AXEL.org

The SolarWinds Beneath Hackers’ Wings

On December 13th, 2020, cybersecurity firm FireEye disclosed news of one of the most comprehensive cyber-espionage campaigns ever carried out against the United States and other global victims[1]. Since then, a significant amount of information has become public. Here, we summarize the attack, a few notable victims, and look into which hacking group could be responsible.

The infiltration

The attack happened due to an exploit in the Orion software from the company SolarWinds. The Orion Platform is an enterprise monitoring program that can manage and analyze information from traditionally separate IT domains, such as infrastructure, networking, and virtualization.

SUNSPOT

First, the hackers gained access to the SolarWinds Orion build environment. This means they could inject malware directly into the program’s source code before the company sent it to customers in the form of regular updates. It also meant they had to be sophisticated enough to conceal their tracks so that the developers didn’t notice anything out of the ordinary.

The malicious agents then used a new malware called SUNSPOT to install a backdoor into the Orion software[2].  Interestingly, the implantation of this malware required extensive knowledge of both Orion and Microsoft exploits. SUNSPOT works by monitoring the Microsoft operating system and searching for running processes involved with Orion source code compilation. It then injects the backdoor code (codename SUNBURST) into one of the Orion source files before the compiler runs and the software officially updates.

SUNBURST

After implantation, the SUNBURST backdoor has a dormancy period of approximately two weeks[3]. Disguised as a legitimate Orion plugin, the trojan payload connects to a third-party server, retrieves various commands, and executes them. These commands allow the plugin to take over the host computer completely. Now the group can:

  • Transfer files. Allows the hackers to retrieve files from the host computer as well as send more infected payloads.
  • Execute files. Allows hackers to install more malware onto the compromised systems.
  • Profile the system. Searches for more vulnerabilities and maps the network’s layout.
  • Reboot the machine. Hackers can reboot systems after malware installations.
  • Disable system services. This makes it easier to conceal activities since monitoring programs and antivirus software can be shutdown.

Analysts continue to find new malware installed by the SolarWinds hackers as they spend more time studying the breach.

The compromised

SolarWinds had over 300,000 customers. That includes 425 FORTUNE 500 companies and all five branches of the United States government[4]. While it’s unlikely the hackers actively infiltrated every organization using the software, the company believes that up to 18,000 of them using their Orion Platform could have malware installed. Full breaches did occur to many high-profile targets. Here is an abbreviated list of victims:

Microsoft

As we’ve seen, the hackers had a deep understanding of Microsoft cloud software. In fact, Microsoft representatives had to admit that the malicious agents viewed their product’s proprietary source code[5]. Although the intruders could not alter any of the code, even viewing it is a significant incident. Large tech corporations such as Microsoft keep their source code under serious security. Their intellectual property is the lifeblood of their businesses, so it goes to show how deep the hackers were in their systems.

FireEye

FireEye is one of the largest, most-respected cybersecurity firms in the world. They initially found the attack, but only because the company itself fell victim. The hackers accessed FireEye’s internal systems and stole security testing tools, but the company insists no customer data was compromised[6]. Regardless, it’s interesting that an organization whose entire business is protecting others from hackers got hacked.

Administrative Office of the U.S. Courts

Federal agencies seem to be the main targets of the perpetrators behind the hack.  The Administrative Office of the U.S. Courts has publicly confirmed being affected by the incident[7]. This is troubling because officials claim the threat actors compromised an electronic document filing system used by the Federal Judiciary. So, highly-sensitive federal court documents have been accessible to hackers since the Spring of 2020!

Department of Energy

A representative for the department confirmed that the SolarWinds malware infected systems within the Department of Energy and the National Nuclear Security Administration. Now that sounds serious! Fortunately, it does not appear that the hackers accessed networks pertaining to national security. On December 18th, DOE spokesperson Shaylyn Hynes said, “At this point, the investigation has found that the malware has been isolated to business networks only..[8]” and there have not been any updates since.

Department of Justice

The U.S. DOJ didn’t get off as easily as others. Here, the hackers moved through their network and accessed the email accounts of thousands of employees[9]. According to a DOJ spokesman, it “only” amounted to approximately 3% of the workforce, and the culprits did not breach any classified information. However, that still means over 3,000 people had their accounts infiltrated.

This is only 5 of the over 250 organizations listed by Bleeping Computer confirmed to be affected[10]. There are hundreds more, including The United States Treasury, The Department of Homeland Security, the United States Department of State, The Department of Health’s National Institutes of Health, Cisco, VMWare, Intel, and so on. It is undoubtedly the most comprehensive and dangerous hack ever known.

The perpetrators

Immediately after FireEye disclosed the attack to the public, Reuters reported that state-sponsored Russian hackers were thought to be behind it[11].  On December 14th -one day after the initial disclosure- the Washington Post went as far as to attribute it specifically to the Russian Advanced Persistent Threat group (APT), Cozy Bear[12]. Typically, the digital forensics necessary to pinpoint attribution of an attack take weeks or months, and many times it is never certain. Dedicated cybersecurity websites such as FireEye have not given direct attribution, showing the gulf of technical knowledge between the mainstream media and those with more experience. Given the geopolitical implications (U.S. politicians immediately began saber-rattling and calling the intrusion an “act of war”[13]), news outlets should wait for more facts to come out before running with the most inflammatory stories possible.

The evidence

So, what are the facts? At the moment, they’re pretty scarce. A joint statement by the FBI, CISA, NSA, and The Office of the Director of National Intelligence says that is “likely” to blame for the massive attack[14]. President Trump says [15]. Neither offer much evidence to back their claims.

The only evidence made public tying any specific group to the incident was recently published by the cybersecurity firm Kaspersky. Their researchers found code overlap between SUNBURST and the malware Kazuar[16]. The Russian-speaking hacker group Turla (note: NOT Cozy Bear) uses Kazuar. They don’t go so far as to provide any degree of certainty for the link, however. There are other potential explanations for the similarities.

The alternative explanations

The SolarWinds hackers may have purchased the Kazuar malware tools. Or, more insidiously, the perps could have purposefully inserted code to make it appear as if it were a Russian operation to conceal its true origin. That may seem too much like a Hollywood movie, but consider the tremendous technical lengths to which the hackers went to stay hidden. Adding another layer of covertness isn’t so far-fetched.

And, there is recent precedent for such tactics. In 2018, the threat actors behind the PyeongChang Olympics attack planted “false flags” within their code to obfuscate the source[17]. The Turla group itself employed deceitful methods in 2019 to pin their activities on Iran[18]. So, if Turla is capable of this, and the SolarWinds attack itself was so sophisticated and obscured, why would they leave such a calling card in their code?

This is not to claim that this attack is definitely not of Russian origin. Indeed, they have the motive and the capabilities. But, we should acknowledge that it is very uncertain at the moment. Kaspersky, FireEye, Crowdstrike, and others have gone out of their way not to blame any particular threat actor with any confidence. The mainstream media should follow suit. Let the forensic investigations continue and see where the evidence leads. At the moment, it points toward Russia, but not conclusively.

Data protection

If enormous breaches like this teach us anything, it’s that your data needs to be protected. Secure your data at rest and in motion with AXEL Go. AXEL Go is a file-sharing and storage platform that offers industry-leading security features. Utilizing technology such as blockchain, the InterPlanetary File System (IPFS), and AES 256 encryption, you can keep your sensitive documents safe from any would-be data thieves.

Sign up for our Basic, full-featured AXEL Go account and receive 2GB of free online storage and plenty of AXEL Tokens to fuel thousands of typical shares. You don’t have to live in fear of when the next breach will happen. You can secure your files with AXEL Go.

 

[1] “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”, FireEye, Dec. 13, 2020, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[2] “CrowdStrike Intelligence Team”, “SUNSPOT: An Implant in the Build Process”, CrowdStrike, Jan. 11, 2021, https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

[3] “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”, FireEye, Dec. 13, 2020, https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

[4] Gopal Ratnam, “SolarWinds Hack Recovery May Cost Upward of $100B”, Government Technology, Jan. 12, 2021, https://www.govtech.com/security/SolarWinds-Hack-Recovery-May-Cost-Upward-of-100B.html

[5] Maggie Miller, “Microsoft says hackers viewed source code as part of SolarWinds attack”, MSN, Dec. 31, 2020, https://www.msn.com/en-us/news/politics/microsoft-says-hackers-viewed-source-code-as-part-of-solarwinds-attack/ar-BB1co3VF

[6] Mike Lennon, “FireEye Says ‘Sophisticated’ Hacker Stole Red Team Tools”, Security Week, Dec. 8, 2020, https://www.securityweek.com/fireeye-says-sophisticated-hacker-stole-red-team-tools

[7] Dustin Volz, Robert McMillan, “Federal Judiciary’s Systems Likely Breached in SolarWinds Hack”, The Wall Street Journal, Jan. 7, 2021, https://www.wsj.com/articles/federal-judiciarys-systems-likely-breached-in-solarwinds-hack-11610040175

[8] “DOE Update on Cyber Incident Related to Solar Winds Compromise”, Energy.gov, Dec. 18, 2020, https://www.energy.gov/articles/doe-update-cyber-incident-related-solar-winds-compromise

[9] Catalin Cimpanu, “SolarWinds fallout: DOJ says ahckers accessed its Microsoft O365 email server”, ZDNet, Jan. 6, 2021, https://www.zdnet.com/article/solarwinds-fallout-doj-says-hackers-accessed-its-microsoft-o365-email-server/

[10] Sergiu Gatlan, “SolarWinds victims revealed after cracking the Sunburst malware DGA”, Bleeping Computer, Dec. 22, 2020, https://www.bleepingcomputer.com/news/security/solarwinds-victims-revealed-after-cracking-the-sunburst-malware-dga/

[11] Raphael Satter, “IT company SolarWinds says it may have been hit in ‘highly sophisticated’ hack”, Reuters, Dec. 13, 2020, https://www.reuters.com/article/us-usa-solarwinds-cyber/it-company-solarwinds-says-it-may-have-been-hit-in-highly-sophisticated-hack-idUSKBN28N0Y7

[12] Ellen Nakashima, Craig Timberg, “Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce”, The Washington Post, Dec. 14, 2020, https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html

[13] Maggie Miller, “Lawmakers ask whether massive hack amounted to act of war”, The Hill, Dec. 18, 2020, https://thehill.com/policy/cybersecurity/530784-lawmakers-ask-whether-massive-hack-amounted-to-act-of-war

[14] “JOINT STATEMENT BY THE FEDERAL BUREAU OF INVESTIGATION (FBI), THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY (CISA), THE OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE (ODNI), AND THE NATIONAL SECURITY AGENCY (NSA)”, CISA.gov, Jan. 5, 2021, https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure

[15] Justin Sink, “Faced with massive suspected Russian cyber-attack on the U.S. government, Trump blames China”, Fortune, Dec. 21, 2020, https://fortune.com/2020/12/21/faced-with-massive-suspected-russian-cyber-attack-on-the-u-s-government-trump-blames-china/

[16] Tara Seals, “SolarWinds Hack Potentially Linked to Turla APT”, threat post, Jan. 11, 2021, https://threatpost.com/solarwinds-hack-linked-turla-apt/162918/

[17] Tom Spring, “Olympic Destroyer: A False Flag Confusion Bomb, threat post, March 8, 2018, https://threatpost.com/olympic-destroyer-a-false-flag-confusion-bomb/130262/

[18] Oscar Williams, “Russia’s Turla hackers used Iranian cyber weapons to “mask identity”, says NCSC”, NS Tech, Oct. 21, 2019, https://tech.newstatesman.com/security/russia-turla-iran-ncsc