It is virtually impossible to estimate the scale of the ongoing cyberattack that relied on administrative tools developed by the security vendor SolarWinds, according to a memo released on Wednesday, January 6, 2021, by the Administrative Office (AO) of the U.S. Courts. While we don’t know the scope of the incident, we do know it was the result of poor password policies on the vendor’s end.
Advanced attacks hide hackers in plain sight
While there has been no confirmation of the claim, U.S. government officials say the attack is “likely Russian in origin,” and was conducted by inserting a backdoor into the SolarWinds Orion network security product.
Hackers reportedly obtained privileged access to SolarWinds products by password guessing, password spraying, and inappropriately obtaining remote access passwords, according to an alert from the Cybersecurity and Infrastructure Security Agency (CISA) that provided the first forensic details about the attack. The alert detailed numerous advanced techniques the attackers used to gain initial access, as well as the obfuscation techniques they used to mask their communications and hide their activity. After the initial compromise, the attackers sought to ship an update containing the backdoor to all users, compromising SolarWinds’ entire supply chain.
The new information provided by CISA shows how the attackers expanded on the supply chain compromise announced December 17, 2020, explaining the routes by which adversaries escalated privileges, forged authentication credentials, and compromised Microsoft Azure/365 accounts. It also explained how officials detected the attack. Security professionals with CISA detected authentication tokens with lifetimes far longer than the standard one hour, sign-ins from impossible locations, and tokens and certificates being assigned to existing Azure/Microsoft 365 (M365) accounts.
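The indicators above (tokens that outlive the standard one-hour window and sign-ins from locations a user could not physically have reached) can be checked mechanically over sign-in telemetry. The script below is an added example written for this article; it is not CISA's tooling or any Microsoft product feature, and the event schema (`user`, `time`, `issued`, `expires`, `lat`, `lon`) and the 1,000 km/h speed threshold are assumptions chosen for illustration. The sample events are constructed, not real log data.

```python
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in events (hypothetical schema, not real CISA or
# Microsoft log data). Times are UTC ISO-8601; "issued"/"expires" describe
# the authentication token presented at sign-in.
SAMPLE_EVENTS = [
    {"user": "alice", "time": "2020-12-14T09:00:00", "issued": "2020-12-14T09:00:00",
     "expires": "2020-12-14T10:00:00", "lat": 38.90, "lon": -77.04},   # Washington, DC
    {"user": "alice", "time": "2020-12-14T09:30:00", "issued": "2020-12-14T09:30:00",
     "expires": "2020-12-14T10:30:00", "lat": 55.75, "lon": 37.62},    # Moscow, 30 min later
    {"user": "bob",   "time": "2020-12-14T11:00:00", "issued": "2020-12-14T11:00:00",
     "expires": "2020-12-15T11:00:00", "lat": 40.71, "lon": -74.01},   # New York, 24-hour token
    {"user": "bob",   "time": "2020-12-14T14:00:00", "issued": "2020-12-14T14:00:00",
     "expires": "2020-12-14T15:00:00", "lat": 42.36, "lon": -71.06},   # Boston, 3 h later
]

MAX_TOKEN_LIFETIME = timedelta(hours=1)   # the standard lifetime the article cites
MAX_PLAUSIBLE_SPEED_KMH = 1000.0          # assumption: faster than any scheduled flight


def _t(s):
    return datetime.fromisoformat(s)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points on Earth, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def long_lived_tokens(events, max_lifetime=MAX_TOKEN_LIFETIME):
    """Events whose token validity window exceeds the expected lifetime."""
    return [e for e in events if _t(e["expires"]) - _t(e["issued"]) > max_lifetime]


def impossible_travel(events, max_speed_kmh=MAX_PLAUSIBLE_SPEED_KMH):
    """Consecutive sign-ins by one user that imply an implausible travel speed."""
    findings = []
    ordered = sorted(events, key=lambda e: (e["user"], e["time"]))
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["user"] != cur["user"]:
            continue
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        if km == 0:
            continue  # same place twice is never "travel"
        hours = (_t(cur["time"]) - _t(prev["time"])).total_seconds() / 3600
        speed = km / hours if hours > 0 else float("inf")
        if speed > max_speed_kmh:
            findings.append({
                "user": cur["user"],
                "from_time": prev["time"],
                "to_time": cur["time"],
                "distance_km": round(km, 1),
                "speed_kmh": round(speed, 1),
            })
    return findings


def run_detections(events):
    """Run both checks and return findings keyed by detection name."""
    return {
        "long_lived_tokens": long_lived_tokens(events),
        "impossible_travel": impossible_travel(events),
    }


if __name__ == "__main__":
    for name, hits in run_detections(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} finding(s)")
        for h in hits:
            print("  ", h)
```

On the constructed data the first check flags bob's 24-hour token and the second flags alice's Washington-to-Moscow pair (roughly 7,800 km in 30 minutes). In practice the thresholds should come from the tenant's actual token policy and the geolocation quality of the sign-in source, since VPN egress points and coarse IP geolocation are the usual source of false positives for the travel check.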
Federal Judiciary also impacted by breach
An additional announcement from CISA, the FBI, and the NSA informed the public that the breach has also exposed an unknown number of classified documents and court filings from the Justice Department.
“The UCG believes that, of the approximately 18,000 affected public and private sector customers of SolarWinds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems. We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted,” officials wrote in a joint statement on January 5, 2021.