Russian hackers have been on a rampage. ‘Cozy Bear’, or APT29, the names given to hackers from Russia’s SVR, has been slipping trojanized updates into the IT management platform used by the United States Commerce, Treasury, and Homeland Security departments and by the security firm FireEye. The system hit by Cozy Bear exposes thousands of organizations and companies to risk, and no one yet knows how damaging its effects will be.
The attack, first reported by Reuters on Sunday, is attributed to SVR hackers, but those responding to it are still attempting to track down its exact origin within Russia’s military hacking apparatus.
This extremely high-end attack on SolarWinds’ Orion network monitoring product has exposed the networks of public agencies, defense contractors, and more than 500 private companies.
“We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack,” SolarWinds said in a statement.
With hundreds of thousands of customers, SolarWinds stated on Monday that over 18,000 of them are potentially at risk. FireEye’s threat researchers said that the victims of this attack span government, technology, consulting, and telecom firms across Europe, North America, Asia and the Middle East. Various other countries are expected to be affected by the breach as well.
The attack first compromised the Orion update mechanism so that it pushed trojanized software out to thousands of organizations. Through this, the hackers can use the Orion software as a backdoor into a victim’s network, move about within the target systems, and steal administrative access tokens. Finally, having gained access to large parts of the environment, the hackers can exfiltrate data. This can have extremely serious consequences for an organization’s most important data.
This is not the first time Russia has used a wide supply-chain attack to achieve immense impact. Three years ago, in 2017, Russia’s GRU military intelligence used its access to MeDoc, a Ukrainian accounting software package, to spread its NotPetya malware throughout the world.
David Kennedy, CEO of the threat tracking firm Binary Defense Systems, said, “We should expect that other organizations in the supply chain are compromised as well. Nation-states typically use these types of attacks for highly targeted efforts, but still, the impact you have to assume is huge and has a direct impact on national security.”
SolarWinds has asked customers to upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible to make sure their information is safe. An additional hotfix release, expected today, will provide enhanced security and replace the compromised components.
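A first step for a defender reading that advisory is to find every Orion install that is still below 2020.2.1 HF 1. The script below is an added example written for this page, not SolarWinds code: it parses Orion-style version strings (including the "HF n" hotfix suffix), compares them against the patched version named above, and sorts a constructed host inventory into needs-upgrade, up-to-date and unrecognised buckets. The ordering rule for hotfixes (a missing "HF" counts as HF 0, and hotfix numbers compare numerically on top of the base version) is an assumption of the example, as are the host names and versions in the sample inventory.

```python
"""Triage an Orion inventory against the version named in the advisory.

Added example for this article; not SolarWinds code. Hotfix ordering rules
and the sample inventory are assumptions made for illustration.
"""
import re
from typing import List, Tuple

# Version SolarWinds asked customers to move to (from the article).
PATCHED_VERSION = "2020.2.1 HF 1"

# Matches "2020.2.1", "2020.2.1 HF 1", "2019.4 HF 5" and similar forms.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Split 'YYYY.m[.p] [HF n]' into (numeric components, hotfix number).

    Assumption: an absent hotfix suffix counts as HF 0.
    Raises ValueError for strings that do not look like an Orion version.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = tuple(int(p) for p in match.group(1).split("."))
    hotfix = int(match.group(2)) if match.group(2) else 0
    return parts, hotfix


def is_at_or_above(installed: str, required: str = PATCHED_VERSION) -> bool:
    """True when `installed` is the required version or newer.

    Assumption: numeric components compare left to right, with shorter
    tuples padded with zeros (so "2020.2" sorts as "2020.2.0"), and the
    hotfix number only breaks ties between identical base versions.
    """
    a_parts, a_hf = parse_version(installed)
    b_parts, b_hf = parse_version(required)
    width = max(len(a_parts), len(b_parts))
    a = a_parts + (0,) * (width - len(a_parts))
    b = b_parts + (0,) * (width - len(b_parts))
    return (a, a_hf) >= (b, b_hf)


def triage(inventory: List[Tuple[str, str]],
           required: str = PATCHED_VERSION) -> Tuple[List[str], List[str], List[str]]:
    """Return (needs_upgrade, up_to_date, unparseable) host lists.

    Hosts whose version string cannot be parsed are reported separately
    rather than silently treated as safe.
    """
    needs_upgrade, up_to_date, unparseable = [], [], []
    for host, version in inventory:
        try:
            target = up_to_date if is_at_or_above(version, required) else needs_upgrade
        except ValueError:
            unparseable.append(host)
            continue
        target.append(host)
    return needs_upgrade, up_to_date, unparseable


# Constructed sample inventory (hypothetical host names and versions).
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF 1"),
    ("orion-prod-02", "2020.2.1"),
    ("orion-dr-01", "2020.2"),
    ("orion-lab-01", "2019.4 HF 5"),
    ("orion-lab-02", "2020.2.1 HF 2"),
    ("orion-legacy", "unknown"),
]


if __name__ == "__main__":
    needs, ok, bad = triage(SAMPLE_INVENTORY)
    print("needs upgrade :", ", ".join(needs))
    print("up to date    :", ", ".join(ok))
    print("check manually:", ", ".join(bad))
```

Hosts that land in the "needs upgrade" list are the ones to patch first; hosts whose version string cannot be parsed are listed separately so that a typo or an unexpected format never hides an unpatched system. Note that, as the article describes, the trojanized update gave the intruders a backdoor and the ability to take administrative tokens, so upgrading closes the distribution channel but does not by itself evict anyone who already used it.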