A major breach at US network software company SolarWinds opened the door for Russian hackers to monitor US government departments and some of the country’s biggest businesses for months.
Earlier this year, bad actors conducted a supply chain attack targeting SolarWinds, successfully planting malware in updates for its enterprise-level network monitoring platform, Orion.
The malware was discovered by security firm FireEye, which was recently hit by a potentially related breach.
Once inside a host system, the backdoor would lie dormant for over a week before contacting a command-and-control server, which would instruct it to begin profiling the host machine and disabling system services.
Because it was digitally signed and disguised its network traffic as that of another Orion protocol, the malware had long gone undetected.
News of the breach triggered an emergency National Security Council meeting at the White House, Reuters reported, and no doubt caused alarm among SolarWinds’ clients, which, according to the company, included most of the Fortune 500 along with the major US telcos, accountancy firms, and military and security agencies.
An emergency directive from the US Cybersecurity and Infrastructure Security Agency (CISA) said the SolarWinds breach “poses unacceptable risks” to the nation’s networks.
CISA told federal agencies to begin scanning for signs of compromise and try to hunt down new user accounts that might have been created by the attackers.
They were also told to kill the dodgy versions of Orion, block network traffic, and stay off the enterprise domain until they rebuilt their Windows OS across the agency.
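One way a responder can act on the account-hunting part of that directive is to sweep domain-controller security logs for accounts created during the suspected intrusion window and see whether any were then placed in a privileged group. The script below is an added example, not code from the article, from CISA or from SolarWinds; the event records, hostnames, account names and dates are all constructed for illustration, and it assumes a flat export where each Windows Security event carries a timestamp, event ID, host, acting principal and target account.

```python
"""Hunt for user accounts created during a suspected intrusion window.

Added example (not from the article, CISA or SolarWinds): walks a constructed
export of Windows Security events and flags account-creation events
(Event ID 4720) inside the window the responder supplies, plus any such
account that was afterwards added to a privileged group (Event ID 4728/4732).
"""
from datetime import datetime, timezone

# Constructed sample events, modelled on the fields a Security log export
# carries; hostnames, principals and times are made up for this example.
SAMPLE_EVENTS = [
    {"time": "2020-03-01T09:12:00Z", "event_id": 4720, "host": "DC01",
     "subject": "CORP\\helpdesk1", "target": "CORP\\jsmith"},
    {"time": "2020-04-15T02:41:17Z", "event_id": 4720, "host": "DC01",
     "subject": "CORP\\svc_orion", "target": "CORP\\backup_admin"},
    {"time": "2020-04-15T02:42:05Z", "event_id": 4728, "host": "DC01",
     "subject": "CORP\\svc_orion", "target": "CORP\\backup_admin",
     "group": "Domain Admins"},
    {"time": "2020-05-02T11:00:00Z", "event_id": 4720, "host": "DC02",
     "subject": "CORP\\helpdesk1", "target": "CORP\\mlee"},
    {"time": "2020-06-20T10:30:00Z", "event_id": 4624, "host": "DC01",
     "subject": "-", "target": "CORP\\mlee"},
]

ACCOUNT_CREATED = 4720
# 4728: member added to a security-enabled global group; 4732: to a local group.
GROUP_ADD_EVENTS = {4728, 4732}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}


def parse_time(value):
    """Parse the ISO-8601 UTC timestamps used in the export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def hunt_new_accounts(events, window_start, window_end):
    """Return accounts created inside [window_start, window_end], keyed by
    account, with the creating principal, the host, and any privileged-group
    additions that followed the creation."""
    start, end = parse_time(window_start), parse_time(window_end)
    findings = {}
    # Process in time order so group additions are matched to prior creations.
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        ts = parse_time(ev["time"])
        if ev["event_id"] == ACCOUNT_CREATED and start <= ts <= end:
            findings[ev["target"]] = {
                "created": ev["time"], "by": ev["subject"], "host": ev["host"],
                "privileged_groups": [],
            }
        elif ev["event_id"] in GROUP_ADD_EVENTS and ev["target"] in findings:
            if ev.get("group") in PRIVILEGED_GROUPS:
                findings[ev["target"]]["privileged_groups"].append(ev["group"])
    return findings


if __name__ == "__main__":
    # The window stands in for the months-long head start the article describes;
    # the dates are made up for this example.
    hits = hunt_new_accounts(SAMPLE_EVENTS, "2020-03-15T00:00:00Z", "2020-06-30T00:00:00Z")
    for account, detail in hits.items():
        flag = " PRIVILEGED" if detail["privileged_groups"] else ""
        print(f"{account} created {detail['created']} by {detail['by']} on {detail['host']}{flag}")
```

Accounts created before the window are left out, and an account created by a service principal and promoted within a minute is the kind of finding worth escalating first; in a real environment the events would come from a SIEM or an evtx export rather than an inline list.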
Microsoft published its own advisory about what it called “nation-state activity at significant scale” in which the tech giant warned of techniques it spotted during the ongoing attacks.
It’s an alarming document that warns attackers have been found forging SAML tokens that can be used to create fake privileged user accounts to compromise on-premises or cloud assets.
In a filing to the US Securities and Exchange Commission, SolarWinds estimated that “fewer than 18,000” customers were running a version of Orion that contained the backdoor.
But with a months-long head start it will be difficult for affected parties to know the extent of intrusions that stemmed from a piece of trusted enterprise software.
Though officially referred to as a vague ‘nation-state actor’, US media outlets quickly named the culprit of the ongoing mass espionage campaign: Russian intelligence.
Mere months ago, Russian President Vladimir Putin issued a statement calling for the Cold War rivals to “reboot” their relations in cyberspace.
Citing that statement, the Russian embassy in the US denied any involvement in the SolarWinds breach.
“Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the embassy said.
“Russia does not conduct offensive operations in the cyber domain.”
The US, UK, and Canada jointly condemned Russian intelligence for a spate of attacks targeting COVID-19 vaccine research earlier this year.