With organizations using SolarWinds’ Orion network management platform still assessing the potential damage to their systems, one U.S. expert estimates it could cost organizations around the world as much as $100 billion to investigate and fix. Everyone is trying to figure out how far the hackers penetrated computer networks and how to get rid of them, says Jake Williams, a former National Security Agency hacker who’s now the founder of Rendition Infosec LLC, a cybersecurity firm.
“The reality is everybody is spending resources right now,” Williams told Roll Call, a site that reports on American federal politics, and the global price tag is likely to be in the billions. “The true cost could be hundreds of billions of dollars.”
U.S. federal departments that have publicly acknowledged being affected by Orion vulnerabilities include the Treasury, Commerce, Health, Homeland Security, Energy, the Cybersecurity and Infrastructure Security Agency, State and the National Nuclear Security Administration. The Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies running affected versions to conduct a forensic analysis. Those that accept the risk of continuing to run SolarWinds Orion have to comply with hardening requirements.
In Canada, one expert doubts the $100 billion estimate. Ed Dubrovsky, managing director of the incident response firm Cytelligence, estimates up to 2,000 organizations in Canada may have downloaded the infected version of Orion. However, he believes only “a tiny fraction (0.1 per cent)” of them “were actually exploited in some sort of fashion.”
“Just because an organization was attacked, it does not mean that every digital asset was compromised and hence, the investigation and remediation does not mean that every single system has to be investigated, replaced or rebuilt,” he said in an email. “Therefore, I think the $100 billion figure does not make sense.
“I estimate that it will cost anywhere from $500,000 to $5 million for most mid-sized organizations and that there will be a max of 1 per cent of the organizations, or about 200 [world-wide], actually breached. A more logical figure would be about $1 billion.”
Orion is used by 33,000 customers including a number of U.S. government departments as well as major corporations around the world. Of those, 18,000 downloaded a compromised version of the suite with a backdoor installed by an attacker that infected Orion updates last spring. U.S. law enforcement and intelligence agencies last week said the attacker was “likely Russian in origin.” Russia has denied charges it was involved in the attacks.
Meanwhile, this morning Kaspersky said it has found some similarities between that backdoor, dubbed Sunburst, and another backdoor found several years ago dubbed Kazuar. Kazuar has been tentatively linked by researchers at Palo Alto Networks to a threat group it calls Turla (others call it Uroburos or Snake).
Kaspersky is cautious, saying there could be several explanations for the code similarities, including the creators trying to mislead investigators — what infosec experts call a ‘false flag’. But, the report’s authors add, “one coincidence wouldn’t be that unusual, two coincidences would definitively raise an eyebrow, while three such coincidences are kind of suspicious to us.
“We are NOT saying that DarkHalo / UNC2452, the group using Sunburst, and Kazuar or Turla are the same,” it emphasized. But, it added, “a number of unusual, shared features between Sunburst and Kazuar include the victim UID generation algorithm, the sleeping algorithm and the extensive usage of the FNV-1a hash.”