The March 2020 SolarWinds hack, which went undiscovered for months, has been formally blamed on Russian hackers by a coalition of US intelligence agencies calling themselves the Cyber Unified Coordination Group. The Office of the Director of National Intelligence, along with the Cybersecurity and Infrastructure Security Agency (CISA), the FBI and the NSA, has determined that the breach was “likely” the work of the advanced persistent threat (APT) group “Cozy Bear”.
Cozy Bear, a thorn in the side of the US government, has been active since at least 2010, but became a household name in 2016 with the violation of the Democratic National Committee and the leak of internal emails before the presidential elections.
SolarWinds hack undiscovered for most of 2020, hit more than 200 organizations
First appearing in federal systems in March 2020, the SolarWinds hack was not revealed to the public until mid-December, and it is still unclear exactly how long the breach window was open. Microsoft and VMware were also breached by Russian hackers around this time, although the focus is on SolarWinds in this case, as it has contracts with a wide range of federal agencies. The attackers compromised the Orion software, which is used in enterprise-level IT management to manage logins and monitor traffic across multiple locations.
Although federal agencies were thought to have been first breached in March, Russian hackers appear to have compromised SolarWinds in October 2019. That initial attack on SolarWinds appears to have been a test, with the attackers entrenching their positions and setting up the command-and-control architecture from December to February. March is the first point at which Russian hackers started inserting backdoor-building malware into Orion updates, which were sent to a variety of government agencies. These tainted updates appear to have affected some 18,000 organizations in total, including many private companies, but the Russian hackers were very selective about which of the installed backdoors they actively exploited and appeared to be interested only in very high-value spy targets.
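The mechanism described above is a supply-chain compromise: the backdoor rides inside a vendor update that customers install as a matter of routine. The script below is an added example, not SolarWinds' or any vendor's code, showing the integrity check a defender performs on an update package before installing it: every file's SHA-256 is compared against a vendor-signed manifest, and unlisted or altered files are reported. All file names, contents and the signing key are constructed for the example, and an HMAC stands in for the asymmetric signature a real vendor would use (an assumption made so the example runs on the standard library alone).

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed demo key. A real vendor signs with a private key and ships the
# public key; HMAC is used here only so the example runs offline (assumption).
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def _canonical(manifest: dict) -> bytes:
    """Deterministic JSON encoding so the signature covers a fixed byte string."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(files: dict, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: build {name: sha256} for the package and sign it."""
    manifest = {name: sha256_hex(blob) for name, blob in sorted(files.items())}
    tag = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    return {"files": manifest, "sig": tag}


def verify_update(signed: dict, files: dict, key: bytes = VENDOR_KEY) -> list:
    """Customer side: return a list of problems; an empty list means the package checks out."""
    problems = []
    manifest = signed["files"]
    expected = hmac.new(key, _canonical(manifest), hashlib.sha256).hexdigest()
    # Constant-time compare; if the manifest itself is forged, its hashes are worthless.
    if not hmac.compare_digest(expected, signed["sig"]):
        problems.append("manifest signature invalid")
        return problems
    for name, blob in files.items():
        if name not in manifest:
            problems.append(f"unlisted file in package: {name}")
        elif sha256_hex(blob) != manifest[name]:
            problems.append(f"hash mismatch: {name}")
    for name in manifest:
        if name not in files:
            problems.append(f"listed file missing from package: {name}")
    return problems


# Constructed sample package: what the vendor built and signed ...
GOOD_UPDATE = {"core.dll": b"legit build 2020.2", "web.dll": b"legit web module"}
SIGNED = sign_manifest(GOOD_UPDATE)

# ... and a copy tampered with after signing: one module altered, one file added.
TAMPERED_UPDATE = dict(GOOD_UPDATE)
TAMPERED_UPDATE["core.dll"] = b"legit build 2020.2 + injected code"
TAMPERED_UPDATE["extra.dll"] = b"unexpected payload"

if __name__ == "__main__":
    print("good package:", verify_update(SIGNED, GOOD_UPDATE))
    print("tampered package:", verify_update(SIGNED, TAMPERED_UPDATE))
```

The check catches anything changed between the vendor's signing step and the customer's installation. Its limit is exactly the case the article describes: when the backdoor is inserted in the vendor's build before signing, the manifest and signature are genuine and the tampered module verifies cleanly, which is why detection in that scenario has to come from hunting for post-install intrusion activity rather than from package integrity alone.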
The joint statement by the intelligence agencies clarified that the SolarWinds hack is believed to be an “intelligence gathering effort” backed by Russia’s Foreign Intelligence Service (SVR RF). Rosa Smothers, a former CIA cyber threat analyst / technical intelligence officer and current senior vice president at KnowBe4, suggested that SolarWinds software was originally compromised from within: “As recently reported at the NYT, SolarWinds moved much of its engineering to satellite offices in the Czech Republic, Poland and Belarus, where engineers had extensive access to the Orion network management software that the Russian agents compromised. As a former CIA officer who was intrinsically involved in HUMINT-enabled cyber operations, there is a huge window of opportunity – we call it ‘detect, assess and recruit’ – in areas where there is amplified geopolitical tension. For example, Belarus is currently fighting overt Russian influence.”
Russian hackers turn up the heat
Some observers have characterized the SolarWinds hack as the most damaging to the US in the history of cyber espionage, given the number of agencies it compromised and the length of time it was active prior to discovery. US cybersecurity experts acknowledged releasing the joint statement in part due to rumors that the SolarWinds hack had compromised voting systems, seeking to quell growing unrest over the election results.
Although the software update breach does not appear to be linked to any kind of electoral fraud, it certainly gave Russian hackers access to the high-value information they were looking for. The Commerce Department reported that the email accounts of some high-ranking government officials had been compromised. The Defense Department said “parts” of the Pentagon were breached. The Department of Energy reported that the National Nuclear Safety Administration (responsible for the nuclear arsenal) and the Sandia and Los Alamos national laboratories were breached among other agencies, although the department claims that only “business functions” were affected, without any breach of national security. Some email accounts in the Departments of Justice and the Treasury were thought to have been breached, and the National Institutes of Health are alleged to have been raided for information on Covid-19. The Wall Street Journal is also now reporting that the federal court system has been breached and that highly sensitive court documents are being moved to a separate system as a precaution.
Although it does not appear to have had any influence on the election, the attack comes during one of the most controversial presidential elections in US history. President Trump has persisted with allegations of voter fraud to the point where nearly every major social media platform banned him out of fear of continued political violence; in the wake of the discovery of the SolarWinds hack, he initially blamed China and was criticized for failing to appoint a new cyber chief to the Department of Homeland Security in a timely manner.
Although Russian hackers may have installed backdoors in up to 18,000 private companies, intelligence agencies declined to indicate how many (if any) of them were actually exploited. SolarWinds patched and updated its Orion update processes on December 14. Rick Holland, director of information security at Digital Shadows, offered the following advice to organizations potentially affected by the SolarWinds hack: “The focus should be on investigating your environment and looking for evidence of an intrusion. The various FireEye and Microsoft blogs continue to be helpful resources for this. Companies should look for other suppliers in the supply chain that could centrally manage the environment and look for anomalous activities. Set up Google alerts to monitor your supply chain for announcements of non-compliance. Microsoft revealed that more than 40 other organizations have likely been compromised as well; SolarWinds is not the only goal of this campaign… The best defense against nation-state adversaries is to recognize that they can’t be stopped, but then focus on making life as difficult as possible for them. Make sure you have your vendor hardening guidelines in place. Take a risk-based approach to vulnerability management. Do not deploy administrative consoles on public networks. Enforce multi-factor authentication to prevent account hijacking.”