Threat Update
Government and private sector organizations are constantly releasing updates on all manner of topics relating to the SolarWinds Orion compromise. In this article, we have detailed a number of important SolarWinds-related developments.
Technical Detail & Additional Information
DEPARTMENT OF JUSTICE EMAIL COMPROMISE
On Wednesday, January 6th, the U.S. Department of Justice (DOJ) issued a statement that its Office 365 environment was compromised as part of the SolarWinds Orion vulnerability, and that roughly “three percent” of the DOJ’s employees had their sent and received emails visible to the attackers. The DOJ has roughly 100,000 employees, so this small percentage still represents a large potential impact. However, the DOJ has also stated that there is “no indication that any classified systems were impacted” [1].
JOINT STATEMENT BY US GOVERNMENT ON NEW TASK FORCE
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) announced on Tuesday, January 5th that a new task force known as the Cyber Unified Coordination Group (UCG) has been formed. Its main focus is “to coordinate the investigation and remediation of this significant cyber incident involving federal government networks” [2]. The UCG has identified that this is likely a Russian APT and is “taking all necessary steps to understand the full scope of this campaign and react accordingly”. The UCG also exists to assist victims in identifying and remediating compromise, as well as to collect evidence.
THIRD MALWARE STRAIN DISCOVERED IN SOLARWINDS ATTACK
CrowdStrike, one of the biggest names in cyber-security, has, like many others, been actively investigating the SolarWinds supply chain attack. CrowdStrike believes it has now identified a third malware strain that was directly involved, and is referring to it as “Sunspot”. This places it alongside Teardrop and Sunburst, the previous two strains. Sunspot appears to have a single purpose: to “watch the build server for build commands that assemble Orion” [3]. Once such a build command was detected, Sunspot would quietly swap the original Orion source code for code containing the Sunburst malware.
SOLARLEAKS SITE CLAIMS TO SELL DATA STOLEN IN SOLARWINDS ATTACK
The theft and sale of information is nothing revolutionary. However, due to the sheer number of high-profile organizations compromised via SolarWinds Orion, reports of these sales have made waves. A site called solarleaks[.]net was launched on Tuesday, January 12, which purports to be selling extremely high-profile information, such as Microsoft source code and repositories, source code for multiple Cisco products, source code for the stolen FireEye red team tools, and the SolarWinds source code as well as a dump of the customer portal. While these claims are largely unfounded at this time, Microsoft has stated that threat actors did indeed access its source code, so that claim may be possible. Notably, the majority of the data for sale is of commercial value, rather than that of governmental agencies.
References:
For more in-depth information about the recommendations, please visit the following links:
- https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
- https://arstechnica.com/information-technology/2021/01/doj-says-solarwinds-hackers-breached-its-office-365-system-and-read-email/
- https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/?ftag=CAD-03-10abf6j
- https://www.bleepingcomputer.com/news/security/solarleaks-site-claims-to-sell-data-stolen-in-solarwinds-attacks/
If you have any questions, please contact our Security Operations Center.