
US nuke agency hacked by suspected Russian SolarWinds spies, Microsoft also installed backdoor

Windows giant, nuclear administration play down danger – and kill switch found and activated

America's nuclear weapons agency was hacked by the suspected Russian spies who backdoored SolarWinds' IT monitoring software and compromised several US government bodies, and Microsoft was caught up in the same cyber-storm, too, it was reported Thursday.

The Windows giant uses SolarWinds' network management suite Orion, downloads of which were secretly trojanized earlier this year so that when installed within certain targets – such as the US government departments of State, Treasury, Homeland Security, and Commerce – the malicious code's masterminds could slip into their victims' networks, execute commands, read emails, steal data, and so on.

Reuters said Microsoft's security was "breached" by the same crew, and implied this was achieved either through Orion, or some other means, pointing out Homeland Security warned that the hackers, thought to be the Kremlin's APT29 aka Cozy Bear team, have found multiple ways into various organizations.

While Microsoft's comms veep Frank Shaw confirmed the Redmond mega-corp is a SolarWinds user and had installed the tainted Orion updates, he said no evidence could be found that production systems and customer data were accessed by the suspected Russian foreign intelligence snoops. The PR chief also denied the newswire's claim that Microsoft's platforms were commandeered to hack its own customers.

We detected malicious SolarWinds binaries in our environment, which we isolated and removed

"Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed," Shaw said in a statement. "We have found no evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indicators that our systems were used to attack others."

El Reg hopes that means non-production services – such as internal development and test networks, back offices, and the like – were also not accessed by the miscreants, and that the absence of evidence isn't simply because the hackers deleted their tracks, or never left any in the first place. In other words, the spirit of this official statement says nothing more than that the backdoored Orion updates were installed and nothing of consequence happened, while the letter of the statement leaves the scope and damage of the intrusion fairly wide open.

For what it's worth, according to one of Reuters' sources, the hackers "made use of Microsoft cloud offerings while avoiding Microsoft’s corporate infrastructure."

Separately, Microsoft president Brad Smith said his staff "has identified and has been working this week to notify more than 40 customers that the attackers targeted more precisely and compromised through additional and sophisticated measures" beyond the tainted Orion updates.

Going nuclear

Meanwhile, Politico reported that the US government's Dept of Energy's National Nuclear Security Administration, which oversees the nation's nuke stockpile, was hacked via the Orion backdoor. Suspicious network activity was, we're told, found at the Federal Energy Regulatory Commission, the Sandia and Los Alamos national laboratories in New Mexico and Washington, the Office of Secure Transportation at the nuclear administration, and the Richland Field Office of the DoE.

A Dept of Energy spokesperson said: "At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department, including the National Nuclear Security Administration."

It also emerged on Thursday that the city of Austin in Texas was hit by suspected Russian hackers, according to The Intercept. This is an interesting one, as tech outfits such as Oracle and HPE lately said they are shifting their corporate HQs to the US state.

SolarWinds' Orion software is used by at least 300,000 customers, ranging from American and British government bodies, to Fortune 500 companies. With some 18,000 clients said to have downloaded and installed the maliciously tampered updates, this hacking campaign has the potential to touch all walks of life, and hand mountains of intelligence, emails, and other data to, as alleged, Moscow.

Killswitch activated

FireEye – which has been investigating the Orion fiasco after it was hacked by some means by, again, allegedly Russia – told us that the infosec giant worked with GoDaddy and Microsoft to activate a remote killswitch within the backdoor smuggled into the Orion updates. Sources familiar with Microsoft's operations confirmed as much.

Basically, we're told, when a backdoored version of the network monitoring software is run, it looks up the IP address of the hard-coded domain avsvmcloud[.]com. Depending on the result, the backdoor malware, dubbed SUNBURST by FireEye, will deactivate. So, with Microsoft taking control of that domain name, with DNS giant GoDaddy's help, the tech trio killed off the malware by ensuring the dotcom resolves to an IP address that deactivates the code. This is similar to the WannaCry killswitch.

"As part of FireEye's analysis of SUNBURST, we identified a killswitch that would prevent SUNBURST from continuing to operate," a spokesperson for FireEye told The Register. "Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections.

"This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST."

Thus, if you installed a trojanized version of Orion, don't assume it's over after updating to a good, clean version and knowing that the killswitch is on. You'll have to hunt through your network for any follow-up infections or backdoors implanted by the suspected Russian miscreants. Speaking of which...

Time to rip and replace

The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday saying SolarWinds was not the only way America's servers had been pwned this year by what is believed to be APT29: it has detected multiple intrusions, some persistent, in a campaign ongoing since at least March, not all of them involving SolarWinds.

"This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks," it warned [PDF].

"It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered. CISA will continue to update this Alert and the corresponding indicators of compromise (IOCs) as new information becomes available."

With regards to the SolarWinds disaster, CISA is recommending admins be on guard for rogue Security Assertion Markup Language (SAML) tokens, which were a primary method of network traversal. Long-duration tokens, up to 24 hours rather than the usual one hour, are particularly suspect, as are tokens used as soon as they were created. If in doubt, ripping and replacing entire identity systems is recommended.

"Simply mitigating individual issues, systems, servers, or specific user accounts will likely not lead to the adversary’s removal from the network," the advisory states.

"In such cases, organizations should consider the entire identity trust store as compromised. In the event of a total identity compromise, a full reconstitution of identity and trust services is required to successfully remediate. In this reconstitution, it bears repeating that this threat actor is among the most capable, and in many cases, a full rebuild of the environment is the safest action."
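One way to implement the token check CISA describes, as an added example that is not from the advisory or this article: it flags assertions whose validity window is longer than the usual hour, and assertions exercised within seconds of issuance. The assertion XML, the one-hour and five-second thresholds, and the first-use timestamps are constructed assumptions, not values from any real environment.

```python
"""Flag SAML assertions with an unusually long validity window, or that are
exercised almost immediately after issuance, the two markers CISA singles out
for forged tokens. All XML, thresholds and timestamps here are constructed."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_LIFETIME = timedelta(hours=1)     # assumed normal token lifetime at this IdP
MIN_USE_DELAY = timedelta(seconds=5)  # assumed floor for a human-driven login


def parse_ts(s):
    """Parse the UTC timestamps SAML uses (e.g. 2020-12-17T10:00:00Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_assertion(issued, not_before, not_after, subject):
    """Build a minimal, constructed (unsigned) SAML 2.0 assertion."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_demo" '
            f'Version="2.0" IssueInstant="{issued}">'
            f'<saml:Issuer>https://idp.example.test</saml:Issuer>'
            f'<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_after}"/>'
            f'</saml:Assertion>')


def assess_assertion(xml_text, first_use):
    """Return the reasons this assertion looks suspect (empty list = clean)."""
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    issued = parse_ts(root.get("IssueInstant"))
    lifetime = parse_ts(cond.get("NotOnOrAfter")) - parse_ts(cond.get("NotBefore"))
    reasons = []
    if lifetime > MAX_LIFETIME:
        reasons.append(f"validity window {lifetime} exceeds {MAX_LIFETIME}")
    if first_use - issued < MIN_USE_DELAY:
        reasons.append(f"first use only {first_use - issued} after issuance")
    return reasons


# Constructed examples: a normal one-hour token, and a 24-hour token used at once.
NORMAL = sample_assertion("2020-12-17T10:00:00Z", "2020-12-17T10:00:00Z",
                          "2020-12-17T11:00:00Z", "alice@example.test")
SUSPECT = sample_assertion("2020-12-17T10:00:00Z", "2020-12-17T10:00:00Z",
                           "2020-12-18T10:00:00Z", "svc-backup@example.test")

if __name__ == "__main__":
    print(assess_assertion(NORMAL, parse_ts("2020-12-17T10:00:30Z")))   # []
    print(assess_assertion(SUSPECT, parse_ts("2020-12-17T10:00:01Z")))  # two reasons
```

In practice the first-use timestamp comes from the service provider's sign-in log, correlated to the assertion by its ID; the thresholds should be tuned to what your identity provider actually issues.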

The NSA has issued similar advice regarding SAML tokens and Microsoft Azure-based authentication, here. ®
