Russian hackers who stole red team tools from FireEye may have been in action on a much broader scale, operating a sophisticated supply chain campaign targeting multiple global organizations and governments.
FireEye revealed in an update on Sunday that nation state attackers inserted malicious code into legitimate software for SolarWinds’ popular Orion product to gain remote access into victim environments.
Although it didn’t name any victims or the identity of the group, a Reuters report on Sunday citing “people familiar with the matter” pointed the finger at Moscow and claimed that the US Treasury and Commerce departments were both hit.
It’s claimed the attackers may have had access to staff emails since spring.
SolarWinds also confirmed the attack in an advisory over the weekend, and urged users to upgrade as soon as possible. Its software was seeded with a malicious backdoor dubbed “Sunburst” by FireEye.
“The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” the security vendor explained in a technical blog.
“The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
The attackers conducted a carefully planned, patient and highly sophisticated campaign based around a light malware footprint, prioritization of stealth and advanced OpSec to cover their tracks and use difficult-to-attribute tools, it added.
“The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East,” said FireEye. “We anticipate there are additional victims in other countries and verticals.”
It’s unclear what the end goal of the group was, although a New York Times story named it as APT29, or Cozy Bear, which has been associated with previous attacks on the Democratic National Committee in 2016 and COVID-19 vaccine data earlier this year.
The Commerce Department’s National Telecommunications and Information Administration (NTIA), which decides which tech imports and exports to block on national security grounds, was reportedly one of the targets.