Lessons Learnt : 'Solarwinds Hack' (2020 United States Federal Government Data Breach) - with the SolarWinds CEO (live)

One of the biggest cyberattacks to have targeted US government agencies and private companies, the 'SolarWinds hack' is being seen as a likely global effort. SolarWinds said that of its 300,000 customers, 33,000 use Orion. Of these, around 18,000 government and private users downloaded compromised versions. We have the SolarWinds CEO (live) to understand the breach in depth: why it happened, the to-dos and not-to-dos, mitigation and protection, and more. Join us to ask your questions directly.

Hackers targeted SolarWinds by deploying malicious code into its Orion IT monitoring and management software, which is used by thousands of enterprises and government agencies worldwide. In this hack, suspected nation-state hackers, identified by Microsoft as a group known as Nobelium and often simply referred to as the SolarWinds hackers by other researchers, gained access to the networks, systems and data of thousands of SolarWinds customers. The breadth of the hack is unprecedented; it is one of the largest, if not the largest, of its kind ever recorded.

>> Click here to join us in the SolarWind Hack discussion


2020 United States Federal Government Data Breach
The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration (eight to nine months) in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others. The attack, which had gone undetected for months, was first publicly reported on December 13, 2020 and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration (NTIA), part of the U.S. Department of Commerce.


Breach Discovery

Microsoft

During 2019 and 2020, the cybersecurity firm Volexity discovered an attacker making suspicious use of Microsoft products within the network of a think tank whose identity has not been publicly revealed. The attacker exploited a vulnerability in the organization's Microsoft Exchange Control Panel and used a novel method to bypass multi-factor authentication. Later, in June and July 2020, Volexity observed the attacker using the SolarWinds Orion trojan; i.e. the attacker used Microsoft vulnerabilities (initially) and the SolarWinds supply chain attack (later on) to achieve their goals. Volexity said it was not able to identify the attacker. Also in 2020, Microsoft detected attackers using Microsoft Azure infrastructure in an attempt to access emails belonging to CrowdStrike. That attack failed because, for security reasons, CrowdStrike does not use Office 365 for email. Separately, in or shortly before October 2020, the Microsoft Threat Intelligence Center reported that an apparently state-sponsored attacker had been observed exploiting Zerologon, a vulnerability in Microsoft's Netlogon protocol.

SolarWinds
On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker. FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service. FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft. After discovering that attack, FireEye reported it to the U.S. National Security Agency (NSA), a federal agency responsible for helping to defend the U.S. from cyberattacks. The NSA is not known to have been aware of the attack before being notified by FireEye. The NSA uses SolarWinds software itself. Some days later, on December 13, when breaches at the Treasury and Department of Commerce were publicly confirmed to exist, sources said that the FireEye breach was related. On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion. The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020. FireEye named the malware SUNBURST. Microsoft called it Solorigate. The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by the cybersecurity firm CrowdStrike, who called it SUNSPOT. Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.

VMware
Some time before December 3, 2020, the NSA discovered and notified VMware of vulnerabilities in VMware Access and VMware Identity Manager. VMware released patches on December 3, 2020. On December 7, 2020, the NSA published an advisory warning customers to apply the patches because the vulnerabilities were being actively exploited by Russian state-sponsored attackers.


Join Us In The Discussion (Live)

SolarWinds said that of its 300,000 customers, 33,000 use Orion. Of these, around 18,000 government and private users downloaded compromised versions. We have the SolarWinds CEO (live) to understand the breach in depth: why it happened, the to-dos and not-to-dos, mitigation and protection, and more. Join us to ask your questions directly.


The Progress Till Now
December 8, 2020: How the discovery began — FireEye, a prominent cybersecurity firm, announced that it was the victim of a nation-state attack. The security team reported that its Red Team toolkit, containing applications used by ethical hackers in penetration tests, had been stolen.

December 13, 2020: Initial detection — FireEye discovered a supply chain attack while it was investigating the nation-state attack on its own Red Team toolkit. The researchers stumbled across evidence that attackers had inserted a backdoor into the SolarWinds software, "trojanizing SolarWinds Orion business software updates to distribute malware." FireEye dubbed it "SUNBURST."

December 13: SolarWinds begins notifying customers, including a post on its Twitter account: "SolarWinds asks all customers to upgrade immediately to Orion Platform version 2020.2.1 HF 1 to address a security vulnerability."

December 14: SolarWinds files an SEC Form 8-K report, stating in part that the company "has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products". On this date and the next, the company issued two "hotfix" security patches to address the vulnerability.

December 15, 2020: Victims named and timeline moves back — The Wall Street Journal reported that the U.S. Commerce and Treasury Departments, the Department of Homeland Security (DHS), the National Institutes of Health, and the State Department were all affected. Various security officials and vendors expressed serious dismay that the attack was more widespread and had begun much earlier than expected. The initial attack date was now pegged to sometime in March 2020, which meant the attack had been underway for months before its detection. More technical details also began to emerge, illustrating how well the malicious activity was concealed and why it was hard to detect.

December 17, 2020: New victims revealed — The Energy Department (DOE) and National Nuclear Security Administration (NNSA), which maintains the U.S. nuclear weapons stockpile, were publicly named as victims of the attack.

December 19, 2020: 200 more victims listed — Recorded Future, a cybersecurity firm, identified an additional list of government agencies and companies around the world that had also been attacked, but did not publicly reveal their identities. Using Twitter for his first comments on the attack, then-U.S. President Donald Trump publicly suggested that China, not Russia, was the source, and also described the hack as a hoax. U.S. Secretary of State Mike Pompeo and other senior members of the administration disputed these claims the same day, stating that "we can say pretty clearly that it was the Russians that engaged in this activity."

December 31, 2020: Microsoft says the Russian attackers breached some of its source code — The software giant said that the attackers could not modify code, products, or email and they did not use Microsoft goods to attack other victims. By this point, the attacks are largely thought to “have begun as far back as October 2019…when hackers breached the Texas company SolarWinds.”

January 5, 2021: Joint statement by FBI, CISA, ODNI, and NSA released — The Federal Bureau of Investigation (FBI), CISA, the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) jointly released a statement on the formation of the Cyber Unified Coordination Group, which "indicates that an advanced persistent threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort."

January 6, 2021: CISA issues supplemental guidance — CISA's supplemental guidance required US government agencies that ran affected versions of SolarWinds Orion to conduct forensic analysis; required those that accept the risk of continuing to run the software to comply with certain hardening requirements; and introduced new per-agency reporting requirements from department-level CIOs. The deadlines for the agency CIO reports were Tuesday, January 19, and Monday, January 25, 2021.

January 27, 2021: CISA releases a report on Supernova, the malware “that was deployed using a vulnerability in the Orion Platform, and after the Orion Platform had been installed.”

January 29, 2021: SolarWinds issues an advisory for both Sunburst and Supernova.

February 19, 2021: Biden Administration declares intent to punish Russia for SolarWinds attack — Jake Sullivan, national security advisor, told CNN's Christiane Amanpour that President Joe Biden's administration would look at a “broad range of responses” after an investigation to further pinpoint the identities of the attackers.

February 23, 2021: First Congressional hearing — Microsoft and FireEye testified before the Senate Intelligence Committee on the SolarWinds attacks. A transcript and a video of the hearing are available on C-SPAN. Microsoft President Brad Smith said its "researchers believed at least 1,000 very skilled, very capable engineers worked on the SolarWinds hack. This is the largest and most sophisticated sort of operation that we have seen," Smith told senators. All defended their own actions before and after the attacks, and all fingers pointed at Russia as the attacker.

February 26, 2021: Second Congressional hearing — The U.S. House Committee on Oversight and Reform and the House Committee on Homeland Security held a joint hearing “examining recent cybersecurity incidents affecting government and private sector networks, including the supply chain attack targeting SolarWinds Orion Software and other cyberattacks. On December 17, the Committees launched an investigation into the cyberattacks. On December 18, the Unified Coordination Group provided a classified Member briefing by telephone about the attacks.”

February 24, 2021: SolarWinds issues a FAQ: Security Advisory. This advisory offered further guidance to SolarWinds customers on how to tell if they were affected, what steps to take, and answers to related questions.

March 15, 2021: A Public Affairs spokesperson in the National Press Office of the FBI answered “no comment” to CSOonline.com’s questions on the current status of the SolarWinds attacks, stating that “the investigation is ongoing.”

March 28, 2021: Reports state DHS, cybersecurity leaders' emails compromised — The Associated Press reported that the SolarWinds hackers "gained access to email accounts belonging to the Trump administration’s head of the Department of Homeland Security and members of the department’s cybersecurity staff whose jobs included hunting threats from foreign countries."

May 29, 2021: Microsoft reports a new wave of attacks by the Russia-affiliated Nobelium gang now linked to the SolarWinds hack. This round was launched by "gaining access to the Constant Contact account of USAID," the US Agency for International Development. Using this access, the attackers sent phishing emails containing a link that led to the installation of a malicious file and a backdoor that can be used for data theft.



CISO Platform