The United States Department of Commerce, Treasury, State Department, National Institutes of Health, Homeland Security, and Pentagon have had their networks compromised in what appears to have been a massive supply-chain attack on American government systems.
At the centre of the attack is enterprise monitoring software company SolarWinds, which has more than 300,000 customers around the world. In a regulatory disclosure issued yesterday, SolarWinds shared limited details of what happened.
According to the company, hackers “inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.”
The vulnerability was present in updates to the Orion products released between March and June 2020, after the attackers compromised the software build system for Orion.
SolarWinds said that it believed the security breach was likely the result of “a highly sophisticated, targeted and manual supply chain attack by an outside nation state.”
Already many have pointed the finger of blame in the direction of the APT29 hacking group (also known as “the Dukes” or “Cozy Bear”), which has close ties to Russian intelligence, but SolarWinds says it has not confirmed the identity of its attackers.
The breach, which was made public in the wake of the high-profile state-sponsored compromise of cybersecurity vendor FireEye, is said to have resulted in some 18,000 customers of SolarWinds downloading malicious versions of Orion that could have been exploited by the hackers to gain backdoor access to networks.
Presently it appears, however, that not all companies that were running the poisoned software experienced a security breach – but high-profile victims did include US government organisations.
This inevitably plays into the theory that a state-sponsored attacker is responsible for the attack, perhaps focusing their attention on the highest value targets inside the US government.
The United States Cybersecurity & Infrastructure Security Agency (CISA) has issued an emergency directive urging all federal agencies to check their networks for evidence that they might have been compromised, and disable SolarWinds Orion products immediately.
In a security advisory, SolarWinds has told at-risk customers to upgrade to Orion Platform version 2020.2.1 HF 1 “as soon as possible to ensure the security of your environment.”
Further reading:
- Customer Guidance on Recent Nation-State Cyber Attacks – Microsoft Security Response Center.
- Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor – FireEye.
- Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise – Dept of Homeland Security.
Have you heard the news? Microsoft is one of those 18,000 customers. I truly wonder whether their Windows Update servers were compromised during the last 6 months… it's a scary thought.