[German]The list of those affected by the cyberattack via SolarWind’s Orion SUNBURST backdoor is growing. Microsoft has also found the Trojan in its network (no data is said to have been leaked). And there is a second attack by a probably second hacker group (Beserk Bear) with more names of targets.
The hack of several US agencies via the SUNBURST backdoor in SolarWinds Orion monitoring software (see article FireEye hacked, Red Team tools stolen and US Treasury and US NTIA hacked) is taking on ever greater dimensions. The networks of the National Nuclear Security Administration (NNSA) and the U.S. Department of Energy (DOE) have also been hacked, as I reported last night in the article SUNBURST: US nuclear weapons agency also hacked, new findings.
It is now also clear that the attackers used multiple strategies to hack into the victims’ IT systems. This is because there are also victims who have not deployed SolarWinds Orion or for whom the Orion monitoring software shows no unusual activity. The identification and cleanup of affected systems may take months. In the meantime, however, more and more information is becoming known about who is among the victims.
GErman blog reader No points out two blog posts on Prevasio.com in this comment (thanks for that). There is a thread research blog where Sergei Shevchenko (Threat Research Manager bei Sophos) posts his analysis. In this post he prepares his knowledge regarding what can be deduced about domains of possible victims from malware analysis. He has written a decoding routine for the encrypted domain identifiers and then published a list of potential victims.
Shevchenko writes that the list may be inaccurate – but it is definitely interesting to have a look at it. There is a lot from Cisco and Check Point to Intel and various banks.
Microsoft finds Trojans in its own network
Microsoft has also found the malware in its own networks. This can be seen from the following statements in this blog post.
“Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
Microsoft confirms there that the malicious SolarWinds binaries were detected, isolated and removed in the Microsoft environment. However, Microsoft found no evidence that production services or customer data were accessed. Investigations, which are ongoing, have found no evidence that Microsoft’s systems were used to attack others.
The list of victim grows
The colleagues from ZDNet have published the list of confirmed victims so far in this article. Naturally, this list refers to US facilities.
- US Treasury Department
- US Department of Commerce’s National Telecommunications and Information Administration (NTIA)
- Department of Health’s National Institutes of Health (NIH)
- Cybersecurity and Infrastructure Agency (CISA)
- Department of Homeland Security (DHS)
- US Department of State
- National Nuclear Security Administration (NNSA) (see)
- US Department of Energy (DOE) (see)
- Drei US-Bundesstaaten (sih)
- City of Austin Texas (see)
In addition, there is FireEye and now probably Microsoft (the attack is assigned to the Cosy Bear group). I think we will read more names in the coming hours and days.
What Microsoft writes about victims
In this blog post, Microsoft gives a general overview of what is known so far about the attacks via the SolarWinds Orion vulnerability. Microsoft has published the following map showing victims of the SolarWinds Orion SOLARBURST vulnerability.
SolarWinds Orion SOLARBURST vulnerability victim, source: Microsoft
The card’s data is based on telemetry data from Microsoft’s Defender anti-virus software. This map identifies customers running Defender who have installed versions of SolarWinds’ malware-infested Orion software. The hot spot is in the U.S., but the U.K. and the Netherlands are also affected. Hits can even be found in Germany, Switzerland and Austria. This illustrates that the attack is of global significance and how vulnerable the United States basically is. In its blog post, Microsoft therefore also calls for joint action to defend against such attacks.
Attack on Austin and other victims
The attack on the U.S. city of Austin is arguably out of the ordinary. The Intercept has published this lengthy article about the attack on the U.S. city of Austin attributed to the Russian hacker group Berserk Bear. The attack likely came to light through Microsoft investigations and documents. From the Microsoft Threat intelligence Center (MSTIC), there is probably a document that was distributed to Microsoft public sector customers in mid-November as a warning of a Berserk Bear attack. In the warning, there is probably a list of indicators of compromise by Berserk Bear, the MSTIC . That document warned that BROMINE, Microsoft’s name for Berserk Bear, had also targeted the telecommunications, aerospace and defense sectors, affecting facilities in the United Kingdom and Turkey in addition to the United States.
Austin’s Internet address was the only public IP on the MSTIC list. The other IP addresses belonged to cloud hosting providers such as Amazon, DigitalOcean, Microsoft Azure, and the German company Hetzner, as well as the Turkish mobile operator Turkcell. The next day, MSTIC distributed a copy of the same alert without Austin’s IP address. It’s possible that Microsoft originally included Austin’s IP address by mistake as an indicator of compromise, but VirusTotal’s malware activity makes that scenario unlikely. And VirusTotal cataloged six malware samples communicating with that IP that were submitted in November and December 2020. That suggests, according to The Intercept, that Austin’s network remains compromised.
Cisco, Cox and other agencies affected
Addendum: It was ever mentioned above, the provider Cisco is also among the victims of the hack. Bloomberg picked up on the case here. Some internal machines used by Cisco researchers were affected, the networking equipment provider said in a statement. The company says its security team acted quickly to resolve the issue and that the “affected software” has been “mitigated.” Personally, I think these are partially thrown smokescreens, since without more detailed forensic analysis, it’s unclear what kind of manipulations were made to the Active Directory and network structures. Cisco in particular may have been a lucrative target.
And Reuters reports here about a publicly available analysis here that the hackers also penetrated the networks of Cox Communications and the local government in Pima County, Arizona. A spokesman for Cox Communications said the company is working “around the clock “with the help of outside security experts “to investigate the aftermath of the SolarWinds compromise. “The security of the services we provide is a top priority,” the spokesman said – what else could he communicate.
In an email to Reuters, Pima County Chief Information Officer Dan Hunt said his team followed U.S. government advice to take the SolarWinds software offline immediately after the hack was discovered. He said investigators found no evidence of another intrusion.
Reuters identified the victims by running a coding script published on Friday by researchers at Moscow-based cybersecurity firm Kaspersky to decrypt logs containing data from the infected systems, which are now available online.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a ‘Kill Switch’ and EINSTEIN’s fail
SUNBURST malware was injected into SolarWind’s source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
Cookies helps to fund this blog: Cookie settings