For what it is worth, here are further disclosures from the cybersecurity firm at the centre of the Sunburst firestorm.
In a follow-up to cybersecurity firm FireEye’s disclosure of a severe breach of its own networks, and amid the firestorm of thousands of breaches affecting Orion users around the world, the firm’s CEO Kevin Mandia has issued further comments worth noting:
“In our announcement on Dec. 8, we stated we would provide updates as we discovered additional information, in order to ensure that the broader community is aware of the evolving threats we all face. As part of that commitment, we want to provide you with the following update on our investigation.
We have identified a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain. This compromise is delivered through updates to a widely-used IT infrastructure management software—the Orion network monitoring product from SolarWinds. The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.
Based on our analysis, the attacks that we believe have been conducted as part of this campaign share certain common elements:
- Use of malicious SolarWinds update: Inserting malicious code into legitimate software updates for the Orion software that allows an attacker remote access into the victim’s environment.
- Light malware footprint: Using limited malware to accomplish the mission while avoiding detection.
- Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity.
- High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools.
Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the Spring of 2020, and we are in the process of notifying those organizations. Our analysis indicates that these compromises are not self-propagating; each of the attacks requires meticulous planning and manual interaction. Our ongoing investigation uncovered this campaign, and we are sharing this information consistent with our standard practice.
We have been in close coordination with SolarWinds, the Federal Bureau of Investigation, and other key partners. We believe it is critical to notify all our customers and the security community about this threat so organizations can take appropriate steps. As this activity is the subject of an ongoing FBI investigation, there are also limits to the information we are able to share at this time.
We have already updated our products to detect the known altered SolarWinds binaries. We are also scanning for any traces of activity by this actor and reaching out to both customers and non-customers if we see potential indicators.
For more information please see:
- Technical details regarding the actor’s tactics, techniques and procedures
- FireEye’s GitHub for SUNBURST countermeasures
- SolarWinds Security Advisory
FireEye’s mission is to make our customers and the broader community safer. We are methodically uncovering and exposing this campaign piece by piece and working to prevent future attacks. It will require coordinated action by public and private organizations to fully expose and mitigate this threat, and we intend to continue our efforts.”
Meanwhile, according to Reuters and other news agencies over the week, emails of officials at the US Department of Homeland Security had been monitored by the hackers. Going forward, security teams in all affected organizations could spend months or even years trying to work out what has been compromised.