The SolarWinds hack, one of the largest cyberattacks to target US government agencies and private companies, is now seen as global in scope. How was it carried out, what data was taken, and why have US officials and politicians pointed to Russia?
The ‘SolarWinds hack’, a cyberattack recently discovered in the United States, has emerged as one of the biggest attacks ever mounted against the US government, its institutions and a number of private companies. It may also prove to be a global cyberattack.
It was first discovered by the US cybersecurity company FireEye, and further developments have come to light since. Parts of the US Treasury, the Department of Homeland Security, the Department of Commerce and the Pentagon are believed to have been affected, but the full extent of the attack is still unknown.
In an opinion piece for The New York Times, Thomas P. Bossert, former Homeland Security Adviser to President Donald Trump, blamed Russia for the attack: “The evidence in the SolarWinds attack points to the Russian intelligence agency known as the S.V.R., whose tradecraft is among the most advanced in the world.” The Kremlin has denied any involvement.
So what is the ‘SolarWinds hack’?
News of the cyberattack first surfaced on December 8, when FireEye published a blog post disclosing an attack on its own systems. The firm helps manage the security of several large private companies and federal government agencies.
FireEye CEO Kevin Mandia wrote in that post that the company had been “attacked by a highly sophisticated threat actor”, which he described as a state-sponsored attack, although he did not name Russia. He said the attack was carried out by a nation with “top-tier offensive capabilities” and that “the attacker primarily sought information related to certain government customers.” He added that the methods used by the attackers were novel.
Later, on December 13, FireEye said the campaign, which it tracks as UNC2452, was not limited to the company but had targeted various “public and private organizations” around the world. The post said the attack probably began in March 2020 and had continued for months. Worse, the extent of data stolen or compromised is still unknown, as the scale of the attack continues to emerge. Once systems were compromised, “lateral movement and data theft” followed.
How were so many US government agencies and companies attacked?
This is what is known as a ‘supply chain’ attack: rather than attacking the federal government or a private organization’s network directly, the hackers compromised a third-party vendor that supplies software to them. In this case the vehicle was Orion, an IT management platform made by the Texas-based company SolarWinds.
Orion is one of SolarWinds’ largest products, with more than 33,000 customers. SolarWinds says up to 18,000 of them may be affected. The company has meanwhile removed its customer list from its official website.
According to an archived copy of that page, the list included 425 of the Fortune 500 companies and all of the top 10 US telecom operators. A New York Times report said the Pentagon, the Centers for Disease Control and Prevention, the State Department, the Department of Justice and others were all affected.
Microsoft confirmed that it found the malware on its own systems, although it added that there was no evidence of “access to production services or customer data” or of its systems “being used to attack others”. Microsoft president Brad Smith said the company had “begun notifying more than 40 customers that the attackers targeted more precisely and compromised.”
A Reuters report said that even e-mails sent by Homeland Security officials were “monitored by the hackers.”
How did they access it?
According to FireEye, the hackers “gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software.” In other words, a legitimate Orion software update was tampered with to carry the ‘Sunburst’ backdoor, and that update was then installed by over 17,000 customers.
FireEye says the attackers relied on “multiple techniques” to evade detection and “obscure their activity.” The backdoor could transfer and execute files, profile the system, reboot the machine and disable system services. According to FireEye, what made the malware effective was its ability to “blend in with legitimate SolarWinds activity.”
Once installed, the malware gave the hackers backdoor access to SolarWinds customers’ systems and networks. More importantly, it could also identify security tools that might detect it, such as anti-virus and forensic software, and disable them.
Where is Russia on the scene?
In his NYT opinion piece Bossert pointed to Russia and its SVR as having both the tradecraft and the capacity to carry out an attack of this scale.
Microsoft notes in its blog that “this aspect of the attack creates a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.” The post goes on to say that sophisticated attacks originating from Russia are becoming more widespread.
FireEye, however, has not named Russia, saying the investigation is ongoing with the FBI, Microsoft and other key partners it did not name.
What did SolarWinds and the US government say about the attack?
SolarWinds is currently urging all its customers to immediately upgrade to the latest Orion platform release, which removes the malicious code. “If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment,” the company says.
Customers who cannot update are told to isolate “SolarWinds servers” and “block all Internet access from SolarWinds servers”. At a minimum, they are advised to “change passwords for accounts that have access to SolarWinds servers / infrastructure”.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, directing all federal civilian agencies to “review their networks for indicators of compromise” and to “immediately disconnect or power down SolarWinds Orion products”.
The FBI, CISA and the Office of the Director of National Intelligence issued a joint statement announcing a ‘Cyber Unified Coordination Group’ (UCG) to coordinate the government’s response to the crisis. The statement called it “a significant and ongoing cybersecurity campaign.”
The White House and President Donald Trump remained silent. Senator Mitt Romney, speaking to journalist Olivier Knox on SiriusXM radio, compared the attack to Russian bombers flying undetected across the country, exposing the vulnerability of the US to cyber warfare. He called the White House’s silence and inaction inexcusable.
Democratic Senator Richard Blumenthal tweeted that Russia’s cyberattack had left him “deeply alarmed, in fact downright scared.”
President-elect Joe Biden said in a statement: “A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.”
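For a reader who has to act on the guidance above and cannot patch straight away, the following PowerShell is an added example of what “isolate the server, block Internet access and find out whose passwords to change” looks like on an Orion host. It is not code from the article, from SolarWinds or from CISA. It assumes it is run as Administrator on the Windows server hosting Orion, that the private RFC 1918 ranges are the organisation’s internal network, that the Orion Windows services carry display names beginning with “SolarWinds”, and a 30-day lookback for logon events; all of those are assumptions, not facts from the page.

```powershell
<#
  Added example (not from the article, SolarWinds or CISA): emergency containment of
  a SolarWinds Orion host following the vendor guidance quoted above.
  Run elevated on the Orion server itself. The internal ranges, the service display
  name prefix and the lookback window are assumptions to adapt to the environment.
#>
[CmdletBinding()]
param(
    [string[]]$InternalRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),  # assumption
    [int]$LookbackDays = 30                                                           # assumption
)

# 1. Block Internet egress. Windows Firewall has no rule ordering and block rules always
#    win, so "deny everything except internal" is built from three pieces: switch the
#    profile default to Block, disable the existing outbound Allow rules (which would
#    otherwise still match), then add one narrow Allow rule for internal ranges so the
#    SOC jump host, internal DNS and the log collector stay reachable.
Set-NetFirewallProfile -All -Enabled True -DefaultOutboundAction Block -DefaultInboundAction Block
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True | Disable-NetFirewallRule
$allowInternal = @{ Action = 'Allow'; RemoteAddress = $InternalRanges; Profile = 'Any' }
New-NetFirewallRule -DisplayName 'IR-Orion-Allow-Internal-Out' -Direction Outbound @allowInternal | Out-Null
New-NetFirewallRule -DisplayName 'IR-Orion-Allow-Internal-In'  -Direction Inbound  @allowInternal | Out-Null

# 2. Stop and disable the Orion services so the trojanized component is no longer running.
Get-Service | Where-Object { $_.DisplayName -like 'SolarWinds*' } | ForEach-Object {
    Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $_.Name -StartupType Disabled
}

# 3. Enumerate every account that authenticated to this host (Security event 4624) in
#    the lookback window. These are the credentials the vendor says to change; the
#    actual rotation happens in Active Directory, this only produces the list.
function Get-AccountsToRotate {
    param([int]$Days)
    $since = (Get-Date).AddDays(-$Days)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            # Event 4624 field order: TargetUserName = 5, TargetDomainName = 6, LogonType = 8
            [pscustomobject]@{
                Account   = '{0}\{1}' -f $p[6].Value, $p[5].Value
                LogonType = [int]$p[8].Value
                Seen      = $_.TimeCreated
            }
        } |
        # Drop machine accounts (trailing $) and Windows built-ins; they are not rotated by hand.
        Where-Object { $_.Account -notmatch '\$$' -and $_.Account -notmatch '^(NT AUTHORITY|Window Manager|Font Driver Host)\\' } |
        Group-Object Account |
        ForEach-Object {
            [pscustomobject]@{
                Account    = $_.Name
                LogonTypes = ($_.Group.LogonType | Sort-Object -Unique) -join ','   # 2 interactive, 3 network, 5 service, 10 RDP
                LastSeen   = ($_.Group | Sort-Object Seen -Descending | Select-Object -First 1).Seen
            }
        } | Sort-Object LastSeen -Descending
}

Get-AccountsToRotate -Days $LookbackDays | Format-Table -AutoSize
```

Two caveats before running it. Disabling every outbound Allow rule is deliberately blunt: if the domain controllers or the logging pipeline sit outside `$InternalRanges` the host loses them too, so check the ranges first. And the account list only covers logons recorded on this one server; service accounts that Orion itself uses to poll other systems (stored in its own credential store) must be rotated as well, which this script cannot see.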
Source: The Indian Express