The week before last we wrote about the announcement from FireEye claiming that a nation-state with ‘top-tier offensive capabilities’ had stolen its stash of ‘Red Team assessment tools’.
The announcement raised more questions than it answered; however, we were sure that with the impressive forensic capabilities of the former Mandiant part of FireEye, they would be right on it. We were also fairly sure that at the time they knew more than they were letting on, and this appears to have been the case.
We all knew that an emergency meeting of the White House’s National Security Council had been called, as reported in the South China Morning Post (and obviously elsewhere), and we also knew that FireEye was in talks with Microsoft, so something big was going down.
Earlier last week, the big news hit. FireEye was breached by a supply chain attack via the SolarWinds network monitoring solution, Orion: hackers breached SolarWinds, edited the Orion code to include a backdoor, waited for automatic updates to carry it to SolarWinds customers, and then rode the backdoor in, spread laterally and stole important data and intellectual property.
The backdoored update started going out in March 2020 and was installed by around 18,000 SolarWinds customers, only a small portion of whom were actually targeted further. Those customers included, but were not limited to:
- Multiple US Government departments, including Homeland Security, the US Treasury and nuclear agencies; ‘unprecedented scale’.
- The majority of Fortune 500 Companies.
- Possibly Microsoft
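The attack chain described above works because an update is trusted simply for having come from the vendor. A pre-install gate that compares an update against a pinned baseline is one concrete control. The following is an added example, not SolarWinds or Orion code; the file names and contents are constructed for illustration. It flags modified, added and missing files against a manifest of known-good SHA-256 hashes:

```python
"""Pre-install integrity check for a vendor update package.

Added example (not vendor code). It assumes a manifest of expected file hashes
obtained out of band, e.g. pinned from the previously verified release.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(package: dict, manifest: dict) -> list:
    """Compare package contents {path: bytes} with the pinned manifest {path: sha256}.

    Returns a sorted list of findings; an empty list means the package matches
    the baseline exactly (no modified, missing or unexpected files).
    """
    findings = []
    for name, expected in manifest.items():
        if name not in package:
            findings.append(f"missing: {name}")
        elif sha256_hex(package[name]) != expected:
            findings.append(f"modified: {name}")
    for name in package:
        if name not in manifest:
            findings.append(f"unexpected: {name}")
    return sorted(findings)


# Constructed sample: a known-good build and a tampered one (hypothetical names).
GOOD_BUILD = {
    "bin/Monitor.Core.dll": b"monitoring core v1",
    "bin/Monitor.Collector.dll": b"collector v1",
}
PINNED_MANIFEST = {name: sha256_hex(data) for name, data in GOOD_BUILD.items()}

TAMPERED_BUILD = {
    "bin/Monitor.Core.dll": b"monitoring core v1" + b"\x90backdoor",  # modified
    "bin/Monitor.Collector.dll": b"collector v1",                      # unchanged
    "bin/Monitor.Helper.dll": b"dropped payload",                      # not in manifest
}

if __name__ == "__main__":
    print("good build:", verify_update(GOOD_BUILD, PINNED_MANIFEST))
    print("tampered build:", verify_update(TAMPERED_BUILD, PINNED_MANIFEST))
```

The value of this check depends entirely on where the manifest comes from. If the hashes are published by the same build pipeline that was compromised, they will match the tampered file; the baseline needs an independent source (the previously verified release plus a reviewed change list), and at minimum the update should be staged and the diff reviewed before automatic rollout reaches production.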
The current word on the street is that the attackers may have used multiple initial vectors (in addition to SolarWinds) to breach more targets. This of course is the subject of grand debate (and possibly lawsuits), but it is being reported by none other than Reuters.
Immediately after the breach became public, SolarWinds removed its customer list from its website, but the Internet being what it is, this was futile: copies of the earlier page survive in archives such as the Wayback Machine (archive.org).
Supply chain attacks are nothing new. In 2019 multiple outsourcers such as Wipro were compromised and then used to breach their customers.
The prior attacks were pinned on the Chinese APT10 (and more recently APT41), and we can confirm that we saw their modus operandi first hand at a number of customers back in the day. US prosecutors have repeatedly indicted Chinese nationals.
The tradecraft, patience, planning and execution of these (let’s just say it) nation-state hacks are simply incredible. To us security specialists, sublime work.
In the 2019 attacks, the mandate appeared to be the theft of manufacturing IP, presumably to accelerate the production of ‘similar’ products in China. This campaign appears to be focused more on government and financial institutions. So far only a small subset of the 18,000 who installed the backdoor have reported second-stage execution or lateral movement, for what that is worth. We are sure the truth will out; it will take time.
The technique in all these attacks is similar:
- Find a way to breach the target (supply chain, phishing email, direct through the perimeter etc.)
- Drop a Remote Access Trojan
- Activate the Trojan via command and control (C2) infrastructure
- Laterally move through the network
- Exfiltrate interesting data
- Clean up (how many compromised organisations will never be able to quantify what was exfiltrated?)
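Two of the stages above leave a network footprint that a SOC can hunt for even when the implant itself is unknown: C2 activation shows up as outbound connections at suspiciously regular intervals, and lateral movement shows up as one host fanning out to many internal hosts on administration ports. The following is an added example, not code from the original post or from any vendor; the log lines are constructed, the internal address range and thresholds are assumptions to be tuned locally, and the heuristics are generic rather than specific to this incident:

```python
"""Beaconing and lateral-movement heuristics over constructed firewall log lines.

Added example. INTERNAL, ADMIN_PORTS, the thresholds and the log data are
assumptions for illustration, not observed values from any real incident.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed internal address range for this illustration.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
# Ports commonly used for remote administration: RPC, SMB, RDP, WinRM.
ADMIN_PORTS = {135, 445, 3389, 5985, 5986}

# Constructed log, one connection per line: "<ISO timestamp> <src> <dst> <dport>".
# 10.1.1.20 calls 203.0.113.10 every 15 minutes (a beacon), then touches four
# internal hosts on SMB/RDP in a couple of minutes (lateral movement).
SAMPLE_LOG = """\
2020-03-26T10:00:00 10.1.1.20 203.0.113.10 443
2020-03-26T10:00:02 10.1.1.20 198.51.100.5 443
2020-03-26T10:15:00 10.1.1.20 203.0.113.10 443
2020-03-26T10:30:00 10.1.1.20 203.0.113.10 443
2020-03-26T10:45:01 10.1.1.20 203.0.113.10 443
2020-03-26T11:00:00 10.1.1.20 203.0.113.10 443
2020-03-26T11:02:13 10.1.1.20 198.51.100.5 443
2020-03-26T11:05:00 10.1.1.20 10.1.2.7 445
2020-03-26T11:05:30 10.1.1.20 10.1.2.8 445
2020-03-26T11:06:10 10.1.1.20 10.1.2.9 3389
2020-03-26T11:06:40 10.1.1.20 10.1.2.10 445
2020-03-26T11:15:00 10.1.1.20 203.0.113.10 443
2020-03-26T11:20:00 10.1.1.30 198.51.100.5 443
"""


def parse_log(text):
    """Return a list of (timestamp, src, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL


def find_beacons(events, min_hits=5, max_cv=0.1):
    """Flag internal->external (src, dst) pairs whose connection intervals are too regular.

    Regularity is measured as the coefficient of variation (stdev / mean) of the
    gaps between connections. Returns {(src, dst): {"count", "mean_interval", "cv"}}.
    """
    times = defaultdict(list)
    for ts, src, dst, _ in events:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        if cv <= max_cv:
            beacons[pair] = {"count": len(stamps), "mean_interval": avg, "cv": cv}
    return beacons


def find_lateral_fanout(events, min_targets=3):
    """Flag internal sources reaching at least min_targets distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for _, src, dst, port in events:
        if port in ADMIN_PORTS and is_internal(src) and is_internal(dst) and src != dst:
            targets[src].add(dst)
    return {src: dsts for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pair, info in find_beacons(evs).items():
        print("beacon:", pair, info)
    for src, dsts in find_lateral_fanout(evs).items():
        print("lateral fan-out:", src, "->", sorted(dsts))
```

Real implants add jitter to their sleep interval, so `max_cv` has to be loosened in practice, and both heuristics produce noise from legitimate software (update checks, monitoring pollers, admin jump hosts), which is why a network monitoring server that starts talking to new external hosts is worth baselining explicitly rather than whitelisting wholesale.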
It is interesting that the only anti-virus product reported to have flagged this Trojan at the time is the Chinese-made 360 Safeguard. That should not surprise anyone: a backdoor delivered inside a legitimate vendor update is exactly what signature-based anti-virus is poorly placed to catch, and behavioural detection (a monitoring server making unexpected outbound connections, regular beaconing, unusual lateral activity) is the more reliable control.
The technical details of the infection chain, detection and clean-up are well beyond the scope of this blog; however, Tiberium has been studying them in detail and is actively assisting customers.
We can help you understand if you were breached, were further exploited and advise you how to improve your cybersecurity maturity. We can also help you prevent or detect further incidents using our suite of managed security services together with hardening your environment and improving your security processes.
If you would like a full walkthrough of the attack and to see how Tiberium can assist, please contact us.
In the New Year we are planning to run a breach workshop with real live hackers (they will be in T-shirts and hoodies); watch this space.
In breaking news, an Arizona county and the cable firm Cox Communications (wonder who their customers might be?) have revealed breaches; thank you to Jack Stubbs of Reuters.