Industrial organizations did not face escalation from SolarWinds attackers, Kaspersky says

Cybersecurity company Kaspersky revealed that its researchers found no evidence that any of the industrial organizations in its telemetry had an escalation from the SolarWinds supply chain cyber attackers. The cybersecurity company surveyed data of the attack on a number of industrial organizations that used the backdoored SolarWinds versions and fell victim to the supply chain attack in December.

The SolarWinds software is highly integrated into many systems around the globe in different industries, the Russian company said in a report. Thus, “we shouldn’t rule out the possibility of wider activity in some of the industrial networks if it is in line with the actor’s interests,” it added.

Truesec, a Swedish based company that focuses on cyber security, IT infrastructure, and secure development, provided a list of possible second-stage victims, which included several industrial organizations headquartered in different countries, based on responses received from a server used by the threat actor.

The target organizations, the threat actor sophistication and the amount of time between the initial breach and the discovery strongly indicates an impact of gigantic proportions, wrote Fabio Viggiani, a technical lead of Truesec Security Team, in a blog post.

“It is highly likely that a massive amount of highly confidential information belonging to government organizations, medical institutions, cybersecurity, the financial industry, etc. has been leaked. It is also highly likely that software and systems have been compromised and that the modus operandi of the Solarwinds breach can be repeated in future campaigns,” he added.

Kaspersky researchers analyzed all available decoded internal domain names obtained from DNS names generated by the SunBurst DomainName Generation Algorithm using some publicly available lists and third-party lists. The final list of readable and attributable domains consisted of nearly 2000 domain names and information on the industries in which possibly compromised industrial organizations operate, it added.

The overall percentage of industrial organizations among all organizations on the list is estimated at about 32.4 percent, Kaspersky revealed. The company analysed user information from its telemetry where the backdoored SolarWinds applications were installed and distinguished over 20 organizations in the industrial sector. The manufacturing sector recorded the highest number with eight affected enterprises, while transportation and logistics, and utilities segments registered six impacted organizations each.

The geographical distribution of the industrial organizations is broad and includes various countries and territories, including Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines, Portugal, Russia, Saudi Arabia, Taiwan, Uganda, and the USA, according to Kaspersky.

The supply chain attack, over the few months, involved an advanced persistent threat (APT) actor compromising the SolarWinds Orion platform and engaging in widespread abuse of commonly used authentication mechanisms of both government and non-governmental networks. U.S. government agencies indicated that the APT actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing supply chain cyber compromises.

Operational technology (OT) security vendor Nozomi Networks is of the opinion that the best defense against nation state APTs is to incorporate layers, using several technology barriers within each layer. “Employ independent and highly secure monitoring tools that aren’t vulnerable to the same cyberthreats and your critical OT systems will be much more secure,” wrote Chris Grove, in a company blog post.

Technology can be used to create more layers, even layers within layers, without additional infrastructure, Grove added. When attackers hit a technological boundary, they need to adjust their tactics accordingly. In addition to serving as hurdles for attackers to overcome, boundaries provide for ‘choke-points’ where monitoring and signaling can occur. “Each technology boundary put in front of the attacker serves as an opportunity to better defend your network,” wrote Grove.

While technical details of the SunBurst backdoor embedded into SolarWinds have already been described and second-stage tools are being discovered, the scale of the attack and the interest of the actor behind the attack are still being investigated, Kaspersky said in its report. It has been officially confirmed that about 18,000 users may have installed backdoored versions of SolarWinds.

Still, there is limited information on the number of organizations where the attack has evolved and second-stage tools may have been deployed, though there are some speculations on the actor’s interest based on an analysis of the historical C2 DNS response, Kaspersky added.

ICS cybersecurity vendor Dragos revealed in December that out of 18,000 organizations affected by the SolarWinds Orion platform exposure, it was likely that some of the nearly 2,000 North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) regulated power utilities may have been impacted—if not directly, then indirectly through their supply chain.

Government and industry standards already mandate security safeguards for IT as well as OT systems, wrote Joe Weiss and Bob Hunter, in a blog post for The Lawfare Institute. “Now is the time to revisit these standards to ensure the appropriate security measures are being employed for all IT and OT systems. OT devices have largely been overlooked or simply ignored when it comes to network security, but a closer examination of SNMP reveals this approach is unsustainable,” they said.

Government and industry must work together to develop a next-generation IT and OT management protocol that provides confidentiality, integrity and availability, and safety for control system devices, to meet modern security challenges, the post added.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.