Cybersecurity Threat Advisory 0073-20: December 2020 Global Intrusion Campaign
On December 8th, 2020, an extremely pervasive and serious global intrusion campaign was detected and communicated to the broader cybersecurity community and the media. The actors behind this campaign gained access to numerous public and private organizations around the world and are suspected to be foreign state related. Evidence of this campaign can be traced back as far as Spring of 2020 or even earlier.
This campaign is considered extremely serious for multiple reasons:
- The targets of the attack are government and military entities with the potential to affect the national security of the United States and potentially other governments
- At least one of the methods used to gain access created a backdoor in commonly used software, SolarWinds Orion, impacting potentially 18,000 organizations
- Other pervasively used software companies from companies like Microsoft, Cisco, VMware may be affected leading to potential secondary data breaches.
- The actors have had significant time to infiltrate and maintain persistent access to their targets
- Follow on actors may use these vulnerabilities to steal information or executive destructive actions beyond the original objectives of the campaign
Technical detail and additional information
The core of the campaign is a “supply chain” attack. In a supply chain attack, the attacker’s ultimate target is indirectly penetrated by first compromising third party software used by the target. This is done when the actual target of the attack is strongly defended but is using third party software that can be more easily attacked.
In this case, the primary known point of penetration was via the software developer SolarWinds and their infrastructure monitoring and management product Orion. The SolarWinds organization was compromised, allowing the attacker to add malicious code to the Orion product. The updated code was hidden and sent to all customers of SolarWinds Orion through Orion’s normal update process. Once updated the attacker then had a remote access “backdoor” into any organization using the updated SolarWinds Orion product. The end result is depicted in the figure below. The details of this attack have been detailed in SKOUT’s advisories (Advisory 0069-20 and Advisory 0068-20)).
Additional supply chain attacks related to this campaign or discovered in the course of investigating this campaign are known to have occurred in companies such as Microsoft, Cisco and AT&T. Security researchers expect to find additional vulnerabilities as their investigation progresses, but they may not all be directly related to this campaign. An example is a recent disclosure of a vulnerability in the SolarWinds N-Central product (MS-ISAC: 2020-170).
Who has been impacted?
At this time, the nation state attack has affected US government agencies, public and private organizations across the globe and is one of the largest attacks ever carried out. From what we know, the following agencies and private companies have been impacted by this breach.
|Department of Homeland Security||NSA|
|National Institutes of Health||NASA|
|Department of Energy||The Department of Justice|
|Department of Commerce||The State Department|
|State and local governments||Department of Defense|
|The Office of the President of the United States||The US Army, Marine, Navy, Air Force, Coast Guard|
|The Secret Service||The Federal Reserve|
Major Private Organizations:
|Credit Suisse||Time Warner|
|Lockheed Martin||The New York Times|
Should I be worried?
The SolarWinds breach is serious and if an organization uses the impacted product, it needs to take immediate mitigating action by removing SolarWinds Orion from their network until the network can be closely monitored for potential compromise. Additional detailed instructions are provided in Advisory 0069-20.
Additionally, the SolarWinds breach enabled the attacker to compromise secondary supply chain targets such as Cisco and Microsoft. By those organizations being compromised, there is a risk of secondary supply chain attacks being executed to their trust networks. For this reason, even if an organization does not use SolarWinds products, there is a possibility that they may affected via the larger incident by using products from these other organizations. As a starting point the following is a list of key software to be looking at and related actions to take:
SolarWinds Orion: Advisory 0069-20
Microsoft: Advisory 0070-20
SolarWinds N-Central: Advisory 0071-20
Cisco: Advisory 0072-20
It is important to be on the lookout for further affected software. Updates on the situation will likely continue for some time. As part of those updates, we will likely hear of more and more organizations having been compromised.
What can I do Proactively?
We recommend that even if the impacted tools are not used in your network environment, that standard hardening measures are taken, email and endpoint protection is being used, and user accounts are audited. In addition, it’s important to classify your assets based on the impact it can have on your environment both in confidentiality as well as availability (for example if you had to shut down the product).
If your organization has vendor owned devices in your network, we recommend the following:
• Auditing these systems for vulnerabilities and methods for hardening the system around these weaknesses.
• Review accounts granted to trusted third parties to ensure that an appropriate level of access has been granted.
• If possible, update the credentials used by these accounts as soon as possible due to the risk of authentication tokens being compromised in the vendor’s network.
What can I say to my clients, leadership, employees or other non-security focused individuals who ask me about this attack?
A popular network monitoring application SolarWinds Orion that is used by many companies and government agencies is now known to have been compromised. The perpetrator of the attack is extremely sophisticated and were able to operate through-out much of 2020 without detection. It is likely the perpetrator is funded by a government (known as a foreign state actor) for the purpose of international espionage. However, the potential impact of the compromise goes well beyond the SolarWinds software and United States national security as an extensive number of government, military, and private organizations may have been compromised as part of this campaign. This means that even organizations that do not use SolarWinds Orion product may be at risk through second-hand stolen data or secondary breaches that are discovered.
Due to the large impact of this event, it is likely that it will influence cybersecurity legislation and compliance as the investigation details are released. This incident is still in its infancy and the focus is on containment. Organizations should be made aware of the magnitude of the attack and remain up to date on security related legal matters as they develop.
As new information is released SKOUT CYBERSECURITY will continue to update this advisory on our website and our Customer Security Dashboard.
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.