DHS Cyber Warriors Issue Warning About Massive Hacking Campaign, Disclose They've Been Hacked A Day Later

from the holy-shit-this-is-bad dept

Welp. Everything is compromised. Again.

Reuters was the first to report suspected Russian hackers had gained access to hundreds of SolarWinds customers, including US government agencies.

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.

[...]

The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick - often referred to as a “supply chain attack” - works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.

A full report by FireEye (which was also a victim of this hacking) details the process used to gain illicit access, which involved leveraging bogus signed components crafted by the hackers and distributed by an unaware SolarWinds. The widespread hacking campaign may have begun as early as March of this year. That it was only discovered now means the fallout from this will continue for months to come.

Here's how the backdoor works, according to FireEye:

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.
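
The FireEye description above says the backdoor's traffic is made to look like the Orion Improvement Program protocol and its results are hidden inside legitimate plugin configuration files, so inspecting content is the wrong place to look. The Python below is added here as an illustration, not code from FireEye, SolarWinds or Techdirt: it shows the control that survives that mimicry, an egress allowlist keyed on host role, run over a few constructed proxy log lines. The host names, roles, log format and the placeholder vendor domains are all assumptions made for the example.

```python
"""Egress-allowlist check for a network-management server, run over constructed proxy logs."""
import re
from collections import Counter
from fnmatch import fnmatchcase

# Constructed inventory: which hosts are Orion servers. A real run pulls this from the CMDB.
HOST_ROLES = {
    "orion-01": "orion-server",
    "wks-042": "workstation",
}

# Per-role egress allowlist. The domains are placeholders, not the vendor's real
# update or telemetry endpoints; populate from the vendor's own documentation.
EGRESS_ALLOWLIST = {
    "orion-server": ["*.vendor-updates.example", "ntp.corp.example"],
}

# Constructed proxy log format: "<timestamp> <src_host> <dst_host>:<port> <method> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>[A-Za-z0-9.-]+):(?P<port>\d+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Constructed sample: one legitimate update fetch, two connections to a look-alike
# host from the Orion server, one workstation line, one malformed line.
SAMPLE_LOG = """\
2020-03-26T09:00:01Z orion-01 updates.vendor-updates.example:443 GET /releases/latest
2020-04-10T09:00:05Z orion-01 api.oip-lookalike.example:443 POST /api/telemetry
2020-04-10T09:00:06Z wks-042 www.search.example:443 GET /
2020-04-11T09:00:05Z orion-01 api.oip-lookalike.example:443 POST /api/telemetry
this line is not in the expected format
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def destination_allowed(role: str, dst: str) -> bool:
    """Glob match on lower-cased names so the result does not depend on the host OS."""
    return any(fnmatchcase(dst.lower(), pat.lower()) for pat in EGRESS_ALLOWLIST.get(role, []))


def find_egress_violations(log_text: str) -> list:
    """Flag any connection from a policed role to a destination outside its allowlist.

    Method, path and body are deliberately ignored: traffic crafted to look like the
    vendor's own protocol passes content inspection, but it still has to go somewhere,
    and a management server has no business talking to hosts outside its policy.
    """
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; count these separately in production
        role = HOST_ROLES.get(rec["src"], "unknown")
        if role not in EGRESS_ALLOWLIST:
            continue  # only roles with a defined policy are policed here
        if not destination_allowed(role, rec["dst"]):
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "role": role})
    return alerts


def summarize(alerts: list) -> Counter:
    """Collapse alerts to (src, dst) pairs so a repeating connection shows as one signal."""
    return Counter((a["src"], a["dst"]) for a in alerts)


if __name__ == "__main__":
    found = find_egress_violations(SAMPLE_LOG)
    for (src, dst), n in summarize(found).items():
        print(f"{src} -> {dst}: {n} connection(s) outside egress policy")
```

Run as a script it prints one line per (source, destination) pair. In practice the allowlist comes from the vendor's published endpoint list and the role map from the asset inventory; a management server contacting anything outside that list deserves an alert even when the request looks exactly like vendor telemetry.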

SolarWinds boasts over 300,000 customers, including 425 Fortune 500 companies, all ten of the top ten telcos, the Pentagon, State Department, NSA, DOJ, and the White House. Its long list of customers (which now returns a 404 error) all but ensures every passing hour will add another victim to the list.

According to SolarWinds' post-attack-discovery SEC filing, it believes only a small percentage of its customers are affected. But even a fraction of its users is still a gobsmacking number of potential victims.

On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.

The attack is serious and widespread enough that the DHS's cybersecurity arm has issued a warning -- one that says the only proven way to mitigate damage at this point is to disconnect affected hardware from the internet and pull the plug on Orion software. The CISA (Cybersecurity and Infrastructure Security Agency) Emergency Directive says this is a persistent threat -- one not easily patched away.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

  • Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems;

  • High potential for a compromise of agency information systems;

  • Grave impact of a successful compromise.

CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.

The directive goes on to mandate reporting on infected systems and for affected agencies to assume the system remains compromised until CISA gives the all-clear. Unfortunately, this grave warning comes from an agency that is also compromised. CISA issued the directive on December 13. Here's what was reported in the early hours of December 14:

US officials suspect that Russian-linked hackers were behind the recent data breach of multiple federal agencies, including the Departments of Homeland Security, Agriculture and Commerce, but are continuing to investigate the incident, multiple sources told CNN Monday.

CNN learned Monday that DHS' cyber arm, which is tasked with helping safeguard the nation from attacks by malicious foreign actors, is among at least three US government agencies compromised in the hack.

In addition to CISA, government officials also suspect breaches at the US Postal Service and the Department of Agriculture. And the Defense Department is in the process of assessing its own exposure, if any. If any of its components have been breached, it has yet to be publicly reported.

The Russian government is denying involvement, but the evidence seems to point to "Cozy Bear," the offensive hacking wing of Russia's intelligence services. Unfortunately, SolarWinds' dominance in the network management field made it that much easier for the attack to scale. And with CISA compromised, the government's attempts to mitigate damage will be slowed as its own cybersecurity wing attempts to rid itself of a persistent threat.


Filed Under: cisa, commerce department, hacking, russia, treasury, vulnerability
Companies: fireeye, solarwinds


Reader Comments

  1. That One Guy (profile), 15 Dec 2020 @ 11:10am

    If you can't secure your own house...

    As bad as this is, and it's really bad, imagine how much worse it could have been had the anti-encryption idiots gotten their way and broken encryption was mandatory. Suddenly hacking a given agency doesn't just give you that agency's information but would also grant you access to countless other platforms and companies via the golden key they want, magnifying the damage enormously.

  2. Designerfx (profile), 15 Dec 2020 @ 11:15am

    probably would be good to link their security advisory

    https://www.solarwinds.com/securityadvisory

    For people who are SolarWinds users, such as myself: our install is also cut off from the internet until the patch is released. There's a whole reddit discussion and alternative channels if people look around.

  3. Faber Schnidejoch, 15 Dec 2020 @ 11:22am (comment flagged by the community)

    Alternate speculation: NSA broke into Dominion, got the goods!

    The company that made the faulty-by-design ballot counting machines by which The Establishment has thus far edged out Trump was perhaps the real target.

    It's reasonable speculation, which for me seems credible because this affected nearly every gov't server with extreme remedy: TAKE OUT the software. -- Perhaps we'll get a more solid "story" later, not necessarily the truth.

    Of course Techdirt sees "Russia" and that's as far as you want to go.

  4. Designerfx (profile), 15 Dec 2020 @ 11:26am

    Re: If you can't secure your own house...

    This is what they want, you can just nerd harder to fix it! /facepalm

  5. Faber Schnidejoch, 15 Dec 2020 @ 11:30am (comment flagged by the community)

    Re: Alternate speculation: NSA broke into Dominion, got the good

    Clarification: by "edged out" I mean was definitely STOLEN but outcome is still on the edge undecided, regardless of Electoral College vote. The polls were entirely wrong about "the Blue wave", the steal was utterly blatant, the machines corrupt by design, so They are still antsy. -- Yes, I know that all I have is possibly disinfo to stall and weary, but your "side" thought the 2016 election was stolen, and now says this one is perfect! We'll see.

  6. Anonymous Coward, 15 Dec 2020 @ 11:49am

    Re: Re: Alternate speculation: NSA broke into Dominion, got the

    Do you have more credible evidence of a "stolen" election than what Trump and his crack(-smoking) team of lawyers have offered to courts?

  7. Anonymous Coward, 15 Dec 2020 @ 11:59am

    Re: Re: Alternate speculation: NSA broke into Dominion, got the

    The person trying to steal the election currently resides in the White House. That attempt started to ramp up with his attack on postal voting.

  8. ECA (profile), 15 Dec 2020 @ 12:59pm

    Soo.

    All these corps/agencies and such.
    Are leaning on a 3rd party to do WHAT?
    But then they are GIVEN a .DLL, that they DIDN'T OPEN AND ANALYSE before Installing on Customer computers?

    So we have a 1st, 2nd, 3rd party situation, where NO ONE Evaluated the original data in a REQUIRED PROGRAM?

    This Really sounds like a setup.

    "Orion Platform products monitor the health and performance of your network through ICMP, SNMP, WMI, API, and Syslog communication and data collection."

    Ok, this is interesting. This program is to Monitor hardware and Watch for failure? Also it monitors other small programs that are traps and data transfer?

    God help us. Why are we paying for this IF this company allows a 3rd party program, that HASN'T been checked and evaluated.
    Also, NOW we know the problem with AUTOMATED SECURITY.

    There Should only be 1 way this could work. IF it wasn't Augmenting programs/data (ya, it was a security program), it could stay hidden a long time just by reading/copying Data and shipping it out, Probably in small batches.
    Otherwise if DATA changes/erases/added SHOULD create a Log file of what happened. And if this DID happen, and it took THIS LONG? we need better Network People. GET away from the corps.

  9. ECA (profile), 15 Dec 2020 @ 1:02pm

    Re: Re: Alternate speculation: NSA broke into Dominion, got the

    FS.
    Can you guess the fault in that?
    That Both parties evaluated the Hardware and software.
    And unless they Paid off the Evaluator (another corp, probably)
    They should have closed and sealed EACH machine. And at the end, checked that nothing has changed.

  10. Anonymous Coward, 15 Dec 2020 @ 1:17pm

    Re: Soo.

    That's the point: the supply-side attack was to add malicious code to real code, so SolarWinds would sign off on it because it was doing as intended.

    Software is tested and scanned, validated as good. Feds have been running the software for years. Patches come out, are tested again, and as noted by FireEye, the malicious code waits two weeks before activating. Patches are almost never stress tested for that long before going live.

  11. Anonymous Coward, 15 Dec 2020 @ 1:41pm

    Re: Soo.

    But then they are GIVEN a .DLL, that they DIDN'T OPEN AND ANALYSE

    That is the same as demanding that someone open and analyse a .exe file before it is used. A DLL is an executable code file. Also, a two-week delay before activating the nasty stuff kept it hidden from pre-release testing inside any organization.

  12. ECA (profile), 15 Dec 2020 @ 5:20pm

    Re: Soo.

    Please.
    If A file can be compiled to a Machine language format, it CAN be de-compiled.
    They know who they got it from, OR SHOULD.
    They are a security and monitoring agency. IT'S NOT HARD, as they should have the programmers to Figure out what's IN THE CODE.

    Fine, let the automated machine test it. The problem is HOW to compare to the LAST .DLL that is in use, and Look at the changes.

  13. Anonymous Coward, 15 Dec 2020 @ 5:58pm

    Re: Re: Soo.

    If A file can be compiled to a Machine language format, it CAN be de-compiled.

    That can work for microcontroller code, but is much, much more difficult for P.C. application code, largely due to the difference in code size, a few tens of KB as opposed to hundreds of KB upwards. The lack of meaningful names for variables and routines, other than external references, makes it difficult to understand the decompiled code.

    The problem is HOW to compare to the LAST .DLL that is in use, and Look at the changes.

    That works if you have the source code, but runs into problems with changes in the file position of code, resulting in trivial changes of call addresses and variable addresses, so that routine boundaries have to be identified before any comparison can take place.

    Also, the evil code has a two-week delay before activating, allowing it to pass pre-release checks, where it behaved as expected.

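The two objections in the comment above, that moving a function changes every call address and that routine boundaries must be found before any comparison, are both real, and the usual answer is to compare per function after masking the position-dependent bytes. The Python below is an added illustration, not code from anyone in this thread: it zeroes the 32-bit displacement of x86 `call`/`jmp` instructions, cuts the image at `ret` bytes to approximate function boundaries, and hashes each piece, so a relinked build compares equal while one with an inserted call does not. The three byte strings are constructed toy images, and the linear byte sweep and the `ret` split are deliberately simple stand-ins for what a real disassembler does.

```python
"""Position-independent, per-function comparison of two builds of the same binary."""
import hashlib

# Opcodes whose operand is a 32-bit relative displacement (x86 call rel32, jmp rel32).
# The displacement changes whenever code moves, even if nothing else did.
REL32_OPCODES = {0xE8, 0xE9}
RET = 0xC3

# Constructed toy images (not real SolarWinds bytes):
#   function 0: push ebp; mov ebp, esp; call <rel32>; pop ebp; ret
#   function 1: xor eax, eax; ret
BUILD_A = bytes.fromhex("55 8B EC E8 10 00 00 00 5D C3 33 C0 C3")
# Same code linked at another address: only the call displacement differs.
BUILD_B = bytes.fromhex("55 8B EC E8 20 00 00 00 5D C3 33 C0 C3")
# Function 0 gained an extra call, which also shifts function 1 within the file.
BUILD_C = bytes.fromhex("55 8B EC E8 10 00 00 00 E8 30 00 00 00 5D C3 33 C0 C3")


def normalize(code: bytes) -> bytes:
    """Zero every rel32 displacement so relocation alone cannot cause a difference.

    This is a linear byte sweep: it will misfire on 0xE8/0xE9 bytes that are data or
    sit inside another instruction. A real tool disassembles instead of guessing.
    """
    out = bytearray(code)
    i = 0
    while i < len(out):
        if out[i] in REL32_OPCODES and i + 5 <= len(out):
            out[i + 1:i + 5] = b"\x00\x00\x00\x00"
            i += 5
        else:
            i += 1
    return bytes(out)


def split_functions(code: bytes) -> list:
    """Approximate routine boundaries by cutting after each ret (0xC3)."""
    funcs, start = [], 0
    for i, b in enumerate(code):
        if b == RET:
            funcs.append(code[start:i + 1])
            start = i + 1
    if start < len(code):
        funcs.append(code[start:])  # trailing bytes with no ret
    return funcs


def function_hashes(code: bytes) -> list:
    """Hash each function after normalization; order follows file position."""
    return [hashlib.sha256(f).hexdigest()[:16] for f in split_functions(normalize(code))]


def compare_builds(old: bytes, new: bytes) -> dict:
    """Report which functions survived, vanished or appeared between two builds."""
    old_h, new_h = function_hashes(old), function_hashes(new)
    old_set, new_set = set(old_h), set(new_h)
    return {
        "raw_identical": old == new,
        "unchanged": [h for h in old_h if h in new_set],
        "removed": [h for h in old_h if h not in new_set],
        "added": [h for h in new_h if h not in old_set],
    }


if __name__ == "__main__":
    for label, build in (("relinked", BUILD_B), ("extra call", BUILD_C)):
        r = compare_builds(BUILD_A, build)
        print(f"{label}: raw identical={r['raw_identical']}, unchanged={len(r['unchanged'])}, "
              f"removed={len(r['removed'])}, added={len(r['added'])}")
```

The same approach scales to a real DLL once the byte sweep is replaced by a disassembler and the `ret` split by its function recovery; the output then says which routines in a signed update are new, which is the question this thread is asking, and one a vendor holding both the source and the previous build is far better placed to answer than a customer.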
  14. BernardoVerda (profile), 15 Dec 2020 @ 7:56pm

    Re: Re: Re: Alternate speculation: NSA broke into Dominion, got

    Guess which party strenuously opposed and successfully killed any and all measures proposed to ensure ballot device/system integrity?

    Whinging now (without a shred of actual evidence) that the other party must have been somehow actively engaged in covertly subverting these systems, is remarkably inconsistent reasoning.

  15. ECA (profile), 15 Dec 2020 @ 11:05pm

    Re: Re: Re: Soo.

    But it's a DLL, that the program needs and they SHOULD already understand how it's supposed to work,
    THIS IS SECURITY. The DLL had to come from 1 place, and if nothing else the company that made it, SHOULD have a copy of the program, at least to verify it. And comparing should NOT be a problem AS they Should have the previous version.
    I know compile and decomp are a PAIN in the butt and can take hours or days. But how high END ARE we paying for?
    The Customer Can now CHARGE the company for a 3rd party mistake/screw up/Sabotage.

  16. Anonymous Coward, 16 Dec 2020 @ 8:33am

    how's that go?

    'location, location, location'

  17. nasch (profile), 16 Dec 2020 @ 7:02pm

    Re: Re: Re: Re: Soo.

    I have never heard of a standard practice of decompiling and analyzing software updates from trusted vendors. Does your company do this? Does anyone?

  18. Tanner Andrews (profile), 17 Dec 2020 @ 1:09am

    Re: Re: Soo.

    If A file can be compiled to a Machine language format, it CAN be de-compiled

    Generally true, but not useful. The decompiled result will be a dog's breakfast because the optimizer shuffles and eliminates things with no regard for human readability. The structure intended to aid human comprehension turns into a bunch of "if condition goto location" code with labels. Trying to undo that is not much easier than re-writing the code yourself.

    Even disassembling assembly suffers from loss of symbolic names and identification of data areas. We can generally handle that, though we still do not have the original author commentary, for assembled code. Compiled code is much, much worse.

    Have you ever read compiler output? Well, imagine trying to do that as an automated process of decompilation.

