Hackers who breached federal agency networks through software developed by a company called SolarWinds appear to have tested their large-scale espionage campaign last year, according to sources with knowledge of the operation.
The hackers distributed malicious files from the SolarWinds network in October 2019, five months before the previously reported files were sent to victims via the company’s software update servers. The October files, distributed to customers on October 10, did not have a backdoor built into them, however, as did the malicious files that the victims downloaded in the spring of 2020, and these files remained undetected until this month.
“We think they want to test whether it will work or not and whether it will be detected. So, it was more or less a dry run,” a source familiar with the investigation told Yahoo News. “It simply came to our notice then. They decided not to leave immediately with a back door. That means they are a little more disciplined and deliberate.”
The October files were found in the systems of several victims, but investigators have so far found no sign that the hackers carried out any additional malicious activity on these systems after the files landed on them.
Five months later, the hackers added new malicious files to SolarWinds software update servers, and these were distributed and installed on the networks of federal government agencies and other customers. These new files installed a backdoor on the victims’ networks, which allowed the hackers to access them directly. Once inside an infected network, the attackers could have used the SolarWinds software to learn about the structure of the network or to change the configuration of network systems. They could also have compromised other systems on the network or downloaded new malicious files directly to those systems.
The specific number of infected victims remains unknown at this time, but the victims that received compromised files since the spring of 2020 include divisions of the US Treasury and Commerce departments, the Department of Homeland Security, national laboratories working for the Department of Energy, and the National Nuclear Security Administration, which oversees the national stockpile of nuclear weapons. In the commercial sector, the security firm FireEye was also hacked via the SolarWinds software, and late Tuesday Microsoft admitted to finding malicious SolarWinds files on its network as well. Not all SolarWinds customers downloaded the malicious updates.
FireEye was the first to expose the espionage campaign, in a blog post on December 8, after discovering the hackers in its network, although it did not mention that SolarWinds was the origin of the breach of its network. The company did not become aware of the SolarWinds connection until after the publication of its post, according to a source.
The new information about the 2019 files extends the previously reported timeline of the intrusion and indicates that the hackers had compromised the SolarWinds software update system at least five months earlier than reported.
“This tells us that the actor had access to the SolarWinds environment much earlier than this year. We know at least that they had access on October 10, 2019. But they certainly should have had more access than that,” says the source. “So this intrusion [into SolarWinds] must probably come at least a few months in advance – probably at least in the middle of 2019 [if not earlier].”
The files distributed to the victims in October 2019 were signed with a legitimate SolarWinds certificate to make them appear to be authentic code for the Orion Platform software, a tool used by system administrators to monitor and configure servers and other computer hardware on their networks.
SolarWinds would not answer questions about how long the attackers remained on its network, but a spokesman directed Yahoo News to a list of frequently asked questions published Friday morning addressing the 2019 files. It indicates that in October 2019, SolarWinds distributed versions of its software that “contained code base test changes … it’s the first version I’ve seen the attacker work on right now.” The company noted that its subsequent software releases in 2019 “did not include the test changes contained” in that October 2019 release, nor the backdoor added to the spring 2020 releases.
However, the company did not say that these files were found on the victims’ devices.
The files that infected customers on October 10 were compiled on the same day that customers were infected with them, as were the files released in the spring of 2020, which infected customers within hours – and in some cases minutes – after they had been compiled.
Programmers first write code in a programming language before compiling it into a binary file that computers can read.
It is unclear when each customer was infected by the backdoor once the files first became available for download to customers in the spring of 2020. Charles Carmakal, senior vice president and chief technology officer at Mandiant, FireEye’s incident response arm, would not say when his company was hacked, but said the attackers were not in his company for the full eight months between the time the malicious software updates were made available to customers for download from the SolarWinds server and the time FireEye discovered the breach. He told Yahoo News that their investigation shows that other SolarWinds customers infected with the malware did not download or install the malicious update until a few months after it became available on the update server.
There was some confusion about how FireEye discovered hackers in its network. A story published Wednesday quoted Capitol Hill sources as saying hackers had tricked a FireEye employee into revealing credentials for accessing the company’s network.
But Carmakal told Yahoo News that this is incorrect. The breach was discovered after the hackers registered a device in the FireEye multifactor authentication system, which FireEye employees use to remotely connect to the company’s VPN. The multifactor authentication system works similarly to how Gmail users access their accounts securely: it generates a unique code on the user’s phone that they enter, along with their username and password, each time they access their account, so even if someone has their username and password, they cannot access the account without the unique code. This unique code is generated only on the mobile phone that the account holder has linked to their account.
After the hackers registered their own device in the FireEye multifactor authentication system, in order to obtain unique codes that would normally only be generated on that employee’s device, the FireEye security system issued an automatic alert to the employee and to the company’s security team that an unknown device had been registered as if it belonged to the employee.
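The detection described above, as an added illustration that is not FireEye’s system: a small detector run over constructed MFA enrollment events that flags when a device not already tied to a user is registered and names both the account holder and the security team as the recipients of the alert. The event format, field names and the notification addresses are assumptions for the example.

```python
"""Flag MFA enrollments of a device that is not already tied to the user."""
import json
from collections import defaultdict

# Constructed sample events, one JSON object per line (not real logs):
# alice enrolls her own phone, then an unknown device is enrolled
# for alice from an unfamiliar address and immediately used.
SAMPLE_EVENTS = """
{"ts": "2020-11-30T09:12:03Z", "user": "alice", "action": "enroll", "device_id": "phone-a1", "src_ip": "10.0.5.21"}
{"ts": "2020-11-30T09:12:40Z", "user": "alice", "action": "verify", "device_id": "phone-a1", "src_ip": "10.0.5.21"}
{"ts": "2020-12-01T02:47:11Z", "user": "alice", "action": "enroll", "device_id": "phone-zz9", "src_ip": "203.0.113.77"}
{"ts": "2020-12-01T02:48:02Z", "user": "alice", "action": "verify", "device_id": "phone-zz9", "src_ip": "203.0.113.77"}
""".strip()


def parse_events(text):
    """Parse newline-delimited JSON events into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_new_device_enrollments(events, known_devices=None):
    """Return one alert per enrollment of a device not yet known for that user.

    known_devices: optional baseline {user: set(device_id)}. Events are
    processed in order; a user's first enrollment with no baseline seeds
    the baseline instead of raising an alert.
    """
    known = defaultdict(set)
    for user, devices in (known_devices or {}).items():
        known[user].update(devices)
    alerts = []
    for ev in events:
        if ev["action"] != "enroll":
            continue
        user, device = ev["user"], ev["device_id"]
        if user in known and device not in known[user]:
            alerts.append({
                "ts": ev["ts"],
                "user": user,
                "new_device": device,
                "src_ip": ev["src_ip"],
                "known_devices": sorted(known[user]),
                # Notify the account holder and the security team (assumed addresses).
                "notify": [f"{user}@example.test", "security@example.test"],
            })
        known[user].add(device)
    return alerts
```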
“They had to provide credentials for authentication [of their device] to [the multifactor authentication system] to authenticate to the FireEye VPN,” said Carmakal. “It was the process that the attacker followed to register in the MFA solution that generated the alert. But by this time the attacker already had the employee’s username and password.”
The employee whose credentials were compromised told the FireEye security team that the device did not belong to him, and during the investigation into how the hackers could have obtained the employee’s credentials, the team found that the hackers had gained network access through the malicious SolarWinds software.
Carmakal did not say how the hackers obtained the credentials after that or how many employee credentials they stole. But once inside a network, it is common for skilled hackers to seek access to critical system files in which employee account credentials are stored, in order to use those credentials to gain deeper access to additional parts of the network.