Bad actors believed to be operating on behalf of the Russian government have breached software provider SolarWinds, and then deployed a malware-riddled update for its Orion software to infect the networks of multiple US companies and government networks, security giant FireEye said yesterday.
On Sunday, the US Department of Homeland Security (DHS) warned SolarWinds users to disconnect or disable the software after it was discovered that attackers had compromised an update the company had released earlier in the year.
In a statement, the DHS said it is aware of cyber breaches across the federal government and is working closely with its partners in the public and private sector on the federal response.
“As the federal lead for cyber breaches of civilian federal agencies, the Department of Homeland Security’s Cyber Security and Infrastructure Security Agency (CISA) has already issued Emergency Directive 21-01 to the federal government to address compromises related to SolarWinds. As further remedies to these vulnerabilities are available, CISA will update the public at www.cisa.gov.”
An 11 out of 10
Morgan Wright, chief security adviser at cyber security company SentinelOne and a top cyber security analyst, told Fox News on Monday morning that in terms of the seriousness, magnitude and damage it has done, on a scale of one to 10, the attack is “probably an 11”.
“Not from an infrastructure standpoint like going after the energy grid or taking things down. But simply from the loss of information, the stealing of secrets, especially very sensitive information and the fact that this was going on for months,” Wright added.
“We have yet to even understand how big the damage assessment will be. But I guarantee you, by the time it's done, it will be far worse than what we think it is right now because we still haven't uncovered all of the people who have been attacked by this campaign,” Wright noted.
Kevin Mandia, CEO of FireEye, says the global campaign introduces a compromise into the networks of public and private organisations through the software supply chain.
“The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors,” he says.
Based on FireEye’s analysis, the attacks share certain common elements. Firstly, they use a malicious SolarWinds update: malicious code was inserted into legitimate software updates for the Orion software, giving the threat actor remote access into the victim’s environment.
In addition, the campaign has a light malware footprint, using only limited malware to achieve its goals while evading security controls. In fact, Mandia says stealth is a priority, and the campaign goes to “significant lengths” to observe and blend into normal network activity.
Finally, the actor practises high operational security: patiently reconnoitering, carefully covering its tracks, and using tools that are difficult to attribute.
“Based on our analysis, we have now identified multiple organisations where we see indications of compromise dating back to the spring of 2020, and we are in the process of notifying those organisations,” adds Mandia.
Meticulous planning
Analysis indicates that these compromises are not self-propagating, he explains. “Each of the attacks requires meticulous planning and manual interaction. Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice.”
Mandia says FireEye has been in close coordination with SolarWinds, the FBI as well as other key partners. He says FireEye believes notifying all its customers and the security community is crucial, to enable them to take the appropriate measures.
“As this activity is the subject of an ongoing FBI investigation, there are also limits to the information we are able to share at this time,” he says.
FireEye has already updated its products to detect all known altered SolarWinds binaries, and is scanning for any traces of activity by this actor and reaching out to both customers and non-customers if it sees potential indicators.
Ekaterina Khrustaleva, COO of ImmuniWeb, says supply chain attacks have surged this year, as these attacks offer rapid and inexpensive access to valuable data held by high-profile targets.
“The victims, like what has happened in the SolarWinds case, usually have no technical means to detect intrusion in a timely manner unless the breached supplier informs them,” she says.
Many third-party suppliers simply don’t have the budgets for the same level of incident detection and response as their enterprise clients. Hackers and nation-state threat actors deliberately target the weakest link to get rapid results and remain undetected.
Attribution of sophisticated APT attacks, such as this one, remains a highly complicated, time-consuming and costly task, she says. “Global cooperation in cyber crime prosecution is vital to break the impasse and make computer crime investigatable.”