Over the past two weeks, reports of Advanced Persistent Threat (APT) cyberattacks have indicated a scale and complexity that sets a new bar for potential threat impact. Yesterday CISA, the U.S. Cybersecurity & Infrastructure Security Agency, issued an alert warning that the initially identified access vector, a compromise of SolarWinds Orion platform, was not the only one.
While CISA does not attribute the attacks to a nation-state, the level of focus and resourcing implies a nation-state threat actor. Media reports point to Russia as the culprit, but no verification for that attribution has been provided at this point.
Regardless of the source of the attack, if you’re a critical infrastructure or industrial organization, or a government agency, you need to pay urgent attention to the information provided by CISA. You should be immediately planning your response to the attack and evaluating your potential risks.
This blog provides a brief recap of the currently available information, where to go for resources, and how Nozomi Networks customers can assess their systems for APT indicators of infection.
The Scope and Severity of the APT Cyberattack Becomes Clear
On December 8, 2020, cybersecurity firm FireEye reported that their systems had been breached by “a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.”
On December 13, 2020, CISA published an advisory surrounding an active exploitation of the SolarWinds Orion network monitoring platform. CISA also issued an emergency directive ordering all affected federal agencies to immediately disconnect or power down SolarWinds Orion products.
On December 17, 2020, CISA published Alert (AA20-352A) advising that TTPs (tactics, techniques and procedures) consistent with the SolarWinds software compromise were identified as a new group of victims. These victims are either not using SolarWinds products, or have the products, but without exploitation activity. According to the Alert, “CISA has determined that this threat poses a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
“There is still much we don’t know, including exactly how the supply chain hack was accomplished, what other vectors were used besides SolarWinds, how many victims were impacted, what the adversary’s objectives were, what information they were able to obtain, what they will do with that information, and more.
At this time, it appears that this does not involve hacks of industrial control systems. However, insights gleaned from corporate files or potentially from government agencies like FERC regarding vulnerabilities and security measures could enable future disruption of critical infrastructure. It’s a stark reminder of the need for visibility into your network, the ability to detect anomalous activity, and planning now for how you can mitigate the impact of a breach.
Removing this threat will be a battle. This is not an adversary that runs away once detected. They will fight to maintain a persistent presence, even returning once booted out. We must band together to defend our networks, sharing information and implementing mitigations faster than the enemy can innovate.”
Suzanne Spaulding, Nozomi Networks Advisor and Former DHS Under Secretary
Compromise Identification and Remediation is a Colossal Challenge
The December 17th CISA Alert describes the technical details of the attack and provides several ways to detect it. Your security teams should take immediate action based on this information.
However, given the stealthy nature of the attacks, determining if you’ve been infected will be difficult. And, if you do detect malicious activity, CISA warns that “removing the threat actor from compromised environments will be highly complex and challenging.”
“This is a highly significant cyber threat, particularly because many organizations won’t know if they’ve been attacked. The APT can stay dormant in your network for a long period of time, making your systems vulnerable for the foreseeable future.
Furthermore, if you have been successfully breached by a highly sophisticated nation-state entity with the skillset to maintain a foothold, it may take a complete rebuild and re-credentialing of the entire enterprise to clean the problem up. One victim of this APT ousted the attackers twice, only to have them gain access again using other methods.
If you suspect that you’ve been attacked, reach out immediately to CISA for assistance.”
Chris Grove, Product Evangelist, Nozomi Networks
The latest CISA advisory contains information on how to contact them, as shown here for your convenience:
- 1-888-282-0870 (From outside the United States: +1-703-235-8832)
- email@example.com (UNCLASS)
- firstname.lastname@example.org (SIPRNET)
- email@example.com (JWICS)
Nozomi Networks Customers – Review Your Network Traffic Data Now for IoCs
The first step in determining whether you’ve been compromised is to assess your network traffic for the period of March through June 2020 using Guardian’s Time MachineTM feature for reviewing saved network snapshots.
The Nozomi Networks Labs threat research team is continuously updating Guardian’s detection capabilities via our Threat Intelligence service as we learn more about the attacks. We currently detect all known IoCs (such as malicious traffic signatures, IPs, and domains) related to these attacks.
Our detection capabilities include IoCs related to the SolarWinds Orion breach, as well as the use of FireEye Red Team tools leaked during the breach, to detect threat actors using the internal tools during real attacks.
When analyzing the historical network activity, Guardian will generate alerts if it detects activity associated with these IoCs in your network.
You can share our detailed alert information (including MITRE ATT&CK techniques and tactics) with your SIEM for additional event correlation if warranted.
The Complexities and Consequences of This New APT are Extreme
This isn’t the first time that the month of December has revealed milestone cyberattacks. The Ukrainian power sector suffered attacks in 2015 and 2016 that extended beyond infiltration to outages.
The sophistication of this APT and the severity of the warnings issued by CISA mean that this threat vector is setting a new benchmark in attacks on critical infrastructure. Your technical and management teams need to quickly establish a strategy for identifying and mitigating any damage.
Our Labs team will continue to monitor this emerging threat and update our Threat Intelligence service as appropriate. Nozomi Networks technical resources are also available to help. Simply reach out to your account manager or contact Customer Support for assistance.
We’re still optimistic even during such difficult times. While the consequences of these attacks will likely have far-reaching impact for governments and companies alike, we believe as with past attacks, that they offer the opportunity to improve cybersecurity programs, shore up defenses and improve cyber resilience.