Four American intelligence and law enforcement agencies say Russia was likely behind the hack of SolarWinds' Orion network management platform that led to the compromise of an unknown number of government and private sector organizations around the world.

In a joint statement Tuesday, the Office of the Director of National Intelligence, the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said an advanced persistent threat (APT) actor, “likely Russian in origin,” is responsible for most or all of the recently discovered and ongoing cyber compromises of both government and non-governmental networks.

In an attempt to defuse worries that the attackers may have planted malware that could in the future shut down electrical utilities and other sensitive U.S. critical infrastructure, the statement also says that the attack appears to be, at the moment, an "intelligence-gathering effort" exclusively.


“We are taking all necessary steps to understand the full scope of this campaign and respond accordingly,” the statement read.

The four agencies were appointed to a Cyber Unified Coordination Group (UCG) to analyze the attack, which only became publicly known when FireEye discovered last month that some of its Red Team tools for testing customer networks had been stolen. Upon investigation, FireEye realized the vehicle for the theft was an infected deployment of Orion that allowed the installation of a backdoor. Orion had been compromised through altered software updates that were downloaded by about 18,000 customers.

The UCG has so far identified fewer than 10 U.S. government agencies that downloaded the updates, including the Treasury and Energy departments.

A ‘serious compromise’

“This is a serious compromise that will require a sustained and dedicated effort to remediate,” the statement warned.

As the lead agency for threat response, the FBI is still trying to identify victim organizations, collect evidence and nail down attribution. CISA is focused on sharing information quickly with government departments and the private sector to understand the extent of the campaign and the level of exploitation. CISA has also released a free tool for detecting unusual and potentially malicious activity related to this incident. In an Emergency Directive posted December 14, CISA also ordered federal agencies to either disconnect or power down affected SolarWinds Orion products on federal networks.

The NSA is focused on assessing the scale and scope of the incident, as well as providing technical mitigation measures.

In an email interview, Ed Dubrovsky, managing partner of the Toronto-based incident response firm Cytelligence, noted that supply chain attacks are highly planned and take months if not years to bring to fruition.

"While many threat actors are focused on monetary gain, this attack was a long-term approach to compromising numerous types of organizations. Monetary attacks are typically short in their 'implementation phase' and involve a short reconnaissance phase identifying a possible attack vector and quickly move to implementing the attack, followed by an action, e.g. encryption of files in order to push the victim to make a payment (such as a ransomware attack).

"The SolarWinds compromise took years to infiltrate the SDLC (software development lifecycle) of the organization, but there must have been an objective even before this step, and that objective was likely based on some intelligence collected that identified possible victim organizations as targets of interest."

As for attribution, an attack that requires many resources and likely very specific access would certainly be attributed to a nation-state, he said.

"Russia, as one of the leading countries typically seen behind many of the people involved in threat actor ransomware groups, has developed a very advanced approach to cyberattacks and as such, the conclusion that Russia is likely behind the attacks is quite feasible. In my opinion, China, Iran and North Korea would have been other candidates, but they are likely lagging behind the Russian capabilities in this area."

Jim Love, Chief Content Officer, IT World Canada