The FireEye Breach and the SolarWinds Supply Chain Compromise Campaign
December 16th, 2020
Subscribe to our blog and stay up to date
On December 8, 2020, security vendor FireEye disclosed that unidentified and highly sophisticated state-sponsored threat actors had breached its networks and stolen its Red Team tools that it uses for penetration testing of its clients. FireEye released countermeasures to defend against the potential malicious use of these tools in OpenIOC, Yara, Snort, and ClamAV. The scope and the applications of the compromised tools vary, from complete frameworks to automated reconnaissance scripts, but they did not include any zero-day exploits. FireEye developed its own tools in-house to emulate attacks that it observed in the wild and publicly available penetration testing tools.
FireEye did not provide further details on the identity or the affiliations of the state-sponsored intruders but noted their special interest in its government clients. Media reporting has nonetheless suggested an attribution of the incident to the Russian APT29, also known as CozyBear. APT29 is attributable to the SVR, Russia's foreign intelligence service. Previous targets of APT29 have included the White House, the US State Department, and COVID-19 vaccine research. The FBI, which is investigating the incident, reportedly assigned the case to its Russia specialists.
This incident serves as a reminder that even the most security-conscious and security-centric organizations can become victims. State-sponsored threat actors in particular often pursue more difficult targets at length and invest considerable resources in such attacks if they believe that the compromise of those specific targets is essential to their intelligence mission.
Breaching a security vendor poses a higher risk that the breached security vendor will detect the attack and disclose information on it to customers and the general public, thereby compromising whatever tools, infrastructure, or TTPs the actors may have used. This risk is significant for state-sponsored cyber espionage groups, who tend to choose their targets carefully and invest considerable resources in the development of proprietary tools and malware.
The FireEye Breach Leads to the Discovery of a Much Broader Campaign
FireEye's investigation of its own breach revealed that it originated with a supply chain compromise through the Orion network monitoring and management software of the US technology company SolarWinds. The actors added malware, which FireEye has named SUNBURST, to legitimate Orion updates and used that malicious code to gain remote access to the networks of organizations using Orion. The malware also disguises its command & control (C2) communications as legitimate Orion network traffic. The actors, whom FireEye is tracking with the designation UNC2452, went to considerable lengths to cover their tracks, using minimal malware and ensuring that whatever tools they did use would be difficult or impossible to attribute. It appears FireEye was just one of many different victims of this supply chain compromise, which has affected public and private sector organizations around the world since March 2020. FireEye has released countermeasures for SUNBURST. SolarWinds, which confirmed the compromise of its March and June 2020 versions of Orion, released a non-compromised update for Orion and provided mitigations for those users that are unable to update their Orion installations.
This supply chain compromise campaign may have succeeded in part due to SolarWinds' recommendation that Orion users exempt Orion files and file directories from anti-malware scans and group policy object restrictions so that Orion can function properly. This supply chain compromise campaign exploited the trust of Orion users in the security of Orion, which in retrospect was misplaced. Perhaps anti-malware scans might have detected the malicious code in the compromised Orion files, and perhaps exempting Orion files from anti-malware scans enabled them to evade detection in some cases. In any event, this point illustrates the advantages of a “zero-trust” approach to security.
Updating Orion or otherwise mitigating the impact of the original Orion compromise is a good idea, but it will probably not resolve any compromise that the actors may have already enabled via that infection vector. If the actors chose to compromise a given network, they probably established persistence via means other than Orion, such as by compromising legitimate network credentials. Updating, disconnecting, or uninstalling Orion would probably not eradicate that persistence mechanism. Users of the compromised versions of Orion should conduct a thorough security review of their networks in search of activity matching FireEye's description of the actors' TTPs.
Targeting and Attribution
While the SolarWinds supply chain compromise may have affected organizations in many different countries and industries, it would appear that the US Government was a priority target of this campaign. This revelation is consistent with FireEye's initial observation that the actors demonstrated special interest in FireEye's government clients as they explored FireEye networks. Affected US Government organizations include the Treasury Department and the National Telecommunication and Information Administration (NTIA) of the Commerce Department. The full scope of the compromise remains unclear, but other Orion users include all five branches of the US military, NASA, NSA, the Departments of Defense, State, and Justice, and the Executive Office of the President. The potential magnitude and severity of the campaign was such that it prompted a National Security Council meeting on Saturday. The Cybersecurity and Infrastructure Security Agency (CISA) also issued an emergency directive to US Government agencies to disconnect Orion installations. FireEye stopped short of attributing this campaign to any specific country, but US Government officials reportedly believe that state-sponsored Russian actors - specifically, CozyBear/APT29 - are responsible for it.
Even if the US Government was a primary target of this campaign, Orion users in the private sector should take heed as well. State-sponsored cyber espionage groups generally choose their targets for specific intelligence reasons, but that more selective targeting does not preclude them from taking advantage of other opportunities that present themselves by chance, such as in this broad supply chain compromise. For example, many of the top US telecommunications providers are SolarWinds customers. Telecommunications companies are a valuable target for foreign intelligence services because compromises of their networks can yield high volumes of signals intelligence (SIGINT) by enabling them to monitor customers' phone and Internet traffic. Indeed, the reported compromise of the Commerce Department's National Telecommunications and Information Administration in this campaign would seem to suggest an interest in the targeting of US telecommunications infrastructure.
Supply Chain Compromises and Third-Party Risks
Supply chain compromise is not a new tactic by any means, but it is not typical of state-sponsored Russian cyber espionage per se. Supply chain compromise is more typical of state-sponsored Chinese cyber espionage groups, for whom China's huge share of the manufacturing market is an advantage that Russia lacks. The use of supply chain compromises via technology companies as an infection vector is more typical of targeted ransomware attacks on enterprise networks. Breaches of managed service providers (MSPs) have enabled ransomware operators to scale up their attacks on enterprise networks by infecting large numbers of MSP customers at once. If this campaign is in fact the work of a state-sponsored Russian cyber espionage group, such as CozyBear/APT29, then perhaps they learned the value of this tactic by reading about these attacks or via the recruitment of Russian criminals. Russian-speaking criminals are at the forefront of the ransomware market, and state-sponsored Russian cyber espionage groups often retain the services of Russian criminals for specific tasks.
Supply chain compromises such as this campaign serve as a reminder of the risks of reliance on third-party vendors of technology services and products for functions as sensitive as network monitoring and management. When evaluating and selecting such vendors, their security footprint and track record should be a primary consideration. Security requirements, including what to do in the event of a breach, should also be a top priority and a legal consideration in contract negotiations with such vendors.
The means by which the actors originally compromised SolarWinds remain unclear. One possible explanation is this exposure of possibly weak SolarWinds FTP credentials in November 2019 via a public Github repository. A security researcher was able to use this information to upload unauthorized files to a SolarWinds FTP server. It is unclear if the attackers in this campaign might have used such unauthorized FTP access to deliver their malicious Orion binaries to SolarWinds customers.
Many security professionals assume that state-sponsored attacks of this severity against hardened targets, such as government agencies, involve sophisticated capabilities, such as zero-day exploits. This assumption is often true, but it is not necessarily the case. Third-party breaches of vendors with less rigorous security measures can enable attacks on customers with more hardened defenses. Exposed or weak credentials are a common source of breaches. IntSights cyber threat intelligence coverage for customers includes monitoring for credential exposures and compromises, including on GitHub.
Learn more about how state-sponsored threat actors in Russia carry out cutting-edge cyberattacks against adversaries and businesses alike by reading our research report, The Dark Side of Russia.
Paul Prudhomme is a Cyber Threat Intelligence Advisor at IntSights. He previously served as a leader of the cyber threat intelligence subscription service at Deloitte and as an individual contributor to that of iDefense. Paul previously covered cyber issues as a contractor in the US Intelligence Community. Paul specializes in the coverage of state-sponsored cyber threats, particularly those from Iran. Paul originally served as a linguist and cultural advisor and speaks multiple languages, including Arabic. He has a Master’s degree in History from Georgetown University. Paul is also a certified scuba diver and an award-winning amateur underwater photographer.
Stay up to Date!
Subscribe to the blog to stay up to date with all the latest industry news and updates from IntSights.