Cybersecurity Advisory: SolarWinds Orion Compromise Updates

Technical Detail and Additional Information

Department of Justice Email Compromise

On January 6, the U.S. Department of Justice (DOJ) issued a statement that its Office 365 environment was compromised as part of the SolarWinds Orion vulnerability; as a result, about 3 percent of DOJ employees’ sent and received emails were visible to the attackers. The DOJ employs about 100,000 people, so this small percentage still represents a large potential impact; however, the DOJ also has stated that there is “no indication that any classified systems were impacted.”¹

¹ https://arstechnica.com/information-technology/2021/01/doj-says-solarwinds-hackers-breached-its-office-365-system-and-read-email/

Joint Statement by U.S. Government on New Task Force

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the National Security Agency (NSA) jointly announced on January 5 that a new task force known as the Cyber Unified Coordination Group (UCG) has been formed. The main focus of the task force is “to coordinate the investigation and remediation of this significant cyber incident involving federal government networks.”² The UCG has identified that this is likely a Russian advanced persistent threat (APT) and is “taking all necessary steps to understand the full scope of this campaign and react accordingly.” The UCG also is available to aid victims in identifying and remediating compromises, as well as collecting evidence.

² https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure

Third Malware Strain Discovered in SolarWinds Attack

One of the most prominent players in cybersecurity, CrowdStrike, has been actively investigating the SolarWinds supply-chain attack. CrowdStrike believes it now has identified a third malware strain—dubbed “Sunspot”—that was involved directly in the attack. This places Sunspot alongside “Teardrop” and “Sunburst,” the previous two strains that were found. It appears that Sunspot had a singular purpose, and only exists to “watch the build server for build commands that assemble Orion.”³ Once this was detected, Sunspot quietly would swap the original Orion source code for code containing the Sunburst malware.³

³https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/?ftag=CAD-03-10abf6j

SolarLeaks Site Claims to Sell Data Stolen in SolarWinds Attack

The theft and sale of information typically is not newsworthy; however, because of the sheer number of high-profile organizations compromised via the SolarWinds Orion attack, reports of these sales are notable. The SolarLeaks website was launched on January 12; it purports to be selling extremely high-profile information, such as Microsoft source code and repositories, source code for multiple Cisco products, source code for the stolen FireEye red team tools, and the SolarWinds source code, as well as a dump of the customer portal.

While these claims at this time largely are unfounded, Microsoft has stated that cyberattackers did indeed access its source code, so that claim may be legitimate. Notably, the majority of data for sale is of commercial value, rather than that of governmental agencies.

Last month, Mission Critical Partners made several suggestions to our clients in response to this attack, which can be viewed here.

Mike Beagles is MCP’s platform and service product manager and a certified Cisco CyberOps associate. He has more than 13 years of IT and cybersecurity experience. Mike can be emailed at MikeBeagles@MissionCriticalPartners.com.