SolarWinds’ supply chain attack and CISA’s Emergency Directive 21-01

The CyberWire Staff |

At a glance.
    • US response to the SVR’s software supply chain attack.
    • The Council of Europe’s election security principles.
    • US NDAA’s provisions for Defense communications.
    • IARPA’s biometric research program, designed for drones.
    • US school districts are buying Cellebrite phone-cracking tools.
SolarWinds’ supply chain attack and CISA’s Emergency Directive 21-01.

FireEye and Microsoft have both published updates to the incident FireEye last week disclosed as involving a breach of some of the security company’s red-teaming tools. They conclude that the incident involved a software supply chain attack against the widely used SolarWinds Orion platform.

The US Government reacted to the incident over the weekend. Late yesterday evening, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise,” to the Federal organizations it oversees. Shortly before midnight CISA distributed the following advisory:

“The Cybersecurity and Infrastructure Security Agency (CISA) tonight issued Emergency Directive 21-01, in response to a known compromise of SolarWinds Orion products that are currently being exploited by malicious actors. This Emergency Directive calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.

“’The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,’ said CISA Acting Director Brandon Wales. ‘Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation.’

“This is the fifth Emergency Directive issued by CISA under the authorities granted by Congress in the Cybersecurity Act of 2015. All agencies operating SolarWinds products should provide a completion report to CISA by 12pm Eastern Standard Time on Monday December 14, 2020.”

The Directive requires agencies to image systems hosting instances of the affected Orion versions, analyze them for new user or service accounts, and analyze stored network traffic for indications of compromise. Not all agencies, CISA recognizes, are capable of doing this, and so all affected agencies are directed to “immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network.” CISA will direct them to rebuild their Windows OS instances and reinstall the SolarWinds platform once it’s determined that this can be done securely. In the meantime the agencies are directed to, “Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed,” and “Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.”

Affected agencies are to treat all hosts monitored by the SolarWinds Orion as compromised, and are to “assume that further persistence mechanisms have been deployed.” They’re directed to rebuild hosts monitored by Orion from trusted sources, and to reset all credentials SolarWinds software used or stored, as such credential should be assumed to be compromised.

CISA emphasizes that Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources. Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised. CISA took particular note of the risk of kerberoasting, an attack that takes credentials from memory and subsequently cracks them offline.

Agencies were required to report completion by noon today.

The whole incident, which broke as “the FireEye breach,” should now therefore probably be thought of as “the SolarWinds compromise.” It’s known to have affected the US Departments of Commerce and the Treasury as well as FireEye, the Wall Street Journal reports. And the Washington Post added this afternoon that the Department of Homeland Security was itself also affected. According to the Post, DHS has yet to confirm that it was compromised, but has the reports under investigation. The effects of the compromise are widely expected to be found in other agencies and private companies.

The incident also affords an unfortunate case study in the problem posed by software supply chain attacks. ImmuniWeb’s COO Ekaterina Khrustaleva sent us comments on this aspect of the incident:

“Supply chain attacks have surged in 2020: they offer rapid and inexpensive access to valuable the data held by VIP victims. The victims, like has happened in the SolarWinds case, usually have no technical means to detect intrusion in a timely manner unless the breached supplier informs them.

“Most of the suppliers cannot afford the same level of incident detection and response (IDR) as their clients for financial and organizational reasons. Eventually, hackers and nation-state threat actors deliberately target the weakest link, get fast results, frequently remain undetected and unpunished. Attribution of sophisticated APT attacks, as reportedly affected SolarWinds and subsequently its customers, remain a highly complicated, time-consuming and costly task. Global cooperation in cybercrime prosecution is vital to break the impasse and make computer crime investigable.”

Consensus attribution has come relatively quickly: the operation seems to be the work of Cozy Bear, Russia’s SVR foreign intelligence service, most notorious for its activity against campaign organizations during the 2016 US election cycle. SolarWinds called the incident “a highly sophisticated, manual supply chain attack.” Cozy Bear earned a reputation during operations against US campaigns in 2015 and 2016 for being quieter and less obtrusive than its GRU cousin Fancy Bear. That seems to have been the case in the SolarWinds incident. FireEye yesterday afternoon blogged that the threat actor’s work was characterized by a:

  • “Light malware footprint: Using limited malware to accomplish the mission while avoiding detection,”
  • “Prioritization of stealth: Going to significant lengths to observe and blend into normal network activity,” and
  • “High OPSEC: Patiently conducting reconnaissance, consistently covering their tracks, and using difficult-to-attribute tools.”

While SolarWinds itself believes that exploitation of the vulnerability appears to have been narrowly targeted against a relatively short list of organizations, the potential risk may be very widespread: SolarWinds’ customers include large corporations, government agencies, and military services.

Reuters reports that Moscow denies having done anything. Rosa Smothers, a former CIA cyber threat analyst and technical intelligence officer, who’s now a senior vice president with KnowBe4, offered some perspective on the implications of the espionage:

“APT29, the group attributed to this past week’s FireEye breach – a company known for its due diligence – is now known to have compromised both the Departments of Treasury and Commerce. They’re also attributed to compromising other areas of government as well as sensitive Covid-19 research. The National Security Council considered this series of events significant enough to warrant a weekend meeting where they assured the public they’re taking ‘all necessary steps,’ though it’s not clear at this point what those steps are. Reuters reporting states hackers have been ‘monitoring internal email traffic’ which can occur via many attack methods – most often through some form of social engineering. APT29 most successfully uses spear phishing to gain access to a network, from there they escalate permissions to expand into the network.”

She suggests that NSA’s recommendations of defense-in-depth should be reviewed in the light of this incident. Saryu Nayyar, CEO, Gurucul, sees the episode as further evidence that there’s an ongoing cold war in cyberspace, one that shows considerable continuity with the original Cold War, especially with respect to espionage:

“The recent high profile breaches of major security vendors and US government agencies, apparently by state actors, shows the cold war continues on the internet. The specifics of this breach highlights how difficult it can be to defend ourselves, our supply chains, and our 3rd party software vendors from determined, well resourced, attackers.

“Organizations at all levels need to do everything possible to keep their security stacks up to date. That includes following cybersecurity best practices and deploying the best security solutions, including behavioral analytics, to try and stay ahead of highly skilled and well resourced attackers.”

The Council of Europe’s principles on election security.

The Council of Europe, an organization that includes most European nations, overlapping but not officially identical with the European Union, has issued a report on election cybersecurity that enunciates eight principles the Council’s Venice Commission describes as “human rights centred.” They’re designed to “deter digital danger in elections:”

  • “Principle 1: The principles of freedom of expression implying a robust public debate must be translated into the digital environment, in particular during electoral periods
  • “Principle 2: During electoral campaigns, a competent impartial Electoral Management Body (EMB) or judicial body should be empowered to require private companies to remove clearly defined third-party content from the Internet, based on electoral laws and in line with international standards.
  • “Principle 3: During electoral periods, the open Internet and net neutrality need to be protected
  • “Principle 4: Personal data need to be effectively protected, particularly during the crucial period of elections.
  • “Principle 5: Electoral integrity must be preserved through periodically reviewed rules and regulations on political advertising and on the responsibility of Internet intermediaries.
  • “Principle 6: Electoral integrity should be guaranteed by adapting the specific international regulations to the new technological context and by developing institutional capacities to fight cyber threats.
  • “Principle 7: The international cooperation framework and public-private cooperation should be strengthened.
  • “Principle 8: The adoption of self-regulatory mechanisms should be promoted.”

Council of Europe documents aren’t binding, but they’re influential.

US Defense Department: “Can you hear me now?” US Defense communications growth areas.

The annual National Defense Authorization Act currently awaiting US President Trump’s signature (or perhaps his veto, in which case the bill would likely pass anyway via a Congressional supermajority) directs the Defense Department to bolster nuclear communications systems cyber defenses, according to Breaking Defense. More specifically, Congress would like to see Defense’s plan for updating the nuclear command, control, and communication (NC3) system, including its organizational structure and cybersecurity strategies and capabilities, in line with the first annual report on the system’s resilience. The budget for NC3’s ongoing modernization is classified, but is estimated at $77 billion, and includes such line items as upgrading “Doomsday” aircraft. The primary goal of NC3 is, in strategic deterrence official Lt. Gen. James Dawkins’ words, to “ensure connectivity [with the President] in the worst case on the worst day.”

PR Newswire reports another study, this from the private sector, that’s sounding alarms about Defense connectivity and cyber preparedness: the second annual State of Military Communications report, funded by Viasat and the Government Business Council. Survey respondents said funding constraints, outdated assets, and organizational complacency undermine communications. Since “communications technology strategy is still not seen as an agency priority,” nearly all surveyed had experienced total connectivity interruptions on duty, while a majority thought the US was trailing or merely matching enemy states’ capacities. A majority also thought bolstered private partnerships would speed up modernization projects.

IARPA announces biometric research program for drone packages.

Attempts to outfit drones with facial recognition capabilities have struggled with environmental obstacles like distance, angles, lighting, and visibility, says Nextgov. The Intelligence Advanced Research Projects Activity’s Biometric Recognition and Identification at Altitude and Range (BRIAR) initiative will fund the development of algorithms for detecting total body “signatures” like build and gait. IARPA’s solicitation call says, “Expanding the range of conditions in which accurate and reliable biometric-based identification could be performed would greatly improve the number of addressable missions.” Proposals are due in two months.

Schools buying high-end phone crackers.

Gizmodo reports that US school districts have “for years” been “quietly purchasing” Cellebrite phone cracking software. Cellebrite’s products are high-end mobile device forensic tools (MDFTs) that have been used by law enforcement agencies in high-profile criminal and terrorist investigations. Cellebrite’s tools can access students’ pictures, texts, and other data, in what Gizmodo calls “a frightening reminder of how technology originally developed for use by the military…keeps trickling down.” US schools often don’t need warrants for student searches. Of five-thousand public education websites surveyed, eight mentioned MDFT purchases. The Los Angeles Unified School District’s provided a rationale: their Cellebrite cracker is “used by a team that investigates complaints of employee misconduct against students.” The district’s Digital Forensics Investigator also searches out fraud. Another district said they use MDFTs “for evidentiary purposes.” Well-informed conjecture would suggest some of those purposes at least relate to child protection, but the record of purchases is surprising.

SolarWinds' supplychain attackExternal Link: SolarWinds’ supply chain attack and CISA’s Emergency Directive 21-01

Share this page:

Related Posts