US agencies say Russia is likely behind SolarWinds compromise

Four US intelligence and law enforcement agencies say Russia was likely behind the hack of SolarWinds' Orion network management platform, which led to the compromise of an undisclosed number of government and private sector organizations worldwide.

In a joint statement Tuesday, the Office of the Director of National Intelligence, the National Security Agency, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) said that an advanced persistent threat (APT) actor, "likely Russian in origin," is responsible for "all recently discovered and ongoing cyber compromises of both governmental and non-governmental networks."

Apparently in an effort to ease concern that the attackers may have planted malware that could shut down electrical utilities and other sensitive US critical infrastructure in the future, the statement also said that the attack currently "appears to be an intelligence gathering effort."

"We are taking all necessary steps to understand the full scope of this campaign and to respond accordingly," the statement said.

The four agencies were assigned to a Cyber Unified Coordination Group (UCG) to analyze the attack, which became publicly known only when FireEye discovered last month that some of the tools its red team uses to test customer networks had been stolen. On investigation, FireEye realized that the vehicle for the theft was an infected Orion deployment that allowed a backdoor to be installed. Orion was compromised through a tampered software update downloaded by approximately 18,000 users.

The UCG has so far identified fewer than 10 US government agencies that downloaded the compromised update, including the Treasury and the Department of Energy.

'Serious compromise'
The statement warned, "This is a serious compromise, which will require sustained and dedicated effort to resolve."

As the lead agency for the response to the threat, the FBI is still trying to identify victim organizations, gather evidence and mitigate intrusions. CISA is focused on quickly sharing information with government departments and the private sector to understand the extent of the campaign and the level of exploitation. CISA has also created a free tool to detect unusual and potentially malicious activity related to this incident. In an emergency directive issued on 14 December, CISA ordered federal agencies to either disconnect or power down affected SolarWinds Orion products on their networks.

The NSA is focused on assessing the scale and scope of the incident as well as providing technical mitigation measures.

In an email interview, Ed Dubrovsky, managing partner of Toronto-based incident response firm Cytelligence, said supply chain attacks are planned and take months, if not years.

"While many threat actors are focused on monetary gain, the attack was a long-term approach to compromising many types of organizations. Monetary attacks typically fall short in their 'implementation phase' and involve a short reconnaissance phase that identifies a potential attack vector and proceeds rapidly to implement the attack, followed by action, such as encrypting files (as in a ransomware attack), to push the victim to pay.

"The SolarWinds compromise took years to infiltrate the organization's SDLC (software development lifecycle), but there would have been an objective even before that move, and that objective was based on gathering some intelligence that would be used to identify potential victim organizations of interest."

The intrusion, he said, requires many resources and very specific access, which certainly points to a nation-state.

"Russia, as one of the leading countries, has generally seen many of those involved in threats, up to and including ransomware groups, develop a very advanced approach to cyberattacks, and as such the conclusion that Russia is likely behind the attacks is quite plausible. In my opinion, China, Iran and North Korea would be the other candidates, but they are likely behind Russian capabilities in this area."
