Cybersecurity News

Fed Task Force Says Russian APT Hackers Behind SolarWinds Attack

Acknowledging the serious SolarWinds Orion compromise will take sustained, dedicated remediation, the federal task force believes Russian APT hackers launched the initial attack.


By Jessica Davis

The extent of the serious compromise of SolarWinds technology is continuing to unfold. The latest alert from the National Security Council officially assesses that advanced persistent threat (APT) actors from Russia were behind the initial cyberattack on the Orion platform.

The National Security Council established a task force, the Cyber Unified Coordination Group (UCG), which is made up of the FBI, the Office of the Director of National Intelligence (ODNI), and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), with support from the NSA.

The task force is working to investigate and remediate the scope of the incident, acknowledging that it will take sustained and dedicated remediation to fully understand the extent of the compromise. CISA released further guidance on identifying and remediating the threat on January 6.

The global supply chain attack was first reported in early December. Nation-state actors trojanized updates to the SolarWinds Orion Platform software, inserting malware into the vendor's own signed releases. The attack was designed to enable further exploitation and espionage.

The trojanized updates affected Orion Platform versions 2019.4 HF 5 through 2020.2.1 HF 1 and were distributed to customers between March and June 2020. Because the backdoor was built into the legitimate update rather than delivered through a separate exploit, organizations that applied updates normally during that period were exposed.

By infecting these updates, the hackers gained access to a range of public and private sector organizations, as well as at least 10 government agencies. FireEye previously noted that the attack leverages the SUNBURST malware, the backdoor embedded in the trojanized Orion component.

Once initial access is gained, the threat actors use multiple tactics to hide their operations, while moving laterally across connected systems and devices. DHS CISA recently released a resource website to help organizations in identifying and remediating these attacks.

The Office for Civil Rights previously warned healthcare organizations to heed federal warnings regarding the compromise, as well. Even if a provider does not run the affected software on its own network, it could still be affected if one of its supply chain vendors is compromised.

A later federal advisory warned hackers were also abusing authentication mechanisms, as part of the SolarWinds attack scheme. The NSA also warned that hackers are abusing trust on compromised systems to access protected data.

“An ‘on premises’ federated identity provider or single sign-on (SSO) system lets an organization use the authentication systems they already own (e.g. tokens, authentication apps, one-time passwords, etc.) to grant access to resources, including resources in ‘off premises’ cloud services,” according to the previous alert.

“When an actor can subvert authentication mechanisms, they can gain illicit access to a wide range of an organization’s assets,” it added. “In some cases, actors have stolen keys from the SSO system that allow them to sign assertions and impersonate any legitimate user who could be authenticated by the system.”
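The practical consequence of the stolen-key scenario quoted above is that the cloud side cannot tell a forged assertion from a real one: both carry a valid signature from the organization's own SSO key. What the forger cannot produce is the on-premises identity provider's own record of authenticating the user. The following is an added example, not code from the federal advisories or from any vendor, showing that detection approach over constructed log records: federated cloud sign-ins are matched against the on-prem IdP's authentication log, and any token with no backing IdP event, or with an unusually long lifetime, is flagged. Field names, issuer names and the sample records are assumptions for illustration.

```python
"""Correlate federated (SSO) cloud sign-ins with the on-prem identity
provider's own authentication log.

A forged assertion signed with a stolen SSO signing key verifies correctly at
the cloud service, so the cloud sign-in log alone looks clean. The forger
cannot, however, create the on-prem IdP's record of actually authenticating
the user. Sign-ins with no matching IdP event shortly before token issuance,
or with a token lifetime longer than the IdP ever issues, are reported.

All records below are constructed for this example; the field names are an
assumed schema, not any vendor's log format.
"""
from datetime import datetime, timedelta

ON_PREM_ISSUER = "sts.corp.example"  # assumed name of the on-prem SSO/IdP

# Constructed cloud-side sign-in records (one per issued token).
CLOUD_SIGNINS = [
    {"time": "2020-12-14T09:00:05Z", "user": "alice@corp.example",
     "ip": "203.0.113.10", "token_issuer": ON_PREM_ISSUER,
     "auth_method": "federated", "token_lifetime_seconds": 3600},
    {"time": "2020-12-14T09:04:30Z", "user": "bob@corp.example",
     "ip": "198.51.100.7", "token_issuer": ON_PREM_ISSUER,
     "auth_method": "federated", "token_lifetime_seconds": 3600},
    # No IdP event backs this one, and its lifetime is a full day.
    {"time": "2020-12-14T11:45:00Z", "user": "svc-backup@corp.example",
     "ip": "192.0.2.44", "token_issuer": ON_PREM_ISSUER,
     "auth_method": "federated", "token_lifetime_seconds": 86400},
    # Cloud-native password login: not federated, so out of scope here.
    {"time": "2020-12-14T12:00:00Z", "user": "carol@corp.example",
     "ip": "203.0.113.22", "token_issuer": "login.cloud.example",
     "auth_method": "password", "token_lifetime_seconds": 3600},
]

# Constructed on-prem IdP authentication successes (the kind of event an
# ADFS-style server writes when it actually authenticates a user).
IDP_AUTH_EVENTS = [
    {"time": "2020-12-14T09:00:02Z", "user": "alice@corp.example", "ip": "203.0.113.10"},
    {"time": "2020-12-14T09:04:28Z", "user": "bob@corp.example", "ip": "198.51.100.7"},
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unbacked_federated_signins(cloud, idp_events, issuer=ON_PREM_ISSUER,
                                    window_seconds=120):
    """Return federated cloud sign-ins that have no IdP authentication event
    for the same user within `window_seconds` before the token was issued."""
    auths_by_user = {}
    for ev in idp_events:
        auths_by_user.setdefault(ev["user"], []).append(parse_ts(ev["time"]))
    window = timedelta(seconds=window_seconds)

    unbacked = []
    for signin in cloud:
        if signin["auth_method"] != "federated" or signin["token_issuer"] != issuer:
            continue  # only tokens that claim to come from the on-prem IdP
        issued = parse_ts(signin["time"])
        backed = any(issued - window <= t <= issued
                     for t in auths_by_user.get(signin["user"], []))
        if not backed:
            unbacked.append(signin)
    return unbacked


def find_long_lived_tokens(cloud, issuer=ON_PREM_ISSUER, max_lifetime_seconds=3600):
    """Return federated sign-ins whose token lifetime exceeds the maximum the
    on-prem IdP is configured to issue (assumed here to be one hour)."""
    return [s for s in cloud
            if s["auth_method"] == "federated"
            and s["token_issuer"] == issuer
            and s["token_lifetime_seconds"] > max_lifetime_seconds]


def report(cloud=CLOUD_SIGNINS, idp_events=IDP_AUTH_EVENTS):
    """Combine both signals into a list of (user, reason) findings."""
    findings = []
    for s in find_unbacked_federated_signins(cloud, idp_events):
        findings.append((s["user"], "federated token with no on-prem IdP authentication"))
    for s in find_long_lived_tokens(cloud):
        findings.append((s["user"], "token lifetime exceeds IdP maximum"))
    return findings


if __name__ == "__main__":
    for user, reason in report():
        print(f"SUSPICIOUS {user}: {reason}")
```

The correlation window should be tuned to the real IdP's clock skew and token issuance delay; the point is that the on-prem log, not the cloud-side signature check, is the source of truth once a signing key may have been stolen.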

The latest federal alert assessed that the activity was likely Russian in origin and appears to be focused on intelligence gathering. Further, the malicious activity against both government and non-government organizations is ongoing.

The UCG also believes that, of the roughly 18,000 SolarWinds customers that installed the compromised update, “a much smaller number” have been affected by follow-on cyber activity.

The FBI is tasked with threat response for these attacks and is currently working on four key areas: identifying victims, collecting evidence, analysis, and sharing information with government and private-sector partners to support the ongoing investigations.

CISA is leading asset response and information sharing, and has created a free tool for detecting unusual and potentially malicious activity tied to this security issue. Under CISA's Emergency Directive 21-01, all federal agencies have been directed to immediately disconnect or power down affected SolarWinds Orion platforms from their networks.

As previously noted to HealthITSecurity.com, healthcare faces a serious risk from nation-state hacking, especially in light of the national response to COVID-19. Healthcare providers should review the federal guidance on the SolarWinds threat and should confirm with each supply chain vendor whether that vendor has been affected.

Given that Russian threat actors continue to target vulnerable email systems, the COVID-19 supply chain, and remote work endpoints, it is imperative that all vulnerable systems are patched or, where they cannot be patched, segmented from the rest of the network.

Previous guidance from the Healthcare and Public Health Sector Coordinating Council can also provide insights into protecting the valuable data targeted in espionage attacks, including healthcare trade secrets and research.