Events can escalate quickly in cyberspace. What started out as an audacious but apparently isolated breach of FireEye became, in a matter of days, one of the most impactful state-sponsored cyber-espionage campaigns ever discovered. Russia is thought by many to have been behind the attacks, which compromised multiple US government departments and numerous tech companies, NGOs, contractors and others around the world.

Microsoft president Brad Smith has described it as a “moment of reckoning” that demands a coordinated response from democratic governments around the world, working hand-in-hand with the technology industry. In the meantime, CISOs caught in the middle must find a way to mitigate risk as best they can both in their organization and across the supply chain, according to the experts that Infosecurity spoke to.

The story begins with that attack on FireEye, revealed by the firm in early December 2020. It claimed the attackers were looking for information on its government customers, although at the time it said no data on them had been taken. In fact, the only assets they took were some of the tools used by FireEye’s red team operatives to test for weaknesses in customers’ IT environments.

Just a few days later, the vendor dropped a bombshell, revealing that this incident was part of a much bigger “top tier” nation state attack. The attack vector? Updates to a popular product (Orion) from IT management software firm SolarWinds, which enabled compromise via a backdoor Trojan known as Sunburst (Solorigate). It’s possible that the vendor was itself compromised via its Office 365 installation. This kind of supply chain attack technique shares similarities with the NotPetya campaign of 2017, which began with Trojanized versions of popular Ukrainian accounting software.

FireEye’s analysis reveals the sophisticated OpSec techniques the group used to stay hidden. It apparently relied on only a light malware footprint, focusing mainly on compromising legitimate credentials to move laterally and remotely access systems. Of the malware that was used, Sunburst hid its network traffic as the Orion Improvement Protocol in order to blend in with legitimate SolarWinds activity. It also used multiple obfuscated blocklists to identify and stop any AV tools running.

The US government appears to have been the main target of what reports are claiming was an attack coordinated by APT29 (aka Cozy Bear), which was linked to previous attacks on the Democratic National Committee in 2016 and on COVID-19 vaccine data. Although the government hadn’t revealed which departments were targeted at the time of writing, these are believed to have included: the Commerce Department’s National Telecommunications and Information Administration; the departments of health, state, energy and homeland security; the National Nuclear Security Administration and the Cybersecurity and Infrastructure Security Agency (CISA), as well as some US state governments.

Many of these details were subject to further change, which in itself is testament to the scale of the campaign and the lengths the actors went to in order to stay hidden. CISA has revealed that there is evidence of additional “initial access vectors” besides the malicious Orion updates.

A Fatal Mistake

Experts are agreed that FireEye was not the primary target for this campaign, which may have given Russian attackers access to government emails and other sensitive systems since March 2020.

“Many of the stolen tools are open source and not proprietary to FireEye. There are no zero-day exploits in the cache of tools stolen,” Forrester senior analyst, Brian Kime, tells Infosecurity. “Additionally, FireEye shared detections (Yara and Snort rules) with the community to detect those tools. With those detections available, the perpetrators of the theft will likely have to modify the stolen tools and those modifications will be a signature of who is using the particular tool.”