[German]New information on SolarWinds supply chain attack on Orion software. Tens of thousands of companies and organizations around the world were compromised via the attack, which was suspected to be attributed to Russian state-related hackers. The U.S. Department of Justice (DOJ) has now announced that 27 U.S. government agencies were also affected by the SolarWinds hack.
The SolarWinds Orion Hack
Suspected Russian state hackers had succeeded in hacking the Orion software of the US company SolarWinds in 2020. In a supply chain attack, the attackers managed to roll out a Trojan with this software to tens of thousands of companies and organizations that used the Orion software via software updates. The Trojan implemented a backdoor that left tens of thousands of agencies, organizations, and companies vulnerable to attack via the SUNBURST vulnerability.
The hackers used this backdoor to penetrate victims' networks undetected for months, infiltrating Active Directory systems and spying on users' Exchange accounts. This operation only came to light in December 2020, when the security provider FireEye noticed corresponding activities in its own network. I had reported on this issue in several articles (see links at the end of the post).
SolarWinds hack hits 27 U.S. Attorney's Offices
The Department of Justice (DOJ) had already confirmed on Jan. 6, 2021, that the SolarWinds hack included hackers penetrating the department's Microsoft O365 email environment. In order to promote transparency and provide further leads to potential victims, the ministry has decided to disclose further details. The Department of Justice has now confirmed that the Microsoft O365 email accounts of one or more employees at the following U.S. Attorney's Offices were compromised in connection with the SolarWinds incident:
- Central District of California;
- Northern District of California;
- District of Columbia;
- Northern District of Florida;
- Middle District of Florida;
- Southern District of Florida;
- Northern District of Georgia;
- District of Kansas;
- District of Maryland;
- District of Montana;
- District of Nevada;
- District of New Jersey;
- Eastern District of New York;
- Northern District of New York;
- Southern District of New York;
- Western District of New York;
- Eastern District of North Carolina;
- Eastern District of Pennsylvania;
- Middle District of Pennsylvania;
- Western District of Pennsylvania;
- Northern District of Texas;
- Southern District of Texas;
- Western District of Texas;
- District of Vermont;
- Eastern District of Virginia;
- Western District of Virginia;
- Western District of Washington
It is believed that the APT group had access to the compromised accounts between May 7 and December 27, 2020. The compromised data included all sent, received, and stored emails and attachments found in those accounts during that time period.
While other districts were affected to a lesser extent, the APT group gained access to the O365 email accounts of at least 80 percent of employees working in U.S. Attorneys' offices in the Eastern, Northern, Southern, and Western Districts of New York. The Executive Office for U.S. Attorneys has notified all affected account holders, and the Department has provided guidance on identifying specific threats.
FireEye hacked, Red Team tools stolen
US Treasury and US NTIA hacked
SolarWinds products with SunBurst backdoor, cause of FireEye and US government hacks?
Sloppiness at SolarWinds responsible for compromised software?
News in the fight against SUNBURST infection, domain seized
SUNBURST malware: Analytic Tool SolarFlare, a 'Kill Switch' and EINSTEIN's fail
SUNBURST malware was injected into SolarWind's source code base
SUNBURST: US nuclear weapons agency also hacked, new findings
SolarWinds hack: Microsoft and others also affected?
SUNBURST hack: Microsoft's analysis and news
2nd backdoor found on infected SolarWinds systems
SolarWinds hackers had access to Microsoft source code
SolarWinds hack: Hacker goals; outsourcing are under investigation?
News from the SolarWinds hack; JetBrains software as a gateway?
Kaspersky: SolarWinds Sunburst backdoor resembles Russian ATP malware
SolarLeaks allegedly offers source code from Cisco, Microsoft and SolarWinds
Malwarebytes also successfully hacked by the SolarWinds attackers
Four more security vendors confirm SolarWinds incidents
Accusation: Microsoft failed with security in the SolarWinds hack
SolarWinds: Update for Orion software; attackers had access to top DHS accounts
SolarWinds patches critical Serv-U vulnerability (July 2021)
Cookies helps to fund this blog: Cookie settings