The White House on Sunday acknowledged reports that a group backed by a foreign government carried out a cyberattack on the U.S. Department of the Treasury and a section of the U.S. Department of Commerce. As per a report from The Washington Post, the threat actors are said to belong to the infamous Russian state-sponsored group Cozy Bear, also known as APT29.
The hack was discovered by the cybersecurity firm FireEye, which termed it a “global intrusion campaign.” FireEye’s researchers explained that the threat actors compromised the networks of many public and private organizations by trojanizing updates to a widely used IT infrastructure management product, the Orion Platform from SolarWinds. The compromised updates were those released between March and June 2020.
The SUNBURST Behind the Sudden Burst of Cyberattacks
Researchers further added that this supply chain attack distributed malware called SUNBURST. What sets the malware apart is that the trojanized code remained dormant for the first few weeks to avoid detection and only then began executing commands called “Jobs.” Once active, SUNBURST could transfer and execute files, profile the system, reboot it, and disable system services.
After successful data exfiltration and targeted espionage, SUNBURST additionally dropped other malicious payloads, such as the TEARDROP and BEACON malware, and moved laterally. The SUNBURST malware disguises “its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity.” Hence, its detection is extremely difficult.
Chronology of SUNBURST’s Attack
- Threat actors used Orion.Core.BusinessLayer.dll (b91ce2fa41029f6955bff20079468448), a SolarWinds-signed plugin component of the Orion software framework, which contains an obfuscated backdoor (SUNBURST) that communicates over HTTP with third-party servers. The code is hidden in plain sight, using innocuous-looking variable names and inserting the malicious logic into legitimate components.
- After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer and execute files, profile the system, and disable system services.
- The exfiltrated data is then sent to a command and control (C2) server for further analysis. However, the traffic between the compromised system and the C2 server is disguised as legitimate Orion Improvement Program (OIP) traffic to avoid detection.
- SUNBURST additionally drops other malware payloads and moves laterally to inflict maximum damage.
For additional information about the tactics, techniques, and procedures (TTPs) of the SUNBURST supply chain attack, click here.
What the Government Says
The National Security Council spokesman John Ullyot said, “We can confirm there has been a breach in one of our bureaus. We have asked the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the FBI to investigate.”
CISA, for its part, said in a statement that the agency has been working closely with its partners regarding recently discovered activity on government networks: “CISA is providing technical assistance to affected entities as they work to identify and mitigate any potential compromises.”
.@CISAgov encourages organizations that use SolarWinds Orion Platform software to review the following advisories for information on publicly identified nation state backed threat actor activity: https://t.co/zcAREzsbAX https://t.co/EvIwOsUusV https://t.co/fs5Cn40WAI
— US-CERT (@USCERT_gov) December 14, 2020
The latest announcement comes less than a month after President Donald Trump fired Christopher Krebs, the director of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Krebs had led the effort to protect U.S. elections, but the POTUS said that Krebs had made a “highly inaccurate” statement about the U.S. elections, and dismissed him on those grounds.