IOTW: US Treasury & Commerce Departments, DHS, NIH & Others Significantly Exposed


Seth Adler

Russian hackers breached several United States government agencies and private-sector organizations worldwide.


It came to light on December 8th that SolarWinds was breached by Russian operatives. An update to its Orion product was weaponized. The involvement of the Russian government’s foreign intelligence service, SVR, and its hacking associates commonly known as Fancy Bear or APT28 is cause for alarm. In 2016, it was this group that broke into the National Democratic Committee.

FireEye, a successful and well-respected cyber security firm, was the first to notice the SolarWinds breach while remediating a breach of its own. FireEye is practicing full disclosure regarding the incident in order to spread awareness, warn others, and work with the industry’s best to track, trace, and stop the spread of the malware, dubbed Sunburst. Best practices after a cyber breach include transparency and open communication with officials and clients. FireEye is being praised for its response to the incident.


SolarWinds develops enterprise software that assists in network, system, and IT management. Its Orion Platform, used by 300,000 private and government organizations globally, was exploited in March and June, spreading undetected until now. In a document filed with the Securities and Exchange Commission on Monday, SolarWinds claims that fewer than 18,000 of its customers installed the patch that enabled the breach.

The attack was novel and sophisticated. It involved trojanizing Orion patch updates. According to FireEye, “The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.” After lying dormant for two weeks, Sunburst begins to spread laterally, stealing information as it goes. It uses legitimate remote access credentials it has lifted along the way, favoring a less obvious intrusion method than typical malware.
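The paragraph above describes Sunburst moving laterally with legitimate credentials it has lifted, which is exactly the behaviour that defeats signature-based malware detection and has to be caught from authentication telemetry instead. The following is an added example, not code from the article, FireEye, or SolarWinds: a small detector that flags an account authenticating to an unusually high number of distinct hosts within a short sliding window. The log format, host names, account names, window size and threshold are all constructed assumptions for illustration.

```python
"""
Added example (not from the article or FireEye): detect the "one account,
many hosts in a short time" fan-out that lateral movement with stolen but
legitimate credentials tends to produce. Everything below is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of successful remote logons, one per line:
# "<ISO timestamp> <account> <source host> <target host>"
SAMPLE_LOGS = """\
2020-12-01T09:00:00 svc_backup  ws-101  fs-01
2020-12-01T09:02:10 jsmith      ws-112  mail-01
2020-12-01T09:03:45 svc_backup  ws-101  fs-02
2020-12-01T09:04:30 svc_backup  ws-101  db-03
2020-12-01T09:05:12 svc_backup  ws-101  app-07
2020-12-01T09:06:59 svc_backup  ws-101  dc-01
2020-12-01T10:30:00 jsmith      ws-112  fs-01
2020-12-01T14:00:00 svc_backup  ws-101  fs-01
"""


def parse_logons(text):
    """Parse the constructed log format into (timestamp, user, src, dst)
    tuples, sorted by time so the sliding window below is well-defined."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), user, src, dst))
    events.sort(key=lambda e: e[0])
    return events


def detect_fan_out(events, window=timedelta(minutes=10), threshold=4):
    """Return {account: peak distinct target hosts} for every account that
    reached at least `threshold` distinct hosts inside any `window`.

    A per-account deque holds the events still inside the window; a counter
    of target hosts is kept alongside so evicting old events is O(1)."""
    per_user = defaultdict(list)
    for ts, user, _src, dst in events:
        per_user[user].append((ts, dst))

    alerts = {}
    for user, rows in per_user.items():
        win = deque()
        host_counts = defaultdict(int)
        for ts, dst in rows:
            win.append((ts, dst))
            host_counts[dst] += 1
            # Drop events that have fallen out of the window.
            while win and ts - win[0][0] > window:
                old_ts, old_dst = win.popleft()
                host_counts[old_dst] -= 1
                if host_counts[old_dst] == 0:
                    del host_counts[old_dst]
            if len(host_counts) >= threshold:
                alerts[user] = max(alerts.get(user, 0), len(host_counts))
    return alerts


if __name__ == "__main__":
    # svc_backup reaches five distinct hosts within ten minutes; jsmith does not.
    for account, peak in detect_fan_out(parse_logons(SAMPLE_LOGS)).items():
        print(f"ALERT {account}: {peak} distinct hosts inside the window")
```

The threshold and window are tuning knobs, not constants of the technique: a backup or monitoring service account legitimately touching many hosts should be baselined and allow-listed rather than silenced by raising the threshold for everyone. The point the article makes is that the credentials were valid, so the signal is in who went where and how fast, not in the binary that did it.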

The U.S. Treasury, Commerce Department, and other U.S. government agencies, plus, according to The Washington Post, “…government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East…” are victims of the attack.

It is still too early to know the full scope of the attack, but “It appears the attackers may have taken our own tools for finding vulnerabilities in foreign networks,” said Matthew Schmidt, a professor in the national security department of the University of New Haven’s Henry C. Lee College of Criminal Justice and Forensic Sciences. “They hacked our hacking capability. It's very early, but the level of immediate reaction suggests a very, very serious intrusion.” 

In other words, Russian operatives are now equipped with the very tools that were built to keep them out. The DHS, FBI, and CISA are working together to counter the attack, which Russia denies.


On Sunday, the Russian Embassy in Washington released a Facebook statement reading in part, “…malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations. Russia does not conduct offensive operations in the cyber domain.

What is more, the Russian Federation actively promotes bilateral and multilateral cyber security agreements. In this regard, we would like to remind our American collegues [sic] of the initiative put forward by President Vladimir Putin on September 25 on a comprehensive program of measures to restore Russia-U.S. cooperation in the field of international information security.”

While some experts insist sanctions are the best way to move forward after such an attack, the United States’ response remains to be seen.

Quick Tips

It is possible that the PII of citizens has been compromised. Governments hold a great deal of information on their citizens. Whether or not Russian operatives have any plan to act on that information is unknown, but there are a few steps citizens can take to keep as much of their data safe for as long as possible. These tips can and should be applied to enterprises as well.

  • Use different and complex passwords for all digital accounts
  • Monitor finances closely for suspicious activity or inexplicable credit changes
  • Turn on two-factor authentication wherever possible, but especially for email and social media accounts
  • Change all government passwords, e.g., social security, IRS, and/or SBA
  • Keep an eye out for government correspondences regarding the breach and its effects

Additionally, the December 8th alert released by CISA recommends that “…cybersecurity practitioners review FireEye’s two blog posts for more information and FireEye’s GitHub repository for detection countermeasures:
