Five days after FireEye detailed the theft of about 300 of its proprietary cybersecurity tools, SolarWinds announced that its Orion IT monitoring platform had also been compromised by hackers believed to be sponsored by the Russian government. Together, the attack that originated with a SolarWinds vulnerability turned over critical cybersecurity infrastructure to the malicious actors, along with potential access to thousands of global entities’ sensitive information. As the cybersecurity world wraps its head around how two top vendors were breached, we examine the organizations involved, details of the attack, and implications for the industry and its customers.
Earlier this month, the U.S. National Security Agency warned that federal agencies were actively being exploited by “Russian state-sponsored actors.” A week later, FireEye’s prized Red Team hacking tools were stolen by a presumed Russian actor. And now we’ve learned that SolarWinds’ Orion platform has been available to intruders since March.
First notification from FireEye
On December 8, FireEye informed the public that “a nation with top-tier offensive capabilities” had infiltrated FireEye’s network and gained access to the company’s suite of Red Team hacking tools. By analyzing these tools, actors can replicate the same software FireEye uses to test its own clients’ computer defenses. In light of the news, FireEye has published detailed analysis of the attacks and steps potentially affected organizations should take.
While FireEye is still in its investigation phase, the hack was identified as an advanced persistent threat (APT) or nation-state attack, with analysts pointing to Russia. FireEye’s targeting might not come as a surprise to some, as the company has actively exposed Russian cyberintelligence operations for years.
SolarWinds news breaks
On December 13, FireEye released a report on the SolarWinds attack, dubbed SUNBURST. Through updates to SolarWinds’ Orion IT monitoring and management software starting in March, highly skilled actors have potentially gained access to thousands of organizations globally. Victims include government, consulting, technology, and telecom organizations in North America, Europe, Asia, and the Middle East.
News that the U.S. Treasury and Commerce departments were victims of the hack led to some panic and ordered shutdowns of the Orion IT software for government agencies. SolarWinds notified its customers of the need for immediate action and listed the affected software builds.
Nature of the attacks
As details emerge, it’s clear that the SolarWinds attack was initiated in March 2020 and went undetected for almost 9 months. Given how long the intrusion went unnoticed, the highly skilled actors clearly succeeded in minimizing their footprint.
Seamless attacks like the plug-in discovered in the Orion platform can maximize an adversary’s access and insights into critical tools and information.
In an SEC filing earlier this week, SolarWinds noted that about 18,000 customers installed the compromised March update. That is roughly 6% of the company’s total customer base, and those users have been vulnerable for a large chunk of 2020.
To emphasize the range of entities impacted by the SolarWinds attack, U.S. government agencies attacked include the Federal Reserve, the Department of Justice, the State Department, the Department of Homeland Security, the National Institutes of Health, CDC, NSA, NASA and U.S. nuclear weapons agencies. Just a few of the affected companies include Microsoft, Visa, AT&T, Lockheed Martin, Ernst & Young, Yahoo!, and the New York Times.
Within the SolarWinds Orion platform, the malicious plug-in FireEye dubbed SUNBURST was delivered as a digitally signed component that communicates via HTTP with third-party servers. By compromising SolarWinds’ build servers, the hackers could inject a backdoor into code that shipped to thousands of customers. After an initial dormant period, the malware retrieves and executes commands that can transfer and execute files, profile the system, reboot the machine, and disable system services. SUNBURST’s network traffic is disguised as Orion Improvement Program (OIP) protocol traffic, and the results of its reconnaissance are stored in legitimate SolarWinds plug-in configuration files so that they blend in.
Cozy Bear strikes again
In the latest chapter of the Cold War, information security is the name of the game. While FireEye was slow to point blame at Russia, indications continue to implicate the SVR, the Russian Foreign Intelligence Service, which serves as Russia’s intelligence and global espionage organization and is frequently referred to as Cozy Bear or APT29.
The SVR previously received attention for its successful hacks of the DNC and the White House in 2014 and 2015, using phishing lures for infiltration. A handful of years later, in the case of the SolarWinds breach, the SVR gained remote access through the supply chain into thousands of organizations for almost nine months. Unlike its counterpart, the GRU, the SVR is not known for destructive cyber operations, but the theft of intellectual property was substantial.
In a Dec. 17 blog post, Microsoft President Brad Smith said the attacks require “that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector in the United States to spearhead a strong and coordinated global cybersecurity response.”
Implications for the security industry
This week’s news brought with it two significant stories for the cybersecurity industry. The first, the FireEye attack, informed us that nation-states now have access to hacking tools they didn’t previously have; expect those tools to be turned to malicious use soon enough. The second, news of the Orion platform’s vulnerabilities, informed us of an enduring compromise.
Expect enhanced hacking tools
FireEye’s attack gave malicious actors hacking tools that can simulate what nation-states regularly do in cyberspace – accessing information for millions of individuals, hacking into the global economy, intellectual property theft, and more. While the news continues to evolve, it’s clear this breach will enhance Russia’s ability to see what companies and agencies are doing to defend against APTs.
On a macro-scale, there are little to no rules for these nation-state maneuvers.
Nation-sponsored efforts have occurred with minimal retaliation. On CNBC, former NSA agent and TrustedSec CEO David Kennedy noted a growing population connected to sophisticated organized crime groups makes breaches like this even more dangerous. Sharing these updated hacking capabilities will only lead to their use in ransomware schemes that rake in hundreds of millions of dollars every year, for example.
The optimistic take
CrowdStrike co-founder Dmitri Alperovitch – who earlier this year left the EDR vendor to form a nonprofit focused on geopolitical cybersecurity – offered an optimistic take. In the days after the news broke, FireEye has been transparent about the consequences and the remedies organizations can take to bolster their defenses, he noted. As for the SolarWinds compromise, Alperovitch said no intelligence agency could exploit all of the organizations listed. So instead of thousands exploited, he believes it was likely only hundreds.
In his closing comments to RSA on the news, Alperovitch emphasized recognizing our inherent cyber vulnerabilities as organizations, FireEye’s response to the attacks, and the needed hunt for adversaries in our networks.
“I’ve been saying for 10+ years that intrusions are inevitable, no one is immune, and everyone needs to start thinking about this in terms of we will likely get breached, we will likely get compromised, but how do we stop the damage from being done? And when you have organizations, FireEye, some of the best of the best out there, and I want to commend them for their response, it has been absolutely stellar. When they’re getting hit, it really tells you that no one out there is going to be invulnerable to this. The right way to think about security strategies going forward is to assume breach, hunt continuously for any presence of adversaries on your network, and kick them out as soon as possible.”
How can companies protect themselves?
Alperovitch mentioned continuous threat hunting as one way organizations can find threats as early as possible, which is critical for limiting damage. Other approaches include technologies like zero trust that attempt to limit intrusions, and behavioral technologies that recognize when something is amiss. And seemingly little things like patches are critically important – and would have protected a number of SolarWinds users in this case.
The best approach to cybersecurity, then, is to do the little things right, establish strong defenses – and detect the inevitable breaches as quickly as possible.
How did FireEye detect the breaches?
As FireEye caught both breaches – the SolarWinds vulnerability was how the attackers gained entry into FireEye’s network – the company clearly did something right. But how did FireEye detect the attacks? The company’s not saying, at least not yet.
“We’re still investigating,” Dan Wire, FireEye’s vice president of global communications, told eSecurity Planet. “No promises but I am hopeful we’ll be able to share some of the attacker TTPs [tactics, techniques and procedures] and how we detected the attack down the line. For the moment we don’t have anything specific to share.”
Asked if tools like patch management, threat hunting, zero trust and UEBA could help, Wire said:
“Certainly patch management, threat hunting and the tools you mention are all critical aspects, but remembering APTs are mission-based groups made up of humans who continually evolve their methods, it’s too simple to say do X to keep APTs out. For example there’s no piece of technology that will stop an attacker from calling an employee and getting them to disclose their credentials – a common APT tactic.
“Down the line I’m hopeful the industry will collect enough information about this supply chain compromise that we can share best practices and specifics about how to defend against the TTPs in this event.”
Guarding against misuse of certificates
Chris Hickman, chief security officer at digital identity security vendor Keyfactor, said the attackers misused X.509 certificates and keys as a part of their toolkit to infiltrate and spread while avoiding detection.
“Code signing is one component of the SolarWinds breach, but not because of a stolen certificate,” Hickman said. “Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates, allowing them to fabricate fake tokens for network access, transversing that to cloud access and subsequently manage network access and user permissions.
“This attack was highly sophisticated and the overarching theme here is not SolarWinds or FireEye. This is endemic of many organizations’ broad inability to track certificates within the business, know how those certificates are used and how to manage them effectively when something might be wrong. This kind of breach can happen to anyone and highlights the importance of certificate lifecycle management and having the processes and technology in place for visibility and certificate management.”
Keyfactor outlined some best practices to mitigate misuse of keys and certificates:
- Never store code-signing keys on developer workstations, web servers or build servers. Private keys should be kept in a FIPS 140-2 validated HSM.
- Segregate duties between who is authorized to sign code, who can approve the request, and who can monitor and enforce compliance with signing policies.
- Maintain an active inventory of all certificates, where they are installed, who they were issued from, and who owns them (and your domains).
- Control certificate issuance and approval workflows to ensure that every certificate is trusted, compliant with policy, and up-to-date.
- Test your certificate re-issuance and revocation capabilities to ensure you can respond effectively to a compromise.
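To make the inventory items above concrete, here is an added example in Go using only the standard library; it is not Keyfactor’s or the article’s code. It parses certificates and flags three things an inventory should surface: an issuer outside the organization’s approved list, expiry before a review deadline, and a code-signing extended key usage (which, per the first practice, means the key must be HSM-resident and the signer authorized). The certificates, the approved issuer name and the deadline are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Audit flags each DER certificate by subject CN: issuer not on the approved list, expiry before the deadline, code-signing EKU.
func Audit(ders [][]byte, approved map[string]bool, deadline time.Time) (map[string][]string, error) {
	flags := map[string][]string{}
	for _, der := range ders {
		c, err := x509.ParseCertificate(der)
		if err != nil {
			return nil, err
		}
		f := []string{}
		if !approved[c.Issuer.CommonName] {
			f = append(f, "issuer not approved: "+c.Issuer.CommonName)
		}
		if c.NotAfter.Before(deadline) {
			f = append(f, "expires "+c.NotAfter.Format("2006-01-02"))
		}
		for _, eku := range c.ExtKeyUsage {
			if eku == x509.ExtKeyUsageCodeSigning {
				f = append(f, "code-signing: confirm HSM-resident key and authorized signer")
			}
		}
		flags[c.Subject.CommonName] = f
	}
	return flags, nil
}
// selfSigned builds a constructed test certificate; a real inventory would read certificates from hosts, key stores and the CA.
func selfSigned(cn string, eku x509.ExtKeyUsage, notAfter time.Time) (der []byte) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.AddDate(-1, 0, 0), NotAfter: notAfter, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	der, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return der
}
func main() {
	now := time.Date(2020, 12, 18, 0, 0, 0, 0, time.UTC) // constructed audit date
	ders := [][]byte{selfSigned("build-signer.example", x509.ExtKeyUsageCodeSigning, now.AddDate(1, 0, 0)),
		selfSigned("web.example", x509.ExtKeyUsageServerAuth, now.AddDate(0, 0, 10))}
	fmt.Println(Audit(ders, map[string]bool{"Example Corp Issuing CA": true}, now.AddDate(0, 1, 0)))
}
```

Both sample certificates are self-signed, so neither issuer is on the approved list; the build signer is additionally flagged for its code-signing capability and the web certificate for expiring inside the 30-day review window.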
eSecurity Planet Editor Paul Shread contributed to this report. This updates a Dec. 16 article.