the networks of US federal agencies and major corporations at around the same time. Samanage’s automatic integration into Orion was a major modification made to the now-compromised software during that period. 

Samanage appears to have had access to Orion following the announcement of the acquisition in April 2019. Integration first began with Orion version 2019.4, the earliest version believed to contain the malicious code that enabled the hack. In addition, the integrated Samanage component of Orion was responsible for “ensuring the appropriate teams are quickly notified when critical events or performance issues [with Orion] are detected,” which was meant to allow “service agents to react faster and resolve issues before . . . employees are impacted.” 

In other words, the Samanage component that was integrated into Orion at the same time the compromise took place was also responsible for Orion’s alert system for critical events or performance issues. The code that was inserted into Orion by hackers in late 2019 nevertheless went undetected by this Samanage-made component for over a year, giving the “hackers” access to millions of devices critical to both US government and corporate networks. Furthermore, it is this Samanage-produced component of the affected Orion software that advises end users to exempt the software from antivirus scans and group policy object (GPO) restrictions by providing a warning that Orion may not work properly unless those exemptions are granted.

Samanage, Salesforce, and the World Economic Forum

Around the time of Samanage’s acquisition by SolarWinds, it was reported that one of Samanage’s top backers was the company Salesforce, with Salesforce being both a major investor in Samanage as well as a partner of the company.

Salesforce is run by Marc Benioff, a billionaire who got his start at the tech giant Oracle. Oracle was originally created as a CIA spin-off and has deep ties to Israel’s government and the outgoing Trump administration. Salesforce also has a large presence in Israel, with much of its global research and development based there. Salesforce also recently partnered with the Unit 8200-linked Israeli firm Diagnostic Robotics to “predictively” diagnose COVID-19 cases using Artificial Intelligence.

Aside from leading Salesforce, Benioff is a member of the Vatican’s Council for Inclusive Capitalism alongside Lynn Forester de Rothschild, a close associate of Jeffrey Epstein and the Clintons, and members of the Lauder family, who have deep ties to the Mega Group and Israeli politics. 

Benioff is also a prominent member of the board of trustees of the World Economic Forum and the inaugural chair of the WEF’s Centre for the Fourth Industrial Revolution (C4IR), making him one of the most critical players in the unfolding of the WEF-backed Great Reset. Other WEF leaders, including the organization’s founder Klaus Schwab, have openly discussed how massive cyberattacks such as befell SolarWinds will soon result in “even more significant economic and social implications than COVID-19.”

Last year, the WEF’s Centre for Cybersecurity, of which Salesforce is part, simulated a “digital pandemic” cyberattack in an exercise entitled Cyber Polygon. Cyber Polygon’s speakers in 2020 included former UK Prime Minister Tony Blair, the Prime Minister of Russia Mikhail Mishustin, WEF founder Klaus Schwab, and IBM executive Wendi Whitmore, who previously held top posts at both CrowdStrike and a FireEye subsidiary. Notably, just months before the COVID-19 crisis, the WEF had held Event 201, which simulated a global coronavirus pandemic that crippled the world’s economy.

In addition to Samanage’s ties to WEF big shots such as Marc Benioff, the other main investors behind Samanage’s rise have ties to major Israeli espionage scandals, including the Jonathan Pollard affair and the PROMIS software scandal. There are also ties to one of the WEF’s founding “technology pioneers,” Isabel Maxwell (the daughter of Robert Maxwell and sister of Ghislaine), who has long-standing ties to Israel’s intelligence apparatus and the country’s hi-tech sector.

The Bronfmans, the Maxwells, and Viola Ventures

See the rest here

Whitney Webb is a staff writer for The Last American Vagabond. She has previously written for Mintpress News and Ben Swann’s Truth In Media. Her work has appeared on Global Research, the Ron Paul Institute and 21st Century Wire, among others. She currently lives with her family in southern Chile.

Be seeing you
