SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks

Orion networking monitoring users need to take action as we summarize what the hell is going on


Analysis As the debris from the explosive SolarWinds hack continues to fly, it has been a busy 48 hours as everyone scrambles to find out if, like various US government bodies, they've been caught in the blast. So, where are we at?

In terms of the news flow, it started in the middle of last week with FireEye. The specialist IT security firm brought in by multinationals when they suffer high-profile hacks found itself admitting last week it had itself been hacked.

Not only that but miscreants, strongly suspected to be Kremlin-backed Russian hackers, had penetrated FireEye's servers and made off with its crown jewels: the tools it uses to test other companies’ defenses. Armed with those penetration tools, hackers could potentially identify which of their methods will pass FireEye's gaze undetected.

Anticipating the stolen tools leaking into the wrong hands, FireEye put out a range of materials to help others detect if its testing software is being used in the wild. It then investigated how its network defenses were breached.

Fast forward to the weekend, and various US government organizations discovered they too had been hacked, with Russia's APT29 aka Cozy Bear team suspected by officials. The Department of Commerce, Treasury, Pentagon, State Department, National Institutes of Health, and Homeland Security's systems, including email, have been compromised to some degree in what may well be the most massive and consequential publicly known hack of American government data networks in history.

russia

Backdoored SolarWinds software, linked to US govt hacks, in wide use throughout the British public sector

READ MORE

It was quickly suspected that the computers were infected via SolarWinds Orion, a network monitoring tool for Microsoft Windows. It appears someone – again, Moscow is in the firing line – altered downloads from the SolarWinds website so that the code contained a remote-controlled backdoor. Once on a box, the backdoor could be used by miscreants from afar to run commands, hijack the computer, steal data, and so on. That's likely how the US government networks were compromised: by installing tainted downloads – which are, we're told, still available from the SolarWinds website at time of writing though it is no longer linked-to. The dodgy updates were said to have been slipped onto the site between March and June this year.

America's Cybersecurity and Infrastructure Security Agency (CISA) put out an emergency directive on Sunday night calling on all federal civilian agencies to review their networks immediately and pull the plug if they are running the Orion software. Everyone using the product is urged to upgrade to a fixed version, assume compromise, and work from there.

FireEye, meanwhile, probed the backdoor smuggled into the SolarWinds code, and documented its findings in detail, here.

It's not clear whether the FireEye intrusion and exfiltration stemmed directly from a bad installation of Orion. Cryptically, FireEye has glued together its early-December public statements that it was hacked, and its investigation into what it says is "a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain."

The campaign demonstrates top-tier operational tradecraft

"This compromise is delivered through updates to a widely used IT infrastructure management software — the Orion network monitoring product from SolarWinds," added FireEye CEO Kevin Mandia. "The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.

"Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the spring of 2020, and we are in the process of notifying those organizations. Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."

We asked FireEye straight up if it was hacked via a SolarWinds update, and a spokesperson told us simply: "Our investigation is still ongoing."

Who are the hackers and how did they get in?

Orion is a network monitoring platform that is particularly popular with the US and UK public sector as well as the world’s largest corporations. It has a long history and pedigree, it was established and remains based in the US, and it has slowly grown through careful acquisition and a gradual build-out of its platforms, continually adding to and updating its system. It boasts of more than 300,000 customers.

In hindsight, it was the perfect target for spies: providing just the right spot to insert a backdoor into trusted, confidential systems, with high visibility of network traffic, and the plot to do so appears to have been extremely well organized, sophisticated, and gone for months undetected. The hackers crafted their malicious code specifically for SolarWinds’ platform, and created a .dll file containing it all.

Russian bear hackers

US Treasury, Dept of Commerce hacks linked to SolarWinds IT monitoring software supply-chain attack

READ MORE

As customers downloaded the update, they unwittingly pulled down and installed the backdoor at the same time. The malicious code was itself cleverly designed, would execute commands, and provided remote admin access. The hackers then used that foothold to create and cryptographically sign the necessary security tokens to hoodwink systems into believing subsequent access to other accounts and resources was legitimate.

Once that process was complete, the hackers had free rein to rove the networks of any organization that had installed the Orion platform. “Because the SAML tokens are signed with their own trusted certificate, the anomalies might be missed by the organization,” Microsoft noted in a technical analysis of the operation. In other words, no or next to no alarms went off.

Once the intruders gained access to the most protected accounts, it was possible for them to use any provided interfaces to basically do whatever they wanted. It was a very clever, multi-stage process though the end result is that the Russian government has likely been reading the emails of the US government’s most powerful bodies for some time. As for who did it: it was almost certainly pulled off by a group dubbed Cozy Bear, who work for Russia's foreign intelligence. The Kremlin has, as usual, denied any involvement.

How long have the hackers been inside?

Judging from the timeline, the hackers may have had access to Orion customer networks for nearly nine months since the code was tampered with during the spring. In reality, it is likely to be less than that: many organizations won’t have downloaded and installed the backdoored update immediately. With such high-profile targets in mind, it is likely the snoops were extremely cautious as they proceeded so that they didn’t trigger any alarms, and would have carefully selected the high-value organizations they infiltrated.

Regardless, that is an extremely long time to have had access to critical information flowing over private networks.

What did they find out?

We don’t know what was snatched, and it is very unlikely that the US government is going to make much of that information public. But it is worth noting that for several months, the intelligence agencies have been warning about active efforts by other nations, almost always Russia, to dig into systems, with some advisories built around the US presidential election in November and more recently around COVID-19 virus vaccine efforts.

It is likely that those warnings were the result of intelligence agencies picking up chatter that indicated the Russians had managed to glean information from networks somewhere. It’s possible those hacks may have been purposefully noisy efforts to draw attention away from the Orion hack. Or it’s possible that they attacked everything they could and the SolarWinds hack was the one that paid off.

Either way, only the hackers really know what they got away with and what they were caught doing. And neither they, nor the targets of the hacking attempts, are going to give any information for now at least beyond vague overviews.

Was it just government departments?

No, it was not just government departments. SolarWinds said in a securities filing [PDF] “fewer than 18,000” customers downloaded the update and so were potentially compromised. You have to love the downplaying of a compromise of nightmarish proportions.

That same filing also noted that SolarWinds' Office 365 account was hacked and its emails accessed, possibly leading to the dodgy downloads:

SolarWinds uses Microsoft Office 365 for its email and office productivity tools. SolarWinds was made aware of an attack vector that was used to compromise the Company’s emails and may have provided access to other data contained in the Company’s office productivity tools. SolarWinds, in collaboration with Microsoft, has taken remediation steps to address the compromise and is investigating whether further remediation steps are required, over what period of time this compromise existed and whether this compromise is associated with the attack on its Orion software build system.

Assuming this was a state-sponsored attack, and almost everyone assumes it was given the sophistication and determination, then government departments would have been the natural target and focus. But with nine months to play with, it is all but certain that the hackers also dug around in thousands of other networks, including, most likely, a large number of Fortune 500 companies.

EU Medicines Agency hacked, BioNTech-Pfizer coronavirus vaccine paperwork stolen, probe launched

READ MORE

It wasn’t just Uncle Sam in the cross-hairs, either: as we noted earlier, the UK government has also been a big fan of Orion, and it would have been a very attractive target for the Russians, too.

It will be interesting to see which companies and government departments admit to having been compromised, and which decide to pretend it never happened. It’s a safe bet that those who feel obliged to reveal they were hacked will do so as quietly as possible over the Christmas period in vague language in the hope no one notices.

What’s the potential damage?

God alone knows what the true fallout will be, and knowledge is power.

If you ever wondered how Putin’s Russia was having a disproportionate impact on global affairs given its actual resources and power, you need to look no further than this extraordinary hacking effort. It is arguable the release of emails from the Democratic National Committee in 2016 was behind the election of Donald Trump as president, shifting possibly just enough voters against Hillary Clinton to make the difference. There were a good many other variables in that election, though; it wasn't solely Moscow's doing. And we note all these latest shenanigans emerged just before the electoral college confirmed on Monday Joe Biden will be the next US President come January 20.

What will Putin’s Russia do with months of emails and other information apparently swiped from US government departments and huge corporations? Unfortunately, we are likely to find out over the next year. ®


Biting the hand that feeds IT © 1998–2021