Details: Cozy Bear, Solarwinds, FireEye And The Hack Of The US Govt

By: Denise Simon | Founders Code

Cozy Bear (also called APT29, a known unit of Russia’s SVR foreign intelligence service) appears to have been behind the attack, the Wall Street Journal reports. Moscow denies any involvement in the incident. Reuters adds that the Kremlin thinks the Americans should have been more mutual, more cooperative.

FireEye calls the backdoor “Sunburst.” Microsoft’s Security Response Center has a detailed account of how the malware functions. Both FireEye and Microsoft have upgraded their security products to include measures for detecting and protecting against the attack. SolarWinds urges its customers to “upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.”

When FireEye Inc. discovered that it was hacked this month, the cybersecurity firm’s investigators immediately set about trying to figure out how attackers got past its defenses.

It wasn’t just FireEye that got attacked, they quickly found out. Investigators discovered a vulnerability in a product made by one of its software providers, Texas-based SolarWinds Corp.

“We looked through 50,000 lines of source code, which we were able to determine there was a backdoor within SolarWinds,” said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm.

After discovering the backdoor, FireEye contacted SolarWinds and law enforcement, Carmakal said.

In part: Washington — U.S. government agencies were ordered to scour their networks for malware and disconnect potentially compromised servers after authorities learned that the Treasury and Commerce departments had been hacked in a months-long global cyberespionage campaign. The campaign was discovered when a prominent cybersecurity firm learned it had been breached.

In a rare emergency directive issued late Sunday, the Department of Homeland Security’s cybersecurity arm warned of an “unacceptable risk” to the executive branch from a feared large-scale penetration of U.S. government agencies that could date back to mid-year or earlier.

“This can turn into one of the most impactful espionage campaigns on record,” said cybersecurity expert Dmitri Alperovitch.

The apparent conduit for the Treasury and Commerce Department hacks – and the FireEye compromise – is a hugely popular piece of server software called SolarWinds. It’s used by hundreds of thousands of organizations globally, including most Fortune 500 companies and multiple U.S. federal agencies that will now be scrambling to patch up their networks, said Alperovitch, the former chief technical officer of the cybersecurity firm CrowdStrike.

On its website, SolarWinds says it has 300,000 customers worldwide, including all five branches of the U.S. military, the Pentagon, the State Department, NASA, the National Security Agency, the Department of Justice, and the White House. It says the 10 leading U.S. telecommunications companies and top five U.S. accounting firms are also among customers.

The DHS directive – only the fifth since such directives were created in 2015 – said U.S. agencies should immediately disconnect or power down any machines running the impacted SolarWinds software.

“We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation-state,” said SolarWinds CEO Kevin Thompson said in a statement. He said it was working with the FBI, FireEye, and intelligence community. More here.

SolarWinds of Austin posts sharp rise in revenue - Austin ...

Many more details on consequences –>

It turns out that the attackers also compromised the Department of Homeland Security. SolarWinds revealed to the Securities and Exchange Commission that the breach may affect 18,000 customers.

It appears that, in March 2020, someone managed to modify the SolarWinds Orion software during the build process—that is, the process that translates the human-readable code and merges it into a form that a computer can execute. This timing is based on both the Microsoft and FireEye analyses, as well as the reported versions affected by SolarWinds.

This modification included a sophisticated and stealthy Trojan program, designed to remotely control any computer that installed SolarWinds Orion. When customers installed the latest update, the Trojan program would start running on the victims’ computers. This is considered a software “supply chain attack”: The intended victims received a polluted copy of the Orion software directly or indirectly from SolarWinds.

What Now?

Christmas is now officially canceled for three groups. The first is for the IT staff working for the perhaps 18,000 SolarWinds customers affected by the breach, who are going to have to spend the next weeks rebuilding their networks and going over everything with a fine-toothed comb looking for various backdoors. This is going to be a lot of work to sort out. The only good thing is that most of the customers don’t have secondary backdoors to worry about because the biggest problem faced by the attacker was simply the target-rich environment. Each effort at exploitation increases the risk of discovery, and in the end, there are only so many people who can conduct these attacks.

The second group is the U.S. intelligence community. This attack started in March with the first exploitation starting in April. Either they didn’t know about it—a failure in the “defend forward” philosophy—or they did know about it, in which case they also failed to defend forward. There are going to be tough questions that the intelligence community will need to answer internally.

The final group is the Russian government. This was an amazingly valuable intelligence feed, capturing U.S. government communication leading up to the transition as well as critical insights into U.S. financial controls. Now the feed has gone dark and Russia has lost a hugely powerful asset. But then again, these are a bunch of Russian spies, so in the immortal words of every sysadmin: “fsck those guys”.

More here.


Related Articles

1 thought on “Details: Cozy Bear, Solarwinds, FireEye And The Hack Of The US Govt

  1. I am puzzled how you made the jump from “Cozy Bear [Russia] . . . appears [sic] to have been behind the attack” to “someone [sic] managed to modify the SolarWinds Orion software” to “Russia [sic] has lost a hugely powerful asset.”

    Even if it eventually is shown that Russia engineered this please don’t pretend that this isn’t exactly what US cyberwarriors — the exact same people as “Cozy Bear” — try to accomplish inside Russian, Chinese and other computers and networks.

    The real story here is the incompetence of SolarWinds that had system in place to compare code written with code distributed and detect, gasp, that the distributed code magically grew in size by a few thousand bytes. And how hard is it to do a bit-by-bit comparison of two files? It’s certainly not a problem of lack of processor power when any reasonably fast microprocessor available to consumers can hit 3.9gHz without breaking sweat.

    And where were and cyber defense components of the federal government? Are they unaware of what are and what are not critical systems in the civilian and military worlds?

Leave a Reply

Your email address will not be published. Required fields are marked *