CISA aware of compromises of U.S Government agencies and critical infrastructure after SolarWinds hack

You likely haven’t heard about this, but we will do our best to explain what has happened and what it means for those agencies that have the software installed.

What is SolarWinds?

According to the SolarWinds website, the SolarWinds Orion platform is a “powerful platform” that “makes it easy to monitor, analyze, and manage the complete IT stack in one place.” The appeal of the SolarWinds Orion platform is that it allows for IT specialists to have access to an entire IT stack through one “single pane of glass.”

Why is the hack of SolarWinds Orion Platform important?

Simply put, the Orion platform is used in government agencies, critical infrastructure, and private sector organizations. The hack gave access to the following information;

Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, or with 2020.2 HF 1 were affected

For this article, we will look at just one of the affected aspects of the Orion platform that were exploited by malware and give a surface level explanation as to what it does. We are not tech experts at Diverge Media and so our explanation will be rudimentary.

Network Configuration Manager – according to manageengine.com, an NCM is capable of but not limited to Network device discovery, Configuration backup, Configuration change management and they help Execute complex network operations.

What are examples of a complex network operation?

“Network Configuration Management includes the execution of many network operations and sometimes these can also be automated. For instance, if you need to change the password of all cisco routers on a network, applying the change to every device individually would be a tedious process. This is where configuration templates that are commonly called ‘Configlets’ come into play. You can centrally execute this operation to all the devices using configlets. They also come with the added advantage of scheduling, which does not require the user to be around while the operation is being executed.”

This doesn’t mean that the SolarWinds malware affecting some of its Orion Platform versions 2019.4 HF 5, 2020.2 and 2020.2 HF 1 are compromised to this full extent – just that it has the possibility of being very bad.

It was concerning enough that The Cybersecurity and Infrastructure Security Agency (CISA) described the situation as follows;

“CISA is aware of compromises, which began at least as early as March 2020, at U.S. government agencies, critical infrastructure entities, and private sector organizations by an APT actor. This threat actor has demonstrated sophistication and complex tradecraft in these intrusions. CISA expects that removing the threat actor from compromised environments will be highly complex and challenging. This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks. It is likely that the adversary has additional initial access vectors and TTPs that have not yet been discovered.”

CISA on December 20th listed the key takeaways from the hack as follows;

Key Takeaways (updated December 18, 2020)

• This is a patient, well-resourced, and focused adversary that has sustained long duration activity on victim networks.
• CISA is investigating other initial access vectors in addition to the SolarWinds Orion supply chain compromise. 
• Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.
• Organizations with suspected compromises need to be highly conscious of operational security, including when engaging in incident response activities and planning and implementing remediation plans.

CISA futher described the situation as “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”

The hack dates back to at least March of 2020. Getting rid of the malicious software will not be easy and there is obvious concern of what information is being accessed from these organizations that are critical to national security.

Private sector organizations are also affected. The New York Times reported that nearly all Fortune 500 companies, including The New York Times themselves, use SolarWinds products to monitor their networks. So does Los Alamos National Laboratory, where nuclear weapons are designed, as well as major defence contractors like Boeing.

It is currently unclear what organizations have been affected but it is believed that the hackers were selective – targeting the most high profile users.

The Wall Street Journal reported that “technology giant Cisco Systems Inc., chip makers Intel Corp. and Nvidia Corp., accounting firm Deloitte LLP, cloud-computing software maker VMware Inc. and Belkin International Inc., which sells home and office Wi-Fi routers and networking gear under the LinkSys and Belkin brands,” – were among the companies that had downloaded the malicious software.

The attackers also had access to the California Department of State Hospitals and Kent State University.

FireEye, the intelligence-led security company has also confirmed that it was infected with the malware and was seeing the infection in customer systems as well.

This has been linked back to Russia, but an IT source of ours has indicated the list of IP addresses given to them to block (for non-government related institutions) did not go back to Russian IP addresses. There will be more on this tomorrow.

Diverge Media is an independent Canadian media company that doesn’t receive government funding – and will never accept government funding. As a result, we rely on our readers/viewers and their donations to help us continue our work. If you would like to support more work like this – please do so by donating in the form below. All the best, the Diverge Media team.