A hacking group backed by a foreign government is conducting a global attack through the software supply chain and widely-used IT infrastructure management software from SolarWinds, according to cybersecurity company FireEye.
The attack method appears to be linked to a compromise of FireEye’s own systems in a breach reported last week in which attackers stole network security testing tools in a highly sophisticated attack.
Now, the attacks are targeting other entities like U.S. government agencies and private companies, and indications of compromise are dating back to this spring.
The disclosure by FireEye and SolarWinds comes after several news outlets including Reuters reported network compromises at two U.S. government agencies. Media reports suggest that the attacks are being carried out by a hacking group affiliated with Russia.
In a Sunday statement, FireEye announced further results of their investigation, saying the attacks are being delivered through updates to the Orion network monitoring product from IT vendor SolarWinds.
Due to the sophistication and high level of skill and resources needed to pull off this attack, FireEye believes state-sponsored threat actors to be behind the effort.
According to FireEye, the attacks being analyzed share these common characteristics:
- Malicious code is inserted into legitimate software updates for the Orion software from SolarWinds, allowing an attacker to remote access into the victim’s environment
- Attackers are using limited malware to accomplish their mission to avoid detection
- Attackers are going to significant lengths to blend into normal network activity to avoid detection
- Threat actors are carefully and meticulously covering their tracks with difficult-to-attribute tools and a high level of operational security
Each victim in the attack was carefully selected and targeted, and each attack required “meticulous planning and manual interaction,” according to FireEye.
The company is working closely with SolarWinds, the FBI and other partners.
In a security advisory, SolarWinds is urging customers to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible. If an immediate upgrade isn’t possible, there are other guidelines to follow to avoid a compromise, including installing the Orion platform behind firewalls, disabling internet access for the platform and limiting the ports and connections to only what is necessary.
“We are working to investigate the impacts of this incident and will continue to update you as we are made aware of any interruptions or impact to your business specifically,” the company said in the advisory.
The attack even prompted the U.S. Cybersecurity and Infrastructure Agency (CISA) to issue an emergency directive to mitigate the attacks. The order calls on all federal civilian agencies to review networks for indications of a compromise and disconnect or power down the Orion platform immediately.
“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” said CISA Acting Director Brandon Wales.
“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.”