According to a US agency, almost a third of the victims of the attack did not use the SolarWinds software, which until now was considered the main gateway for the attackers.
The serious cyberattack on government institutions and companies in the USA keeps widening. Investigators there say they have found evidence that the alleged espionage operation went well beyond the compromise of the small software provider SolarWinds. Until now, its network management platform Orion was considered the main gateway for the hackers.
Attack without a direct connection to SolarWinds
Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency (CISA), told the Wall Street Journal that around 30 percent of the victims from the private sector and government agencies have no direct connection to SolarWinds. The attackers “gained access” to their targets in different ways. “This adversary was very creative,” says the official, whose agency belongs to the Department of Homeland Security and coordinates defensive and investigative measures in the USA.
The operation should no longer be viewed as a pure SolarWinds incident, Wales stressed. Industry experts come to the same conclusion, according to the report. Last week, for example, the IT security company Malwarebytes, which was also affected, announced that a number of its e-mail accounts in Microsoft’s Azure cloud had been compromised by the same attackers. However, they got in by a different route than in the SolarWinds case.
Open source tool for “unusual activity” in Azure
According to the newspaper, the new findings fuel fears that vulnerabilities in corporate software that millions of people use every day are being exploited. The hackers apparently infiltrated a wide variety of systems by exploiting more or less well-known security holes in software products and by guessing online passwords. According to the investigators, the attackers are also said to have benefited from peculiarities in the way Microsoft configured cloud-based software.
CISA recently warned of “ongoing threats” in the cloud environment. It has been observed that a threat actor in a victim’s environment is using compromised applications in the Azure environment of Microsoft 365 and is using additional credentials and programming interfaces to gain access to cloud resources of private and public sector organizations. The cybersecurity agency released a free, open source tool to detect “unusual and potentially malicious activity” in Azure.
Numerous ministries and authorities affected
Microsoft had admitted on New Year’s Eve that the masterminds behind the incidents had access to a “small number of internal accounts” belonging to employees in the company’s internal network. The hackers are said to have used one account to view “source code in a number” of relevant repositories. The account was not linked to authorization to “change code or technical systems”. The software company’s security team has not yet commented on the current report.
It was already known that the attackers, located by the US intelligence services in Russia, were using the Sunburst malware and had been smuggling it onto the systems of up to 18,000 customers of the service provider, including Microsoft, via infected updates for Orion since at least the spring. These included numerous ministries and authorities. The malware installed a back door and thus initiated the remote takeover of infected systems.
Further attacks – including on Microsoft 365 accounts
The still unidentified group had earlier successfully attacked the IT security company FireEye. At the end of the year, CrowdStrike reported that it had also been targeted by the attackers, but without success. The hackers are said to have gone through a Microsoft reseller.
In the course of the week, other security companies reported unusual attacks, which they now associate with the same group. For example, the email security provider Mimecast announced that hackers had used one of its programs against it to view customers’ Microsoft 365 accounts. Fidelis Cybersecurity says it is investigating indications of an online attack. Qualys acknowledged an incident, but said it had “no impact on our production environment” and that no data was exfiltrated.
Cybersecurity companies are a worthwhile target as gatekeepers
Palo Alto Networks joined the ranks of the cybersecurity companies affected, but was able to repel the attack according to its own account. Ryan Gillis, who is responsible for strategy and global policy at the company, spoke to the Bloomberg news agency of an “ongoing, sophisticated attack”. He strongly advised organizations to review the supply chains of their IT infrastructure in light of the incidents. Cybersecurity companies are a worthwhile target as gatekeepers, as they are supposed to guard third-party networks and at the same time often have remote access to them.
US Senators Ron Wyden and Cory Booker of the Democrats and eight members of the House of Representatives called on the NSA on Friday to explain its own measures to protect the government from attacks on supply chains such as the SolarWinds hack. Five years ago it became known that another government equipment supplier, Juniper, had unwittingly delivered software updates containing malicious code. The case was never officially cleared up.
According to the lawmakers, researchers later discovered “that Juniper had used an encryption algorithm developed by the NSA, which experts had long claimed to have a back door”. The key to this backdoor was then probably modified. US citizens have a right to know why the NSA did not act in the interests of those affected. According to the federal government, 15 German ministries and authorities also use SolarWinds products. Via Sunburst, at least, however, no unauthorized access to federal administration systems is said to have taken place.