It’s been a heck of a month for cybercriminals. Two major cybersecurity firms had their lunch eaten by hackers
Who Was Hacked?
FireEye and SolarWinds were hacked. Up to 18,000 SolarWinds customers were affected by the attack and FireEye had proprietary cybersecurity tools stolen.
Amongst those 18,000 customers were both the United States Federal Government, and FireEye…wait a minute…are these two attacks connected? You better believe it!
Earlier this month, FireEye was hacked. The cybersecurity firm said the attack was sophisticated, so much so, that they believed it to be the work of a foreign nation.
After breaching FireEye, attackers stole a collection of tools the company’s Red Team uses to mimic cyberattacks with customers to help the customer better protect themselves. Some of the tools had already been shared with the public, while others were proprietary to the FireEye Red Team program and not publicly available.
As FireEye researched the breach, they came to realize it was connected to a compromised piece of software they had downloaded and installed from a business partner, SolarWinds.
“We looked through 50,000 lines of source code, which we were able to determine there was a backdoor within SolarWinds,” said Charles Carmakal, senior vice president and chief technical officer at Mandiant, FireEye’s incident response arm, in a recent interview with Bloomberg. (Read Here)
Back in March, hackers compromised two software updates to Orion, a SolarWinds product that’s billed as a scalable, one-stop-shop IT monitoring software.
The versions, 2019.4 HF 5 through 2020.2.1, were deployed between March and June of this year.
Hackers used a very sophisticated manual supply chain attack to monitor the communications of the SolarWinds customers who had the versions installed. According to a recent court filing from SolarWinds (read here), the company estimates 18,000 of their customers had the compromised software installed.
Who is Behind the Hack?
Unsure, but currently we believe the attack was pulled off by a team known for working with the Russian Foreign Intelligence Service (SVR). That’s a preliminary finding. I don’t think the general public will ever get absolute confirmation that Russia was behind the attack, outside of what’s already been said publicly.
What Were the Hackers Doing/Looking At?
So far it looks like they were monitoring internal communications. Emails. What’s important is those emails belonged to people in the Department of the Treasury, Department of Homeland Security, and the Pentagon.
Since the hackers are the ones who compromised the software to begin with, I assume they’ve had access to these emails for a long, long time.
What Happens Next?
The Cybersecurity & Infrastructure Security Agency (CISA. If you’re unfamiliar with them check out this article) has already told impacted government bodies via a release (Read Here) to disconnect the Orion products from their network.
The breach was so significant for the Fed that the National Security Council held an emergency meeting to try and wrap their head around how damaging the breach was.
As for what should happen next, that’s still up in the air. If you’re a SolarWinds customer and you’re using the compromised software it might be a good idea to stop what you’re doing and patch, patch, patch. SolarWinds released a fix for the issue yesterday. You can find out more about what you have to do here: https://www.solarwinds.com/securityadvisory
Like our blog? Subscribe using the CTA in the upper right-hand corner of this page. Feel like sharing your thoughts with us? Use the comment section below.