State-sponsored hackers who exploited a security hole in a SolarWinds monitoring tool to infiltrate government and business networks have apparently left a long line of victims in their wake.
In an alert published Thursday, the Cybersecurity and Infrastructure Security Agency (CISA) said that it’s aware of compromises going back as far as March 2020 by an Advanced Persistent Threat (APT) actor against US government agencies and other entities.
Asserting that this threat “poses a grave risk” to the federal, state, and local governments as well as to critical infrastructure providers and the private sector, CISA sees the removal of the attackers from compromised networks as a highly complex and challenging endeavor.
Security firm FireEye, which itself was the victim of an attack that it blamed on a foreign nation-state, reported that the attackers were able to gain access to victims by hiding malicious code in updates to the SolarWinds Orion networking monitor platform in what is known as a supply chain compromise. The Orion software is a commonly used product among government agencies, Fortune 500 companies, and other organizations in the US and around the world.
As a result of the breaches, the hackers were able to monitor internal email traffic at the US Treasury and Commerce departments as well as other agencies, according to Reuters. FireEye reported that the victims have also included government, consulting, technology, and telecom firms, as well as others in North America, Europe, Asia, and the Middle East. Now it seems the attacks have affected even more entities going back as far as late 2019.
On Friday, the US Department of Energy reported that it had been hit by a cyber incident related to the SolarWinds vulnerability, a matter it is currently investigating. The concern is whether the incident also affected the DOE’s sub-agency, the National Nuclear Security Administration (NNSA), which manages the US stockpile of nuclear weapons.
In its statement, the DOE said that the malware was isolated only to its business network and did not affect the security functions of the department or that of the NNSA. Further, any software that was identified as vulnerable was disconnected from the DOE’s network.
But breaches and suspicious network activity have affected other critical agencies as well, including the Federal Energy Regulatory Commission (FERC), the Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE, Politico reported on Thursday.
Among these, the FERC reportedly suffered more damage than did the other agencies, though officials declined to elaborate further. The FERC oversees the reliability of the nation’s electrical power grid, always a tempting target for foreign cyberattacks.
The breaches go back even further, however, and have employed clever ways to thwart the usual security defenses. On Monday, cybersecurity provider Volexity said that it was able to tie the recent cyberattacks exploiting SolarWinds software to multiple incidents from late 2019 and 2020 against a US think tank. Dubbing the cyberattacker Dark Halo, Volexity said it found three separate incidents all designed to obtain the e-mails of specific individuals within the think tank.
In one incident, the threat actor was discovered accessing a user’s email account through Microsoft’s Outlook on the web. Though the targeted mailbox was protected by multifactor authentication, the attacker was able to bypass the MFA check by presenting a special cookie, so that only a username and password were needed to get into the account.
The federal agencies that have been targeted by the breaches or are investigating them have declined to name the specific nation-state believed responsible for the attacks. However, several sources have pointed the finger at Russia, specifically a group of Russian hackers called APT29 or Cozy Bear, which is part of Russia’s SVR foreign intelligence service. Representatives for Russia have denied any culpability in the attacks.
“Several media outlets have reported that APT29, a Russian state-sponsored hacking group also known as Cozy Bear, was behind the SolarWinds campaign,” Lior Div, CEO of security firm Cybereason, told TechRepublic.
“This is not the first time we’ve seen the Russians using this method,” Div added. “For a supply chain attack of this nature, the amount of manpower and time needed to prepare and the accuracy required by the threat actors make it very difficult to achieve. But the attack also demonstrates what’s possible when threat actors gain access to a major vendor’s supply chain.”
The recent attacks also show a talent for timing, coming while the US has been preoccupied with the election, the coronavirus pandemic, and COVID-19 vaccine planning.
“The period of transitioning from one administration to the next is always a vulnerable time for the US,” Div said. “We’ve been heads down on the election and working to combat disinformation campaigns tied to COVID research and vaccine dissemination, both of which demand a great deal of attention and resources where security is concerned. Adversaries like Russia look for this kind of instability and distraction to exploit for their benefit.”
At this point, multiple agencies and companies have joined the effort to try to detect and combat the breaches and exploits. On Wednesday, the FBI, CISA, and Office of the Director of National Intelligence (ODNI) announced the formation of a Cyber Unified Coordination Group (UCG) to coordinate government responses to the incident.
After identifying the malware with the name Sunburst, FireEye worked with GoDaddy and Microsoft to create a kill switch used to deactivate and disable new and previous infections. Microsoft, which found the malicious SolarWinds code in its own environment, has taken several additional actions, including removing the digital certificates used by the trojaned files, updating its Defender Antivirus software to block the known malicious SolarWinds code, and changing the default response in Defender to automatically quarantine the malware if discovered.
Despite the efforts by the federal government and companies such as Microsoft and FireEye, the threat continues and remains a cause for alarm. In its advisory, CISA said that the attacker is patient, well-resourced, and focused. The SolarWinds Orion supply chain compromise is not the only infection vector used by this threat actor. Further, not all organizations affected by the SolarWinds compromise have yet been targeted by the attacker with additional actions.
CISA also said the adversary has shown an ability to exploit software supply chains combined with a strong knowledge of Windows networks. As such, the attacker likely has more access vectors as well as tactics, techniques, and procedures (TTPs) yet to be discovered.
“This is really just the beginning,” said Brandon Hoffman, chief information security officer at NetEnrich. “As soon as we think it can’t get any worse, more evidence will be found. The government needs to really step up and prepare for the fallout of all this data loss. Claiming we don’t know will not satisfy the public about the state of national security. There needs to be some level of transparency about what was taken and how we plan to respond based on all the potential ways this data can be used.”