Government Agencies Hacked Using SolarWinds Devices and Software

This past weekend, the U.S. Commerce Department, the Information Administration (NTIA), and U.S. Treasury admitted to an attack by a state-backed hacker group APT29, aka Cozy Bear, who attacked top cybersecurity firm FireEye last week stealing Red pen resources.

What Happened?

The Washington Post and Reuters first reported the incidents and named Russia-backed Cozy Bear as the culprit. FireEye discovered that as of March, software updates on a SolarWinds’ product called Orion had been intercepted by APT29 and replaced by malware they dubbed “Sunburst.” The elusive malware has the ability to steal profiles and files, reboot services, and disable systems. 

There are more than 300,000 SolarWinds customers worldwide; some of them are educational institutions, government agencies, and corporations. FireEye commented that “the actors behind this campaign gained access to numerous public and private organizations around the world.”

After the recent attack on government agencies, the Commerce Department made a public statement “We can confirm there has been a breach in one of our bureaus. We have asked CISA and the FBI to investigate, and we cannot comment further at this time.”

DataBreachToday assured the public that “The U.S. Cybersecurity and Infrastructure Agency, or CISA, on Sunday, issued an emergency directive “in response to a known or reasonably suspected information security threat,” noting that the affected Orion products are versions are 2019.4 through 2020.2.1 HF1.”

Brandon Wales, Acting Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said, “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks.”

Microsoft chimed in with the results of their own investigation “A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.”

How Did SolarWinds React?

SolarWinds released a security advisory on December 14 stating that “SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions **2019.4 HF 5**and**2020.2 ~with no hotfix~** or **2020.2 HF 1**. We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack instead of a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform.” SolarWinds is working closely with FireEye to complete their investigation and work on the next steps. 

They also urged customers using outdated software to upgrade immediately to mitigate the threat. The notice also includes instructions on how to check your version and a guidelines link to secure your devices.

They also said to “Additionally, we recommend customers scan their environment for the affected file: **SolarWinds.Orion.Core.BusinessLayer.dll**. If you locate this .dll, you should immediately upgrade to remove the affected file and follow security protocols to protect your environment.”

They anticipate releasing new files on December 15, to patch all susceptible devices. They listed the affected platforms:

• “Application Centric Monitor (ACM).
• Database Performance Analyzer Integration Module (DPAIM).
• Enterprise Operations Console (EOC).
• High Availability (H.A.).
• I.P. Address Manager (IPAM).
• Log Analyzer (L.A.).
• Network Automation Manager (NAM).
• Network Configuration Manager (NCM).
• Network Operations Manager (NOM).
• Network Performance Monitor (NPM).
• Network Traffic Analyzer (NTA).
• Server & Application Monitor (SAM).
• Server Configuration Monitor (SCM).
• Storage Resource Monitor (SCM).
• User Device Tracker (UDT).
• Virtualization Manager (VMAN).
• VoIP & Network Quality Manager (VNQM).
• Web Performance Monitor (WPM).”

They apologized and stressed that “Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security process, procedures, and standards designed to protect our customers.”

How to Keep Your Devices Safe

Along with always updating device firmware and software whenever there is an available security release, some other tips to keep devices safe from hackers include:

• Install network monitoring software or use a router with a firewall, which includes these tools to keep an eye on traffic, activity logs, and unwanted intrusions.
• Never visit unsecured URLs. Keep a close eye on sites you visit and watch out for any drive-by downloads or free software.
• Never install any browser add-ons or software from untrusted sources.
• Routinely check the device manufacturer’s website for updates on security, patches, and warnings.
• Install robust antivirus/anti-malware software on all your devices and run deep scans frequently. 
• Keep good backups in case you need to restore systems. 

The best way to stay safe is constant monitoring and vigilant awareness of anything suspicious. Report all incidents to the authorities and the device vendor. Using common-sense even if you are the victim of an attack, you can mitigate it quicker and recoup your losses.