The agency also warned that getting attackers out of networks will be complex—especially because they are monitoring IT and cybersecurity employees’ emails.
The fallout from the SolarWinds breaches will be far more difficult and time-consuming to remediate than originally assumed, as the attackers likely found more ways to enter federal networks than just the SolarWinds Orion product and have been targeting IT and response personnel, according to the government’s lead cybersecurity agency.
The Cybersecurity and Infrastructure Security Agency, or CISA, released an alert Thursday through the U.S. Computer Emergency Readiness Team, or US-CERT, detailing what the agency currently knows about the attack. The alert calls out at least one other attack vector beyond SolarWinds products and identifies IT and security personnel as prime targets of the hacking campaign.
“CISA has determined that this threat poses a grave risk to the federal government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations,” officials wrote.
While the alert does not name suspects, officials offered a look into what is known about the attackers’ techniques and motivations.
“The adversary’s initial objectives, as understood today, appear to be to collect information from victim environments,” the alert states. “CISA has observed in its incident response work adversaries targeting email accounts belonging to key personnel, including IT and incident response personnel.”
Between the potential depth of the intrusions, additional yet unknown attack vectors and the focus on IT and security personnel’s email, CISA officials warned organizations to maintain extra security around remediation discussions.
“Due to the nature of this pattern of adversary activity—and the targeting of key personnel, incident response staff, and IT email accounts—discussion of findings and mitigations should be considered very sensitive, and should be protected by operational security measures,” the alert states. “An operational security plan needs to be developed and socialized, via out-of-band communications, to ensure all staff are aware of the applicable handling caveats.”
The alert cites four versions of the SolarWinds Orion software that were found to be compromised. Those vectors have since been stitched shut, denying any new breaches but not remediating any deeper intrusions.
“Based on coordinated actions by multiple private sector partners, as of December 15, 2020, avsvmcloud[.]com resolves to 20.140.0[.]1, which is an IP address on the Microsoft blocklist. This negates any future use of the implants and would have caused communications with this domain to cease,” the alert states. “In the case of infections where the attacker has already moved [command and control] past the initial beacon, infection will likely continue notwithstanding this action.”
That last bit is the big worry for federal IT and security managers, as the SolarWinds Orion product was designed to access broad swaths of the network it is installed on. The alert notes the perpetrators were able to leverage their initial access to get more privileged access across agency networks, burrowing in deep before covering their trails.
“Once this is accomplished, the adversary creates unauthorized but valid tokens and presents them to services that trust [Security Assertion Markup Language] tokens from the environment,” the alert states. “These tokens can then be used to access resources in hosted environments, such as email, for data exfiltration via authorized application programming interfaces.”
The depth with which the attackers might have penetrated networks, combined with sophisticated masking—or “anti-forensic techniques”—means detection and remediations work will continue for some time.
“This APT actor has demonstrated patience, operational security, and complex tradecraft in these intrusions,” officials said. “CISA expects that removing this threat actor from compromised environments will be highly complex and challenging for organizations.”
However, officials have also discovered additional attack vectors beyond Orion products.
“CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated,” the agency said. “CISA will update this alert as new information becomes available.”
The alert offers some details on one other potentially related attacks discovered by security researchers at Volexity.
After FireEye published its findings on Dec. 13—the first public acknowledgement of the SolarWinds breaches—Volexity researchers were able to tie that intrusion to ongoing campaigns they had been tracking for years dubbed Dark Halo. Those attacks, using similar tactics, targeted U.S. think tanks as far back as 2019.
“In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time,” researchers wrote in a Dec. 14 blog post. “Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication to access the mailbox of a user via the organization’s Outlook Web App service.”
In a statement, a Duo Security spokesperson clarified the “described incidents were not due to any vulnerability in Duo’s products.”
The attackers were able to get past the multifactor authentication security measures after compromising another service, “such as an email server,” they said.
It wasn’t until Dark Halo’s third attempt to access the think tank’s networks in June and July that researchers saw the SolarWinds Orion exploit.
“This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known,” CISA wrote in Thursday’s alert.
“This adversary has demonstrated an ability to exploit software supply chains and shown significant knowledge of Windows networks,” CISA officials wrote. “It is likely that the adversary has additional initial access vectors and tactics, techniques, and procedures that have not yet been discovered.”
The latest release also does not give any information on who the government believes is behind the attack. While several news outlets have cited anonymous government sources pointing to Russian government group Cozy Bear, also known as APT29, the alert offers no attribution, only a summation of the quality of the attackers’ work.
“This threat actor has demonstrated sophistication and complex tradecraft in these intrusions,” the alert states, noting that, “removing the threat actor from compromised environments will be highly complex and challenging.”
The alert also offers a comprehensive list of known infected SolarWinds Orion products and identified indicators of compromise.