The US Government Hacked
On December 13, 2020, it was revealed that multiple parts of the United States Federal Government had been hacked by a hacking group backed by a foreign government. The group is known as Cozy Bear (APT29), which is backed by the Russian intelligence agency, the SVR.
The cyber attack and data breach is being reported as the worst cyber-espionage incident ever suffered by the United States, due to the sensitivity and high profile of the targets. The attack lasted six to nine months, during which the hackers had access to data. It went undetected for months and was thought to have initially affected the U.S. Treasury Department, the National Telecommunications and Information Administration (NTIA) and part of the U.S. Department of Commerce. However, in the days following December 13, more departments and private organizations reported breaches that stemmed from this initial breach.
When and How did the Attack Start?
The cyber-attack is believed to have started in March 2020. The attackers exploited software from at least 3 U.S. firms: Microsoft, SolarWinds and VMware. The attack is known to be a supply chain attack.
The attack was on Microsoft’s Cloud Services, and in particular on users of Microsoft’s Cloud Services bought through a reseller. The attack also went through SolarWinds’ software, Orion, which is widely used in government and industry and provided another avenue for the attack if the victim used Orion. Finally, flaws in Microsoft and VMware products allowed the attackers to access emails and other documents and to perform federated authentication across resources via single-sign-on infrastructure.
What is a Supply Chain Attack?
A Supply Chain Attack is a cyber-attack that seeks to damage an organization by targeting the less-secure elements in the supply chain. These types of attacks can occur in any industry. Cyber-criminals tamper with the manufacturing process of a product by installing a rootkit or hardware-based spying components.
Microsoft Exploits
Attackers exploited flaws in Microsoft’s products, services and software distribution infrastructure. It is believed that the “Zerologon” vulnerability in the Microsoft authentication protocol NetLogon allowed attackers to access all valid usernames and passwords in each of the Microsoft networks that they breached.
They used this vulnerability to gain access to additional network credentials and assume privileges of legitimate users on the network. Ultimately, this allowed them to compromise Microsoft Office 365 Email Accounts. Additionally, it is believed that a flaw in Microsoft’s Outlook Web App may have allowed hackers to bypass multi-factor authentication.
Hackers were also able to break into Microsoft Office 365 in such a way that they could monitor NTIA and Treasury staff emails for several months. They were able to counterfeit identity tokens, allowing them to trick Microsoft’s authentication systems.
SolarWinds Exploit
Attackers used a supply chain attack by accessing the build system belonging to the software company SolarWinds, possibly via SolarWinds’ Microsoft Office 365 account, which had been compromised. By accessing the build system, attackers established a foothold in SolarWinds’ software publishing infrastructure no later than October 2019. In the build system, attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software, Orion. The first modification seems to have happened in October 2019 as a proof of concept. Then, between December 2019 and February 2020, they set up a command-and-control infrastructure.
From March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojanizing them. This let them access U.S. Government customers in the executive branch, the military and the intelligence services. If a user installed the Orion update, they would execute the malware payload, which stayed dormant for 12-14 days before attempting to communicate with one or more of several command-and-control servers. This traffic was designed to mimic legitimate SolarWinds traffic, and stayed undetected. The malware started to contact the command-and-control servers in April 2020.
The attackers then used the Trojan in Orion to gain access to the networks of users that used Orion. They installed additional malware on these users’ systems and gained further access to sensitive resources on their networks.
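The dormancy period described above gives defenders a time window to hunt in. The following Python example is added here and is not part of the original article: it flags domains that a host resolves for the first time 12-14 days after its Orion update was installed. The log formats, host names and domains are constructed assumptions.

```python
from datetime import datetime, timedelta

# Dormancy stated in the article: 12-14 days after the update is installed.
DORMANCY_MIN = timedelta(days=12)
DORMANCY_MAX = timedelta(days=14)

# Constructed sample data (not real telemetry). The two-column install log,
# three-column DNS log, host names and domains are all assumptions.
INSTALLS = """\
2020-03-26T10:00:00 orion-01
2020-03-28T09:30:00 orion-02
"""
DNS_LOG = """\
2020-03-20T08:00:00 orion-01 updates.vendor.example
2020-03-27T08:00:00 orion-01 updates.vendor.example
2020-04-08T11:15:00 orion-01 api.telemetry-lookalike.example
2020-04-09T11:20:00 orion-01 api.telemetry-lookalike.example
2020-03-29T07:00:00 orion-02 ntp.pool.example
2020-04-20T07:00:00 orion-02 cdn.late.example
"""

def parse(text, n):
    """Yield (timestamp, field, ...) for lines with exactly n fields."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != n:
            continue  # skip blank or malformed lines
        yield (datetime.fromisoformat(fields[0]), *fields[1:])

def first_contacts_after_dormancy(installs_text, dns_text):
    """Return sorted (host, domain, days_after_install) for domains a host
    resolved for the first time 12-14 days after its update install."""
    installed = {host: ts for ts, host in parse(installs_text, 2)}
    first_seen = {}
    for ts, host, domain in parse(dns_text, 3):
        key = (host, domain)
        if key not in first_seen or ts < first_seen[key]:
            first_seen[key] = ts
    hits = []
    for (host, domain), ts in first_seen.items():
        install = installed.get(host)
        if install is None:
            continue  # host never received the update
        delta = ts - install
        # Domains seen before the install give a negative delta and drop out.
        if DORMANCY_MIN <= delta <= DORMANCY_MAX:
            hits.append((host, domain, delta.days))
    return sorted(hits)
```

Because the traffic was designed to mimic legitimate SolarWinds traffic, the check keys on first-seen timing relative to the install rather than on what the domain looks like.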
VMware Exploits
VMware Access and VMware Identity Manager had vulnerabilities that allowed existing network intruders to pivot and gain access, and these were utilized by the hackers. As of December 18, 2020, it is believed that the Sunburst trojan might have provided suitable access to exploit the VMware bugs, but it is not yet definitively known whether attackers had in fact chained these two exploits in the wild.
Responsibility
On October 22, 2020, CISA and the FBI identified the Microsoft Zerologon attacker as the Russian-sponsored group Berserk Bear. SolarWinds also believed that the malware insertion into Orion was performed by a foreign nation, and Russian-sponsored hackers were suspected to be responsible.
US Secretary of State Mike Pompeo declared that Russia was “pretty clearly” responsible for the cyber attack. Senator Mark Warner, who was briefed on the incident by intelligence officials, said “all indications point to Russia”. On December 21, 2020, Attorney General William Barr said that he agreed with Mike Pompeo’s assessment of the origin of the cyberattack and that it “certainly appears to be the Russians”.
Russia has denied involvement.