The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI) announced a Cyber Unified Coordination Group (UCG) to coordinate a whole-of-government response to the infiltration of U.S. government networks arising from the SolarWinds backdoor hack.
CISA issued an Emergency Directive instructing federal civilian agencies to immediately disconnect or power down affected SolarWinds Orion products on their networks.
CISA said the infiltration "poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations."
Some notes from CISA about the attack:
- Compromises began at least as early as March 2020
- This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
- The SolarWinds Orion supply chain compromise is not the only initial infection vector this APT actor leveraged.
- Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
- Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.
- The adversary is making extensive use of obfuscation to hide their C2 communications.
- CISA has observed the threat actor adding authentication tokens and credentials to highly privileged Active Directory domain accounts as a persistence and escalation mechanism. In many instances, the tokens enable access to both on-premise and hosted resources.
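The last note above describes the adversary adding credentials and tokens to highly privileged Active Directory accounts for persistence and escalation. The following is an added detection example (not code from the CISA alert or from any vendor): it scans Windows Security event records for additions to privileged groups, using the real event IDs 4728, 4732 and 4756 (member added to a security-enabled global, local or universal group). The privileged-group list, the record field names and the sample events (including the service-account name `svc_monitor`) are constructed assumptions; adjust the group list to your own domain.

```python
"""
Added detection example, not part of the CISA alert or any vendor's tooling:
flag additions to highly privileged Active Directory groups in Windows Security
event records, the kind of change CISA describes as a persistence and
escalation mechanism. All event records below are constructed sample data.
"""
from collections import Counter

# Assumption: the tier-0 groups a typical domain would watch; extend as needed.
PRIVILEGED_GROUPS = {
    "Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
}

# Windows Security event IDs logged when a member is added to a group.
MEMBER_ADDED_EVENTS = {
    4728: "security-enabled global group",
    4732: "security-enabled local group",
    4756: "security-enabled universal group",
}


def account_from_dn(distinguished_name):
    """Return the CN of an LDAP distinguished name ('CN=alice,OU=...' -> 'alice')."""
    first = distinguished_name.split(",", 1)[0]
    return first[3:] if first.upper().startswith("CN=") else first


def inspect_event(event):
    """Return a finding dict for a privileged-group addition, else None."""
    event_id = event.get("EventID")
    if event_id not in MEMBER_ADDED_EVENTS:
        return None
    group = event.get("TargetUserName", "")
    if group not in PRIVILEGED_GROUPS:
        return None
    actor = event.get("SubjectUserName", "")
    member = account_from_dn(event.get("MemberName", ""))
    # An account granting itself privileged membership is the strongest signal.
    severity = "critical" if member.lower() == actor.lower() else "high"
    return {
        "time": event.get("TimeCreated"),
        "event_id": event_id,
        "group_kind": MEMBER_ADDED_EVENTS[event_id],
        "group": group,
        "actor": actor,
        "member": member,
        "severity": severity,
    }


def find_privileged_adds(events):
    """Scan a sequence of event records and return all findings, in order."""
    findings = []
    for event in events:
        finding = inspect_event(event)
        if finding:
            findings.append(finding)
    return findings


def adds_per_actor(findings):
    """Count privileged-group additions per acting account (spots a busy actor)."""
    return Counter(f["actor"] for f in findings)


# Constructed sample records in the shape a SIEM typically exports from
# Security.evtx (subject = who made the change, target = the group, member =
# who was added). 'svc_monitor' is an invented service-account name.
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2020-12-01T03:12:44Z",
     "SubjectUserName": "svc_monitor", "TargetUserName": "Domain Admins",
     "MemberName": "CN=backup-svc,OU=Service,DC=corp,DC=example"},
    {"EventID": 4732, "TimeCreated": "2020-12-01T09:00:10Z",
     "SubjectUserName": "helpdesk1", "TargetUserName": "Remote Desktop Users",
     "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"},
    {"EventID": 4624, "TimeCreated": "2020-12-01T09:05:00Z",
     "SubjectUserName": "jdoe", "TargetUserName": "jdoe"},
    {"EventID": 4756, "TimeCreated": "2020-12-02T01:45:03Z",
     "SubjectUserName": "svc_monitor", "TargetUserName": "Enterprise Admins",
     "MemberName": "CN=svc_monitor,OU=Service,DC=corp,DC=example"},
]

if __name__ == "__main__":
    results = find_privileged_adds(SAMPLE_EVENTS)
    for f in results:
        print(f"[{f['severity']}] {f['time']} {f['actor']} added {f['member']} "
              f"to {f['group']} ({f['group_kind']})")
    print(dict(adds_per_actor(results)))
```

On the constructed input the script reports two findings, both by the same service account, and rates the second one critical because the account added itself to Enterprise Admins. In practice the same records should also be correlated with the token and credential changes CISA mentions, and the acting account compared against the list of administrators who are expected to make such changes.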
CISA recommends that organizations with suspected compromises prepare a response plan that includes:
- Out-of-band communications guidance for staff and leadership;
- An outline of what “normal business” is acceptable to be conducted on the suspect network;
- A call tree for critical contacts and decision making; and
- Considerations for external communications to stakeholders and media.
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
Microsoft President Brad Smith stated "this latest cyber-assault is effectively an attack on the United States and its government and other critical institutions, including security firms."
Microsoft also noted that the initial list of victims includes not only government agencies, but security and other technology firms as well as non-governmental organizations.
On December 13, FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware. The attacker is using multiple techniques to evade detection and obscure their activity, which includes espionage and data theft. FireEye has released signatures to detect this threat actor and supply chain attack in the wild.