US Coast Guard Orders Maritime Facilities To Report SolarWinds Breaches

The U.S. Coast Guard (USCG) has ordered MTSA-regulated facilities and vessels using SolarWinds software for critical functions to report security breaches in case of suspicions of being affected by the SolarWinds supply-chain attack.

USCG’s order was delivered through a Marine Safety Information Bulletin (MSIB) published on Wednesday on continued awareness regarding the ongoing exploitation of SolarWinds software.

“It is critical that the Coast Guard understands the potential risks of this APT actor on marine transportation system networks and supply chain connections,” the USCG said.

“Reporting malicious cyber activity enhances maritime domain awareness and allows us all to be better postured to prevent and respond to cyber incidents that could disrupt commerce or jeopardize national security.”

When to report a security breach

The order applies to operators or owners of maritime facilities and vessels regulated by the Maritime Transportation Security Act (MTSA).

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

MTSA security regulations address the higher risk of transportation security incidents concerning high capacity passenger and cargo vessels, offshore extraction platforms, as well as port facilities that serve them.

Such facilities and vessels are required to create security plans to better detect and defend against security threats.

Following today’s order, they are now also required to report breaches of security if:

• They have downloaded the trojanized SolarWinds Orion plug-in
• They note any system with a critical security function displaying any signs of compromise, including those that may have not originated from the SolarWinds Orion compromise but utilize similar TTPs (as detailed in CISA’s AA20-352A alert)

Scanning for activity connected to the SolarWinds incident

The USCG also advised using open-source tools developed by the Cybersecurity and Infrastructure Security Agency (CISA) and private security firms for detecting and remediating malicious activity stemming from the SolarWinds security incident.

The PowerShell-based Sparrow tool created by CISA’s Cloud Forensics team helps detect potentially compromised applications and accounts in Azure/Microsoft 365 environments.

Cybersecurity firm CrowdStrike released a similar detection tool known as the CrowdStrike Reporting Tool for Azure (CRT) and designed to help admins analyze Azure environments to an overview of privileges assigned to third-party resellers and partners.

FireEye also released a free tool dubbed Azure AD Investigator that can help organizations discover artifacts indicating malicious activity by the threat actor behind the SolarWinds supply-chain attack.

This threat actor is tracked as StellarParticle (CrowdStrike), UNC2452 (FireEye), SolarStorm (Palo Alto Unit 42), and Dark Halo (Volexity).

While its identity is still unknown, a joint statement issued by the FBI, CISA, ODNI, and the NSA says that it is likely a Russian-backed hacking group.

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

A detailed timeline of attacks using trojanized SolarWinds software shared by Microsoft shows that a backdoor was injected in February 2020 and later deployed in compromised networks in late-March.