Hackers working on behalf a foreign government are believed to be behind a highly sophisticated attack into a range of key government networks, including in the Treasury and Commerce Departments, and other agencies. The hackers had free access to their email systems.
According to The New York Times, government officials confirmed the hack and said they were determining what other agencies had been breached. “The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement.
Cybersecurity firm FireEye, who recently disclosed a major security breach, also confirmed the attack, noting they had identified "a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors."
The attacks, according to FireEye, share common elements such as:
- Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment. SolarWinds, in a press release, admitted to the breach of their software platform Orion.
- Light malware footprint: Using limited malware to accomplish the mission while avoiding detection
- Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity
- High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools
Based on analysis, the compromise dates back to the Spring of 2020, meaning hackers had free access to email systems for months.
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, it’s natural to think that just after the FireEye breach, adversaries turned their tools to use and perpetrated this breach of the Commerce department. "However, careful examination of this seems to lead us to the conclusion that this has been going on much longer. The type of attack described to date involves several low and slow techniques. The very term advanced persistent threat (APT) was coined to describe an attack just like this," he says. "The key takeaway from this, while the damage is being examined, is to determine if your organization is at risk. For any customer of SolarWinds Orion, it is worth digging as deep as possible to understand the implications. It's not clear whether this is a flaw that SolarWinds totally understands yet. If they do, a fix needs to be issued immediately. If not, it may be worth shutting down that system until there is one. This may seem like overkill, but the risk is obvious, especially for targets considered higher priority. We still don't know enough to determine if the attackers have been completely rooted out of the breached systems or even if the full extent of their lateral movements are known.”
Matt Walmsley, EMEA Director at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, says that this is significant example of a well-executed supply chain attack compromising a popular IT administration tool as a penetration mechanism. The subsequent exploitation of authentication controls enabled the threat actor to pivot to the cloud and operate undetected for an extended time in Microsoft 365, which allowed them to gather intelligence, says Walmsley.
Just yesterday, the US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive calling on “all US federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
Wamsley adds, "As organizations increasingly become hybrid cloud environments, we’ve seen attackers focus on privileged access and the use of legitimate tools for malicious actions. For example, in a recent study of 4 million Microsoft 365 accounts, we identified that 96% of organizations exhibited lateral movement behaviors including multifactor authentication (MFA), and embedded security controls that are being bypassed. A threat actor can then, with a few clicks, reconfigure email rules, compromise SharePoint and OneDrive file stores, and set up persistent reconnaissance and exfiltration capabilities using built-in M365 tools such as eDiscovery and Power Automate. Opportunities for these kind of attacks are vast and growing. It highlights the need for security teams to be able to tie together all host and account interactions as they move between cloud and on-premise environments in a consolidated view. Security teams also need to drastically reduce the overall risk of a breach by gaining instant visibility and understanding of who and what is accessing data or changing configurations, regardless of how they are doing it, and from where.”
Commenting on the news, Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes: “Cyber espionage campaigns can target both the public and private sector, as proven by this attack. Adversarial nation-states have recognized the value in targeting both sectors, which means neither is safe from the types of attacks that have government resources behind them. Attackers will continue to get more creative with their campaigns as cybersecurity protections get more advanced. Infecting the legitimate software updates of a widely-used vendor can be an effective way to covertly inject malware into a large number of organizations. If successful, this form of software supply chain attack can be used to attack an entire industry in one swoop."
Schless adds, "In order to avoid this type of attack, it’s key to have visibility into all internal and third-party software in your infrastructure. Apps and updates from other vendors may be carrying infected code, excessive data access, or invasive permissions that violate your organization’s data risk policies. Your host infrastructure, mobile devices, and computers all represent potential access points for threat actors. You need to know where software vulnerabilities exist across your infrastructure. Limiting data access based on whether a device has any vulnerable software is a key step to protecting your entire infrastructure."
While details about the breach haven’t been released yet, the report does mention that the departments’ email traffic was being monitored, says Schless. "Most agencies in the Federal government use Microsoft Office 365 for email and as a productivity suite. If their email is being monitored, it’s not out of the question that they could have access to any sensitive documentation stored or shared in the platform. Email attachments that include highly sensitive documents such as an individual’s travel details during a campaign and spreadsheets that break down federal spending could be accessed. Lookout found that mobile users with Office 365 or Google Workspace installed on their smartphone or tablet were 50% more likely to encounter mobile phishing than those without them. Executing attacks that leverage the name and appearance of known software increases the likelihood of success for the threat actor. If it’s something that can be accessed from both desktop and mobile, then those odds only increase.”\
“The SolarWinds attack raises important questions that will need to be answered as part of the currently underway investigation. But the most important aspect will be to determine if foreign malware code was injected into their software environment undetected and how long was it there. As processes and security are evaluated, it’s important to remember that basic cyber hygiene, including multifactor authentication and proper code signing with strong certificate management, goes a long way to protecting valuable data and makes it more difficult to establish a foothold in critical systems," says Todd Moore, Senior VP, Encryption, at Thales.