
In early December of last month, I was “at work” in my home office. Since the start of the COVID-19 pandemic, I’ve been working remotely as a contractor for the Cybersecurity and Infrastructure Security Agency (CISA). As an architect, I work with a lot of people in CISA, and my current task required me to talk to various system administrators and network engineers about some architecture issues…only none of them were available.
I soon learned that there’d been a wide-ranging global malware attack called SolarWinds, that CISA’s network had been penetrated by it, that a LOT of people at CISA were upset, and that every available technical resource was being thrown at the problem, and that all of the people I need to talk to had been drawn into the crisis. It was, in fact, what came to be known as the SolarWinds Supply Chain Hack.
You can’t work for CISA, which is dedicated to protecting the United States, its civilian government agencies, and the country’s critical physical infrastructure from threats, and not be anything but dedicated to the side of the good guys. Knowing that I was helping keep the country more secure was, in fact, one of the intangible benefits of the job. But this was the first time I’d been at “ground zero” for a major malware hack that had actually affected secure networks that I used every day.
I got curious about exactly what had happened. SO, after the threat had been dealt with and the dust had settled, I started doing some research. I wanted to know how the malware attack happened, and what actions were taken to end the threat. I used public sources so there’s no privileged information being released here.
The Cyber Attacker
APT29 was identified as the hacker group believed to be responsible for the SolarWinds Supply Chain Hack. It is also known as “Cozy Bear,” following a cybersecurity tradition in which threat actors are assigned a randomly generated codename.
For the record, APT stands for “Advanced Persistent Threat,” which is a term that defines the highest tier of cyberattack. It involves highly skilled, well-funded actors (often nation-states) conducting prolonged, stealthy campaigns to infiltrate networks. So, you can see how the generic “APT29” name was derived.
The group is believed to be associated with the Sluzhba Vneshney Razvedki (SVR), the Russian Foreign Intelligence Service. SVR is the civilian external intelligence and espionage service that succeeded the First Directorate of the KGB when the Soviet Union fell in 1991.
The Supply Chain Compromise
News of the hack was released publicly on December 13, 2020, which was also the day that I first found out about it.
The SolarWinds Corporation was an American software company headquartered in Austin, Texas. The company produced enterprise software that helped businesses and managed service providers monitor, optimize, and secure their networks. In 2020, one of their major products was the SolarWinds Orion IT Platform, which was being used by numerous private companies and government agencies.
The SolarWinds Corporation was breached by the malware sometime in early 2020, at least by March, or possibly earlier. According to SolarWinds, FireEye, and CISA, one of the servers compromised was a Windows server used to build updates for the SolarWinds Orion IT Platform, a widely used infrastructure management product.
Regular software updates to the compromised monitoring platform carried that malware into numerous organizations around the world from March through June of 2020, including the Cybersecurity and Infrastructure Security Agency (CISA), the US Treasury, the US Department of Commerce’s National Telecommunications and Information Administration (NTIA), the Department of Health’s National Institutes of Health (NIH), the US Department of State, FireEye (an incident response and threat intelligence company), and others. It was a global hack, affecting organizations all across the world, not just in the United States.
Once compromised versions of the Orion IT Platform were in place, APT29 had backdoor access to the internal networks of the compromised organizations, potentially allowing for 1) the exfiltration of information, and 2) Command and Control (C2) communications to further manage malicious activities on the compromised networks.
Stopping the Threat
A number of tactics were used to stop the threat, with numerous organizations working together to largely eliminate the threat over a 4-day period, from December 13 – 16, 2020.
- Information Dissemination: One of the most effective ways to end a threat is to make sure everyone knows about it. FireEye named the malware “SUNBURST,” while Microsoft named it “Solorigate.” Both released information on how it worked and, more importantly, how to detect if your organization was infected. CISA also released an emergency directive with instructions on how government agencies could detect and analyze systems infected by the malware.
- Fix the Supply Chain: On December 15, 2020, SolarWinds provided an update to the Orion IT Platform that 1) was verified to not include the malware, and 2) also included several other security enhancements. Now, their software was no longer a vector for continued compromise.
- Zapping Digital Certs: The malware was able to function on Windows servers because the files were trusted. Microsoft removed the digital certificates that conferred that status, thereby causing Microsoft Windows to treat those files as untrustworthy.
- Microsoft Defender Alert: Many enterprise servers at organizations were using Microsoft Defender. Microsoft quickly added detection for the threat to Microsoft Defender, so that it would raise an alert on an infected system.
- Sinkhole: Once a system was infected, it would reach out to a particular domain name to get further instructions. This is what is known as Command & Control, or C2, in the cybersecurity realm. Microsoft and others moved quickly to wrest control of the domain away from the original anonymous owners, thereby decapitating any possibility for continued C2 by APT29. Additionally, they could detect when compromised systems reached out to the domain. With that information, organizations with compromised systems could be notified of the infection.
- Quarantine: Finally, on December 16, 2020, on the fourth day of efforts to contain the threat, Microsoft updated its Microsoft Defender product once more, changing it from alerting upon detection to automatically quarantining the malware if it was detected.
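As an added example (not code from the original post), here is the kind of check the Sinkhole step above makes possible: once the C2 domain is under defender control, the resolver logs show which internal hosts reached out to it, and that list is what gets passed to the affected organization. The C2 domain name and the DNS log lines below are constructed placeholders, not real indicators.

```python
# Added example, not from the original post: find hosts that looked up a
# sinkholed C2 domain in DNS resolver logs. Domain and log lines are
# constructed placeholders; real indicators come from official advisories.
import re
from collections import defaultdict

# Constructed placeholder for the sinkholed C2 domain.
SINKHOLED_DOMAIN = "c2-sinkhole.example.invalid"

# Constructed sample resolver log: "<timestamp> <client ip> <queried name>".
SAMPLE_DNS_LOG = """\
2020-12-14T08:01:12Z 10.1.4.22 updates.vendor.example.com
2020-12-14T08:03:40Z 10.1.4.22 a1b2c3d4.api.c2-sinkhole.example.invalid
2020-12-14T08:09:15Z 10.2.7.9 mail.example.org
2020-12-14T09:12:03Z 10.1.4.22 a1b2c3d4.api.c2-sinkhole.example.invalid
2020-12-14T09:30:44Z 10.3.1.5 f00ba7.api.c2-sinkhole.example.invalid
2020-12-14T09:31:02Z 10.3.1.5 evilc2-sinkhole.example.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def is_c2_lookup(name: str, c2_domain: str = SINKHOLED_DOMAIN) -> bool:
    """True when the queried name is the C2 domain or one of its subdomains.
    A plain substring test would also match look-alike names such as the last
    sample line, so anchor the match on a label boundary."""
    name = name.rstrip(".").lower()
    return name == c2_domain or name.endswith("." + c2_domain)

def find_beaconing_hosts(log_text: str, c2_domain: str = SINKHOLED_DOMAIN) -> dict:
    """Return {client_ip: {"first_seen": ISO timestamp, "count": n}} for each
    client that queried the C2 domain: the notification list for the victim."""
    hits = defaultdict(lambda: {"first_seen": None, "count": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the sweep
        ts, client, qname = m.groups()
        if not is_c2_lookup(qname, c2_domain):
            continue
        rec = hits[client]
        rec["count"] += 1
        # ISO 8601 UTC timestamps sort correctly as strings.
        if rec["first_seen"] is None or ts < rec["first_seen"]:
            rec["first_seen"] = ts
    return dict(hits)
```

Running `find_beaconing_hosts(SAMPLE_DNS_LOG)` flags 10.1.4.22 (two lookups) and 10.3.1.5 (one lookup), while the look-alike domain on the last line is correctly ignored.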
Conclusion
The malware produced by APT29, whether you call it SUNBURST or Solorigate, was highly sophisticated and effective. Additionally, by compromising a supply chain vendor like the SolarWinds Corporation, it unleashed an unprecedented vector that compromised all sorts of organizations, including US government agencies. It was also a global threat, affecting organizations all around the world.
Once detected, it was also stopped in its tracks over a period of four days by the concerted efforts of a whole bunch of organizations.
That’s good, but remember, those Advanced Persistent Threats are still out there. It’s only through dedicated security processes that we can keep the threats at bay.