UPDATE: SolarWinds Supply Chain Attack to Blame for FireEye Breach
In a statement on Monday, December 14, cybersecurity firm FireEye confirmed that software provider SolarWinds was breached by what is believed to be a foreign government. The attack deployed a malware-laced update for its Orion software that infected the networks of U.S. government agencies and corporations, including FireEye itself.
This report comes after Reuters, The Washington Post and the Wall Street Journal all reported that the U.S. Treasury Department and the U.S. Department of Commerce’s National Telecommunications and Information Administration were breached. Reuters, also reported that the security breach was considered serious enough that it required a rare meeting including the U.S. National Security Council at the White House on Saturday.
According to sources who spoke with the Washington Post, the attack is being connected to APT29, a codename used to associate hackers with the Russian Foreign Intelligence Service.
FireEye itself did not confirm that APT29 was responsible for the attack, however several sources told ZDNet.com that the hackers associated with the attacks were indeed likely connected to APT29 based on all of the evidence.
Microsoft, who was also affected by the attack, privately sent security alerts to customers confirming the SolarWinds attack and offering countermeasures to those who may have been affected.
In a press release published by SolarWinds, the company confirmed the breach to its Orion software. Orion is a software program that is used for centralized monitoring and management. It is used in larger networks to track IT resources such as servers and workstations.
The versions of Orion infected with Malware were 2019.4 through 2020.2.1. These versions of the software were released between March 2020 and June 2020.
FireEye has published a technical report, along with detection rules on GitHub for the malware, which they have named “SUNBURST”. Microsoft, who named the malware “Solorigate”, has also added detection rules to their Defender antivirus.
FireEye stated that despite initially thinking it was an attack that targeted the United States, “The campaign is widespread, affecting public and private organizations around the world. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals.”
The number of victims in this attack has not been made public.
The U.S. Cybersecurity and Infrastructure Agency has issued an emergency directive detailing instructions on how government agencies can tell if their systems have been compromised with SUNBURST.
On December 15, SolarWinds will release an update (2020.21 HF 2), that “replaces the compromised component and provides several additional security enhancements.”
Story via ZDNet.com