This means that there are actually three subgroups among the potential victims of these attacks: Orion users who installed the backdoor but were never otherwise exploited; victims who had malicious activity on their networks, but who ultimately were not attractive targets for attackers; and victims who were in fact deeply compromised because they held valuable data.
“If they didn’t exfiltrate the data, it’s because they didn’t want it,” said Jake Williams, former NSA hacker and founder of security firm Rendition Infosec. “If they don’t have access to it, it’s because they didn’t care.”
Even so, these first two groups still have to neutralize the backdoor to prevent future access. Because it was able to analyze the indicators of its own breach, FireEye led an effort, which other companies have since joined, to publish information on the anatomy of the attacks. Some of these “indicators of compromise” include IP addresses and Domain Name System (DNS) registration responses associated with the attackers’ malicious infrastructure. Responders and victims can use this information to check whether any servers or other devices on their networks have contacted attacker systems. Microsoft has also worked with FireEye and GoDaddy to develop a sort of backdoor “kill switch” by taking control of the IP addresses the malware communicates with, so that it can no longer receive commands.
Eliminating the backdoor is crucial, especially since the attackers are still actively exploiting it. And now that the technical details of their infrastructure are public, there is also a risk that other hackers could take advantage of the malicious access if it is not locked down.
In the House
For victims who have suffered a deeper compromise, however, it is not enough to close the door, as the attackers have already settled inside.
For clear targets like US government agencies, the question is what exactly the attackers had access to, and what more holistic picture that information can paint in terms of geopolitics and US defensive and offensive capabilities across the Department of Defense, critical infrastructure, and so on.
Identifying exactly what has been taken is difficult and time-consuming. For example, some reports have indicated that the hackers breached critical systems of the Department of Energy’s National Nuclear Security Administration, which is responsible for America’s arsenal of nuclear weapons. But DOE spokeswoman Shaylyn Hynes said in a statement Thursday night that while the attackers gained access to DOE “business networks,” they did not breach “mission-critical national security functions of the Department.”
“The investigation is ongoing and the response to this incident is taking place in real time,” Hynes said.
This is the situation for all victims at this point. Some targets will continue to discover that they were hit more deeply than they initially believed; others may find that the hackers kicked the tires but went no further. This is the main danger of a supply chain attack such as the SolarWinds breach: attackers gain broad access all at once and can choose their victims at leisure, while responders have to catch up.
While it is difficult to establish the full extent of the situation, researchers have made a concerted effort to determine who has been affected and to what extent. By tracking and correlating IP addresses, DNS records, and other attacker indicators, security analysts are even developing methods to proactively identify targets. Kaspersky Labs, for example, published a tool Friday that decodes the DNS queries made to the attackers’ command-and-control infrastructure, which could help point to the hackers’ priority targets.
News of the hacking frenzy will likely continue for weeks on end, as more organizations work out where they fall among the potential targets. Microsoft President Brad Smith wrote Thursday that the company had notified more than 40 customers of signs of deep intrusion into their networks. And Microsoft says that while the vast majority of these victims are in the United States, some are in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates. “It is certain that the number and location of victims will continue to increase,” Smith added.
Later that night, Microsoft confirmed that it was also compromised in the campaign.