
The supply chain attack used to breach federal agencies and at least one private company poses a “grave risk” to the United States, in part because the attackers likely used more than just the SolarWinds backdoor to penetrate networks of interest, federal officials said Thursday. One of those networks belongs to the National Nuclear Security Administration, which oversees the Los Alamos and Sandia laboratories, according to a report from Politico.
“This adversary has demonstrated an ability to exploit software supply chains and has shown significant knowledge of Windows networks,” officials with the Cybersecurity and Infrastructure Security Agency wrote in an advisory. “The adversary likely has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.” CISA, as the organization is abbreviated, is a branch of the Department of Homeland Security.
Elsewhere, officials wrote: “CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
Reuters, meanwhile, reported that the attackers had broken into a separate key technology provider and used that compromise to reach high-value targets. The news service cited two people who were briefed on the matter.
The attackers, whose operation CISA said began no later than March, managed to remain undetected until last week, when security firm FireEye reported that hackers backed by a nation state had breached its network. Earlier this week, FireEye reported that the hackers were compromising targets through Orion, a widely used network management tool from SolarWinds. After taking control of the Orion update mechanism, the attackers used it to install a backdoor that FireEye researchers call Sunburst.
On Sunday, multiple news outlets, citing anonymous sources, reported that the hackers had used the Orion backdoor to penetrate networks belonging to the Commerce Department, the Treasury Department, and possibly other organizations. The Department of Homeland Security and the National Institutes of Health were subsequently added to the list.
A grim assessment
CISA’s advisory on Thursday provided an unusually grim assessment of the hack, the threat it poses to government agencies at the national, state, and local levels, and the skill, persistence, and time it will take to expel the attackers from networks they had penetrated for an unknown number of months.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” officials wrote in Thursday’s advisory. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
Officials went on to provide another grim assessment: “CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this advisory as new information becomes available.”
The advisory did not say what the additional vectors might be, but officials went on to note the skill needed to compromise SolarWinds’ software build platform, distribute backdoors to 18,000 customers, and then remain undetected inside infected networks for months.
“This adversary has demonstrated an ability to exploit software supply chains and has shown significant knowledge of Windows networks,” they wrote. “The adversary likely has additional initial access vectors and tactics, techniques, and procedures (TTPs) that have not yet been discovered.”
Among the many federal agencies that reportedly used SolarWinds Orion was the Internal Revenue Service. On Thursday, Senate Finance Committee Ranking Member Ron Wyden (D-Ore.) and Senate Finance Committee Chairman Chuck Grassley (R-Iowa) sent a letter to IRS Commissioner Chuck Rettig requesting that he brief them on whether taxpayer data had been compromised.
They wrote:
The IRS appears to have been a customer of SolarWinds as far back as 2017. Given the sensitivity of the personal taxpayer information entrusted to the IRS, and the harm to both Americans’ privacy and our national security that could result from the theft and exploitation of this data by our adversaries, it is imperative that we understand the extent to which the IRS may have been compromised. It is also critical that we understand what actions the IRS is taking to mitigate any potential damage, ensure that hackers do not still have access to internal IRS systems, and prevent future compromises of taxpayer data.
IRS representatives did not immediately return a phone call seeking comment for this post.
The CISA advisory said the key takeaways from the investigation so far are:
- This is a patient, well-resourced, and focused adversary that has sustained long-duration activity on victim networks.
- The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor has used.
- Not all organizations that received the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
- Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation.
What has emerged so far is that this is a massive hack whose full scope and effect will not be known for weeks or even months. Expect more shoes to drop, early and often.