- The Cybersecurity and Infrastructure Security Agency (CISA) said malicious actors have access to more backdoors than just SolarWinds Orion. The agency found "evidence of additional initial access vectors and tactics, techniques, and procedures," but the new vectors are still under investigation.
- Not all organizations that have a backdoor from Orion were targeted following a "sustained long duration activity" on impacted networks, CISA said. However, bad actors leveraged more than one initial infection vector beyond the Orion supply chain breach.
- The Department of Energy (DOE) and National Nuclear Security Administration are the latest agencies to find evidence of a cyber intrusion, according to a Politico report. The agencies found "suspicious activity" in the Federal Energy Regulatory Commission's networks, Sandia and Los Alamos National Laboratories, the Office of Secure Transportation and the DOE's Richland Field Office.
CISA is acting as the coordinating body between federal agencies and private sector in response to the SolarWinds hack. National security officials said the cyberattack is an "ongoing cybersecurity campaign," and formed a Cyber Unified Coordination Group to unify public and private sector response.
The advanced persistent threat (APT) group didn't act on every backdoor made available by Orion, which makes understanding what they were targeting more difficult. Because impacted organizations don't know exactly what data was compromised, it adds additional complexity to identifying the APT's motivation. What is clear, is the threat actors relied on the supply chain for widespread access.
While the White House has remained quiet on the ongoing investigations, President Donald Trump's former DHS Advisor Thomas Bossert wrote, "Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state," in an opinion piece for The New York Times.
The evidence, said Bossert, puts the Russian intelligence group S.V.R. at the center of the attack. "The magnitude of this ongoing attack is hard to overstate."
The obfuscation of the APT group is forcing organizations to reconsider trust and controls on signing methods, said J.J. Thompson, senior director of Managed Threat Response at Sophos, during a webinar Thursday. The beacon was designed to wait following the dropped payload, and is part of a "patient" and "methodical" deployment package.
SolarWinds said about 18,000 companies were impacted by the compromised Orion update. The companies that did not initiate the update or updated but found no evidence of a dropped malicious payload don't need to perform any immediate actions, said Thompson. Organizations that found a malicious payload executed, even if the APT group never acted on it, still have to take action.
Even if companies are using a network management system (NMS) other than Orion, "don't rest yet," said Jake Williams, SANS analyst and senior SANS instructor, in a SANS Institute webinar Monday. Most network management servers prioritize availability, which gives authorized users access to the system at will.
Identifying or following the lateral movement of attackers has proven difficult, including access to credentials on Microsoft Azure Active Directory. Using legitimate credentials to take stock of the environment allowed the APT actors to tread lightly, undetected for months. Even companies without networking devices configured to SolarWinds with credentials are susceptible to the hack.
On Wednesday Microsoft began using its antivirus solution to block malicious binaries related to the Orion vulnerability, though insisted organizations treat "any drive with the binary" as compromised.
Later that day, FireEye, aided by Microsoft and GoDaddy, identified a killswitch to prevent SUNBURST from operating. The killswitch has limitations because "this actor moved quickly to establish additional persistent mechanisms to access to victim networks beyond the SUNBURST backdoor," according to FireEye.