After taking control of the Orion update mechanism, attackers installed a backdoor…
The US Treasury and Commerce departments are among the US government agencies hit in an operation that multiple news outlets, citing people familiar with the matter, said was led by Cozy Bear, a hacking group believed to be part of the Russian Federal Security Service, or FSB. Word of the attacks arrived on Sunday, five days after FireEye, the $3.5 billion security company, said on Tuesday that it had been hacked by a nation-state.
On Sunday night, FireEye said the attackers were infecting targets using Orion, a widely used business software app from SolarWinds. After taking control of the Orion update mechanism, the attackers were using it to install a backdoor that FireEye researchers are calling Sunburst.
Russian hackers have breached networks belonging to the US government and private organizations worldwide in a widespread espionage campaign that uses the global software supply chain to infect targets.
“FireEye has detected this activity at multiple entities worldwide,” FireEye researchers wrote. “The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.”
After using the Orion update mechanism to gain a foothold on targeted networks, Microsoft said in its own post, the attackers are stealing signing certificates that allow them to impersonate any of a target’s existing users and accounts, including highly privileged accounts.
In a separate post, FireEye said it has identified multiple organizations that appear to have been infected as long ago as this past spring.
“Our analysis indicates that these compromises are not self-propagating,” company researchers said. “Each of the attacks require meticulous planning and manual interaction.”
SolarWinds says that monitoring products it released in March and June of this year may have been surreptitiously weaponized in a “highly sophisticated” attack by a nation-state.