DHS Cyber Warriors Issue Warning About Massive Hacking Campaign, Disclose They've Been Hacked A Day Later

from the holy-shit-this-is-bad dept

Welp. Everything is compromised. Again.

Reuters was the first to report suspected Russian hackers had gained access to hundreds of SolarWinds customers, including US government agencies.

Hackers believed to be working for Russia have been monitoring internal email traffic at the U.S. Treasury and Commerce departments, according to people familiar with the matter, adding they feared the hacks uncovered so far may be the tip of the iceberg.


The cyber spies are believed to have gotten in by surreptitiously tampering with updates released by IT company SolarWinds, which serves government customers across the executive branch, the military, and the intelligence services, according to two people familiar with the matter. The trick – often referred to as a “supply chain attack” – works by hiding malicious code in the body of legitimate software updates provided to targets by third parties.

A full report by FireEye (which was also a victim of this hacking) details the process used to gain illicit access, which involved leveraging bogus signed components crafted by the hackers and distributed by an unaware SolarWinds. The widespread hacking campaign may have begun as early as March of this year. That it was only discovered now means the fallout from this will continue for months to come.

Here’s how the backdoor works, according to FireEye:

SolarWinds.Orion.Core.BusinessLayer.dll is a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. We are tracking the trojanized version of this SolarWinds Orion plug-in as SUNBURST.

After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.

SolarWinds boasts over 300,000 customers, including 425 Fortune 500 companies, all ten of the top ten telcos, the Pentagon, State Department, NSA, DOJ, and the White House. Its long list of customers (which now returns a 404 error) all but ensures every passing hour will add another victim to the list.

According to SolarWinds’ post-attack-discovery SEC filing, it believes only a small percentage of its customers are affected. But even a fraction of its users is still a gobsmacking number of potential victims.

On December 13, 2020, SolarWinds delivered a communication to approximately 33,000 Orion product customers that were active maintenance customers during and after the Relevant Period. SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000.

The attack is serious and widespread enough that the DHS’s cybersecurity arm has issued a warning — one that says the only proven way to mitigate damage at this point is to disconnect affected hardware from the internet and pull the plug on Orion software. The CISA (Cybersecurity and Infrastructure Security Agency) Emergency Directive says this is a persistent threat — one not easily patched away.

CISA has determined that this exploitation of SolarWinds products poses an unacceptable risk to Federal Civilian Executive Branch agencies and requires emergency action. This determination is based on:

  • Current exploitation of affected products and their widespread use to monitor traffic on major federal network systems;

  • High potential for a compromise of agency information systems;

  • Grave impact of a successful compromise.

CISA understands that the vendor is working to provide updated software patches. However, agencies must wait until CISA provides further guidance before using any forthcoming patches to reinstall the SolarWinds Orion software in their enterprise.

The directive goes on to mandate reporting on infected systems and for affected agencies to assume the system remains compromised until CISA gives the all-clear. Unfortunately, this grave warning comes from an agency that is also compromised. CISA issued the directive on December 13. Here’s what was reported in the early hours of December 14:

US officials suspect that Russian-linked hackers were behind the recent data breach of multiple federal agencies, including the Departments of Homeland Security, Agriculture and Commerce, but are continuing to investigate the incident, multiple sources told CNN Monday.

CNN learned Monday that DHS’ cyber arm, which is tasked with helping safeguard the nation from attacks by malicious foreign actors, is among at least three US government agencies compromised in the hack.

In addition to CISA, government officials also suspect breaches at the US Postal Service and the Department of Agriculture. And the Defense Department is in the process of assessing its own exposure, if any. If any of its components have been breached, it has yet to be publicly reported.

The Russian government is denying involvement, but the evidence seems to point to “Cozy Bear,” the offensive hacking wing of Russia’s intelligence services. Unfortunately, SolarWinds’ dominance in the network management field made it that much easier for the attack to scale. And with CISA compromised, the government’s attempts to mitigate damage will be slowed as its own cybersecurity wing attempts to rid itself of a persistent threat.

Filed Under: , , , , ,
Companies: fireeye, solarwinds

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DHS Cyber Warriors Issue Warning About Massive Hacking Campaign, Disclose They've Been Hacked A Day Later”

Subscribe: RSS Leave a comment
This comment has been deemed insightful by the community.
That One Guy (profile) says:

If you can't secure you own house...

As bad as this is, and it’s really bad, imagine how much worse it could have been had the anti-encryption idiots gotten their way and broken encryption was mandatory. Suddenly hacking a given agency doesn’t just give you that agency’s information but would also grant you access to countless other platforms and companies via the golden key they want, magnifying the damage enormously.

This comment has been flagged by the community. Click here to show it.

Faber Schnidejoch says:

Alternate speculation: NSA broke into Dominion, got the goods!

The company that made the faulty-by-design ballot counting machines by which The Establisment has thus far edged out Trump was perhaps the real target.

It’s reasonable speculation, which for me seems credible because this affected nearly every gov’t server with extreme remedy: TAKE OUT the software. — Perhaps we’ll get a more solid "story" later, not necessarily the truth.

Of course Techdirt sees "Russia" and that’s far as you want to go.

This comment has been flagged by the community. Click here to show it.

Faber Schnidejoch says:

Re: Alternate speculation: NSA broke into Dominion, got the good

Clarification: by "edged out" I mean was definitely STOLEN but outcome is still on the edge undecided, regardless of Electoral College vote. The polls were entirely wrong about "the Blue wave", the steal was utterly blatant, the machines corrupt by design, so They are still antsy. — Yes, I know that all I have is possibly disinfo to stall and weary, but your "side" thought the 2016 election was stolen, and now says this one is perfect! We’ll see.

BernardoVerda (profile) says:

Re: Re: Re: Alternate speculation: NSA broke into Dominion, got

Guess which party strenuously opposed and successfully killed any and all measures proposed to ensure ballot device/system integrity?

Whinging now (without a shred of actual evidence) that the other party must have been somehow actively engaged in covertly subverting these systems, is remarkably inconsistent reasoning.

ECA (profile) says:


All these corps/agencies and such.
Are leaning on a 3rd party to do WHAT?
But then they are GIVEN a .DLL, that they DIDNT OPEN AND ANALISE before Installing on Customer computers?

So we have a 1st, 2nd, 3rd party situation, where NO ONE Evaluated the original data in a REQUIRED PROGRAM?

This Really sounds like a setup.

"Orion Platform products monitor the health and performance of your network through ICMP, SNMP, WMI, API, and Syslog communication and data collection."

Ok, this is interesting. This program is to Monitor hardware and Watch for failure? Also it monitors other small programs that are traps and data transfer?

God help us. Why are we paying for this IF’ this company allows a 3rd party program, that HASNT been checked and evaluated.
Also, NOW we know the problem with AUTOMATED SECURITY.

There Should only be 1 way this could work. IF it wasnt Augmenting programs/data(ya, it was a security program), it could stay hidden along time just by reading/copying Data and shipping it out, Probably in small batches.
Otherwise if DATA changes/erases/added SHOULD created a Log file of what happened. and if this DID happen, and it took THIS LONG? we need better Network People. GET away from the corps.

Anonymous Coward says:

Re: Soo.

That’s the point of the supply-side attack was to add malicious code to real code, so SolarWinds would sign off on it because it was doing as intended.

Software is tested and scanned, validated as good. Feds have been running the software for years. Patches come out, are tested again, and as noted by FireEye, the malicious code waits two weeks before activating. Patches are almost never stress tested for that long before going live.

ECA (profile) says:

Re: Soo.

If A file can be compiled to a Machine language format, it CAN be de-compiled.
They know who they got it from, OR SHOULD.
They are a security and monitoring agency. ITS NOT HARD, as they should have the programmers to Figure out whats IN THE CODE.

Fine, let the automated machine test it. The problem is HOW to compare to the LAST .DLL that is in use, and Look at the changes.

Anonymous Coward says:

Re: Re: Soo.

If A file can be compiled to a Machine language format, it CAN be de-compiled.

That can work for microcontroller code, but is much much more difficult for P.C. application code, largely due to the difference in code size, a few 10’s of kb, as opposed to 100s of kb upwards. The lack of meaningful names for variables and routines, other than external references makes it difficult to understand the decompiled code.

The problem is HOW to compare to the LAST .DLL that is in use, and Look at the changes.

That works if you have the source code, but runs into problems with changes in the file position of code, resulting in trivial changes of call addresses and variable address, so that routine boundaries have to be identified before any comparison can take place.

Also, the evil code has a two week delay before activating, allowing it to pass pre-release checks, where it behaved as expected.

ECA (profile) says:

Re: Re: Re: Soo.

But its a DLL, that the program needs and they SHOULD already understand how its supposed to work,
THIS IS SECURITY. The DLL had to come from 1 place, and if nothing else the company that made it, SHOULD have a copy of the program, at least to verify it. And comparing should NOT be a problem AS they Should have the previous version.
I know compile and decomp are a PAIN in the but and can take hours or days. But how high END ARE we paying for?
The Customer Can now CHARGE the company for a 3rd party mistake/screw up/Sabotage.

Tanner Andrews (profile) says:

Re: Re: Soo.

If A file can be compiled to a Machine language format, it CAN be de-compiled

Generally true, but not useful. The decompiled result will be a dog’s breakfast because the optimizer shuffles and eliminates things with no regard for human readability. The structure intended to aid human comprehension turns into a bunch of “if condition goto location” code with labels. Trying to un-do that is not much easier than re-writing the code yourself.

Even disassembling assembly suffers from loss of symbolic names and identification of data areas. We can generally handle that, though we still do not have the original author commentary, for assembled code. Compiled code is much, much worse.

Have you ever read compiler output? Well, imagine trying to do that as an automated process of decompilation.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...