More US government bodies, including the Department of Energy (DoE) and the National Nuclear Safety Administration (NNSA), have fallen victim to the sprawling SolarWinds Sunburst state-backed cyber attack, while more victims are being uncovered on a global scale, including in the UK. The Cybersecurity and Infrastructure Security Agency (CISA) has branded the attack a “grave risk”.
Over the past 24 hours, details emerged of how the attackers, who have been linked to the Russian APT29 or Cozy Bear group, broke into the networks of the DoE and NNSA, which has responsibility for maintaining the US’s nuclear weapons arsenal. Among the group’s targets were the Federal Energy Regulatory Commission (Ferc), the Sandia and Los Alamos laboratories, the NNSA’s Office of Secure Transportation, and the DoE’s Richland Field Office, according to Politico.
The list of victims may now also include Microsoft, which has been at the forefront of efforts to disrupt the attack, although this is not confirmed. A Microsoft spokesperson has confirmed that the organisation did indeed detect malicious SolarWinds binaries in its environment, which it isolated and removed, but said there was no evidence of compromise of its production services or customer data. Nevertheless, Reuters, citing sources familiar with the situation, claimed that the attackers did make use of some Microsoft public cloud infrastructure.
In an alert issued on Thursday 17 December, the CISA said it was aware of compromises of government agencies, critical national infrastructure (CNI) operators, and private sector organisations by an advanced persistent threat (APT) group, beginning in March.
“This APT actor has demonstrated patience, operational security and complex tradecraft in these intrusions,” it said. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organisations.
“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal and territorial governments, as well as critical infrastructure entities and other private sector organisations.”
Te CISA said it was facing a “patient, well-resourced and focused adversary”, and warned that the Sunburst compromise was not the only initial infection vector used in this campaign. Also, not all of the estimated 18,000 organisations that inadvertently downloaded the tainted update to SolarWinds’ Orion platform that sparked this incident have been subsequently targeted.
Microsoft president Brad Smith said the cyber assault was effectively an attack on the US, its government and other critical institutions, and demonstrated how dangerous the cyber security landscape had become.
“The attack is ongoing and is being actively investigated and addressed by cyber security teams in the public and private sectors, including Microsoft,” wrote Smith in a blog post. “As our teams act as first responders to these attacks, these ongoing investigations reveal an attack that is remarkable for its scope, sophistication and impact.
Read more about Sunburst
- Hacking tools used to conduct red team penetration testing were stolen in the initial state-backed attack on security firm FireEye.
- FireEye says investigations have revealed security breach occurred because of a flaw in SolarWinds network monitoring software.
- Nation-state actors conducted a supply chain attack on SolarWinds and planted a backdoor in software updates issued to customers such as FireEye and various government agencies.
“As much as anything, this attack provides a moment of reckoning. It requires that we look with clear eyes at the growing threats we face and commit to more effective and collaborative leadership by the government and the tech sector … to spearhead a strong and coordinated global cyber security response.”
Based on telemetry gathered from Microsoft’s Defender antivirus software, Smith said the nature of the attack and the breadth of the supply chain vulnerability were very clear to see. He said Microsoft has now identified at least 40 of its customers that the group targeted and compromised, and is now working with them.
Most of these customers are understood to be based in the US, but Microsoft’s work has also uncovered victims in Belgium, Canada, Israel, Mexico, Spain, the UAE and the UK, including government agencies, NGOs, and cyber security and technology firms.
Smith added: “This is not ‘espionage as usual’, even in the digital age. Instead, it represents an act of recklessness that created a serious technological vulnerability for the US and the world. In effect, this is not just an attack on specific targets, but on the trust and reliability of the world’s critical infrastructure in order to advance one nation’s intelligence agency.
“While the most recent attack appears to reflect a particular focus on the United States and many other democracies, it also provides a powerful reminder that people in virtually every country are at risk and need protection, irrespective of the governments they live under.”