Cybercrime , Cyberwarfare / Nation-State Attacks , Forensics

SolarWinds Attack: Pointing a Finger at Russia

Trump Administration Issues First Official Hack Attribution
SolarWinds Attack: Pointing a Finger at Russia

Mounting evidence points to the "serious compromise" of SolarWinds' Orion software having been an intelligence gathering operation that was "likely" run by Russia, according to a joint U.S. intelligence assessment. It's the first public attribution to be issued by the Trump administration for the massive supply chain attack against SolarWinds.

See Also: Top 50 Security Threats

The attack campaign compromised systems at thousands of organizations for up to nine months. It was discovered not by the National Security Agency, but rather by FireEye, a private cybersecurity firm based in California that was one of the supply chain attack victims.

Since FireEye on Dec. 13 issued an alert about the attack campaign, government investigators have been scrambling to ascertain what happened and how best to mitigate the damage.

"At this time, we believe this was, and continues to be, an intelligence-gathering effort" that traces to "an advanced persistent threat actor" that is "likely Russian in origin," according to the joint assessment issued on Tuesday by the Cyber Unified Coordination Group task force set up by the government to investigate the attack.

"We are taking all necessary steps to understand the full scope of this campaign and respond accordingly," the UCG says.

DOJ Affected

Meanwhile, on Wednesday, the Justice Department joined the list government agencies hit by the SolarWinds hack. But the department reports it has “no indication” that any classified systems were impacted.

In a statement, DOJ says it discovered on Dec. 24 malicious activity involving access to its Microsoft Office 365 email environment. “At this point, the number of potentially accessed O365 mailboxes appears limited to around 3%,” according to the statement.

Other U.S. government victims include the Commerce, Homeland Security, State, Energy and Treasury departments as well as some branches of the Pentagon (see: US Treasury Suffered 'Significant' SolarWinds Breach).

Last month, both Secretary of State Mike Pompeo and former Attorney General Bill Barr said Russia appeared to be behind the campaign.

Other unnamed government officials, speaking on background to multiple media outlets, had previously suggested that the attack appeared to trace to Russia's SVR foreign intelligence service.

But the Tuesday assessment represents the first time the U.S. government has officially pointed a finger at Moscow.

President Donald Trump has yet to comment on the joint attribution. He previously suggested that, rather than Russia, China might have been responsible.

Moscow has denied any involvement.

Supply Chain Attack

Beginning in March, attackers snuck a backdoor into Orion, a network monitoring tool developed by Texas-based SolarWinds that is widely used both across the private sector and in U.S. government agencies. For up to nine months, about 18,000 organizations installed versions of Orion containing the backdoor, known as "Sunburst," which enabled them to remotely access some infected systems, as well as push more malware and exfiltrate data.

The government's UCG task force reports that "of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems." The UCG says this includes fewer than 10 U.S. government agencies.

FireEye says such follow-on activity - or second-stage attack moves - typically included attackers pushing Teardrop malware, which enabled them to drop more malware on systems, potentially facilitating further reconnaissance, eavesdropping and the ability to leave in place other methods for accessing compromised systems in the future.

Amazon's intelligence team estimates that up to 250 organizations may have been compromised as part of the second-stage supply chain attacks, The New York Times reports.

The breach at SolarWinds is now the focus of an investor-filed lawsuit seeking class action status.

Cyber Unified Coordination Group

The UCG warns that the supply-chain attack "is a serious compromise that will require a sustained and dedicated effort to remediate." The group comprises the FBI, which is leading the investigation, gathering evidence and handling attribution; the Cybersecurity and Infrastructure Security Agency, which has been coordinating incident response; and the Office of the Director of National Intelligence, which is coordinating the intelligence agency response. Officials say the NSA is providing support.

In recent weeks, investigators had said numerous signs pointed to Russia's SVR being behind the campaign. They also said it appeared to be focused on gathering intelligence, with no apparent destructive intent - at least so far.

Christopher Krebs, the former director of CISA, told CNN last month that the SVR is staffed by "intelligence collectors" who were likely engaged in reconnaissance.

"They're looking for policy decisions. They're looking for diplomatic negotiations in federal agencies," Krebs said. "They're typically not the ones to run the destructive types of attacks. That doesn't mean they can't hand off access, but for now I think this is more of an intelligence collection operation."

Regular Alerts

CISA has been issuing emergency alerts to federal agencies and also disseminating findings inside the government as well as to the private sector.

After FireEye discovered the attack and made it public on Dec. 13, CISA on Dec. 14 ordered all federal government CIOs to immediately disconnect SolarWinds' Orion software from the internet or else power it down. Later, CISA warned victims that their incident response efforts may be lengthy, and affected systems may have to be wiped and entirely rebuilt.

On Thursday, CISA issued updated guidance ordering all federal agencies running Orion to immediately update to new versions that eliminate Sunburst, as well as to block separate malware called Supernova, aka CosmicGale.

Supernova - a web shell - was discovered during the course of the investigation into Sunburst. Investigators say it's unclear if it was used by the same attack group, but that it appears to have been installed on systems by targeting a zero-day flaw in Orion.

CISA says it will continue to issue fresh indicators of compromise as new details of the attack come to light.

Pressing to Speed Investigation

Lawmakers have been pressing investigators for details of the attack, including which agencies were hit and how badly (see: SolarWinds Hack: Lawmakers Demand Answers).

Some Democratic lawmakers have urged the Trump administration to move more quickly. "Unfortunately, it has taken three weeks after discovering an intrusion this significant for this administration to issue a tentative attribution," says Sen. Mark Warner, D-Va. "I hope we'll begin to see a public declaration of U.S. policy towards indiscriminate supply chain infiltrations like this in the future."

The UCG task force set up to investigate the attack says it has been "working nonstop," including through the holidays, to investigate.

But those efforts appear to have been hobbled by a series of layoffs. Before this attack came to light, Krebs - the director of CISA - was fired by Trump in November after saying that month's election had been the most secure one in history.

On Monday, Sara Sendek, CISA's spokeswoman and director of public affairs, was told by the White House's personnel office to not report for work on Tuesday, CyberScoop reported.

While Sendek, as a political appointee, would have stepped down on Jan. 20 when Joe Biden becomes president, she was reportedly instrumental in helping to run CISA's response to the SolarWinds attack.

In recent weeks, some CISA officials - including Sendek - wanted to release more details about the attack, but were overruled by the White House, The Wall Street Journal reports, citing unnamed "people familiar with the matter."

Lawmakers Seek Consequences

Espionage is a fact of life - all nations do it. Despite the apparent brazenness of the SolarWinds campaign, some former U.S. officials say that American intelligence agencies wouldn't have hesitated to do the same to the country's adversaries (see: SolarWinds Hack: Is NSA Doing the Same to Russia?).

Even so, some lawmakers have already called for Moscow to be held to account.

"We need to make clear to Russia that any misuse of compromised networks to produce destructive or harmful effects is unacceptable and will prompt an appropriately strong response," Warner says.

Determining what that response might be likely will be up to Biden (see: How Will Biden Administration Tackle Cybersecurity?).

One previous director of the NSA and U.S. Cyber Command, retired Gen. Keith Alexander, warns that the U.S. must respond, but in a manner that won't lead to escalation.

"We need to send a message," Alexander, who's now president of IronNet Cybersecurity, said in an interview with the "CBS Sunday Morning" TV program. "Now that can be done outside of cyber - diplomatically, politically, economically. It could be done in cyber. It can be done overtly or covertly."

But it must be done carefully. "Because imagine if we did attack and then they attack back. Who has more to lose?" he said. "We do."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.co.uk, you agree to our use of cookies.