Modified SolarWinds Network Management Tool Suspected to Be Vector for Sophisticated and Widespread Breaches Dating Back to March politico.com

Natasha Bertrand and Andrew Desiderio, Politico:

Foreign hackers who pulled off a stealthy breach of at least a dozen federal agencies got caught after successfully logging in to a top cybersecurity firm’s network, tipping the company off to a broader hacking campaign targeting the U.S. government, according to officials from the firm and congressional aides briefed on the issue.

The suspicious log-in prompted the firm, FireEye, to begin investigating what it ultimately determined to be a highly damaging vulnerability in software used across the government and by many Fortune 500 companies.

It’s not clear how long it took FireEye to notice that it had been hacked, in a scheme that U.S. officials have linked to Russian intelligence. But the vulnerability, found in IT management software developed by a company called SolarWinds, had given the hackers months of access to internal email accounts in at least a dozen U.S. federal agencies, including the Treasury, Homeland Security and Commerce departments.

William Turton, Michael Riley, and Jennifer Jacobs, Bloomberg:

The Energy Department and its National Nuclear Security Administration, which maintains America’s nuclear stockpile, were targeted as part of the larger attack, according to a person familiar with the matter. An ongoing investigation has found the hack didn’t affect “mission-essential national security functions,” Shaylyn Hynes, a Department of Energy spokeswoman, said in a statement.

[…]

In addition, two people familiar with the broader government investigation into the attack said three state governments were breached, though they wouldn’t identify the states. A third person familiar with the probe confirmed that state governments were hacked but didn’t provide a number.

CISA:

CISA is investigating incidents that exhibit adversary [tactics, techniques, and procedures] consistent with this activity, including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed. Volexity has also reported publicly that they observed the APT using a secret key that the APT previously stole in order to generate a cookie to bypass the Duo multi-factor authentication protecting access to Outlook Web App (OWA). Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known.

Joseph Menn of Reuters is reporting that Microsoft’s systems were also breached, according to unnamed sources, and that product-level access was used to spread the attack. Microsoft denies the latter allegation.

David E. Sanger, Nicole Perlroth, and Julian E. Barnes, New York Times:

SolarWinds was a ripe target, former employees and advisers say, not only for the breadth and depth of its software, but for its own dubious security precautions.

The company did not have a chief information security officer, and internal emails shared with The New York Times showed that employees’ passwords were leaking out on GitHub last year. Reuters earlier reported that a researcher informed the company last year that he had uncovered the password to SolarWinds’ update mechanism — the vehicle through which 18,000 of its customers were compromised. The password was “solarwinds123.”

This report carries the headline “Billions Spent on U.S. Defenses Failed to Detect Giant Russian Hack”. It is an embarrassing recitation of multiple layers of negligence and silence from U.S. agencies.

Brian Krebs:

A key malicious domain name used to control potentially thousands of computer systems compromised via the months-long breach at network monitoring software vendor SolarWinds was commandeered by security experts and used as a “killswitch” designed to turn the sprawling cybercrime operation against itself, KrebsOnSecurity has learned.

This is an extraordinary breach with unprecedented scope. Its closest comparison is when files of millions of U.S. federal employees were stolen from the Office of Personnel Management, allegedly by Chinese intelligence. This series of intrusions has hit dozens of institutions at the federal, state, and local levels, as well as private companies, airports, and potentially organizations in Europe and Asia. News of this security compromise is less than a week old and new victims have been found at a steady clip. The consequences of this are going to reverberate for years.