Investigators Reportedly Finding Many More Victims Suffered Serious Intrusions
Mathew J. Schwartz (euroinfosec) • January 5, 2021
As investigators probe the SolarWinds hack, they’re finding that the supply chain campaign appears to have reached farther than they first suspected.
The New York Times reports that investigators now believe that up to 250 organizations may have been subjected to more advanced hacking as part of the campaign.
The supply chain attack installed a backdoor in Orion – a widely used security tool developed by Texas-based SolarWinds – that shipped beginning in March. For nine months, the backdoor, known as Sunburst, phoned home from about 18,000 customers’ systems to attackers’ command-and-control servers. For a subset of infected endpoints, attackers dropped second-stage malware called Teardrop that could exfiltrate data, install additional malware and backdoors, and help hackers reach other systems
On Tuesday, the federal Cyber Unified Coordination Group, formed to investigate the breach, noted in a statement: “An advanced persistent threat actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly.”
The group, which comprises the U.S. Cybersecurity and Infrastructure Security Agency, the FBI, the National Security Agency and the Office of the Director of National Intelligence, said that the investigation so far has revealed that “fewer than 10” federal agencies have been affected by follow-on activities tied to the attack.
The alleged Russian intelligence campaign was discovered and brought to light on Dec. 13 – not by the U.S. intelligence establishment, but rather by California-based cybersecurity firm FireEye – a victim that investigated the theft of some of its own penetration testing tools. FireEye CEO Kevin Mandia subsequently estimated that perhaps 50 organizations had been subjected to second-stage attacks that involved not just systems phoning home, but being infected with the Teardrop malware
Microsoft on Dec. 17 reported that at least 40 of its customers had fallen victim to second-stage attacks. Subsequently, however, the technology giant revealed that both it and its resellers had also been breached. On Thursday, Microsoft warned in a blog post that attackers even accessed source code for undisclosed products, although it said the risk posed to customers was low.
Confirmed Sunburst victims include the U.S. Commerce, Homeland Security, State and Energy departments, as well as some branches of the Pentagon. Other targeted organizations include technology giants Belkin, Cisco, Intel, NVidia and VMware, as well as Iowa State University, Pima County in Arizona and Hilton Grand Vacations, among many others.
Feds Issue Emergency Alert
The risk posed by Sunburst is considered to be so severe that, on Thursday, CISA issued an emergency directive requiring that all federal organizations still running vulnerable SolarWinds Orion software update to the latest version by the end of the day, or else “disconnect or power down” the software.
The latest estimate that up to 250 organizations may have been compromised as part of the supply chain attack comes via Amazon’s intelligence team, The New York Times reports, adding that unnamed officials have cautioned that some victims may have been counted twice.
SolarWinds has issued patches for Orion against Sunburst, as well as for malware called Supernova – aka CosmicGale – that targeted flaws in Orion.
Some security experts say it now appears that Sunburst is not connected to Supernova. Microsoft security engineer Nick Carr reports in a post to GitHub that Supernova and Sunburst “have not been conclusively tied to the same threat actor.” While both used malicious DLL files, unlike Sunburst, the Supernova web shell was not signed using the SolarWinds digital certificate, but rather appears to have been installed by attackers exploiting a zero-day flaw that was already present in the software.
Experts say the campaign to install backdoors on valuable systems has all the hallmarks of an intelligence gathering operation.
“The real objective it to gain information – what Treasury is thinking, what Commerce is thinking, what Homeland Security is thinking, what the State Department does. They want insights into what’s going on in our country,” retired Gen. Keith Alexander, who previously directed the National Security Agency and U.S. Cyber Command, said on the “CBS Sunday Morning” TV program.
Alexander, who’s now president of IronNet Cybersecurity, says government hackers having backdoor access to key systems is dangerous not just from an intelligence standpoint, but because it would also have allowed Moscow to unleash attack code – for example, to disrupt systems or delete data – if it chose to do so.
Expect Code Updates From Microsoft
Incident response efforts at organizations affected by Sunburst are continuing.
What’s the risk posed by victims that are suppliers to other organizations? Multiple organizations, including the U.S. Treasury, appear to have had their Microsoft 365 environments breached after attackers subverted infrastructure used by their Microsoft reseller.
Attackers also viewed – but reportedly would not have been able to alter – the source code for several, as yet unnamed, Microsoft products. But the company says it has designed its source code repositories with an “assume breach” mindset. “We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code,” Microsoft says in a Thursday blog post about the SolarWinds supply chain attack, which it calls Solorigate instead of Sunburst.
The technology giant likely is already putting in place specific defenses to counter any potential flaws that attackers might attempt to exploit, says Jake Williams, a former member of the NSA’s offensive hacking team who’s now president of Atlanta-based consultancy Rendition Infosec.
Microsoft already has some of the industry’s most advanced security processes in place, nearly two decades after it “practically invented the ‘secure software development lifecycle,'” he says. “The attackers are unlikely to find some secret engineering backdoor in the code,” he tweets. “So is this still a big deal? Perhaps. Source code access makes a lot of things way easier. If you need to write rootkits … then source code access really helps.”
Despite Microsoft’s assurances, developers may also have inadvertently left details in the code that attackers could exploit.
“Whether usernames/passwords, API keys or tokens, modern applications are built as a mesh network of microservices, libraries, APIs and software development kits that often require authentication to deliver the core service,” says Andrew Fife, vice president of marketing at source code control vendor Cycode, in a blog post. “It’s common for developers to write these secrets directly into the source code on the assumption that only insiders can view them.”
Attackers could also reverse-engineer Microsoft code to find new ways to exploit it.
“Math lesson: View source code and nation-state reverse-engineering resources equals a strong possibility of endless zero days and remote-code exploitation against vulnerabilities found in that source code,” tweets Ian Thornton-Trump, CISO at London-based threat intelligence firm Cyjax.
“Strap in,” he adds. “It’s going to be a wild next couple of months.”
From 2014 to 2017, Thornton-Trump served as a cybersecurity adviser to SolarWinds. He tells The New York Times that he departed after the company failed to heed his warnings to take a more proactive approach to internal security controls.
Thornton-Trump declined to comment further.
The New York Times cites former employees saying that SolarWinds, driven by the need to comply with the EU’s General Data Protection Regulation that came into full effect in May 2018, hired its first-ever CIO in 2017 and created a new vice president of “security architecture” role.
SolarWinds Investigation Continues
SolarWinds says that, in the wake of the attack campaign being uncovered, it has moved to improve its security processes. “We have reviewed our environment, giving an initial focus on ensuring the security of our build environment, including our source code repositories,” the company says in a security advisory FAQ. “We have reviewed the architecture of the build environment, the privileged and non-privileged users that have access to the build environment and the network surrounding the build environment.”
The company says it has also brought in outside digital forensics experts to help it identify where and when the vulnerabilities were exploited and to protect future software builds. SolarWinds says that, so far, it appears that its software build system was compromised to add the backdoor.
The New York Times reports that SolarWinds’ engineering operations are now largely based in Eastern Europe – the Czech Republic, Poland and Belarus – and investigators are exploring whether those operations may have been subverted by Russian intelligence to sneak Sunburst into the Orion software development pipeline.