This means there are really three subgroups within the potential victims of these attacks: Orion users who installed the backdoor but were never otherwise exploited; victims who had some malicious activity on their networks, but who ultimately weren’t appealing targets for attackers; and victims who were actually deeply compromised because they held valuable data.
“If they didn’t exfiltrate data, it’s because they didn’t want it,” says Jake Williams, a former NSA hacker and founder of the security firm Rendition Infosec. “If they didn’t take access, it’s because they weren’t interested in it.”
Even so, that first and second group still need to neuter the backdoor to prevent future access. Since it was able to analyze indicators from its own breach, FireEye led an effort that other firms have since joined to publish information about the anatomy of the attacks. Some of the “indicators of compromise” include IP addresses and Domain Name Service record responses associated with the attackers’ malicious infrastructure. Responders and victims can use this information to check whether servers or other devices on their networks have been communicating with the hackers’ systems. Microsoft also worked with FireEye and GoDaddy to develop a sort of “kill switch” for the backdoor by seizing control of IP addresses the malware communicates with, so it can’t receive commands anymore.
Eliminating the backdoor is crucial, especially since the attackers have still been actively exploiting it. And now that the technical details about their infrastructure are public, there’s also a risk that other hackers could piggyback on the malicious access as well if it’s not locked down.
In the House
For victims who suffered deeper compromise, though, simply closing the door is not enough, because attackers have already established themselves inside.
For clear targets like US government agencies, the question is what exactly attackers got access to and what bigger picture that information can paint in terms of geopolitics, US defensive and offensive capabilities across the Department of Defense, critical infrastructure, and more.
Identifying exactly what was taken is challenging and time consuming. For example, some reports have indicated that hackers breached critical systems of the Department of Energy’s National Nuclear Security Administration, which is responsible for the US nuclear weapons arsenal. But DOE spokesperson Shaylyn Hynes said in a statement late Thursday that while attackers did access DOE “business networks,” they did not breach “the mission-essential national security functions of the Department.”
“The investigation is ongoing, and the response to this incident is happening in real time,” Hynes said.
This is the situation for all victims at this point. Some targets will go on to discover that they were impacted more deeply than they initially believed; others may find that hackers kicked the tires but didn’t go any further. This is the core danger of a supply chain attack such as the SolarWinds breach. Attackers get a huge amount of access all at once and can have their pick of the victims while responders are left playing catch up.
Though it’s difficult to establish the full scope of the situation, researchers have been making a concerted effort to sort out who was hit and how badly. By tracking and linking IP addresses, DNS records, and other attacker flags, security analysts are even developing methods to proactively identify targets. Kaspersky Labs, for example, released a tool on Friday that decodes DNS requests from the attackers’ command-and-control infrastructure that could help indicate which targets the hackers prioritized.
The news about the hacking spree will likely continue for weeks as more organizations identify where they fit in the rubric of potential targets. Microsoft president Brad Smith wrote on Thursday that the company has notified more than 40 customers about signs of deep intrusion on their networks. And Microsoft says that while the vast majority of these victims are in the US, some are in seven other countries: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates. “It’s certain that the number and location of victims will keep growing,” Smith added.
Later that night, Microsoft confirmed that it had been compromised in the campaign as well.
More Great WIRED Stories