Solarwinds Breach: What is SUNBURST?

According to FireEye, the global cybersecurity firm that was itself recently compromised, suspected state-sponsored hackers have breached the networks of the US Treasury and Commerce departments as part of a global cyber-espionage campaign. They accomplished this by injecting malware into a SolarWinds software update, the event now known as the SolarWinds breach.

Introduction

We are all regularly encouraged to install software updates, which bolster our applications by improving their security and removing identified software defects.

In the spring of 2020, amid the early days of the coronavirus pandemic, a pop-up message appeared on the screens of IT staff around the globe who use a prevalent product known as Orion, developed by the security software firm SolarWinds. It is estimated that 18,000 organizations and governments were impacted by the malicious update. What they were unaware of was that the update had been compromised by an intentionally introduced vulnerability, known as ‘SUNBURST’.

As we have noted in previous Packetlabs articles, cyber-espionage often involves an element of stealth and, equally often, a period of apparent dormancy. As mentioned, the first phase of this cyber-espionage campaign began in the spring of 2020. The downloaded malware gave the hackers remote access to victims’ networks. Based on expert opinions from the FBI and the Department of Homeland Security, the investigation so far points to a grand-scale penetration of the United States Government. After the initial period of dormancy, the undetected software “called home” to notify its creators that it had gained access and was ready to hand that access over.
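The “dormant, then call home” behaviour described above is something a defender can hunt for in outbound DNS or proxy logs: a compromised host contacting the same domain at a near-constant interval. The script below is an added example, not code from the Packetlabs post or from any SolarWinds investigation; the log lines, host names and domain names are constructed, and the thresholds are assumptions. It flags host/domain pairs whose request intervals are unusually regular, which is how a beaconing implant stands out from ordinary, bursty user traffic.

```python
"""Detect periodic 'call home' traffic in DNS/proxy logs.

Added example (not from the Packetlabs post): flags a host/domain pair whose
outbound requests recur at near-regular intervals, as a dormant implant
beaconing to its operator would. All log lines and names are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "timestamp,src_host,queried_domain".
# ws-017 queries one domain every hour almost to the second; ws-042's
# traffic to a news CDN is irregular, as human browsing usually is.
SAMPLE_LOG = """\
2020-06-01T09:00:00,ws-017,updates.example-vendor.test
2020-06-01T09:00:05,ws-017,cdn.example-news.test
2020-06-01T10:00:02,ws-017,xk3f.example-c2.test
2020-06-01T11:00:01,ws-017,xk3f.example-c2.test
2020-06-01T11:14:33,ws-017,mail.example-corp.test
2020-06-01T12:00:03,ws-017,xk3f.example-c2.test
2020-06-01T13:00:00,ws-017,xk3f.example-c2.test
2020-06-01T13:05:10,ws-042,cdn.example-news.test
2020-06-01T15:40:00,ws-042,cdn.example-news.test
2020-06-01T16:12:00,ws-042,cdn.example-news.test
"""


def parse_log(text):
    """Group request timestamps by (host, domain)."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split(",")
        series[(host, domain)].append(datetime.fromisoformat(ts))
    return series


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps),
    or None when there are too few requests to judge regularity."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    if m == 0:
        return None
    # A low coefficient of variation means the gaps are nearly identical.
    return m, pstdev(gaps) / m


def find_beacons(text, min_requests=3, max_cv=0.1):
    """Return [(host, domain, mean_interval_seconds)] for suspiciously
    regular host/domain pairs. Thresholds are assumed tuning values."""
    hits = []
    for (host, domain), stamps in parse_log(text).items():
        score = beacon_score(stamps)
        if score is None or len(stamps) < min_requests:
            continue
        interval, cv = score
        if cv <= max_cv:
            hits.append((host, domain, round(interval)))
    return hits


if __name__ == "__main__":
    for host, domain, interval in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {domain}: ~{interval}s period")
```

Run against the constructed log, only ws-017’s hourly contact with the odd-looking domain is reported; a real hunt would feed this weeks of resolver or proxy logs and treat hits as leads for triage rather than verdicts, since legitimate software also polls on timers.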

SolarWinds Breach Background

As cybersecurity researchers are still trying to understand the full scope of the damage, it has become clear that it will be quite some time before we know. Unfortunately, it gets worse. Much worse. Early investigations into the attack make it seem clear that, as highlighted in our previous article, initial access brokers have been offering access to SolarWinds on exploit forums as far back as 2017.

The Target

For a period of months, the hackers, suspected to be a state-sponsored team, moved about in secret: spying, stealing information, and perusing thousands of organizations.

Of these, the most high-profile target so far is the United States government. Multiple office networks reported compromise, including those of the Treasury and Commerce departments and Homeland Security. In direct response, both private and government organizations across the globe find themselves rushing to disable their affected SolarWinds server software, which acted as the conduit for the US Treasury, Commerce and FireEye compromises.

SolarWinds Response

SolarWinds has stated that the vulnerability was linked to updates released between March and June for its “Orion” software, a product that is ironically designed to help organizations monitor their networks for suspicious activity. The compromise is critical because SolarWinds access would give an attacker complete access to, and full visibility into, the victim’s network.

Although the compromise is believed to have affected fewer than 18,000 customers, on Sunday, December 13th, SolarWinds advised nearly 33,000 Orion product customers of it.

SolarWinds Breach: Global Impact

The impact of this compromise may well prove to be one of the most significant espionage efforts to date, sending shockwaves across global economies and government agencies. SolarWinds notes on its website that it has some 300,000 customers worldwide, including all five branches of the U.S. military, the Pentagon, the State Department, NASA, the NSA, the Department of Justice and the White House. In addition, it states that the 10 leading United States telecommunications companies and the top five United States accounting firms are also among its listed customers.

“We don’t think anyone else in the market is really even close in terms of the breadth of coverage we have,”

Kevin Thompson, SolarWinds Chief Executive

Unfortunately, dominance became a liability. The customers put at risk in this attack are key pillars of our national and economic welfare. To put it plainly, the protection afforded to SolarWinds customers has global significance, since it is what allows all of the affected parties to function with a degree of safety in our digital world.

Breaking: Microsoft a Victim or a Conduit?

As of December 17th, Reuters reports that Microsoft, whose own products have been used to leverage the attacks, has found SolarWinds binaries in its environment; these have reportedly been isolated and removed. In an obvious effort to save face, Microsoft has since added that, at this time, there is no evidence that its systems have been used to attack others.

Summary

The long and short of it is that when a global security vendor can’t be bothered to set a secure password, multinational organizations, including government agencies, become trivial targets for malicious hackers, and that does not bode well for anyone.

If you have any questions about anything you have read here, or would like to learn how Packetlabs’ services can help secure your organization from cyberthreats, please contact us for more information!