Government Agencies Hacked Using SolarWinds Devices and Software

Posted on by Dawna M. Roberts in News December 15, 2020

This past weekend, the U.S. Commerce Department, the Information Administration (NTIA), and U.S. Treasury admitted to an attack by a state-backed hacker group APT29, aka Cozy Bear, who attacked top cybersecurity firm FireEye last week stealing Red pen resources.

What Happened?

The Washington Post and Reuters first reported the incidents and named Russia-backed Cozy Bear as the culprit. FireEye discovered that as of March, software updates on a SolarWinds’ product called Orion had been intercepted by APT29 and replaced by malware they dubbed “Sunburst.” The elusive malware has the ability to steal profiles and files, reboot services, and disable systems. 

There are more than 300,000 SolarWinds customers worldwide; some of them are educational institutions, government agencies, and corporations. FireEye commented that “the actors behind this campaign gained access to numerous public and private organizations around the world.”

After the recent attack on government agencies, the Commerce Department made a public statement “We can confirm there has been a breach in one of our bureaus. We have asked CISA and the FBI to investigate, and we cannot comment further at this time.”

DataBreachToday assured the public that “The U.S. Cybersecurity and Infrastructure Agency, or CISA, on Sunday, issued an emergency directive “in response to a known or reasonably suspected information security threat,” noting that the affected Orion products are versions are 2019.4 through 2020.2.1 HF1.”

Brandon Wales, Acting Director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), said, “The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks.”

Microsoft chimed in with the results of their own investigation “A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations.”

How Did SolarWinds React?

SolarWinds released a security advisory on December 14 stating that “SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions **2019.4 HF 5**and**2020.2 ~with no hotfix~** or **2020.2 HF 1**. We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack instead of a broad, system-wide attack. We recommend taking the following steps related to your use of the SolarWinds Orion Platform.” SolarWinds is working closely with FireEye to complete their investigation and work on the next steps. 

They also urged customers using outdated software to upgrade immediately to mitigate the threat. The notice also includes instructions on how to check your version and a guidelines link to secure your devices.

They also said to “Additionally, we recommend customers scan their environment for the affected file: **SolarWinds.Orion.Core.BusinessLayer.dll**. If you locate this .dll, you should immediately upgrade to remove the affected file and follow security protocols to protect your environment.”

They anticipate releasing new files on December 15, to patch all susceptible devices. They listed the affected platforms:

  • “Application Centric Monitor (ACM).
  • Database Performance Analyzer Integration Module (DPAIM).
  • Enterprise Operations Console (EOC).
  • High Availability (H.A.).
  • I.P. Address Manager (IPAM).
  • Log Analyzer (L.A.).
  • Network Automation Manager (NAM).
  • Network Configuration Manager (NCM).
  • Network Operations Manager (NOM).
  • Network Performance Monitor (NPM).
  • Network Traffic Analyzer (NTA).
  • Server & Application Monitor (SAM).
  • Server Configuration Monitor (SCM).
  • Storage Resource Monitor (SCM).
  • User Device Tracker (UDT).
  • Virtualization Manager (VMAN).
  • VoIP & Network Quality Manager (VNQM).
  • Web Performance Monitor (WPM).”

They apologized and stressed that “Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security process, procedures, and standards designed to protect our customers.”

How to Keep Your Devices Safe

Along with always updating device firmware and software whenever there is an available security release, some other tips to keep devices safe from hackers include:

  • Install network monitoring software or use a router with a firewall, which includes these tools to keep an eye on traffic, activity logs, and unwanted intrusions.
  • Never visit unsecured URLs. Keep a close eye on sites you visit and watch out for any drive-by downloads or free software.
  • Never install any browser add-ons or software from untrusted sources.
  • Routinely check the device manufacturer’s website for updates on security, patches, and warnings.
  • Install robust antivirus/anti-malware software on all your devices and run deep scans frequently. 
  • Keep good backups in case you need to restore systems. 

The best way to stay safe is constant monitoring and vigilant awareness of anything suspicious. Report all incidents to the authorities and the device vendor. Using common-sense even if you are the victim of an attack, you can mitigate it quicker and recoup your losses.

About the Author
IDStrong Logo

Related Articles

Instagram Vulnerability Allowed Hackers Access to Control Your Phone

Security experts Check Point Research discovered a critical vulnerability while examining Instagram’s c... Read More

Alien Malware Infects More than 226 Mobile Apps and Steals Bank Data

As reported on September 24, 2020, by ZDNet and ThreatPost, a new strain of malware named “Alien” is ... Read More

Universal Health Systems Hit by Ransomware Attack

Universal Health Systems (UHS), a Fortune 500 company owning more than 400 hospitals across the country, ... Read More

Exchange Server Bug Exposes a Big Risk to Hackers

Months after Microsoft released a patch to fix a serious flaw in MS Exchange Server, more than 61% of the... Read More

Scan Your Records for Breaches, Leaks & Exposures!