What We Know
On the 8th of December 2020, FireEye, a US-based cybersecurity company, notified the market that it had been attacked by what the company believed was a nation-state actor, who gained access to some of FireEye's Red Team tools.
Five days later, on the 13th of December 2020, reporting in major US news outlets indicated that US government agencies had been breached in what appeared to be a complex cyberattack. On that same day the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all US federal civilian agencies to "review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately."
The CISA notification was followed by a SolarWinds filing with the Securities and Exchange Commission (SEC). That filing noted that SolarWinds was made aware of a “cyberattack that inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run.”
Broader Significance
Reports indicate that the initial supply chain insertions date back to 2019, but those were likely just for testing. While not 100% confirmed, everything found so far implicates the Russian state-sponsored hacker group Cozy Bear. Reaching full certainty on the identification of the threat actor is vitally important, because the response could include sanctions or other actions. This threat actor was very disciplined, working hard to stay undetected while moving laterally through infected networks. SolarWinds Orion was just the entry point.
Among the next steps the attacker took after establishing the initial foothold was to compromise the Security Assertion Markup Language (SAML) signing certificate using escalated Active Directory privileges. Once this was accomplished, the attacker could mint unauthorized but validly signed tokens and present them to any service that trusts SAML tokens from the environment, which includes many business applications:
- SaaS applications that use SAML for single sign-on (e.g. business applications and email services)
- File storage services (such as SharePoint and OneDrive for Business)
- Kubernetes and container environments that rely on Active Directory for authentication
These kinds of services are prime targets for espionage and data collection. Access to email and file repositories provides visibility into troves of sensitive communications and content.
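As an added defender-side illustration (not code from the original article or from any vendor named in it), the following Python correlates SAML assertions accepted by a relying party against the identity provider's own token-issuance audit log. A token forged with a stolen signing certificate passes ordinary signature validation, so the durable signal is an accepted assertion the IdP never recorded issuing. The record shapes, the pinned thumbprint and the log entries are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class IdpIssuance:
    """One token-issued audit event from the identity provider (constructed shape)."""
    assertion_id: str
    subject: str

@dataclass(frozen=True)
class AcceptedAssertion:
    """One SAML assertion a relying party accepted (constructed shape)."""
    assertion_id: str
    subject: str
    signing_cert_thumbprint: str
    not_before: datetime
    not_on_or_after: datetime

def find_suspicious(accepted, issued, expected_thumbprint, max_lifetime=timedelta(hours=1)):
    """Return (assertion_id, [reasons]) for accepted assertions the IdP cannot account for.
    A token forged with a stolen signing certificate carries a valid signature, so a
    signature check alone passes; the tell is that the IdP never logged issuing it.
    """
    by_id = {i.assertion_id: i for i in issued}
    findings = []
    for a in accepted:
        reasons = []
        if a.signing_cert_thumbprint.lower() != expected_thumbprint.lower():
            reasons.append("signed by a certificate other than the pinned IdP certificate")
        match = by_id.get(a.assertion_id)
        if match is None:
            reasons.append("no issuance event at the IdP")
        elif match.subject != a.subject:
            reasons.append("subject differs from the IdP issuance record")
        if a.not_on_or_after - a.not_before > max_lifetime:
            reasons.append("validity window exceeds policy")
        if reasons:
            findings.append((a.assertion_id, reasons))
    return findings

# Constructed sample data, not real logs. PINNED is a placeholder certificate thumbprint.
PINNED = "aa11bb22cc33"
ISSUED = [IdpIssuance("_a1", "alice@example.test"), IdpIssuance("_a2", "bob@example.test")]
T0 = datetime(2020, 12, 14, 9, 0, tzinfo=timezone.utc)
ACCEPTED = [
    AcceptedAssertion("_a1", "alice@example.test", PINNED, T0, T0 + timedelta(minutes=5)),
    # forged: valid signature from the stolen certificate, but the IdP never issued it
    AcceptedAssertion("_x9", "admin@example.test", PINNED, T0, T0 + timedelta(days=365)),
]
```

Running `find_suspicious(ACCEPTED, ISSUED, PINNED)` flags only `_x9`, for both the missing issuance event and the year-long validity window.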
Free Security CheckUp
Contact Fearing’s today to schedule a FREE Security CheckUp to see if you were one of the tens of thousands, including many government agencies, affected by this next-level sophisticated attack. Our experts will analyze your network and collect comprehensive data on active threats to your complete environment including networks, endpoints and mobile devices. At the end of the analysis period, you will receive a comprehensive report that includes:
- The number of malware infections
- Usage of high-risk web applications
- Intrusion attempts and bot attacks
- Loss of sensitive data
- Threats to endpoints and mobile devices
- Key recommendations to protect your network