(credit: Getty Images ) The supply chain attack used to breach federal agencies and at least one private company poses a “grave risk” to the United States, in part because the attackers likely used means other than just the SolarWinds backdoor to penetrate networks of interest, federal officials said on Thursday.
The attackers, whom CISA said began their operation no later than March, managed to remain undetected until last week when security firm FireEye reported that hackers backed by a nation-state had penetrated deep into its network. Early this week, FireEye said that the hackers were infecting targets using Orion, a widely used network management tool from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.
CISA ISSUES EMERGENCY DIRECTIVE TO MITIGATE THE COMPROMISE OF SOLARWINDS ORION NETWORK MANAGEMENT PRODUCTShttps://www.cisa.gov/news/2020/12/13/cisa-issues-emergency-directive-mitigate-compromise-solarwinds-orion-network
Sunday(12/13) was also when multiple news outlets, citing unnamed people, reported that the hackers had used the backdoor in Orion to breach networks belonging to the Departments of Commerce, Treasury, and possibly other agencies. The Department of Homeland Security and the National Institutes of Health were later added to the list.
Thursday’s CISA alert provided an unusually bleak assessment of the hack; the threat it poses to government agencies at the national, state, and local levels; and the skill, persistence, and time that will be required to expel the attackers from networks they had penetrated for months undetected.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” officials wrote in Thursday’s alert. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
The officials went on to provide another bleak assessment: “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available.”
The advisory didn’t say what the additional vectors might be, but the officials went on to note the skill required to infect the SolarWinds software build platform, distribute backdoors to 18,000 customers, and then remain undetected in infected networks for months.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” they wrote. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered.”
That is why there is such a focus on Space Force leading the way to secure Cyberspace. You can read more about that here in a previous posting….