It's all over the press. A wide swath of U.S. Government orgs were hacked by the Russians. They accessed those networks by slipping malware into a SolarWinds software update, according to the global cybersecurity firm FireEye, which was also compromised. The first phases of this monthslong cyberespionage campaign started in the spring. The malware gave the hackers remote access to victims' networks. Here is what CISA said:
WASHINGTON – The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise involving SolarWinds Orion products that are currently being exploited by malicious actors.
This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales.
“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”
This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.
Solarwinds is aware and advises customers to upgrade to Version 2020.2.1 HF 1 immediately. “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state,” said SolarWinds CEO Kevin Thompson in a statement. The compromise is critical because SolarWinds would give a hacker “God-mode” access to the network, making everything visible,
The company said in its SEC filing that its Microsoft Office 365 email systems had been compromised and that this incident “may have provided access to other data contained in the company’s office productivity tools.” In a Sunday blog post, Microsoft said that it hadn’t identified any vulnerabilities in its products as a result of its investigation into the incident.
The still-unfolding breach may have resulted in malicious code being pushed to nearly 18,000 customers, the
company said, Microsoft should soon have some idea which and how many SolarWinds customers were affected, as it recently took possession of a key domain name used by the intruders to control infected systems.
So, how did the hackers get into Solarwinds? A pretty good guess is a spear phishing attack on their development team so that the bad guys could take over their software dev process. APT29 most successfully uses spear phishing to gain access to a network; from there they escalate permissions to expand into the network.