Russian hackers suspected of months-long Sunburst campaign that compromised government agencies and private firms in U.S. and abroad
The U.S. government is directing federal civilian agencies to power down SolarWinds’ Orion software, and the company itself is advising customers to update the product, after Russian hackers allegedly used the software to attack government entities and private businesses in the United States and around the world.
The Lowdown: The moves come after cybersecurity vendor FireEye said over the weekend that a sophisticated and ongoing campaign, dubbed Sunburst, had weaponized updates to SolarWinds Orion to spread malware that’s enabled the attackers to monitor e-mail communications and steal data.
The Details: FireEye researchers did not name the perpetrators of the attacks – which may have started as early as March – but wrote that “the campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.”
Reuters and other news outlets citing sources reported that government officials and security researchers suspect Russian hackers are behind the attacks.
Those reports, citing the same anonymous sources, said the wide-ranging campaign also included the recent hack of FireEye itself, which the company revealed last week.
Russia’s foreign ministry in a Facebook post denied the country was behind the attacks.
The U.S. Treasury and Commerce departments were among the victims of the Sunburst campaign. Researchers believe the attackers were able to access the agencies and monitor e-mail traffic.
The response has been swift. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued its emergency directive soon after the FireEye blog was posted, noting that it was only the fifth such directive it has issued since Congress passed the Cybersecurity Act of 2015. Agencies using SolarWinds products were ordered to provide a report to CISA by noon ET Monday.
In addition, the National Security Council met at the White House on Dec. 12 to discuss the situation, Reuters reported.
SolarWinds in a security advisory noted that the “highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds [are] for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”
The Austin, Texas-based vendor recommended that organizations upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible – the latest version is available in the company’s customer portal – and said that an additional “hotfix release,” 2020.2.1 HF 2, likely will be made available Dec. 15, replacing the compromised component and including additional security enhancements.
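The advisory above defines exposure purely by build version: 2019.4 HF 5 through 2020.2.1 is affected, and 2020.2.1 HF 1 or later carries the replaced component. The following is an added example (not SolarWinds or CISA code) that parses Orion version strings, including the "HF n" hotfix suffix, into comparable tuples and classifies an inventory against those boundaries; it assumes a hotfix sorts after its base release and that a version with no suffix has hotfix number 0.

```python
"""Classify SolarWinds Orion build versions against the Sunburst-affected
range quoted in the vendor advisory. Added example, not vendor code."""
import re
from typing import Tuple

# Version boundaries exactly as stated in the SolarWinds advisory.
AFFECTED_FIRST = "2019.4 HF 5"
AFFECTED_LAST = "2020.2.1"
FIXED_FROM = "2020.2.1 HF 1"

# Accepts "2019.4", "2020.2.1", "2020.2.1 HF 1" (HF suffix optional).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2020.2.1 HF 1' into (2020, 2, 1, 1) so tuples compare naturally.

    Assumption: a hotfix sorts after its base release, and a release with no
    HF suffix has hotfix number 0. Numeric parts are padded to three so
    '2019.4' becomes (2019, 4, 0, 0).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return tuple(parts + [hotfix])


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'outside_range' for an installed build."""
    v = parse_version(version)
    if parse_version(AFFECTED_FIRST) <= v <= parse_version(AFFECTED_LAST):
        return "affected"
    if v >= parse_version(FIXED_FROM):
        return "fixed"
    return "outside_range"  # older than the first trojanized build


if __name__ == "__main__":
    # Constructed inventory of hypothetical hosts; not real data.
    inventory = {
        "orion-01": "2019.4 HF 5",
        "orion-02": "2020.2",
        "orion-03": "2020.2.1 HF 1",
        "orion-04": "2019.4 HF 4",
    }
    for host, ver in inventory.items():
        print(f"{host}: {ver} -> {classify(ver)}")
```

A version match is only a triage signal for the exposure assessment CISA asked for; a host that ran an affected build at any point during the campaign still needs the incident-response follow-up described later in the article.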
The Orion platform is part of SolarWinds’ IT infrastructure management unit and is used to monitor corporate and government networks. The platform is separate from the company’s MSP business, and executives reportedly said that none of the tools used by MSPs – such as its remote monitoring and management (RMM) solution – were compromised as part of the Sunburst campaign.
MSPs in recent years have become a target of attackers who see RMM products as ways to quickly access the corporate networks and data of the managed service providers’ customers. The FBI and Department of Homeland Security (DHS) in 2018 issued a warning notice to MSPs about an increase in attacks.
SolarWinds counts 499 of the Fortune 500 companies as customers, as well as a range of government agencies. Those include the Pentagon and the Department of Veterans Affairs, as well as the National Institutes of Health, DHS, and the FBI, Forbes said in a report.
The Impact: The sophisticated nature and long life of the attack have government officials and cybersecurity researchers worried that the breaches at agencies such as Treasury and Commerce are only part of a much wider campaign and that further compromises in other parts of the government or in the private sector will be found.
It also comes at a time of change for SolarWinds. Pulse Secure CEO Sudhakar Ramakrishna is scheduled to take over the top position at the company next month, replacing Kevin Thompson, who has been president and CEO for almost 11 years. At the same time, SolarWinds is mulling spinning off its MSP business, a decision that Ramakrishna will have to make.
The Buzz: “The actors behind this campaign gained access to numerous public and private organizations around the world,” FireEye researchers wrote in a blog post. “They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft.”
“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products,” Thompson said in a statement. “We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters.”
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” CISA Acting Director Brandon Wales said. Sunday night’s “directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners – in the public and private sectors – to assess their exposure to this compromise and to secure their networks against any exploitation.”
“If you’re a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team,” former CISA Director Chris Krebs wrote on Twitter. “Odds are you’re not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this.”