7.1 C
New York
Friday, December 1, 2023

No One Knows How Deep Russia's Hacking Rampage Goes

Since as far back as March, Russian hackers have been on a sinister tear. By slipping tainted updates into a widely used IT management platform, they were able to hit the United States Commerce, Treasury, and Homeland Security departments, as well as the security firm FireEye. In truth, no one knows where the damage ends; given the nature of the attack, literally thousands of companies and organizations have been at risk for months. It only gets worse from here.

The attacks, first reported by Reuters on Sunday, were apparently carried out by hackers from the SVR, Russia's foreign intelligence service. These actors are often classified as APT 29 or "Cozy Bear," but incident responders are still attempting to piece together the exact origin of the attacks within Russia's military hacking apparatus. The compromises all trace back to SolarWinds, an IT infrastructure and network management company whose products are used across the US government, by many defense contractors, and by most Fortune 500 companies. SolarWinds said in a statement on Sunday that hackers had managed to alter the versions of a network monitoring tool called Orion that the company released between March and June.

"We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack," the company wrote.

SolarWinds has hundreds of thousands of clients in all; it said in a Securities and Exchange Commission disclosure on Monday that as many as 18,000 of them were potentially vulnerable to the attack.

Both FireEye and Microsoft detailed the flow of the attack. First the hackers compromised SolarWinds' Orion update mechanism so that its systems could distribute tainted software to thousands of organizations. The attackers could then use manipulated Orion software as a backdoor into victims' networks. From there, they could fan out within target systems, often by stealing administrative access tokens. Finally, with the keys to the kingdom—or large portions of each kingdom—the hackers were free to conduct reconnaissance and exfiltrate data.

This sort of so-called supply chain attack can have dire consequences. By compromising one entity or manufacturer, hackers can undermine target security efficiently and at scale.

This wouldn't be the first time Russia relied on a supply chain attack for widespread impact. In 2017, the country's GRU military intelligence used access to the Ukrainian accounting software MeDoc to unleash its destructive NotPetya malware around the world. The attack on SolarWinds and its customers seems to have focused on targeted reconnaissance rather than destruction. But with quiet and nuanced operations there is still a very real risk that the full extent of the damage won't be immediately clear. Once attackers have embedded themselves in target networks—often called "establishing persistence"—simply updating the compromised software isn't enough to flush the attackers out. Just because Cozy Bear was caught doesn't mean the problem is resolved.

In fact, FireEye emphasized on Sunday that the attack is currently ongoing. The process of identifying potential infections and tracing their source will be time-consuming.

"The attackers in question have been especially discrete in using network infrastructure," says Joe Slowik, a researcher at the threat intelligence firm DomainTools. "Particularly, they appear to have largely relied upon renewing or re-registering existing domains rather than creating completely new items, and using a variety of cloud hosting services for network infrastructure." These techniques help attackers mask clues about their identity, cover their tracks, and generally blend in with legitimate traffic.

The extent of the damage is also difficult to get a handle on because Orion is itself a monitoring tool, setting up a bit of a "who watches the watchers" issue. For that same reason, systems also grant Orion trust and privileges on user networks that have value for attackers. Victims and potential targets must consider the possibility that these attacks also compromised much of their other infrastructure and authentication mechanisms using Orion's pervasive access. The extent of the exposure at US government agencies is still unknown; the revelation that DHS was impacted as well didn't come until Monday afternoon.

"We should expect that other organizations in the supply chain are compromised as well," says David Kennedy, CEO of the threat tracking firm Binary Defense Systems, who formerly worked at the NSA and with the Marine Corps' signal intelligence unit. "Nation states typically use these types of attacks for highly targeted efforts, but still the impact you have to assume is huge and has direct impact on national security."

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a series of alerts on Sunday and an Emergency Directive for federal agencies to check for compromise and disconnect SolarWinds Orion products. "We urge all our partners—in the public & private sectors—to assess their exposure to this compromise and to secure their networks," CISA tweeted earlier today. In recent weeks CISA's director, and assistant director have stepped down or been fired by president Donald Trump, and other high-ranking DHS cybersecurity officials have been pushed out as well. The exodus comes at an inopportune time, as CISA helps coordinate a defensive push across government.

The White House National Security Council, which reportedly held an emergency meeting on Saturday, said via spokesperson John Ullyot on Monday that it is collaborating with CISA, the FBI, and the intelligence community to respond with "a swift and effective whole-of-government recovery."

For its part, the Russian embassy denied the country's involvement on Sunday, calling the preliminary attribution "unfounded attempts of the US media to blame Russia for hacker attackes [sic] on US governmental bodies." The embassy statement added that "Russia does not conduct offensive operations in the cyber domain."

Attackers around the world have increasingly leaned on supply chain attacks to gain maximum access or destructive power quickly and effectively. And the security community has warned about their very real, worst-case-scenario danger. The eventual extent of the SolarWinds fallout will likely prove them right.

Related Articles

Latest Articles