Highly skilled hackers breach US agencies and private companies

United States officials have blamed Russian hackers for recent breaches at federal agencies, companies, and high-profile cybersecurity vendor FireEye, with the malicious activity appearing to come from highly skilled attackers.

FireEye announced the hacking campaign on Dec. 13, saying it had gained access to “numerous public and private organizations around the world.” The next day, the Department of Homeland Security announced a series of breaches “across the federal government.”

The hacking campaign, which focused on data theft, may have started as early as last spring, FireEye said in its statement. FireEye did not directly blame Russia for the attacks, but U.S. officials did.

FireEye and the DHS said the attackers gained access to victims through compromised updates of the Orion IT monitoring and management software from vendor SolarWinds. The company pulled the affected software and issued a security advisory on Dec. 15.

Once inside a victim’s network, attackers can access the organization’s global administrator account or other authorization credentials and impersonate existing users and accounts, the Microsoft Security Response Center said.

This attack gives the hackers access to “any on-premises resources,” noted Karen Walsh, a cybersecurity compliance expert and the CEO of Allegro Solutions, a back-office solutions provider for charities. The attack routes around traditional perimeter protections, such as firewalls, because the malicious code arrives inside a trusted software update from the vendor.

“Instead of traditional phishing, which relies on poor cyber hygiene, this methodology required the actors to infiltrate the legitimate code and change it while it still resided in SolarWinds’ environment,” she told the Washington Examiner. “In short, this was extremely sophisticated and not a dark web, off-the-shelf methodology.”

Once inside a victim’s systems, the hackers may be able to set up new privileged accounts, redirect emails, and gather information from Microsoft’s SharePoint and OneDrive products, said Matt Walmsley, director for the Europe, Middle East, and Africa region at Vectra, a vendor of artificial intelligence-based cybersecurity services.

Attackers could also set up automated workflows to consolidate all the activities and “run them autonomously while quietly exfiltrating data,” he told the Washington Examiner.

“IT administrators and security teams have access to highly privileged credentials as part of their legitimate work,” he added. “Attacking the digital supply chain of their software tools is an attempt to gain penetration and persistence right at the heart of their operations, gain privileged access, and to provide a springboard out across their … cloud enterprise.”
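The two post-compromise behaviours described above, new privileged accounts and rules that redirect email, leave traces in tenant audit logs and can be hunted for. The script below is an added example written for this page, not code from Vectra, Microsoft or the article. It runs over a constructed, simplified JSON-lines audit log (an assumed schema; real tenant audit exports use different field names, which would need mapping first) and flags accounts granted a privileged role within an hour of being created, plus inbox rules that forward mail to a domain the organisation does not own.

```python
"""Hunt for two post-compromise behaviours in an audit log:
fast creation-then-elevation of accounts, and mail-forwarding rules
that send a mailbox's contents outside the organisation.

Added illustrative example; not code from the article, Vectra or
Microsoft. The log schema below is an assumption for demonstration.
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit events (assumed, simplified JSON-lines schema).
SAMPLE_LOG = """\
{"ts": "2020-12-10T03:12:05Z", "actor": "svc-orion", "op": "UserCreated", "target": "backup-admin2"}
{"ts": "2020-12-10T03:12:40Z", "actor": "svc-orion", "op": "RoleAssigned", "target": "backup-admin2", "role": "Global Administrator"}
{"ts": "2020-12-10T03:15:10Z", "actor": "backup-admin2", "op": "InboxRuleCreated", "target": "cfo@example.org", "forward_to": "relay@attacker.example"}
{"ts": "2020-12-10T09:30:00Z", "actor": "it-helpdesk", "op": "UserCreated", "target": "jdoe"}
{"ts": "2020-12-11T09:31:00Z", "actor": "it-helpdesk", "op": "InboxRuleCreated", "target": "jdoe@example.org", "forward_to": "jdoe@example.org"}
"""

# Assumed role names; adapt to the directory in use.
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "Privileged Role Administrator"}
INTERNAL_DOMAINS = {"example.org"}   # assumption: the tenant's own mail domains
WINDOW = timedelta(hours=1)          # elevation this soon after creation is unusual


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_fast_privileged_accounts(events, window=WINDOW):
    """Return accounts created and then given a privileged role within `window`.
    Legitimate onboarding rarely elevates a brand-new account this quickly."""
    created = {}
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] == "UserCreated":
            created[ev["target"]] = ev["ts"]
        elif ev["op"] == "RoleAssigned" and ev.get("role") in PRIVILEGED_ROLES:
            t0 = created.get(ev["target"])
            if t0 is not None and ev["ts"] - t0 <= window:
                hits.append(ev["target"])
    return hits


def find_external_forwarding(events, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, destination) pairs for inbox rules that forward
    mail to a domain outside the organisation."""
    hits = []
    for ev in events:
        if ev["op"] != "InboxRuleCreated":
            continue
        dest = ev.get("forward_to", "")
        domain = dest.rpartition("@")[2].lower()
        if domain and domain not in internal_domains:
            hits.append((ev["target"], dest))
    return hits


def triage(text):
    """Run both detections over a JSON-lines audit log and return the findings."""
    events = parse_events(text)
    return {
        "suspicious_admin_accounts": find_fast_privileged_accounts(events),
        "external_forwarding_rules": find_external_forwarding(events),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(name, findings)
```

The creation-to-elevation window and the list of privileged roles are the two knobs to tune; a forwarding rule to an external domain is worth reviewing regardless of who created it, since the attacker in this campaign was operating with legitimate administrative credentials.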

Cybersecurity experts said the hackers could be looking for various sensitive information from U.S. agencies and breached companies. It appears that hackers were monitoring agencies’ email, said Hank Schless, a senior manager for security solutions at Lookout, a mobile security vendor.

“If their email is being monitored, it’s not out of the question that they could have access to any sensitive documentation stored or shared in the platform,” he told the Washington Examiner. “Email attachments that include highly sensitive documents, such as an individual’s travel details during a campaign and spreadsheets that break down federal spending, could be accessed.”

It appears that hackers were also looking to raise doubts about federal cybersecurity efforts, added Reuven Aronashvili, the founder and CEO of CYE, a cybersecurity firm.

“This is a classic spy-and-undermine campaign, which aims to both steal secret governmental information and, at the same time, undermine the confidentiality, availability, and above all … citizen trust,” he told the Washington Examiner.

Also, the hackers may have targeted U.S. companies to affect financial markets, Aronashvili said. He also wondered if the timing of the attacks might be an effort by another nation to determine the “rules of engagement” as President-elect Joe Biden is set to take office next month.

The attack’s scale suggests state-sponsored hackers, added Safi Raza, director of cybersecurity at Fusion Risk Management, a vendor of business continuity software.

“The primary objectives are espionage, blackmailing, financial sabotage, and fearmongering,” Raza told the Washington Examiner. “Cybercriminals achieved their objectives here. They shook our sense of security, tarnished the reputation of the organizations, and caused financial damage.”
