Sometime in March, Russian hackers broke in. By slipping corrupted updates into a widely used IT management platform, they were able to hit the departments of Commerce, Treasury, and Homeland Security in the United States, as well as the security company FireEye. In truth, no one knows where the damage ends; given the nature of the attack, thousands of businesses and organizations have been at risk for months. It only gets worse from here.
The attacks, first reported by Reuters on Sunday, were apparently carried out by hackers from the SVR, Russia’s foreign intelligence service. These actors are often classified as APT 29 or “Cozy Bear”, but incident responders are still trying to piece together the exact origin of the attacks within the Russian military hacking apparatus. The compromises all go back to SolarWinds, an IT infrastructure and networking company whose products are used throughout the United States government, by many defense contractors, and by most Fortune 500 companies. SolarWinds said in a statement on Sunday that hackers managed to alter versions of a network monitoring tool called Orion that the company released between March and June.
“We have been advised that this attack was likely carried out by an outside nation-state and is intended to be a narrow, extremely targeted and manually executed attack, as opposed to a general system-wide attack,” the company wrote.
SolarWinds has hundreds of thousands of customers in all; it said in a Securities and Exchange Commission disclosure on Monday that up to 18,000 of them were potentially vulnerable to the attack.
Both FireEye and Microsoft have detailed the course of the attack. First, the hackers compromised SolarWinds’ Orion update mechanism so that its systems could distribute corrupted software to thousands of organizations. The attackers could then use the manipulated Orion software as a backdoor into the victims’ networks. From there, they could pivot to target systems, often by stealing administrative access tokens. Finally, with the keys to the kingdom – or large portions of each kingdom – the hackers were free to scout and exfiltrate data.
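The first step in the chain above is a corrupted update being accepted as genuine. The following added example (it is not code from the article, from SolarWinds, or from any vendor named here) shows the basic defensive check an operator can run before installing an update: compare the downloaded package’s SHA-256 against a manifest of known-good hashes obtained on a separate channel. All version strings, package bytes and the manifest are constructed for the example.

```python
"""Verify a downloaded update against an out-of-band hash manifest.

Added illustration, not vendor code. Product name, versions and package
bytes below are constructed placeholders.
"""
import hashlib
import hmac
from enum import Enum


class Verdict(Enum):
    OK = "hash matches the manifest entry for this version"
    TAMPERED = "version is known but the package hash does not match"
    UNKNOWN = "version is not listed in the manifest"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(genuine_releases: dict[str, bytes]) -> dict[str, str]:
    """Stand-in for the vendor side: hash each genuine release artifact.

    In practice this manifest would be fetched from a channel independent of
    the update server itself (a release page, a signed announcement, ...).
    """
    return {version: sha256_hex(blob) for version, blob in genuine_releases.items()}


def verify_update(version: str, package: bytes, manifest: dict[str, str]) -> Verdict:
    """Decide whether a downloaded package may be installed."""
    expected = manifest.get(version)
    if expected is None:
        # A version the vendor never published is not 'probably fine'; it is unknown.
        return Verdict.UNKNOWN
    actual = sha256_hex(package)
    # compare_digest avoids a timing side channel in the comparison itself.
    if hmac.compare_digest(expected, actual):
        return Verdict.OK
    return Verdict.TAMPERED


# Constructed sample releases standing in for a monitoring agent's builds.
GENUINE_RELEASES = {
    "1.4.0": b"monitoring-agent 1.4.0 :: legitimate build\n",
    "1.4.1": b"monitoring-agent 1.4.1 :: legitimate build\n",
}
MANIFEST = build_manifest(GENUINE_RELEASES)


def demo() -> dict[str, Verdict]:
    """Run the check on a genuine, a modified, and an unlisted package."""
    modified = GENUINE_RELEASES["1.4.1"].replace(
        b"legitimate build", b"legitimate build + injected code"
    )
    return {
        "genuine": verify_update("1.4.1", GENUINE_RELEASES["1.4.1"], MANIFEST),
        "modified": verify_update("1.4.1", modified, MANIFEST),
        "unlisted": verify_update("9.9.9", b"anything", MANIFEST),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict.name}: {verdict.value}")
```

The check only helps if the manifest is genuinely independent of the update path: if the same compromised pipeline produces both the package and the published hashes, they will agree, so hash pinning has to be paired with monitoring of what the installed software actually does on the network.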
This type of supply chain attack can have dire consequences. By compromising a single vendor or manufacturer, hackers can undermine the security of its customers at scale.
It wouldn’t be the first time that Russia has relied on a supply chain attack for widespread impact. In 2017, the country’s GRU military intelligence used its access to the Ukrainian accounting software MeDoc to release its destructive NotPetya malware around the world. The attack on SolarWinds and its clients appears to have focused on targeted reconnaissance rather than destruction. But with quiet, subtle operations, there is still a very real risk that the full extent of the damage is not immediately clear. Once attackers embed themselves in target networks – often referred to as “establishing persistence” – updating the compromised software is not enough to evict them. Just because Cozy Bear got caught doesn’t mean the problem is solved.
In fact, FireEye pointed out on Sunday that the attack is still ongoing. The process of identifying potential infections and tracing their source will take time.
“The attackers in question have been particularly discreet in their use of the network infrastructure,” said Joe Slowik, researcher at threat intelligence firm DomainTools. “In particular, they appear to have relied heavily on renewing or re-registering existing domains rather than creating completely new ones and using a variety of cloud hosting services for the network infrastructure.” These techniques help attackers hide clues about their identity, cover their tracks, and generally blend in with legitimate traffic.
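Re-registered or renewed domains defeat the simple “newly created domain” heuristic, so a defender has to look at when a domain’s registration last changed, not only when it was created. The following is an added example, not from the article or from DomainTools, that runs that check over DNS query logs. The log lines, the WHOIS-style registration records and the cut-off date are all constructed; a real deployment would pull registration data from a domain-intelligence feed.

```python
"""Flag DNS queries to domains whose registration is recent or recently changed.

Added illustration; log lines and registration records are constructed.
"""
from datetime import date

# Constructed registration records keyed by registrable domain.
# 'updated' stands for the last registration change (a renewal,
# re-registration, or transfer) in this simplified model.
REGISTRATION_DATA = {
    "updates.example":    {"created": "2012-04-03", "updated": "2012-04-03"},
    "cdn-edge.example":   {"created": "2013-07-19", "updated": "2020-11-29"},
    "fresh-host.example": {"created": "2020-12-01", "updated": "2020-12-01"},
}

# Constructed DNS resolver log: "<timestamp> <client ip> <queried name>"
DNS_LOG = """\
2020-12-14T10:01:02Z 10.0.0.5 updates.example
2020-12-14T10:01:05Z 10.0.0.5 cdn-edge.example
2020-12-14T10:02:11Z 10.0.0.9 fresh-host.example
2020-12-14T10:03:00Z 10.0.0.9 api.updates.example
2020-12-14T10:04:00Z 10.0.0.7 unlisted.example
"""

AS_OF = date(2020, 12, 14)  # constructed analysis date
MAX_AGE_DAYS = 90


def registrable_domain(qname: str) -> str:
    """Reduce a query name to its last two labels.

    Simplification: ignores multi-label public suffixes such as co.uk; a real
    tool would use the public suffix list.
    """
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_recent_registrations(log: str, reg_data: dict, as_of: date,
                              max_age_days: int = MAX_AGE_DAYS) -> list[tuple[str, str, str]]:
    """Return (client, domain, reason) for queries that merit a look."""
    findings = []
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        domain = registrable_domain(qname)
        record = reg_data.get(domain)
        if record is None:
            # No intelligence at all is itself worth surfacing.
            findings.append((client, domain, "no registration data"))
            continue
        last_change = date.fromisoformat(record["updated"])
        if (as_of - last_change).days <= max_age_days:
            if record["created"] == record["updated"]:
                reason = "newly registered"
            else:
                reason = "re-registered or ownership changed"
            findings.append((client, domain, reason))
    return findings


def demo() -> list[tuple[str, str, str]]:
    """Run the detector over the constructed log as of the constructed date."""
    return flag_recent_registrations(DNS_LOG, REGISTRATION_DATA, AS_OF)


if __name__ == "__main__":
    for client, domain, reason in demo():
        print(f"{client:10s} {domain:20s} {reason}")
```

Queries to the long-established, unchanged domain are left alone, while the domain that was re-registered two weeks before the analysis date is surfaced alongside the freshly created one; the threshold and the "no data" handling are the knobs to tune against an environment's own noise.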
The extent of the damage is also difficult to assess because Orion itself is a monitoring tool, which sets up a bit of a “who watches the watchers” problem. For the same reason, Orion is also granted trust and privileges across users’ networks that are valuable to attackers. Victims and potential targets should consider the possibility that these attacks also compromised much of their other infrastructure and authentication mechanisms through Orion’s ubiquitous access. The extent of exposure in US government agencies is still unknown; the revelation that DHS was also affected did not come until Monday afternoon.