The U.S. government instructed all of its civilian agencies to immediately shut off various popular network and system management products being exploited as part of an ongoing cyberattack.
Russian government hackers are believed to have poisoned updates of the SolarWinds Orion products with malware; those products are used in many government agencies and in over 80% of the Fortune 500, and the tainted updates introduced vulnerabilities that the hackers then exploited to conduct espionage and to pilfer extremely sensitive materials. Believed to be among the many victims are the Treasury Department, the Commerce Department, and the cybersecurity firm FireEye. (Note: Classified networks are not connected to the Internet and their contents are likely to have remained secure.)
While officials are still unsure as to the extent of the cyber-intrusions, initial indications are that whoever was behind the cyberattacks conducted a tremendously successful campaign that has already produced severe repercussions; over a quarter million organizations around the globe use SolarWinds Orion products, and, due to the need for monitoring products to have access to monitored resources, compromised versions likely provided attackers with access to significant portions of the resources on internal networks.
FireEye, for example, reported last week that hackers had stolen tools that the firm’s engineers use to test customer systems for vulnerabilities; in the wrong hands, such tools can easily be weaponized and abused for all sorts of nefarious purposes.
Apparently, during the investigation of the FireEye breach, the firm, along with Microsoft, discovered that hackers were using poisoned updates to SolarWinds’ Orion network monitoring software to penetrate into targets. Poisoning the software supply chain in order to introduce vulnerabilities into organizations down the line requires sophistication, but can deliver tremendous results – I have even described this method of cyberattack as one of my “favorite” from an effectiveness perspective.
After the discovery of the problem, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a rare emergency alert on Sunday night warning that there was an ongoing “active exploitation” of SolarWinds Orion versions released in March and June, and that the agency “encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures.”
While the report does not blame any particular group of hackers, current consensus is that the likely perpetrators are hackers associated with the Russian Intelligence Service (SVR) – attackers sometimes known by the monikers “Cozy Bear” or “APT29.” The Russian Embassy, however, has decried the finger pointing as “baseless,” denying that the country has any ongoing offensive cyber-operations at all.
While the primary audience for the current alert is operators of SolarWinds Orion products, who must take action immediately, this incident should serve as a reminder to all of us that, unless we “change the equation,” highly sophisticated cyberattackers are going to continue launching cyberattacks, and will sometimes be highly successful with those attacks.
Today, attackers know that the benefit of launching cyberattacks is far greater than the likely cost. We need to flip that 180 degrees. Instead of acting in a reactive mode and hoping to fend off 100% of attacks while attackers need to win only once, and instead of filing charges against attackers living overseas who will never be punished for their crimes, we must create strong deterrents so that foreign governments will truly fear the consequences of carrying out acts of cyberwar. The sooner we do so, the safer we will be.