This week, the US government fell victim to a cyber attack — not for the first time. And just one week earlier, a major cybersecurity and forensics company announced they'd been compromised as well. It’s been a busy week in the cybersecurity industry!
On Tuesday, December 8th, 2020, FireEye announced they’d been compromised. A few days later, on December 14th, 2020, the US Department of Homeland Security, the United States Treasury, and the Commerce Department also reported they had been breached. These were among the most significant and high-profile attacks reported in an already very active year for cybercriminals.
These attacks appear to all result from a compromise of the build server for a SolarWinds product called Orion, a software used by networking professionals to manage their networks, systems, and information technology infrastructure. The threat actors embedded malicious code into the software before an update was released to all users, which resulted in malware being deployed to SolarWinds' customers, which led attackers to gain unauthorized access. Early reports suggest this attack began in March 2020. The tactics, techniques, and procedures in this attack (also referred to as “TTPs”) are what we refer to as a “supply chain compromise.” In other words, the bad actor embedded malicious code into software used in the supply chain or network of other companies to very quickly increase a widespread attack. This is the same technique used by the threat group Fancy Bear in the 2017 NotPetya attack. What’s significant about this attack is it appears to be led by a foreign nation state to gather information about the US government. We don’t know the specific objectives or targets of the espionage activity, whether it was related to the election, the coronavirus pandemic, or perhaps other themes entirely. Still, it does suggest there may be an escalation in the use of cyber espionage on behalf of government entities.
The most significant and immediate risk of the attack is business interruption and data exfiltration. Business interruption occurs when normal operations are halted (often due to a ransomware attack), and the organization loses productive time and revenue. Data exfiltration occurs when the attacker exports business-critical data before encrypting it and threatens to expose the data if the ransom isn’t paid. While the attack appeared to be very targeted in nature, any organization that uses SolarWinds Orion or relies on vendors or clients that use SolarWinds may be exposed. SolarWinds provided an advisory on December 15, 2020, and advised organizations that had Orion Platform versions 2019.4 HF 5 and 2020.2 with no hotfix or with 2020.2 HF 1 may have been exposed.
At Coalition, we scan for these types of vulnerabilities regularly with our Attack Surface Monitoring software. Thankfully, only a small number of our customers were impacted (and have already been notified). However, the risk of broader exposure to clients from larger vendors remains a risk. In addition to security alerts from Coalition, you may also refer to the Department of Homeland Security’s Emergency Directive 21-01 in response to this incident.
There are still a lot of unknowns about this attack, and we expect the situation and information available to change over the coming weeks. For example, the compromise of a build system at Solarwinds Orion was likely not the only compromise at SolarWinds.