Five Things to Know about the Nation-State Cyberattack on The US and West’s Top Entities
On December 13, 2020, news reports began pouring in about a far-reaching and particularly sensitive security breach. An “active exploitation” was cited by authorities of the US Government, including those in the intelligence community. An outside party, a nation-state, had for some time been surreptitiously monitoring the internal networks of some of the largest and most sensitive private and public organizations.
An FBI investigation on the type of scope of the attack commenced immediately, as did inquiries by the security and investigative arms of household names in enterprise software providers. For many people, the familiarity with the names and logos of the cyberattack victims was offset by a complete lack of knowledge about SolarWinds, the company whose software served as the unwitting conduit for the attack on notable entities.
Here’s what you need to know about the state-sponsored SolarWinds cyberattack on the US and West's top entities.
1. SolarWinds is an unrecognized but big target.
Most people outside of the marge-enterprise software market are familiar with the entities breached in the SolarWinds cyberattack, but they are unacquainted with SolarWinds itself. The Austin, Texas-based firm SolarWinds company was founded in 1999, and today it is a publicly traded technology company that serves government across agencies of the US Executive Branch. It also serves the US and foreign military, the intelligence services, multinational corporations such as Fortune 500 companies, and many more such domestic and foreign customers. SolarWinds claims around 3,200 employees as of 2020. Two months prior to the breach revelation, it had announced to shareholders and analysts that it had dominated the large-enterprise market, saying its products were “everywhere”.
2. Not the main target, SolarWinds unknowingly deployed malware to its customer roster.
Those responsible for hacking SolarWinds as a way to gain access to its customers did so through the company’s Orian software, a product that helps enterprises manage their complex IT environments. The category of such an event — a “supply chain attack” — is carried out by inserting malicious code into the software that is deployed to others. Specifically, the hackers hid their malicious code into Orion software updates made between March and June 2020, versions 2019.4 through 2020.2.1. The malware sent via these updates created backdoors into a SolarWinds library, allowing remote access into the enterprises through which more malware was installed at the enterprise customers. That malware was used to surveil the enterprises’ IT infrastructure such as email traffic. The malware was designed to surveil and conceal itself by obtaining administrative or superuser (e.g. root, admin, supervisor) access to SAML token-signing certificates. Security researchers cited Microsoft Office365 as an an attack vector since the malware enabled abuses of its authentication processes so that the hackers could monitor email conversations.
3. SolarWinds’s known, reported or acknowledged victims already make this hack serious.
News of the incident quickly generated a National Security Council meeting at the White House on Saturday, December 12, 2020. That’s unsurprising considering the profile of entities that were already announced or divulged to have been affected by the unlawful access. Email was said to have been monitored at the U.S. Treasury and Commerce departments. What’s more, the attack is being talked about as being tied to a similar, recent cyberattack. SolarWinds could very well have been another stage of a recent attack on the Tier 1 cybersecurity provider FireEye, the Homeland Security and Treasury departments. Put into this broader context, the attack announced on December 13th could be one involving not only the aforementioned but also the departments of States and Energy, the Pentagon, and the National Nuclear Security Administration as well as Microsoft, Cisco, Intel, and Deloitte, the state of California’s hospital system, and Kent State University.
4. SolarWinds’s potential victim roster could make this a growing, even more serious incident.
The mild silver lining of the attack is that of SolarWinds’s 33,000 customers that could have updated their Orion software, around 18,000 did so. But even a sliver of the potential unidentified victims would still add a great deal of pain to severe damage the intrusion has caused. On its website, SolarWinds claims its customers are most of America’s Fortune 500 companies, the top 10 U.S. telecommunications providers, all five branches of the US military, the State Department, the National Security Agency, and the Office of President of the United States. Across the pond and on the European continent, a number of entities are investigating their exposure: the North Atlantic Treaty Organization (NATO), the European Parliament, and the UK Government, for instance. Microsoft reported that it notified 40 victims in the UK, Canada, Mexico, Belgium, Spain, Israel and the United Arab Emirates. Others cited as likely or unconfirmed include the UK Ministry of Defence, the UK National Health Service (NHS), the UK Home Office, and AstraZeneca. FireEye has noted the victim profile likely to be or include government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East.
5. Hackers working for Russia are said to have launched the attack.
News of the breach included the statements from US officials that hackers working for the Russian Foreign Intelligence Service (SVR) were, or were likely, behind the attack. Mentioned among these is APT29, aka Cozy Bear, a known SVR-affiliated threat actor. The same Russian group hacked the State Department and the White House email servers during the Obama administration. In 2014-15, Cozy Bear targeted thousands of organizations, including government agencies, foreign embassies, energy companies, telecoms, and higher education campuses. Thet Moscow-based cybersecurity firm Kaspersky said the SolarWinds backdoor to 18,000 enterprise victims mirrors the toolkit that a hacking group called “Turla” uses. Authorities in Estonia have tied Turla to Russia’s Federal Security Service (FSB). Kaspersky said the “Kazuar” hacking tool is a Turla weapon, and that Kazuar and the SolarWinds malware share “distinct similarities”. Other reasons to implicate Russia include notes on the tradecraft in use, a “supply-chain” delivery method similar to the Russia-linked NotPetya, classified US intelligence that may directly link Russia, and the fact that the US and Western European countries were hardest hit.
Security researchers, policymakers, and intelligence leaders agree that it will take months or years to fully understand the damage caused by the SolarWinds breach. Some have added that we may never know the extent since it is hard to quantify the damage caused by long-term surveillance, and that a good practice is to simply assume the worst. Today the body of affected governments and other large consumers of Orion software are shoring up defenses in the hopes that a heightened state of vigilance could detect the next SolarWinds-style attack. It’s a posture that, while seemingly inadequate, doesn’t seem to have an alternative other than a vague retaliatory “response” to those responsible.
That’s five things you now know about the SolarWinds nation-state cyberattack. To learn more, watch the SANS Institute emergency webcast that aired just after the breach was reported.