The U.S. Department of Homeland Security (DHS), plus the Treasury and Commerce departments, have been hacked in an attack related to the FireEye compromise last week, according to reports. In addition, defense contractors and enterprises were caught up in the attack, FireEye said, which was carried out using a supply-chain attack targeting a SolarWinds network-management platform.
The Russian foreign-intelligence service is believed to be the culprit, people familiar with the matter told the Wall Street Journal. “Hundreds of thousands of government and corporate networks” have been opened to potential risk, making it a notable attack that goes far beyond the garden-variety espionage attempt, the sources said.
The Commerce Department has confirmed that its National Telecommunications and Information Administration was hit, while the FBI said that it was “appropriately engaged.” Chris Bing, a Reuters reporter, tweeted out that the DHS has also been confirmed as a victim.
The Russian Embassy in Washington D.C. meanwhile said that the reports are “unfounded attempts of the U.S. media to blame Russia.”
FireEye Hack a Precursor
On Dec. 8, FireEye confirmed what CEO Kevin Mandia described as a highly targeted cyberattack. The attacker was able to access certain Red Team assessment tools that the company uses to test its customers’ security.
Mandia said that based on the techniques and sophistication of the attack, he believes state-sponsored actors were behind the hack. The attacker was primarily hunting out data related to certain government customers, according to FireEye. The hack “used a novel combination of techniques not witnessed by us or our partners in the past,” he said.
Now, the Cybersecurity and Infrastructure Security Agency (CISA) said that the cyberattackers were able to infiltrate both FireEye and the government agencies via trojanized updates to SolarWinds’ Orion IT monitoring and management software. The updates were pushed out between March and June, meaning that the attack has been going on for months. CISA has instructed all federal civilian agencies to cut off the use of Orion and to check for network compromise.
The attack appears to be possible thanks to a zero-day bug, researchers said.
“It’s not clear whether this is a flaw that SolarWinds totally understands yet,” Brandon Hoffman, CISO at Netenrich, said via email. “If they do, a fix needs to be issued immediately. If not, it may be worth shutting down that system until there is one. This may seem like overkill, but the risk is obvious, especially for targets considered higher priority. We still don’t know enough to determine if the attackers have been completely rooted out of the breached systems or even if the full extent of their lateral movements are known.”
Malicious Software Updates
SolarWinds acknowledged the bug in an advisory over the weekend, saying that exploitation of the issue must be done in a “narrow, extremely targeted, and manually executed attack,” and was likely the work of a nation-state. Users should upgrade to Orion Platform version 2020.2.1 HF 1 to protect themselves, it added.
The scope of the attack is for now unknown, but it could be wide-ranging: According to its website, SolarWinds has more than 300,000 customers around the globe, including most of the Fortune 500, the Secret Service, the Defense Department, the U.S. Post Office, the Federal Reserve, Lockheed Martin, PricewaterhouseCoopers and the National Security Agency.
FireEye said in a blog post late Sunday that government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East have all been affected.
“We anticipate there are additional victims in other countries and verticals,” FireEye said in its blog.
FireEye did not link the attack to Russia, but said it was tracking the campaign as “UNC2452,” and characterized it as “currently ongoing.” The cybercriminals are highly skilled, it added, with the operation exhibiting “significant operational security.”
The attackers were able to use SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed SolarWinds component of the Orion software framework, which is a plugin that communicates via HTTP to third-party servers, according to the firm. The bad actors were able to trojanize the plugin to inject a backdoor that FireEye is calling “Sunburst.” Once the malicious update is installed, the malicious DLL is loaded by the legitimate SolarWinds processes, making it difficult to detect.
“After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine and disable system services,” according to the company. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and antivirus tools running as processes, services and drivers.”
Chris Krebs, the former head of CISA who was fired by President Trump after saying the presidential election was secure, noted that companies using SolarWinds should assume that they have been compromised.
If you’re a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team. Odds are you’re not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this. https://t.co/YvSGTv926a https://t.co/WFe89831Dj
— Chris Krebs (@C_C_Krebs) December 13, 2020
“Hacks of this type take exceptional tradecraft and time,” Krebs tweeted. “If this is a supply-chain attack using trusted relationships, really hard to stop.”
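The SolarWinds advisory’s fixed build (2020.2.1 HF 1) and Krebs’s “assume compromise” advice can be turned into a simple inventory triage. The following is an added example, not code from SolarWinds, FireEye or the article; the Orion version-string format (“YYYY.M[.P][ HF N]”) and the sample hostnames are assumptions.

```python
"""Triage helper for SolarWinds Orion hosts, based on the advice in this article:
upgrade to 2020.2.1 HF 1 and, for any Orion install, assume compromise and start IR.
Added example; the version-string format is an assumption, not a vendor spec."""
import re
from dataclasses import dataclass

FIXED_VERSION = "2020.2.1 HF 1"  # from the SolarWinds advisory quoted in the article

# Assumed format: year.minor[.patch][ HF hotfix], e.g. "2020.2.1 HF 1" or "2019.4 HF 5"
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.I)


def parse_version(text):
    """Turn '2020.2.1 HF 1' into (2020, 2, 1, 1); missing patch/hotfix count as 0."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def is_patched(version):
    """True if the host is on the fixed build or newer (tuple comparison)."""
    return parse_version(version) >= parse_version(FIXED_VERSION)


@dataclass
class OrionHost:
    hostname: str
    version: str


def triage(hosts):
    """Map hostname -> action. Every Orion host gets an IR action, because a host
    that ran a trojanized build and was upgraded later may still carry the
    backdoor; hosts below the fixed build additionally need the hotfix."""
    result = {}
    for h in hosts:
        try:
            patched = is_patched(h.version)
        except ValueError:
            result[h.hostname] = "unknown version: isolate and verify the install manually"
            continue
        if patched:
            result[h.hostname] = "on fixed build: still assume compromise, activate IR, hunt for persistence"
        else:
            result[h.hostname] = "below fixed build: isolate, assume compromise, activate IR, then apply 2020.2.1 HF 1"
    return result


# Constructed sample inventory (hostnames and versions are made up for illustration)
SAMPLE_INVENTORY = [
    OrionHost("orion-prod-01", "2020.2"),
    OrionHost("orion-prod-02", "2020.2.1 HF 1"),
    OrionHost("orion-lab-01", "2019.4 HF 5"),
    OrionHost("orion-legacy", "n/a"),
]

if __name__ == "__main__":
    for host, action in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {action}")
```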
“It’s natural to think that just after the FireEye breach, adversaries turned their tools to use and perpetrated this breach of the Commerce department,” Hoffman said. “However, careful examination of this seems to lead us to the conclusion that this has been going on much longer. The type of attack described to date involves several low and slow techniques. The very term advanced persistent threat (APT) was coined to describe an attack just like this.”
Further coverage:
- Sunburst’s C2 Secrets Reveal Second-Stage SolarWinds Victims
- Microsoft Caught Up in SolarWinds Spy Effort, Joining Federal Agencies
- Nuclear Weapons Agency Hacked in Widening Cyberattack
- The SolarWinds Perfect Storm: Default Password, Access Sales and More
- FireEye Cyberattack Compromises Red-Team Security Tools