What we know
An advanced hacking group used a popular network management product, SolarWinds Orion, to compromise organizations around the world. It appears to have started back in March 2020. SolarWinds has issued patches, but you should remove the software if at all possible. Read the FireEye post, then follow the Emergency Directive.
Summary from FireEye:
FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.
An oversimplified and preliminary explanation
Some very advanced attackers, likely Russia, put out a SolarWinds update back in the spring that looked like it came from SolarWinds but also included their hacking tools. Once installed, it stayed quiet for a bit and then very discreetly started to investigate the network and called home for further instructions. It could steal credentials and data if so instructed. Lots of organizations run this software, so it’s big and bad.
If you are running SolarWinds Orion you need to follow the Emergency Directive from CISA. I always recommend that clients follow the ED if at all possible; if you can’t follow their advice in the ED, you need to document your business justification and additional mitigation actions. Yes, a Federal Directive is only binding for federal agencies, but unless your Security Team gave you better intel by Sunday night you should start here. If you aren’t running SolarWinds, then use this as a crucial reminder of the importance of Supply Chain Risk Management and maybe even run a Tabletop exercise (TTX).
Read these 2 first:
- FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
- CISA Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
- SolarWinds Security Advisory
- CISA Advisory: Active Exploitation of SolarWinds Software
- Detection Rules from FireEye
In the News
- NYT: Russian Hackers Broke Into Federal Agencies, U.S. Officials Suspect
- WaPo: Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce
- Reuters: Suspected Russian hackers spied on U.S. Treasury emails – sources
For more info follow me on Twitter, where I’ll try to share more information and analysis in the coming days. Also put FireEye on your Christmas card list. We owe them a big thank you.