“Highly Evasive” Nation-State Attackers Eavesdropped on the US Treasury for Months – Several Victims Across Multiple Verticals Worldwide


Just like any holiday period, this December is bringing a lot of hacking stories, but this one may just take the cake. Over the weekend, Reuters reported that attackers who are "believed to be working for Russia" had been monitoring employee emails at the U.S. Treasury and Commerce departments.

The point of entry was SolarWinds, a Texas-based IT security vendor that serves a number of government departments and Fortune 500 companies. In an advisory, the company acknowledged "a highly sophisticated, manual supply chain attack" that targeted SolarWinds "Orion Platform software builds for versions 2019.4 HF 5 and 2020.2 with no hotfix or 2020.2 HF 1."


We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.

In its own blog post, Microsoft called this a "nation-state activity at significant scale, aimed at both the government and private sector." While SolarWinds hasn't shared any details, the Windows maker wrote that the attack was made through malicious code in the SolarWinds Orion product, which resulted "in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials."

An intruder using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token-signing certificate. This enables them to forge SAML tokens that impersonate any of the organization’s existing users and accounts, including highly privileged accounts.
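A token forged with a stolen signing certificate carries a valid signature, so signature checks alone cannot catch it; what the forger cannot do is make the identity provider record an issuance it never performed. The following detection sketch is an added example (not from the article, Microsoft, or SolarWinds): it correlates the assertions a service accepted with the IdP's own issuance log (for example AD FS token-issuance audit events) and flags assertions with no matching record or a lifetime beyond policy. All records, field names and the one-hour policy are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed federation policy: no legitimate assertion lives longer than this.
MAX_LIFETIME = timedelta(hours=1)
TRUSTED_ISSUER = "https://sts.example.test/adfs/services/trust"  # assumed IdP entity ID


@dataclass(frozen=True)
class Assertion:
    """Minimal view of a SAML assertion as seen in a log record (constructed schema)."""
    assertion_id: str
    subject: str
    not_before: datetime
    not_on_or_after: datetime
    issuer: str


def find_suspicious(accepted, idp_issued, trusted_issuer=TRUSTED_ISSUER):
    """Map assertion IDs accepted by the service to the reasons they look forged.

    `accepted`   : assertions the relying party (e.g. a cloud tenant) honoured.
    `idp_issued` : assertions the IdP itself logged as issued.
    A valid signature is assumed; this check looks for what a signature cannot show.
    """
    issued_ids = {a.assertion_id for a in idp_issued}
    findings = {}
    for a in accepted:
        reasons = []
        if a.issuer != trusted_issuer:
            reasons.append("untrusted issuer")
        if a.assertion_id not in issued_ids:
            reasons.append("no matching IdP issuance record")
        if a.not_on_or_after - a.not_before > MAX_LIFETIME:
            reasons.append("lifetime exceeds policy")
        if reasons:
            findings[a.assertion_id] = reasons
    return findings


# Constructed sample logs: two genuine logins and one assertion the IdP never issued.
T = datetime(2020, 12, 14, 9, 0)
IDP_ISSUED = [
    Assertion("_a1", "alice@example.test", T, T + timedelta(hours=1), TRUSTED_ISSUER),
    Assertion("_a2", "bob@example.test", T + timedelta(minutes=5), T + timedelta(minutes=65), TRUSTED_ISSUER),
]
ACCEPTED = IDP_ISSUED + [
    Assertion("_f9", "admin@example.test", T + timedelta(minutes=10), T + timedelta(hours=24), TRUSTED_ISSUER),
]

if __name__ == "__main__":
    for assertion_id, reasons in find_suspicious(ACCEPTED, IDP_ISSUED).items():
        print(assertion_id, "->", "; ".join(reasons))
```

In practice the two inputs come from different systems (the cloud tenant's sign-in log and the on-premises IdP audit log), which is exactly why the correlation is hard for an intruder to evade.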

Microsoft said that Defender now detects these malicious files, which was not possible earlier because Orion required exclusions from antivirus protection to function correctly.

Orion hack gave attackers potential access to hundreds of thousands of companies and government agencies

Through this one compromise of Orion, the attackers could have gained access to a number of companies and government departments, including top-10 telecommunications companies, military branches, and all of the top five accounting firms that use this product.

Unlike most other attacks, this one didn't target just one organization. According to FireEye, there are potentially worldwide victims across multiple verticals, including "government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East."

We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.

The true impact of this large-scale attack may not be known for a while, as more agencies and companies will have to audit in a month that's usually low on staff. As of now, only the Treasury and Commerce departments are confirmed victims, according to investigators.


The US Cybersecurity and Infrastructure Security Agency issued an emergency advisory over the weekend, directing all agencies to review their networks "for indicators of compromise and disconnect or power down SolarWinds Orion products immediately," adding that the compromise poses "unacceptable risks." It is worth noting that SolarWinds says it has over 300,000 clients worldwide.

The FireEye report adds that the attackers may have had this access since at least March, as "multiple trojanized updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website." The hack also involved Microsoft 365, according to Reuters; however, Microsoft maintains that it hasn't "identified any Microsoft product or cloud service vulnerabilities" in its investigations.

- More technical details are available in this FireEye report.