An advisory published by the Cybersecurity and Infrastructure Security Agency on Sunday stated that hackers had penetrated a US federal agency. The method used was a new and unique form of malware that likely hid in network monitoring software for months. The full scope of the hack remains unknown, but it could be one of the largest espionage attacks by a nation state in years.
Who Was Hacked?
It was first reported that the Treasury and Commerce Departments were breached, and the scope has continued to grow as the investigation proceeds. It has now been acknowledged that other federal agencies – the State Department, the Department of Homeland Security, the National Institutes of Health and parts of the Pentagon – had also been compromised. According to SolarWinds, it is likely that about 18,000 private and government users downloaded the tainted software update that gave the hackers access to their systems.
Who are SolarWinds and FireEye?
SolarWinds makes the Orion network monitoring software in which the malicious code was embedded. The company is based in Austin, Texas, and its products are used by nearly all Fortune 500 companies to monitor their networks. However, of its 300,000 customers only about 33,000 used Orion, and only about half of those had downloaded the malicious update. While that still amounts to fairly widespread access, it is believed that the hackers were only interested in very valuable targets.
FireEye is a private cybersecurity firm that alerted American intelligence that the hackers had evaded layers of defense. The company disclosed that the SolarWinds supply chain compromise was how the hackers gained access to FireEye’s own network.
Who Was Behind the Hacking?
As of now it has not been established who was behind the attack. It is believed that the hackers were operating on behalf of a foreign government. Many news reports have cited Russia as the engineer of the attack, although this has not been confirmed. In an official statement, the State Department said there had “been a consistent effort of the Russians to try and get into American servers, not only those of government agencies, but of businesses. We see this even more strongly from the Chinese Communist Party, from the North Koreans, as well.”
The Actual Hacking
SolarWinds published a press release on Sunday that admitted to the breach of Orion. The platform is used for centralized monitoring and management, usually in large networks, to keep track of all IT resources, including servers, workstations, mobile devices and IoT devices.
The malware responsible for this breach was included in update versions 2019.4 through 2020.2.1, which were released between March and June 2020. The updates are not automatic, so not every Orion user was exposed.
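Because the updates were not automatic, the first defensive step is an inventory check: which hosts are actually running a version inside the affected range? The following script is an added example, not code from the original article or from SolarWinds; the hostnames and versions are constructed, and the inclusive 2019.4 to 2020.2.1 range is the one stated in this article rather than the vendor's own advisory.

```python
"""Flag Orion installs whose reported version falls in the affected update range."""

# Inclusive range as stated in the article above (not the vendor's advisory).
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string such as '2020.2.1' into a comparable tuple.

    Shorter strings are zero-padded to four components so that '2020.2'
    compares equal to '2020.2.0' rather than sorting before it by length.
    """
    parts = [int(p) for p in version.strip().split(".")]
    if len(parts) < 4:
        parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range, bounds included."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


# Constructed sample inventory (hostname -> reported Orion version); not real data.
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1",   # upper bound, inclusive
    "orion-lab-02": "2019.4",      # lower bound, inclusive
    "orion-dr-03": "2019.2",       # predates the tainted updates
    "orion-stage-04": "2020.2",    # inside the range
    "orion-new-05": "2020.2.2",    # constructed version newer than the range
}


def flag_affected_hosts(inventory: dict[str, str]) -> list[str]:
    """Return the hostnames running a version inside the affected range, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in flag_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Orion {SAMPLE_INVENTORY[host]} is within the affected update range")
```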
The hackers used novel pieces of malicious code that made it possible to slip past the government’s detection system, Einstein. Einstein is focused on finding well-known malware and detecting connections to parts of the internet used in previous hacks. It is likely that the hackers had access for months, communicating through IP addresses in the U.S. to avoid detection.
The extent of the hacking will probably never be made public, but the investigation into who was responsible and what they obtained continues. This latest incident only highlights the importance of IT and cybersecurity for every organization. While you may think your information is not as important as the U.S. Government’s, it still needs to be protected. Give the experts at Sierra a call at 412.722.0707 to make sure your company doesn’t fall victim to cybercrime.