Cyberwarfare / Nation-State Attacks , Endpoint Security , Fraud Management & Cybercrime

CISA Warns SolarWinds Incident Response May Be Substantial

'All Network Assets' Monitored by Backdoored Orion Software May Need Rebuilding
CISA Warns SolarWinds Incident Response May Be Substantial

Federal, state and local governments are among the many victims of the supply chain attack that backdoored the SolarWinds Orion network-monitoring software, and victims "may need to rebuild all network assets" being monitored by the software, the U.S. Cybersecurity and Infrastructure Security Agency warns.

The U.S. probe into the attack, which is being led by CISA and the FBI, has found that government agencies of all sizes have been impacted.

See Also: Rapid Digitization and Risk: A Roundtable Preview

"CISA is tracking a significant cyber incident impacting enterprise networks across federal, state and local governments, as well as critical infrastructure entities and other private sector organizations," according to a SolarWinds Orion update CISA issued Wednesday.

The agency has not released any additional information on which government entities appear to have been affected by the apparent cyberespionage campaign that implanted a backdoor in the Orion network monitoring software built by Texas-based SolarWinds.

"This threat actor has the resources, patience and expertise to gain access to and privileges over highly sensitive information if left unchecked," the agency says. "CISA urges organizations to prioritize measures to identify and address this threat."

"Following incident response, your organization may need to rebuild all network assets monitored by SolarWinds Orion; this will be a resource-intensive, highly complex, and lengthy undertaking."
—CISA

The backdoor has been dubbed Sunburst by the security firm FireEye, which discovered the hacking campaign while investigating a breach of its own systems and brought it to light on Dec. 13.

SolarWinds says that nearly 18,000 of its customers may have installed the Trojanized software, which it first began inadvertently issuing in March.

Reflecting the widespread use of Orion, security firm McAfee says it's found backdoored versions of the software running in at least 51 countries and nearly two dozen sectors.

Investigators are now attempting to determine not only which organizations may have been running the Trojanized version of Orion, but especially which organizations were hit with second-stage malware, dubbed Teardrop by FireEye, which gave them additional capabilities.

"This could involve stealing data, destroying data, holding critical systems for ransom, orchestrating system malfunctions that could result in kinetic damage or simply implanting additional malicious content throughout the organization to stay in control and maintain access even after the initial threat appears to have passed," says Steve Grobman, CTO at McAfee.

The National Security Agency has warned that the SolarWinds attackers also have the ability to bypass authentication mechanisms, which they may utilize to hack organizations as part of second-stage attacks.

Russia Blamed for Espionage Campaign

Secretary of State Mike Pompeo and outgoing Attorney General Bill Barr have suggested that Russia is responsible for the supply-chain attack, although no evidence has been released to back up that assertion. Unnamed individuals with knowledge of the investigation, speaking on background to reporters, have said that the effort appears to trace to the SVR, which is Moscow's foreign intelligence service.

"The question I think we still don't have all the answers to is: Who was their target group?" says retired Gen. Keith Alexander, president of IronNet Cybersecurity, who previously directed the National Security Agency and U.S. Cyber Command.

"It wasn't all of them - it was some of them, a smaller set," Alexander says. "What were their objectives? And what does that mean for our country in terms of what we do as a nation in response?"

President-elect Joe Biden has promised to respond to the apparent espionage campaign. "There is still so much that we don't know, including the full scope of the breach or the extent of the damage it has caused. But we know this much - this attack constitutes a grave risk to our national security," Biden said Tuesday, according to a transcript of prepared remarks.

"We cannot let this go unanswered," Biden added. "That means making clear publicly who was responsible for this attack and taking meaningful steps to hold them to account."

Second-Stage Attack: At Least 40 Victims

Global prevalence of Sunburst - the Trojanized version of the Orion software from SolarWinds (Source: McAfee)

Microsoft says it has alerted about 40 of its customers that they were victims of the second-stage attack. Kevin Mandia, CEO of FireEye, estimates that attackers likely focused on about 50 extremely high-value targets. Each of these targets would have been infected with second-stage malware, giving attackers the ability to execute code remotely on victims' systems, steal data and potentially hack business partners.

The U.S. government is a large SolarWinds customer, and the National Institutes of Health, as well as the Commerce, Homeland Security, State and Energy departments, reportedly were running Trojanized versions of Orion. So too was the Treasury Department, which was breached as part of the SolarWinds supply chain attack in July.

"The hack of the Treasury Department appears to be significant," said Sen. Ron Wyden, D-Ore., the top Democrat on the Senate Finance Committee, in a statement.

Multiple lawmakers have been seeking more information about what government investigators have been finding. For example, Sen. Bob Menendez, D-N.J., has asked Pompeo to brief the Senate Foreign Relations Committee on how the SolarWinds incident affected the State Department.

Menendez, who is a ranking member of the committee, requested a classified briefing on the extent to which the "Russian-backed SolarWinds" hackers managed to infiltrate the State Department, other U.S. agencies and private entities.

Following the attack coming to light, FireEye, Microsoft and domain registrar GoDaddy were able to seize a malicious domain being used by attackers to disrupt their command-and-control - aka C2 - access to some infected endpoints.

Researchers at Chinese firm RedDrip Team have built a tool that has been able to decrypt some of the C2 information, which has helped to reveal some of the organizations that were running Sunburst. The organizations include technology giants Belkin, Cisco, Intel, NVidia and VMware, as well as Iowa State University, Pima County in Arizona and Hilton Grand Vacations, among many others.

'Burn It to the Ground'

In an incident response guide released on Wednesday, CISA urges all organizations that use Orion to determine if they - or their managed service providers - have been affected by the attack.

"If affected, make incident response and remediation your top priority ... allocate sufficient resources ... and maintain enhanced operational security during the incident response and remediation processes," CISA says. "Following incident response, your organization may need to rebuild all network assets monitored by SolarWinds Orion; this will be a resource-intensive, highly complex and lengthy undertaking."

Doing anything less may fail to fully eject attackers from affected networks, warns retired Brig. Gen. Gregory Touhill, who served as the first CISO for the federal government, in a blog post.

"That will likely force many to conclude that the only way to neutralize the threat is to 'burn down' their existing network and rebuild," he says (see: SolarWinds Breach Response: 'Shields Up').

"Recovering from this attack isn't easy," cybersecurity expert Bruce Schneier writes in a Wednesday opinion piece for the Guardian.

"Because any SVR hackers would establish persistent access, the only way to ensure that your network isn't compromised is to burn it to the ground and rebuild it, similar to reinstalling your computer's operating system to recover from a bad hack," Schneier writes. "This is how a lot of sysadmins are going to spend their Christmas holiday, and even then they can't be sure."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing fraudtoday.io, you agree to our use of cookies.