US government agencies compromised by foreign nation-state

Foreign adversaries have launched a series of cyberattacks against key government agencies by exploiting a flaw in software used by many of them. Affecting the networks and email systems of the targeted agencies, the malicious campaign dubbed UNC2452 by security firm FireEye took advantage of a vulnerability in the way updates are delivered to the Orion networking monitor platform made by SolarWinds.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic) 

Reporting that the campaign might have started as early as spring of 2020 and may still be active, FireEye said that the attackers gained access to victims through trojanized updates to the Orion software. Specifically, the tactic works by hiding malicious code inside a legitimate software update in what is known as a supply chain compromise.

As a result of the breach, the hackers have been able to monitor internal email traffic at the US Treasury and Commerce departments, sources told Reuters. However, FireEye said the victims have also included government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia and the Middle East, and there are likely even more victims in other regions and sectors.

SolarWind’s customers include Fortune 500 companies, the top 10 US telecommunications providers, all five branches of the US military, the State Department, the National Security Agency, and the Executive Office of the President of the United States. As such, the concern is that other critical organizations and government agencies may be at risk of compromise.

In response, the National Security Council called an emergency meeting on Saturday. The following day, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive asking all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.

FireEye, SolarWinds, Microsoft, and other sources all have pointed to a foreign nation-state as the source of this prolonged attack.

“SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020,” SolarWindows said in a security advisory. “We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.”

Though FireEye hasn’t yet confirmed or identified the source of the compromise, many are pointing the finger directly at Russia. Sources told the Washington Post that the Russian hackers responsible are known by the nicknames APT29 or Cozy Bear and are part of Russia’s SVR foreign intelligence service. The same group has been tagged as the source behind a recent attack against FireEye itself.

“APT29, the group attributed to this past week’s FireEye breach—a company known for its due diligence—is now known to have compromised both the Departments of Treasury and Commerce,” Rosa Smothers, former CIA cyber threat analyst and now an senior VP with KnowBe4, told TechRepublic. “APT29 most successfully uses spear phishing to gain access to a network; from there they escalate permissions to expand into the network.”

In a post shared on Facebook, the Russian government denied any culpability in the attack, calling the claims unfounded attempts by the US media to blame Russia for attacks against US government bodies.

In its blog post, FireEye said that the attacks launched as part of this campaign have the following elements in common:

• Use of malicious SolarWinds update. Inserting malicious code into legitimate software updates for the Orion software that allow an attacker remote access into the victim’s environment.
• Light malware footprint. Using limited malware to accomplish the mission while avoiding detection.
• Prioritization of stealth. Going to significant lengths to observe and blend into normal network activity.
• High OPSEC. Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools.

“It’s natural to think that just after the FireEye breach, adversaries turned their tools to use and perpetrated this breach of the Commerce Department,” said Brandon Hoffman, chief information security officer at security provider NetEnrich. “However, careful examination of this seems to lead us to the conclusion that this has been going on much longer. The type of attack described to date involves several low and slow techniques. The very term advanced persistent threat (APT) was coined to describe an attack just like this.”

SolarWind is advising customers to upgrade their Orion Platform to version 2020.2.1 HF 1 as soon as possible. This latest version is available in the SolarWinds Customer Portal. An additional hotfix release called 2020.2.1 HF 2 is expected to roll out on Tuesday, Dec. 15. The company is urging customers to apply that hotfix as it will replace the compromised component and add other security enhancements.

In a blog post, Microsoft also offered several tips on how organizations can protect themselves against this type of exploit.

1. Run up-to-date antivirus or EDR products that detect compromised SolarWinds libraries and potentially anomalous process behavior by these binaries. Consider disabling SolarWinds in your environment entirely until you are confident that you have a trustworthy build free of injected code. For more details, consult SolarWinds’ Security Advisory.
2. Block known C2 endpoints listed below in IOCs using your network infrastructure.
3. Follow the best practices of your identity federation technology provider in securing your SAML token signing keys. Consider hardware security for your SAML token signing certificates if your identity federation technology provider supports it. Consult your identity federation technology provider for specifics. For Active Directory Federation Services, review Microsoft’s recommendations here: Best Practices for Securing ADFS
4. Ensure that user accounts with administrative rights follow best practices, including use of privileged access workstations, JIT/JEA, and strong authentication. Reduce the number of users that are members of highly privileged Directory Roles, like Global Administrator, Application Administrator, and Cloud Application Administrator.
5. Ensure that service accounts and service principals with administrative rights use high entropy secrets, like certificates, stored securely. Monitor for changes to secrets used for service accounts and service principals as part of your security monitoring program. Monitor for anomalous use of service accounts. Monitor your sign ins. Microsoft Azure AD indicates session anomalies, as does Microsoft Cloud App Security if in use.
6. Reduce surface area by removing/disabling unused or unnecessary applications and service principals. Reduce permissions on active applications and service principals, especially application (AppOnly) permissions.
7. See Secure your Azure AD identity infrastructure for more recommendations.

“In a broader scope, this breach again highlights the need to focus on security processes that have been in place for decades,” Hoffman said. “Patching these systems is as critical, if not more so, as patching the crown jewels. Similar to many or most of the major breaches in recent memory, these attacks almost always take advantage of a flaw or defect in a provider that leads to the main target.”

Cybersecurity Insider Newsletter

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.
Delivered Tuesdays and Thursdays

Sign up today

Also see