In a follow-up to their Emergency Directive, the Cybersecurity and Infrastructure Security Agency (CISA) issued a comprehensive alert on December 17 – Alert AA20-352A – “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Security Organizations.” The alert minces no words: “CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.” CISA cautions that the alert does not supersede the Emergency Directive issued on December 13 for SolarWinds.
This alert confirms the compromise began “at least as early as March 2020” and that, based on initial review, the “threat actor has demonstrated sophistication and complex tradecraft in these intrusions.” CISA notes that it is probable that additional “initial access vectors and tactics, techniques, and procedures (TTPs) have not yet been discovered.” CISA cautions that it expects “removing the threat actor from compromised environments will be highly complex and challenging” given the adversary’s ability to exploit software supply chains and “significant knowledge of Windows network.”
The alert does not name the nation-state, though comments from Senator Richard Blumenthal (D-CT), who received a classified briefing on the SolarWinds compromise, identified the nation state as Russia.
Four key takeaways concerning the SolarWinds compromise contained in the alert:
- This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
- The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
- Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
- Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
As noted in Pull the Plug: CISA’s Emergency Directive on the SolarWinds Compromise, the SolarWinds SEC 8-K filing alluded to Microsoft products being manipulated as part of the greater compromise. Microsoft’s president Brad Smith, in a blog post, provides an update from the company’s perspective concerning “the recent exposure of the world’s latest serious nation-state cyberattack.” He notes this is “not ‘espionage’ as usual, even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the United States and the world.”
SolarWinds noted in their SEC 8-K filing that fewer than 18,000 customers are believed to have been possibly affected; Microsoft, drawing on telemetry from customers running its “Microsoft’s Defender Anti-Virus” software, reports that the cyberattack is global and not limited to the United States.
The distribution, based on Microsoft’s analysis, indicates that of those compromised 18% are government targets (finance, national security, health and telecommunications), 9% are government contractors (those focused on defense and national security), 18% are non-governmental organizations and think tanks, 44% fall under the rubric of Information Technology (software firms, IT services and equipment providers), and 11% are captioned as “other.”
The CISA alert highlights how not all compromised organizations have been exploited (or will be), indicative of targeting triage being carried out by Russia. Microsoft notes that 40 of their customers have been identified as being “targeted more precisely and compromised through additional sophisticated measures.” Of those, 80% are within the United States and the remainder within seven other countries – Canada, Mexico, United Kingdom, Belgium, Spain, Israel and the United Arab Emirates. Smith cautions, “It’s certain that the number and location of victims will keep growing.”
FireEye’s CEO, Kevin Mandia noted, “Based on my 25 years in cyber security and responding to incidents, I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities.” He continued, “They are highly trained in operational security and executed with discipline and focus. They operated clandestinely, using methods that counter security tools and forensic examination. They used a novel combination of techniques not witnessed by us or our partners in the past.”
What FireEye also discovered is that the attacker made off with the company’s “Red Team” tools, which the company uses to assess its own customers’ security. In revealing this theft, FireEye confirms to all that the attackers are not just conducting surveillance but are exploiting their access with care, using “novel techniques” to purloin data.
The discovery by FireEye of the SolarWinds compromise set the mitigation in motion. The fact that it was the company, and not U.S. government entities including DHS/CISA, NSA and CyberCommand, that made the discovery has no doubt caused many candles to be lit past the midnight hour as officials work to determine why the nation’s cybersecurity defenses were not up to the task.
While we learn with each morn of additional agencies or companies being included in the SolarWinds compromise, we should brace ourselves for this to continue for the forthcoming days and weeks. Microsoft and CISA both note how additional entities will be identified as compromised. At this moment, SolarWinds knows who the 17,000-plus customers are who have been affected, as does the nation-state adversary, Russia.