The extent of the SolarWinds supply chain attack continues to grow, with the cyber incident now “believed to have affected upward of 250 federal agencies and businesses,” according to a report by the New York Times (NYT) over the weekend.
Initial estimates were that Russia sent its probes into only a few dozen of the 18,000 government and private networks the attackers gained access to when they inserted malicious code into the Orion network management software made by SolarWinds, according to the report. But as cloud service providers such as Amazon and Microsoft investigate further, it now appears that Russia exploited multiple layers of the supply chain to gain access to as many as 250 networks.
The hackers orchestrated their intrusion from servers inside the US, taking advantage of the legal prohibitions that bar the National Security Agency (NSA) from conducting domestic surveillance, and eluding the cyberdefenses deployed by the Department of Homeland Security, the report said.
The report also highlights how American officials responsible for cybersecurity “are now consumed by what they missed for at least nine months.” The cyber incident by “Russia aimed not at the election system but at the rest of the United States government and many large American corporations,” the NYT added.
Some of the compromised SolarWinds software was engineered in Eastern Europe, and American investigators are now examining whether the incursion originated there, where Russian intelligence operatives are deeply rooted, the newspaper added. “Early warning” sensors placed by Cyber Command and the National Security Agency deep inside foreign networks to detect planned attacks clearly failed, it reported.
Three weeks after the cyber incident became known, American officials are still trying to understand whether it was simply an espionage operation or something that inserted “backdoor” access into government agencies, businesses, the electric grid and laboratories developing and transporting new generations of nuclear weapons.
SolarWinds, the company that the hackers used as a conduit for their attacks, had a history of lackluster security for its products, making it an easy target, according to current and former employees and government investigators, the newspaper said.
On its part, Austin, Texas-based SolarWinds recommended “that all active maintenance customers of Orion Platform products, except those customers already on Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, apply the latest updates related to the version of the product they have deployed, as soon as possible.”
The Cybersecurity and Infrastructure Security Agency (CISA) had asked US federal agencies to update the SolarWinds Orion software by the end of 2020 in supplemental guidance that broadens its earlier Emergency Directive (ED). The cyber incident impacts networks across federal, state and local governments, as well as critical infrastructure entities and other private sector organizations.
The security agency had earlier advised all federal civilian agencies to review their networks for indications of compromise, and to immediately disconnect or power down SolarWinds Orion products running versions 2019.4 through 2020.2.1 HF1. It subsequently updated that advisory after finding evidence of initial access vectors other than the SolarWinds Orion software.
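Translating the version boundaries above into a triage check is less trivial than it looks, because Orion version strings carry a hotfix suffix ("HF 6") that has to sort after the base release while the patched hotfixes fall inside the affected range by plain ordering. The following Python script is an added example, not SolarWinds or CISA tooling: it parses Orion version strings and classifies them using only the boundaries stated on this page (affected 2019.4 through 2020.2.1 HF1; patched 2019.4 HF 6 and 2020.2.1 HF 2). The inventory list at the bottom is constructed sample input.

```python
import re
from typing import NamedTuple


class OrionVersion(NamedTuple):
    """Orion version as a comparable tuple: year.release[.patch] plus hotfix number."""
    year: int
    release: int
    patch: int
    hotfix: int


# Accepts "2019.4", "2020.2.1 HF1", "2020.2.1 HF 2", "2019.4HF6" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> OrionVersion:
    """Parse an Orion version string; raises ValueError on anything it cannot read."""
    m = _VERSION_RE.match(text)
    if m is None:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    return OrionVersion(
        int(m.group(1)),
        int(m.group(2)),
        int(m.group(3) or 0),
        int(m.group(4) or 0),
    )


# Boundaries as stated in the CISA guidance and SolarWinds advisory quoted on this page.
AFFECTED_LOW = parse_version("2019.4")
AFFECTED_HIGH = parse_version("2020.2.1 HF1")
PATCHED = {parse_version("2019.4 HF 6"), parse_version("2020.2.1 HF 2")}

# Action text is the editor's paraphrase of the guidance on this page, not an official string.
ACTIONS = {
    "patched": "on a fixed release; no action beyond normal compromise review",
    "affected": "in the affected range: disconnect or power down, then hunt for compromise",
    "older": "predates the affected range; update to a fixed release per vendor guidance",
    "newer": "newer than the affected range and not one of the named fixes; confirm with vendor",
}


def triage(text: str) -> str:
    """Return one of 'patched', 'affected', 'older', 'newer' for a version string."""
    v = parse_version(text)
    # The patched hotfixes sort inside the affected range (2019.4 HF 6 > 2019.4),
    # so the explicit allowlist must be consulted before the range check.
    if v in PATCHED:
        return "patched"
    if AFFECTED_LOW <= v <= AFFECTED_HIGH:
        return "affected"
    if v < AFFECTED_LOW:
        return "older"
    return "newer"


def triage_inventory(hosts: dict) -> dict:
    """Map host -> (label, recommended action); unparsable versions are reported, not skipped."""
    results = {}
    for host, version in hosts.items():
        try:
            label = triage(version)
            results[host] = (label, ACTIONS[label])
        except ValueError as exc:
            results[host] = ("unknown", str(exc))
    return results


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are invented for this example).
    inventory = {
        "orion-prod-01": "2020.2.1 HF 1",
        "orion-prod-02": "2020.2.1 HF 2",
        "orion-lab-01": "2019.4 HF 5",
        "orion-lab-02": "2019.4HF6",
        "orion-legacy": "2019.2",
        "orion-bad-record": "n/a",
    }
    for host, (label, action) in triage_inventory(inventory).items():
        print(f"{host:18} {label:9} {action}")
```

The classification is deliberately conservative: anything inside the range that is not one of the two named hotfixes is treated as affected, and a version string that cannot be parsed is surfaced as "unknown" rather than silently dropped, since an asset with a missing version record is exactly the one that tends to be forgotten during an emergency directive.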
Microsoft confirmed that it detected unusual activity on a small number of internal accounts and, upon review, discovered that one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems, and further investigation confirmed that no changes were made. The accounts were investigated and remediated, it added.
“Having investigated further, we can now report that we have not found evidence of the common TTPs (tools, techniques and procedures) related to the abuse of forged SAML tokens against our corporate domains,” it said.
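The forged-SAML technique Microsoft refers to works by signing assertions with a stolen federation (AD FS) token-signing key, so a forged token carries a valid signature from the legitimate certificate and passes the relying party's trust check. Detection therefore has to rely on properties the attacker does not get for free: an assertion the federation server has no record of issuing, a validity window far longer than policy, or a signing certificate the tenant never deployed. The following Python script is an added example written for this article, not Microsoft's or any vendor's detection logic; the issuer URL, certificate placeholders, issuance log and assertions are all constructed, and the one-hour lifetime policy is an assumption. It does not verify the XML signature itself, which a production check must do first with a proper XML-DSig library before trusting anything in the assertion.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAML_NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS_NS = "{http://www.w3.org/2000/09/xmldsig#}"

# Assumed environment (constructed for this example): the only federation server that
# should sign assertions for this tenant, and placeholder bytes standing in for the DER
# of its real token-signing certificate and for a certificate it never used.
TRUSTED_ISSUERS = {"http://adfs.example.test/adfs/services/trust"}
GOOD_CERT_B64 = base64.b64encode(b"placeholder: real token-signing certificate DER").decode()
ROGUE_CERT_B64 = base64.b64encode(b"placeholder: certificate the IdP never deployed").decode()


def thumbprint(cert_b64: str) -> str:
    """SHA-1 thumbprint of a base64 DER certificate, as AD FS and browsers display it."""
    return hashlib.sha1(base64.b64decode(cert_b64)).hexdigest().upper()


TRUSTED_THUMBPRINTS = {thumbprint(GOOD_CERT_B64)}
MAX_LIFETIME = timedelta(hours=1)  # assumed policy for this tenant's token lifetime

# Constructed issuance log: assertion IDs the real federation server actually minted.
# A token minted offline with a stolen key never appears here.
IDP_ISSUED_IDS = {"_id-normal-001"}


def build_assertion(assertion_id, issuer, cert_b64, not_before, not_on_or_after) -> str:
    """Construct a minimal SAML 2.0 assertion (sample data, not a real captured token)."""
    return (
        f'<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="{assertion_id}" '
        f'Version="2.0" IssueInstant="{not_before}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}"
        f"</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        f"<saml:Subject><saml:NameID>alice@example.test</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        f"</saml:Assertion>"
    )


def parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def audit_assertion(xml_text: str, issued_ids=IDP_ISSUED_IDS) -> list:
    """Return a list of findings; an empty list means nothing anomalous was observed."""
    root = ET.fromstring(xml_text)
    findings = []

    issuer = (root.findtext(SAML_NS + "Issuer") or "").strip()
    if issuer not in TRUSTED_ISSUERS:
        findings.append(f"untrusted issuer {issuer!r}")

    cond = root.find(SAML_NS + "Conditions")
    if cond is None or not cond.get("NotBefore") or not cond.get("NotOnOrAfter"):
        findings.append("assertion lacks a bounded validity window")
    else:
        lifetime = parse_time(cond.get("NotOnOrAfter")) - parse_time(cond.get("NotBefore"))
        if lifetime > MAX_LIFETIME:
            findings.append(f"validity window {lifetime} exceeds policy {MAX_LIFETIME}")

    cert_el = root.find(f".//{DS_NS}X509Certificate")
    if cert_el is None or not cert_el.text:
        findings.append("no signing certificate in KeyInfo")
    elif thumbprint(cert_el.text.strip()) not in TRUSTED_THUMBPRINTS:
        findings.append("signing certificate is not a known token-signing certificate")

    # The decisive check for a token minted with a stolen key: the IdP never logged it.
    if root.get("ID") not in issued_ids:
        findings.append("assertion ID has no matching issuance record on the IdP")

    return findings


# Constructed samples: a normal one-hour token, a token signed with the legitimate
# (stolen) key but minted offline with a week-long lifetime, and one under a rogue cert.
NORMAL_ASSERTION = build_assertion("_id-normal-001", next(iter(TRUSTED_ISSUERS)),
                                   GOOD_CERT_B64, "2020-12-10T10:00:00Z", "2020-12-10T11:00:00Z")
FORGED_ASSERTION = build_assertion("_id-forged-999", next(iter(TRUSTED_ISSUERS)),
                                   GOOD_CERT_B64, "2020-12-10T10:00:00Z", "2020-12-17T10:00:00Z")
ROGUE_CERT_ASSERTION = build_assertion("_id-rogue-042", next(iter(TRUSTED_ISSUERS)),
                                       ROGUE_CERT_B64, "2020-12-10T10:00:00Z", "2020-12-10T11:00:00Z")

if __name__ == "__main__":
    for name, xml_text in [("normal", NORMAL_ASSERTION), ("forged", FORGED_ASSERTION),
                           ("rogue-cert", ROGUE_CERT_ASSERTION)]:
        print(name, audit_assertion(xml_text) or ["no findings"])
```

Note what the forged sample does and does not trip: its issuer and signing certificate are the tenant's own, so the two checks that look at the assertion alone pass, exactly as they would at a real relying party. Only the policy comparison on the validity window and the correlation with the federation server's own issuance log flag it, which is why those two data sources, not the signature, are what an investigation of this technique needs to collect.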
The Redmond, Washington-based company is aware of the sophisticated supply chain attack that used malicious SolarWinds files to potentially give nation-state actors access to some victims’ networks. Microsoft, its industry partners and the wider security community continue to investigate the extent of the attack on SolarWinds.