Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

COMPROMISED: U.S. Dept. of Commerce, Treasury, State Department, NIH, Homeland Security and the Pentagon

December 15, 2020

Graham Cluley reported on December 15 that the United States Department of Commerce, Treasury, State Department, National Institutes of Health, Homeland Security, and the Pentagon have had their networks compromised in what seems to have been a massive supply-chain attack on American government systems.

The unwitting source seems to be enterprise monitoring software company SolarWinds, which has more than 300,000 customers worldwide. In a regulatory disclosure issued yesterday, SolarWinds offered limited details of what happened.

According to the company, hackers "inserted a vulnerability within its Orion monitoring products which, if present and activated, could potentially allow an attacker to compromise the server on which the Orion products run."

The vulnerability was present within the Orion products and existed in updates to the product released between March and June 2020, after the attackers compromised the software build system for Orion.

SolarWinds said that it believed the security breach was likely the result of "a highly sophisticated, targeted and manual supply chain attack by an outside nation state."

Some experts are already blaming the APT29 hacking group (also known as "the Dukes" or "Cozy Bear"), which has close ties to Russian intelligence, but SolarWinds says it has not confirmed the identity of its attackers.

The breaches, which were made public after the high-profile state-sponsored compromise of cybersecurity company FireEye, are said to have resulted in some 18,000 customers of SolarWinds downloading malicious versions of Orion that could have been exploited by the hackers to gain backdoor access to their networks.

Currently, we don't know how many of those customers have actually experienced a data breach.

The prevailing theory seems to be that a state-sponsored attacker is responsible for the attack, perhaps focusing their attention on the highest value targets inside the US government.

The United States Cybersecurity & Infrastructure Security Agency (CISA) has issued an emergency directive urging all federal agencies to check their networks for evidence that they might have been compromised and disable SolarWinds Orion products immediately.

In a security advisory, SolarWinds has told at-risk customers to upgrade to Orion Platform version 2020.2.1 HF 1 "as soon as possible to ensure the security of your environment."

This is one heck of a disturbing story. I sure hope the President-elect is working hard on plans to shore up the cybersecurity of federal government entities.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson