Russian foreign intelligence is believed to be behind the attack, which has left “hundreds of thousands of government and corporate networks” at risk.
The U.S. Department of Homeland Security and the Treasury and Commerce departments have already been compromised through a supply-chain attack on SolarWinds’ network-management platform.
The attack on FireEye the week prior was a precursor. On December 8th an attacker was able to access the Red Team assessment tools that FireEye uses to test customer security. The Cybersecurity and Infrastructure Security Agency (CISA) said that by using trojanised updates to SolarWinds’ Orion IT monitoring and management system, attackers were able to infiltrate FireEye and government agencies.
SolarWinds acknowledged the bug over the weekend and in an advisory said that exploiting the issue must be done in a “narrow, extremely targeted, and manually executed attack.” They concluded it must be the work of a nation-state and urged users to upgrade to Orion Platform version 2020.2.1 HF 1 to mitigate the attack.
The scope of the attack is currently unknown but could be wide-reaching, especially considering SolarWinds’ high-profile customers, which include most of the Fortune 500, the Secret Service and the Defence Department, to name a few.
FireEye said the attackers were able to use SolarWinds.Orion.Core.BusinessLayer.dll, a digitally signed SolarWinds component of the Orion software framework. It is a plugin that communicates via HTTP with third-party servers, and the attackers trojanised it to inject a backdoor. Once the malicious update has been installed, the DLL is loaded by the legitimate SolarWinds process, which makes it difficult to detect.
The company expanded on how the attack works: “After an initial dormant period of up to two weeks, it retrieves and executes commands, called ‘Jobs,’ that include the ability to transfer files, execute files, profile the system, reboot the machine and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and antivirus tools running as processes, services and drivers.”
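Two checks a defender can run against the facts reported above, as an added example that is not part of the article or of FireEye’s or SolarWinds’ own tooling: comparing an installed Orion build against the fixed version named in the advisory, and reviewing the outbound HTTP destinations of the process that loads the plugin DLL, since the traffic is shaped to look like OIP but still has to reach the attacker’s infrastructure. The process name, the allowlist of expected vendor endpoints and the proxy log lines are all constructed placeholders.

```python
import re
from collections import defaultdict

# Fixed build named in the SolarWinds advisory quoted above.
FIXED_VERSION = "2020.2.1 HF 1"
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?$", re.IGNORECASE)

def parse_orion_version(text):
    """'2020.2.1 HF 1' -> (2020, 2, 1, 1); a missing hotfix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    nums += (0,) * (3 - len(nums))          # pad "2020.2" to (2020, 2, 0)
    return nums + (int(m.group(2) or 0),)

def needs_upgrade(installed, fixed=FIXED_VERSION):
    """True when the installed build is older than the advisory's fixed build."""
    return parse_orion_version(installed) < parse_orion_version(fixed)

# Hypothetical name of the Orion service process that loads the plugin DLL,
# and a constructed allowlist of hosts that process is expected to talk to.
ORION_PROCESS = "orion-business-layer-host"
EXPECTED_DESTINATIONS = {"updates.vendor.example", "oip.vendor.example"}

# Constructed proxy log: "<time> <host> <process> <method> <dest_host> <path>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")
SAMPLE_LOG = """\
2020-12-13T09:00:01Z orion01 orion-business-layer-host GET updates.vendor.example /update/check
2020-12-13T09:15:22Z orion01 orion-business-layer-host POST oip.vendor.example /oip/submit
2020-12-13T09:16:04Z orion01 orion-business-layer-host GET cdn-telemetry.example /oip/Upload
2020-12-13T09:16:30Z orion01 chrome GET www.example.org /
2020-12-13T10:02:11Z orion01 orion-business-layer-host GET cdn-telemetry.example /oip/Events
"""

def find_unexpected_destinations(log_text, allowlist=EXPECTED_DESTINATIONS,
                                 process=ORION_PROCESS):
    """Map each non-allowlisted destination contacted by the Orion process to
    its (timestamp, path) requests. OIP-looking paths blend in; an unexpected
    destination does not, so that is what gets surfaced for review."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m or m.group(3) != process:
            continue
        ts, dest, path = m.group(1), m.group(5).lower(), m.group(6)
        if dest not in allowlist:
            findings[dest].append((ts, path))
    return dict(findings)
```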
Chris Krebs, former leader of CISA, has said that companies using SolarWinds should assume they have been compromised. He tweeted, “hacks of this type take exceptional tradecraft and time,” and also noted that if the attack is a supply-chain attack that uses trusted relationships, it would be hard to stop.
Brandon Hoffman, CISO at Netenrich, said via email about the attack: “It’s natural to think that just after the FireEye breach, adversaries turned their tools to use and perpetrated this breach of the Commerce department. However, careful examination of this seems to lead us to the conclusion that this has been going on much longer. The type of attack described to date involves several low and slow techniques. The very term advanced persistent threat (APT) was coined to describe an attack just like this.”