CISA Insights on Ongoing APT Cyber Activity Behind SolarWinds Attack

DHS CISA launched a resource site and shared insights into the ongoing, massive APT cyber activity, brought on by the SolarWinds cyberattack.

The Department of Homeland Security Cybersecurity and Infrastructure Security Agency released insights that address the ongoing advanced persistent threat (APT) cyber activity, stemming from an earlier supply chain cyberattack on SolarWinds.

CISA also launched a webpage to consolidate resources on this global compromise, which will be routinely updated.

The suspected nation-state actors exploited a vulnerability found in SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1 released between March and June 2020, trojanizing the update with malware.

The cyberattack resulted in further exploits and espionage, and the flaw has recently drawn a second group of attackers as well. The attack was highly sophisticated and targeted in nature, SolarWinds officials said at the time of the initial disclosure.

The exploit allowed the threat actors to access a long list of public and private organizations, and researchers are still calculating the extent of the damage. The ongoing global intrusion campaign is actively attacking the supply chain by distributing SUNBURST malware.

Once the attackers gain a foothold on a victim’s network, they stealthily hide their presence while proliferating across the network. The hackers also employ legitimate credentials and remote access to maintain a “light footprint,” while conducting nefarious activities.

CISA and a host of security researchers, including a previous victim, FireEye, have continued to track, alert, and support US organizations in response to these attacks for the past month. The previous federal alert warned the attackers were abusing authentication mechanisms to access protected data.

The attack has had a rippling effect across the globe, including the breach of several US federal agencies. According to the latest alert, the concern is that “if left unchecked, this threat actor has the resources, patience, and expertise to resist eviction from compromised networks and continue to hold affected organizations at risk.”

“The immediate danger is that the APT actor can use access to create new accounts, evade common means of detection, obtain sensitive data, move across a network unnoticed, and establish additional persistence mechanisms,” CISA explained.

“The APT actor has only targeted some organizations with further network exploitation. However, all organizations that installed the compromised updates remain at risk without corrective action,” they added.

The CISA insights are designed to stymie the impact of these hacking efforts by giving all organizations an assessment of the severity of the risks and the actions security leaders can take to prioritize measures for both identifying and addressing these threats.

Security leaders should determine whether their organization installed the impacted versions of the SolarWinds Orion update and initiate incident response protocols, if it’s confirmed.
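The first determination above is an inventory question: which Orion servers run a build inside the range the page names, 2019.4 HF 5 through 2020.2.1 HF 1? The following Python is an added example, not code from CISA, SolarWinds or the article. It assumes the version strings have already been collected from each server (by whatever means the organization uses) and are supplied in the "year.release[.update] HF n" form quoted on the page; it treats that range as inclusive, which is a first-pass filter only. Confirm each hit against CISA's published list of affected versions before closing or opening an incident. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected range exactly as the page states it (inclusive on both ends).
AFFECTED_FIRST = "2019.4 HF 5"
AFFECTED_LAST = "2020.2.1 HF 1"

# Accepts "2019.4", "2020.2.1 HF 1", "2020.2.1hf1" etc.
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a string like '2020.2.1 HF 1' into a comparable tuple (2020, 2, 1, 1).

    The release part is padded to three numbers so that '2020.2' and '2020.2.1'
    compare correctly; the hotfix number (0 when absent) is the last element.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many release components in {text!r}")
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], hotfix)


def is_in_affected_range(version: str) -> bool:
    """True if the version falls inside the range the page names, inclusive."""
    v = parse_orion_version(version)
    return parse_orion_version(AFFECTED_FIRST) <= v <= parse_orion_version(AFFECTED_LAST)


def triage_inventory(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: installed Orion version}, return the hosts whose build
    is inside the affected range and therefore need incident response."""
    return sorted(host for host, version in inventory.items() if is_in_affected_range(version))


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1 HF 1",   # last version in the range
    "orion-prod-02": "2019.4 HF 5",     # first version in the range
    "orion-lab-01": "2019.4 HF 4",      # one hotfix before the range
    "orion-dr-01": "2020.2",            # no hotfix, inside the range
    "orion-new-01": "2020.2.1 HF 2",    # one hotfix after the range
}

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: installed {SAMPLE_INVENTORY[host]} - inside affected range, start IR")
```

The version parser is the part worth keeping: the hotfix suffix is what distinguishes an affected build from its neighbour, so a naive string comparison or a comparison on the dotted release number alone will both misclassify hosts at the edges of the range.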

For healthcare organizations that often operate without a security leader, it’s imperative that leadership contacts an outside cybersecurity team to make this determination.

Further, even if it’s determined the entity did not install the malicious software, or if the organization does not use SolarWinds technology at all, CISA reminded leaders that their managed service providers may be impacted or compromised, so the organization may still be affected.

Those organizations affected by the APT activity must prioritize incident response and remediation efforts, including sufficient resources to accomplish the critical tasks.

“Leadership—working with legal, financial, and operations personnel—should empower information security staff to take appropriate action based on their expertise and to collaborate with internal and external partners,” CISA urged.

“Provide executive support and empower information security staff — or third-party support — to thoroughly investigate your IT environment for adversary activity,” they added. “Consider engaging third-party support with experience eradicating APTs from enterprise networks.”

Lastly, CISA warned that organizations may need to rebuild all network assets monitored by SolarWinds Orion following incident response procedures. For impacted entities, “this will be a resource-intensive, highly complex, and lengthy undertaking.”