Does anyone remember the supply chain attack on SolarWinds' Orion software in 2020? It sent shockwaves through the IT landscape, as masses of IT systems were compromised. Now it turns out that the US Department of Justice noticed the incident in its own networks six months before the whole thing became public, but failed to recognize how explosive it was. Even big names like Microsoft, Mandiant and SolarWinds, who were called in, examined the incident without immediately realizing its significance. This allowed the attackers to roam the compromised systems for months.
I had reported extensively here on the blog about the SolarWinds hack of the Orion software; see the post FireEye hacked, Red Team tools stolen and the posts linked at the end of this article. Many U.S. government agencies also had their IT systems infiltrated by the Russian attackers (see US Treasury and US NTIA hacked). The whole thing started with a supply chain attack on SolarWinds' Orion software, which was in use at many companies.
A tweet now reveals that the US Department of Justice, as well as big names like Microsoft, Mandiant and SolarWinds, looked at the incident without really recognizing its explosive nature. The IT specialists had seen signs of an intrusion into the IT systems, but it was not until six months later that Mandiant disclosed the attackers' campaign. Wired uncovered this story in the article The DOJ Detected the SolarWinds Hack 6 Months Earlier Than First Disclosed.
The department discovers the hack
As early as the end of May 2020, the U.S. Department of Justice noticed Russian hackers on its network, but did not realize the significance of the find until six months later, Wired writes. The suspicion was triggered when the department's IT staff discovered unusual traffic. That traffic was emanating from one of its servers running a trial version of SolarWinds' Orion software package, sources familiar with the incident said. The software, which system administrators use to manage and configure networks, was communicating externally with an unknown system on the Internet.
The Justice Department commissioned the security firm Mandiant to investigate whether the server had been hacked. Microsoft was also called in, although it is not clear why it was included in the investigation. Specialists at the hired firms suspected that the hackers had penetrated the DOJ server directly, possibly by exploiting a vulnerability in the Orion software.
The investigators asked SolarWinds for assistance. But SolarWinds engineers could not find a vulnerability in their code. In July 2020, with the mystery still unsolved, communication between the investigators and SolarWinds ended. A month later, the DOJ bought the Orion system, indicating that the agency was convinced there was no further threat from the Orion suite, the sources said.
In December 2020, the hacks became public
It was not until November 2020 that Mandiant realized it had been hacked itself. The investigation of that incident then revealed that the intrusion had come via a supply chain attack on SolarWinds' Orion software. In December 2020 the whole thing made huge waves when Mandiant went public: it became known that Russian hackers had compromised the software manufacturer SolarWinds and built a backdoor into the Orion software. Orion was used by around 18,000 of the company's customers, and the backdoor was delivered to their systems via an update of the SolarWinds Orion software.
This compromised Orion software subsequently infected at least nine U.S. federal agencies. These included the U.S. Department of Justice (DOJ), Department of Defense (DoD), Department of Homeland Security, and Department of the Treasury, as well as leading technology and security companies such as Microsoft, Mandiant, Intel, Cisco, and Palo Alto Networks. The hackers were active on these various networks for between four and nine months before the campaign was uncovered by Mandiant.
It is true that detecting such supply chain attacks is complex. But the idea that good anti-virus software, with AI support if need be, will fend them off is naive under these circumstances. SIEM (Security Information and Event Management) systems may help to detect unusual activity, but the analysis still has to be done by specialists, and then it comes down to how quickly they work through the case. The case also shows once again how important it is for security specialists to exchange information and to inform the wider specialist public at an early stage.
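The detection signal described above (a management server talking to an unknown external host) is the kind of thing a SIEM rule can surface. As an added example that is not from the article or from any vendor, the following Python script, assuming constructed firewall log lines, a hypothetical management host name and an assumed allow-list of approved external destinations, flags management hosts contacting unapproved external addresses and marks near-constant contact intervals as beacon-like:

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from the article): timestamp, source
# host, destination IP, destination port, bytes sent. Host names and addresses
# are assumptions for this example.
SAMPLE_LOGS = """\
2020-05-28T09:00:00 orion-test-01 10.0.0.15 161 320
2020-05-28T09:00:12 orion-test-01 203.0.113.40 443 1840
2020-05-28T09:10:12 orion-test-01 203.0.113.40 443 1790
2020-05-28T09:20:11 orion-test-01 203.0.113.40 443 1810
2020-05-28T09:30:12 orion-test-01 203.0.113.40 443 1855
2020-05-28T09:05:00 orion-test-01 198.51.100.9 443 9000
2020-05-28T09:07:00 web-proxy-02 203.0.113.40 443 5000
""".splitlines()

# Assumed: management servers that should only reach internal assets plus a
# small set of approved vendor endpoints (e.g. an update host).
MANAGEMENT_HOSTS = {"orion-test-01"}
APPROVED_EXTERNAL = {ipaddress.ip_address("198.51.100.9")}
# Explicit RFC 1918 list rather than ipaddress.is_global, which treats the
# documentation ranges used in these sample lines as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)

def parse(line):
    ts, host, dst, port, nbytes = line.split()
    return datetime.fromisoformat(ts), host, ipaddress.ip_address(dst), int(port), int(nbytes)

def find_suspicious(lines, min_hits=3, tolerance_s=30):
    """Return one finding per (management host, unapproved external IP, port);
    beacon_like is True when at least min_hits contacts occur at nearly fixed intervals."""
    contacts = defaultdict(list)
    for line in lines:
        ts, host, dst, port, _ = parse(line)
        if host in MANAGEMENT_HOSTS and is_external(dst) and dst not in APPROVED_EXTERNAL:
            contacts[(host, dst, port)].append(ts)
    findings = []
    for (host, dst, port), times in contacts.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        regular = bool(gaps) and max(gaps) - min(gaps) <= tolerance_s
        findings.append({"host": host, "dst": str(dst), "port": port,
                         "hits": len(times), "beacon_like": len(times) >= min_hits and regular})
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOGS):
        print(finding)
```

In the sample data only the four ten-minute contacts from the Orion host to 203.0.113.40 survive the filters; the internal SNMP traffic, the approved vendor host and the proxy's own traffic are ignored.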
Similar articles:
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWind's source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft's analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: hackers' goals; is outsourcing under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian APT malware
SolarLeaks allegedly offers source code from Cisco, Microsoft and SolarWinds
Malwarebytes also successfully hacked by the SolarWinds attackers
Four more security vendors confirm SolarWinds incidents
Accusation: Microsoft failed with security in the SolarWinds hack
SolarWinds: Update for Orion software; attackers had access to top DHS accounts
SolarWinds patches critical Serv-U vulnerability (July 2021)
27 U.S. Attorney's Offices Affected by SolarWinds Hack
SolarWinds attackers target Microsoft partners – lack of basic cyber-security
SolarWinds customers should remove Web Help Desk