Since as far back as March, Russian hackers have been on a sinister tear. By slipping tainted updates into a widely used IT management platform, they were able to hit the United States Commerce, Treasury, and Homeland Security departments, as well as the security firm FireEye. In truth, no one knows where the damage ends; given the nature of the attack, literally thousands of companies and organizations have been at risk for months. It only gets worse from here.
The attacks, first reported by Reuters on Sunday, were apparently carried out by hackers from the SVR, Russia’s foreign intelligence service. These actors are often classified as APT 29 or “Cozy Bear,” but incident responders are still attempting to piece together the exact origin of the attacks within Russia’s military hacking apparatus. The compromises all trace back to SolarWinds, an IT infrastructure and network management company whose products are used across the US government, by many defense contractors, and by most Fortune 500 companies. SolarWinds said in a statement on Sunday that hackers had managed to alter the versions of a network monitoring tool called Orion that the company released between March and June.
“We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” the company wrote.
SolarWinds has hundreds of thousands of clients in all; it said in a Securities and Exchange Commission disclosure on Monday that as many as 18,000 of them were potentially vulnerable to the attack.
Both FireEye and Microsoft detailed the flow of the attack. First the hackers compromised SolarWinds’ Orion update mechanism so that its systems could distribute tainted software to thousands of organizations. The attackers could then use manipulated Orion software as a backdoor into victims’ networks. From there, they could fan out within target systems, often by stealing administrative access tokens. Finally, with the keys to the kingdom—or large portions of each kingdom—the hackers were free to conduct reconnaissance and exfiltrate data.
This sort of so-called supply chain attack can have dire consequences. By compromising one entity or manufacturer, hackers can undermine target security efficiently and at scale.
This wouldn’t be the first time Russia relied on a supply chain attack for widespread impact. In 2017, the country’s GRU military intelligence used access to the Ukrainian accounting software MeDoc to unleash its destructive NotPetya malware around the world. The attack on SolarWinds and its customers seems to have focused on targeted reconnaissance rather than destruction. But with quiet and nuanced operations there is still a very real risk that the full extent of the damage won’t be immediately clear. Once attackers have embedded themselves in target networks—often called “establishing persistence”—simply updating the compromised software isn’t enough to flush the attackers out. Just because Cozy Bear was caught doesn’t mean the problem is resolved.
In fact, FireEye emphasized on Sunday that the attack is currently ongoing. The process of identifying potential infections and tracing their source will be time-consuming.
“The attackers in question have been especially discrete in using network infrastructure,” says Joe Slowik, a researcher at the threat intelligence firm DomainTools. “Particularly, they appear to have largely relied upon renewing or re-registering existing domains rather than creating completely new items, and using a variety of cloud hosting services for network infrastructure.” These techniques help attackers mask clues about their identity, cover their tracks, and generally blend in with legitimate traffic.
The extent of the damage is also difficult to get a handle on because Orion is itself a monitoring tool, setting up a bit of a “who watches the watchers” issue. For that same reason, systems also grant Orion trust and privileges on user networks that have value for attackers. Victims and potential targets must consider the possibility that these attacks also compromised much of their other infrastructure and authentication mechanisms using Orion’s pervasive access. The extent of the exposure at US government agencies is still unknown; the revelation that DHS was impacted as well didn’t come until Monday afternoon.