Agency Says Nation-State Hackers Used Other Methods as Well
An advanced persistent threat actor used other attack vectors besides the compromised SolarWinds Orion network monitoring software to gain a foothold in the networks of government agencies and others, according to a Thursday alert from the U.S. Cybersecurity and Infrastructure Security Agency.
The CISA alert does not identify the nation where the APT group is based. But individuals with knowledge of the investigation, speaking on background with news outlets, have suggested that Russia’s foreign intelligence service, the SVR, may have been responsible for this apparent cyberespionage operation. The Russian government has denied those assertions (see: SolarWinds Supply Chain Hit: Victims Include Cisco, Intel).
On Wednesday, the New York Times reported that the Department of Homeland Security’s intrusion detection system, known as Einstein, failed to detect the attack against government agencies.
CISA says that in addition to federal agencies, this hacking campaign poses a threat to state, local, tribal and territorial governments as well as critical infrastructure entities and other private sector organizations.
On Wednesday, Politico reported that the Department of Energy and the National Nuclear Security Administration, which maintains the nation’s nuclear weapons, were targeted in the SolarWinds attack. And Reuters reported Microsoft was affected as well.
About 18,000 SolarWinds customers are believed to be using infected software. According to reports earlier this week, victims include the U.S. Commerce, Homeland Security, State and Treasury departments as well as the National Institutes of Health. In the private sector, FireEye, Intel and Cisco have been affected (see: SolarWinds Supply Chain Hit: Victims Include Cisco, Intel).
“As the incident response activities and historical hunting continue, more details will trickle out to the public,” says Rick Holland, CISO of security firm Digital Shadows and a former Army intelligence analyst. “However, the general public is unlikely to ever know the complete scope and implications of these intrusions.”
“Additional Access Vectors”
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform,” the alert notes. “CISA is investigating incidents that exhibit adversary [tactics, techniques and procedures] consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.”
Review @CISAgov‘s new Alert on the #APT campaign against federal agencies & critical infrastructure, providing updated affected product versions, IOCs, ATT&CK® techniques, and mitigation steps. https://t.co/ZgzAbUNKjL #Cyber #Cybersecurity #Infosec
— US-CERT (@USCERT_gov) December 17, 2020
CISA did not describe the other attack vectors. But it notes the incident response firm Volexity has found tactics, techniques and procedures used against SolarWinds that are associated with other vectors.
Volexity has reported that the APT group linked to the SolarWinds attack used a secret key it had previously stolen to generate a cookie that bypassed the Duo multifactor authentication protecting access to Outlook Web App.
“Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the [tactics, techniques and procedures] are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known,” according to the CISA alert.
Previously, Volexity had found the APT group showed interest in accessing the email systems of its other victims (see: SolarWinds: The Hunt to Figure Out Who Was Breached).
Biden Issues Statement
President-elect Joe Biden issued a statement pledging to make dealing with the SolarWinds-related breach, and cybersecurity in general, a top priority for his administration.
“We will elevate cybersecurity as an imperative across the government, further strengthen partnerships with the private sector, and expand our investment in the infrastructure and people we need to defend against malicious cyberattacks,” Biden says.
Attackers’ Techniques Described
In Thursday’s alert, CISA describes how the attackers used anti-forensic techniques to hide their activities and used spoofed tokens for lateral movement.
“The adversary is using virtual private servers, often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic,” CISA says. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.
Spoofed but valid tokens are being heavily leveraged to circumvent commonly used detection techniques, the alert says. Because the tokens themselves pass validation, detecting their misuse requires a victim to be able to identify actions inside its network that fall outside a user’s normal scope.
“Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain a covert presence,” CISA says.
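The Duo cookie bypass reported by Volexity and the spoofed-but-valid tokens described in the alert share one defensive consequence: token validity is not a signal, so detection has to rest on what a user normally does and from where. The following is an added example, not code from the article, CISA or Volexity, of a small baseline-based detector over constructed access logs. The log schema (user, source IP, action, token ID) and the set of “sensitive” mailbox actions are assumptions for illustration.

```python
"""
Added example: flag sessions whose token is valid but whose use falls outside
a user's established baseline. The log schema and action names are assumed.
"""
from collections import defaultdict

# Constructed sample logs: (user, source_ip, action, token_id).
# BASELINE_LOGS stands in for a trusted historical period.
BASELINE_LOGS = [
    ("alice", "203.0.113.10", "owa.login", "tok-a1"),
    ("alice", "203.0.113.10", "mail.read", "tok-a1"),
    ("alice", "203.0.113.11", "owa.login", "tok-a2"),
    ("alice", "203.0.113.11", "mail.read", "tok-a2"),
    ("bob", "198.51.100.5", "owa.login", "tok-b1"),
    ("bob", "198.51.100.5", "mail.read", "tok-b1"),
]

# RECENT_LOGS is the window under review. All tokens here are assumed to
# have passed validation; that is exactly why validity is not used as a signal.
RECENT_LOGS = [
    ("alice", "203.0.113.10", "mail.read", "tok-a3"),    # normal
    ("alice", "192.0.2.77", "owa.login", "tok-a9"),      # new source, routine action
    ("alice", "192.0.2.77", "mail.export", "tok-a9"),    # new source, sensitive action
    ("bob", "192.0.2.78", "mail.read", "tok-b1"),        # known token, second source
]

# Assumed set of actions worth alerting on when they come from an unseen source.
SENSITIVE_ACTIONS = {"mail.export", "mailbox.delegate", "inbox.rule.create"}


def build_baseline(logs):
    """Per-user source IPs and actions, plus per-token source IPs, from trusted logs."""
    ips = defaultdict(set)
    actions = defaultdict(set)
    token_ips = defaultdict(set)
    for user, ip, action, token in logs:
        ips[user].add(ip)
        actions[user].add(action)
        token_ips[token].add(ip)
    return {"ips": ips, "actions": actions, "token_ips": token_ips}


def detect(logs, baseline):
    """Return one finding per event that falls outside the user's normal scope.

    Three heuristics, none of which depends on the token being invalid:
      1. a sensitive action from a source address never seen for this user;
      2. an action the user has never performed, from a source never seen;
      3. one token presented from more than one source address.
    Heuristic 3 is tracked across the reviewed window, not only the baseline.
    """
    findings = []
    token_ips = {t: set(v) for t, v in baseline["token_ips"].items()}
    for user, ip, action, token in logs:
        reasons = []
        new_ip = ip not in baseline["ips"][user]
        if new_ip and action in SENSITIVE_ACTIONS:
            reasons.append("sensitive action from source never seen for user")
        if new_ip and action not in baseline["actions"][user]:
            reasons.append("new action from new source")
        seen = token_ips.setdefault(token, set())
        if seen and ip not in seen:
            reasons.append("token used from more than one source address")
        seen.add(ip)
        if reasons:
            findings.append({"user": user, "ip": ip, "action": action,
                             "token": token, "reasons": reasons})
    return findings


def run_example():
    """Run the detector over the constructed logs and return its findings."""
    return detect(RECENT_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['user']} {f['ip']} {f['action']} ({f['token']}): {'; '.join(f['reasons'])}")
```

The detector deliberately keys on each user’s own source history rather than on country, because the alert notes the adversary uses servers with IP addresses in the victim’s home country; a geolocation allowlist would pass such traffic. Rotation of “last mile” addresses is what the third heuristic (one token, several sources) is meant to surface. A plain login from an unseen address is not flagged on its own, since that is common for legitimate users; it is the combination with a sensitive or never-before-seen action that produces a finding.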
Initial SolarWinds Attack
On Sunday, FireEye revealed that SolarWinds had been hit with a supply chain attack as far back as March, with attackers adding a backdoor to the company’s Orion network monitoring software, apparently by having infiltrated its software development pipeline.
Also on Sunday, CISA issued an emergency directive to federal agencies to disconnect any devices that are infected (see: 5 US Government Agencies Hit So Far in SolarWinds Hack).
The hackers used their access to SolarWinds to infiltrate the company’s Orion platform, adding a backdoor that was then delivered to customers when the software was updated. The malicious software updates were signed using valid digital signatures and could steal files, profile systems and disable system services, FireEye said Sunday.
CISA notes that not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary for follow-on actions.
Managing Editor Scott Ferguson contributed to this story.