SUNBURST: Russia Fingered in ‘Perfect 10’ Supply Chain Attack

Since as early as March, Russian spies have been operating inside countless enterprises and government agencies. This frightening reality is thanks to a hack of IT management vendor SolarWinds.

An update to SolarWinds’ Orion product family contained a back door. And APT29—Cozy Bear—had the key, infiltrating the U.S. Treasury, the National Telecommunications and Information Administration and countless others.

The motive seems to be espionage. In today’s SB Blogwatch, we gather intelligence.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Sorry, Dolly.


FireEye’s Other Shoe Drops

What’s the craic? Pardon our Dustin Volz and Robert McMillan—“U.S. Agencies Hacked in Foreign Cyber Espionage Campaign Linked to Russia”:

 Multiple federal government agencies … have had some of their computer systems breached as part of a widespread global cyber espionage campaign … in which some internal communications are believed to have been stolen. [It’s] believed to be the work of the Russian government, according to officials and people familiar with the matter.

The hacking operation exposed as many as hundreds of thousands of government and corporate networks to potential risk and alarmed national-security officials. … One person familiar with the matter said the campaign was a “10” on a scale of one to 10, in terms of its likely severity and national-security implications. [It] is related to a cyber breach disclosed last week of U.S.-based cybersecurity firm FireEye.

The hackers were able to infiltrate the systems of government agencies as well as FireEye through a malicious software update introduced in a product from SolarWinds Inc., a U.S. network-management company. … The company says it has more than 300,000 customers world-wide, including more than 400 of the U.S. Fortune 500 companies. [It] counts Booz Allen Hamilton, the Secret Service, the Defense Department, the Federal Reserve, Lockheed Martin Corp., PricewaterhouseCoopers LLP and the National Security Agency among its customers.

Russia’s foreign-intelligence service, known as the SVR, was seen as the leading suspect of the FireEye breach. … President-elect Joe Biden … has pledged to respond forcefully to Russian aggression.

With their own “people,” Ellen Nakashima, Craig Timberg and Joseph Marks add—“Russian government hackers are behind a broad espionage campaign”:

 Officials were scrambling over the weekend to assess the nature and extent of the intrusions and implement effective countermeasures, but initial signs suggested the breach was long-running and significant … according to people familiar with the matter. … “This is looking very, very bad,” said one person.

SolarWinds said … products it released in March and June of this year may have been surreptitiously weaponized in a “highly-sophisticated, targeted … attack by a nation state.”

The Russian hackers, known by the nicknames APT29 or Cozy Bear, are part of that nation’s foreign intelligence service, the SVR. … The Russian Embassy in Washington … called the reports of Russian hacking “baseless.” … “Attacks in the information space contradict” Russian foreign policy and national interests. “Russia does not conduct offensive operations” in the cyber domain.

Yeah, right. Heed aleph_nought:

 They’re not even bothering with plausible deniability. They’ve put on the bad actor hat for all to see.

What did FireEye discover? CEO Kevin Mandia writes thuswise—“Campaign Leverages Software Supply Chain Compromise”:

 This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds. [Attackers] insert[ed] malicious code into legitimate software updates.

We have now identified multiple organizations where we see indications of compromise dating back to the Spring. … As this activity is the subject of an ongoing FBI investigation, there are also limits to the information we are able to share.

But phantomfive shoots the messenger:

 FireEye is a … crappy security company. … They are better at writing press releases than they are at security. … Can’t keep their own stuff secure, so they blame a “nation state.”

If you’re a security company you better be on point. You can have security that is good enough that an attacker would have an easier time with physical attacks than with remote attacks.

So this has been going on for nine months? Scary. mmccul ratchets up the tension:

 Could be scarier than one might expect. Where I’ve seen SolarWinds implemented, the tool was often given administrative credentials to not just the networking gear to pull credentials … but also to perform discovery on Linux systems. … Often I was asking admins to choke down the access and there was surprise that the tool worked with less than full root. So, yes, this is a very scary thing.

This looks bad. Dmitri Alperovitch—@DAlperovitch—shakes his head:

 We don’t have a cyber problem, we have a China, Russia, Iran and North Korea problem. … Even when we are not dealing with nation-state activity emanating from these countries, we see how these four states are protecting or even paying cyber criminals operating within their borders.

Supply chain hacks conducted through update channel compromise have been some of the most impactful intrusions/attacks to date. They are notoriously difficult to defend against/uncover. [e.g.,] NotPetya. We are lucky this one was not done by an actor intent on destruction.

We don’t yet know if every customer of SolarWinds who is autoupdating is compromised (likely not given the overall stealthiness of the intrusions to date – adversary most likely down selected to targets of interest). … Very impressive. … Really good tradecraft by the adversary.

SolarWinds is used by hundreds of thousands of organizations. And it has admin access to the network. Monday may be a bad day for lots of security teams.

Or sooner? Such as this Anonymous Coward:

 And how stoked am I to be working late on a Sunday night/Monday morning performing a forensic analysis on our SolarWinds servers? If I ever meet the ****holes who subverted SolarWinds, they can have a hearty ****-punching. … I hope they wind up in the gulag being beaten by guards 24/7 and living on half a rice bowl a day.

Meanwhile, Cognac gets cozy:

 I thought bears were mostly inactive during the winter?

And Finally:

Sorry, Dolly



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Image sauce: Russell @russ_jay Ferrer (via Unsplash)


Richi Jennings

Richi is a foolish independent industry analyst, editor, writer, and fan of the Oxford comma. He’s previously written or edited for Computerworld, Petri, Microsoft, HP, Cyren, Webroot, Micro Focus, Osterman Research, Ferris Research, NetApp on Forbes and CIO.com. His work has won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
