Hackers working on behalf a foreign government are believed to be behind a highly sophisticated attack into a range of key government networks, including in the Treasury and Commerce Departments, and other agencies. The hackers had free access to their email systems.
According to The New York Times, government officials confirmed the hack and said they were determining what other agencies had been breached. “The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, a spokesman for the National Security Council, said in a statement.
Cybersecurity firm FireEye, who recently disclosed a major security breach, also confirmed the attack, noting they had identified “a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.”
The attacks, according to FireEye, share common elements such as:
- Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment. SolarWinds, in a press release, admitted to the breach of their software platform Orion.
- Light malware footprint: Using limited malware to accomplish the mission while avoiding detection
- Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity
- High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools
Based on analysis, the compromise dates back to the Spring of 2020, meaning hackers had free access to email systems for months.
Brandon Hoffman, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based provider of IT, cloud, and cybersecurity operations and services, says, it’s natural to think that just after the FireEye breach, adversaries turned their tools to use and perpetrated this breach of the Commerce department. “However, careful examination of this seems to lead us to the conclusion that this has been going on much longer. The type of attack described to date involves several low and slow techniques. The very term advanced persistent threat (APT) was coined to describe an attack just like this,” he says. “The key takeaway from this, while the damage is being examined, is to determine if your organization is at risk. For any customer of SolarWinds Orion, it is worth digging as deep as possible to understand the implications. It’s not clear whether this is a flaw that SolarWinds totally understands yet. If they do, a fix needs to be issued immediately. If not, it may be worth shutting down that system until there is one. This may seem like overkill, but the risk is obvious, especially for targets considered higher priority. We still don’t know enough to determine if the attackers have been completely rooted out of the breached systems or even if the full extent of their lateral movements are known.”
