CISA: Hackers Breached US Govt Using More Than SolarWinds Backdoor
The US Cybersecurity and Infrastructure Security Agency (CISA) said that the APT group behind the recent compromise campaign targeting US government agencies used more than one initial access vector.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available,” the agency said.
“Not all organizations that have the backdoor delivered through SolarWinds Orion have been targeted by the adversary with follow-on actions.”
Hard to remove from compromised networks
The APT group, suspected to be the Russian state-sponsored APT29 (aka Cozy Bear and The Dukes), was present on the networks of compromised organizations for long periods of time, according to CISA.
Additionally, the agency said that it is very likely that the threat actor behind this coordinated hacking campaign made use of other tactics, techniques, and procedures (TTPs) that have not yet been discovered as part of ongoing investigations.
The agency is also currently investigating incidents where it found TTPs consistent with this ongoing malicious activity, “including some where victims either do not leverage SolarWinds Orion or where SolarWinds Orion was present but where there was no SolarWinds exploitation activity observed.”
“CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” the US cybersecurity agency added.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions. CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
Additional technical details including info on initial infection vectors, tactics, techniques, and procedures (TTPs) used in this campaign, mitigation measures, and indicators of compromise are available in CISA’s AA20-352A alert.
US govt hacks officially confirmed
The compromise of multiple US federal networks after the SolarWinds breach was officially confirmed today for the first time in a joint statement issued by the FBI, CISA, and the ODNI.
“This is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government,” the US intelligence agencies said.
Microsoft, FireEye, and GoDaddy have collaborated to create a kill switch for the SolarWinds backdoor to force the malware to delete itself from compromised networks.
The backdoor, tracked as Solarigate by Microsoft and Sunburst by FireEye, was distributed via SolarWinds’ auto-update mechanism onto the systems of approximately 18,000 customers.
The list of US government targets compromised so far in this campaign includes the US Treasury, the US Department of State, US NTIA, US NIH, DHS-CISA, and the US Department of Homeland Security.