Major corporations too: banks, the White House, NASA and more.
The hack involved getting to the vendor equipment, then inserting a backdoor into an update that was then pushed to major companies and government agencies all over the place. Between March and June last.
“Most impactful ever”…
They also got their hacking tools, the ones used to test security, i.e. world-class hacking tools.
Active Exploitation of SolarWinds Software
Original release date: December 13, 2020
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.
CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures:
SolarWinds Security Advisory
FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
FireEye GitHub page: Sunburst Countermeasures
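The CISA alert above names a concrete version window, Orion Platform 2019.4 through 2020.2.1, and the first thing a defender wants is a quick way to sort an inventory of Orion servers against it. The following is an added example (my own code, not CISA's, SolarWinds' or FireEye's): it parses version strings of the shape "YYYY.N" or "YYYY.N.P" (an assumption about the string format; anything else is reported as unknown rather than quietly treated as clean), compares them to the quoted range, and buckets a constructed list of hosts. The hostnames and version strings in the sample are made up for the example.

```python
import re

# Range quoted from the CISA alert: Orion Platform 2019.4 through 2020.2.1.
AFFECTED_LOW = (2019, 4, 0)
AFFECTED_HIGH = (2020, 2, 1)

# Assumed version shape: four-digit year, a release number, optional patch number.
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*$")


def parse_orion_version(text):
    """Turn '2020.2.1' or '2019.4' into a comparable (year, release, patch) tuple.

    A missing third component counts as 0, so '2019.4' compares equal to '2019.4.0'.
    Returns None when the string is not in the assumed shape, so a caller can
    treat an unreadable version as 'unknown' instead of silently 'not affected'.
    """
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    year, release, patch = m.groups()
    return (int(year), int(release), int(patch or 0))


def in_cisa_affected_range(text):
    """True or False for a parseable version, None when it cannot be parsed."""
    version = parse_orion_version(text)
    if version is None:
        return None
    return AFFECTED_LOW <= version <= AFFECTED_HIGH


def triage_inventory(records):
    """Bucket (hostname, version_string) pairs into affected / not_in_range / unknown.

    'not_in_range' means exactly that: outside the quoted window. It is not a
    clean bill of health; a host outside the range still needs the vendor's
    and FireEye's guidance applied, and 'unknown' hosts need a manual look.
    """
    result = {"affected": [], "not_in_range": [], "unknown": []}
    for host, version in records:
        verdict = in_cisa_affected_range(version)
        if verdict is None:
            result["unknown"].append(host)
        elif verdict:
            result["affected"].append(host)
        else:
            result["not_in_range"].append(host)
    return result


# Constructed sample inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1"),
    ("orion-prod-02", "2019.4"),
    ("orion-lab-01", "2019.2"),
    ("orion-dr-01", "2020.2"),
    ("orion-legacy", "unknown build"),
]

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it as a script to see the three buckets for the sample inventory, or import `triage_inventory` and feed it records pulled from whatever asset database you keep. The deliberate design point is the third bucket: a version field that does not parse is surfaced, never folded into "not affected".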
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
December 13, 2020 | by FireEye
We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
The attacker’s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
The campaign is widespread, affecting public and private organizations around the world.
FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.
FireEye has uncovered a widespread campaign that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.
Just little things like the Department of Finance, Treasury, NASA, etc. etc.
Then “lateral movement” means that once inside, they spread out inside the agencies likely leaving other malware and backdoors all over the place. This kind of intrusion needs a top-to-bottom scrub to get rid of it. Depending on the skill involved, and these guys look to have high skillz, that can include binaries embedded in disk drive firmware and other nearly impossible to detect places.
I doubt the ability of Government Agencies to effectively scrub all of it.