Recent attacks targeting U.S. government agencies are now revealing internal email traffic was monitored for a considerable amount of time. The hack raised concerns among government departments as to whether there is a bigger story.

While the hack is considered to be one of the most sophisticated and perhaps largest hacks in more than five years, the cybersecurity community attributes it to APT29 a.k.a. CosyBear, the Russian intelligence-linked hacking group. 

What is not surprising in this attack is how hackers reached government agencies – a third-party vendor.

According to the recent acknowledgment by the Trump administration, hackers have been monitoring internal email traffic at the U.S. Treasury and Commerce Departments. While the FBI and CISA are now investigating the matter, the intrusion culminated in a National Security Council meeting on Saturday at the White House.

In addition to the Treasury Department, hackers were able to break into a range of key government networks.

“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” said John Ullyot, a spokesman for the National Security Council.

Several others claim hackers also targeted national security-related organizations, although it was not clear if the systems contained highly sensitive information.

The accusations were dismissed by the Russian foreign ministry as another “unfounded” effort by the US media to blame Russia for cyberattacks on US agencies.

The Third-Party IT Vendor

Cyberspies are believed to have tampered with updates released by the vendor named SolarWinds, a third-party IT company leveraged as an initial vector in the attack campaign.

SolarWinds serves government customers across the executive branch, military, and intelligence services, according to [1]. In a website announcement, the vendor states its customer base includes most of the Fortune 500 companies in the U.S., the top 10 U.S. telecommunications providers, all five branches of the U.S. military, the State Department, the National Security Agency, and the Office of President of the United States.

The tool blamed for the attack is SolarWinds’ Orion platform, and the attack is referred to as “a highly sophisticated, manual supply chain attack on Orion software builds for versions 2019.4 through 2020.2.1, released between March and June”. CISA issued an emergency warning ordering all federal agencies to disconnect their Orion devices from the network.

Orion Software enables centralized monitoring and management of IT stack, from infrastructure to application. In a filing with the U.S. Securities and Exchange Commission, Solarwinds said only 33,000 of its 300,000 customers use Orion and fewer than 18,000 are believed to have installed the malicious update.

What was in common between SolarWinds and FireEye?

SolarWinds traced the intrusions back to springtime, suggesting that for most of the year the hackers had complete freedom. However, it’s not clear how many emails and other networks were sought after for access. 

On the other hand, the hacker’s methods were far more sophisticated than traditional attacks. Once they were inside the Orion, the hackers were able to counterfeit the tokens used to authenticate to Microsoft by gaining access to an organization’s trusted SAML token-signing certificate.

The forged SAML tokens allowed hackers to impersonate any of the organization’s existing users and accounts (which allowed them to access on-premises and cloud resources.) The organization’s Azure Active Directory settings were also changed to facilitate long term persistence [2].

What started at SolarWinds resulted in a compromise of user accounts in the U.S. Treasury and Commerce Departments and perhaps many others.  

FireEye, a cybersecurity company that first raised the alarm about the Russian campaign after its own systems were penetrated, said the so-called supply chain attack was a “top-tier operational tradecraft.”

Recently, FireEye announced hackers stole some of their red-team tools for finding vulnerabilities in its clients’ systems, which was also attributed to Cozy Bear or A.P.T. 29. FireEye also has government-affiliated clients, including the Department of Homeland Security and other intelligence agencies. 

Although hackers only got their hands on the red-teaming tools that did not contain zero-day exploits, one can assume the expectation was far more aggressive than what was achieved. CEO Kevin Mandia added in a blog post, “there is no sign that the hackers have used the stolen tools, nor is there evidence that customer information was stolen.”

Supply-Chain Attacks: Not a Surprise!

Supply chain or third-party compromises should not come as a surprise to companies or state agencies today. We have seen many attacks emerging from third parties beginning with the famous Target breach, which cost the supermarket giant millions of dollars. It was the result of hacking a third-party HVAC company. Other sensational supply chain attacks included  British Airways and AMCA breaches. With British Airways facing the largest GDPR fine, and AMCA having leaked massive amounts of healthcare records, supply chain attacks have only continued to grow since.

The main emerging threat beginning in the last decade is hackers attacking the weakest links in supply chains. This method was a proven way of reaching out to larger organizations; as seen in the recent case involving the U.S. government agencies.

Monitoring and continuous oversight of supply-chains are critical. A mindset that goes beyond the organization, including anywhere an organization’s data is handled during the process, should be maintained.

norm-shield

Black Kite’s Third-Party Risk Assessment continuously assesses an entity or a supplier throughout the entire supply chain, capturing critical information in the cyber risk dashboard and providing detailed drill-down capabilities to fully understand and mitigate the risk. Ongoing monitoring surfaces prioritize risks and measures cyber risk posture improvement over time. By providing a Cyber Rating (technical), Compliance Estimations (policies and processes), and FAIR results (the probable impact in financial numbers), Black Kite provides a 3-dimensional picture of risk in a supply chain.

q7

Governments as new Targets

Last week, the Norwegian parliament experienced a similar incident which was attributed to Fancy Bear, a hacker group that has ties to Russia’s GRU military intelligence agency as well. The parliament fell victim to a cyber attack in August and many lawmakers and officials’ e-mail accounts were compromised [3]. The allegation was dismissed by Moscow as a deliberate provocation.

Initial investigations revealed the attack was part of a broader campaign “that has been going on at least since 2019”. We will update this post as more information comes from the investigation.

References

[1] https://www.reuters.com/article/us-usa-cyber-treasury-exclusive/suspected-russian-hackers-spied-on-us-treasury-emails-sources-idUSKBN28N0PG

[2] https://www.helpnetsecurity.com/2020/12/14/compromised-solarwinds-orion

[3] https://www.neweurope.eu/article/russian-hacker-group-fancy-bear-accused-of-cyberattack-on-norwegian-parliament
Featured photo by Bermix Studio on Unsplash