Casting A Wide Net

The manual supply chain attack against SolarWinds’ Orion network monitoring platform has sent shockwaves throughout the world, with suspected Russian foreign intelligence service hackers gaining access to U.S. government agencies, critical infrastructure entities and private sector organizations.

The victims have included government, consulting, technology and telecom firms in North America, Europe, Asia and the Middle East, FireEye threat researchers wrote on Dec. 13. FireEye CEO Kevin Mandia said Sunday that only 50 of the 18,000 organizations who installed malicious SolarWinds Orion code into their network were “genuinely impacted” by the campaign.

Similarly, Microsoft President Brad Smith said Dec. 17 that just over 40 of the company’s customers were precisely targeted and compromised through trojanized Orion updates. From tech giants, internet service providers and IT solution providers to federal agencies and county governments, here’s a deeper look at 24 victims of the colossal SolarWinds hack who’ve been publicly identified (so far).

Belkin International

Belkin International was one of among two dozen companies identified Monday by The Wall Street Journal to install a trojanized version of the SolarWinds Orion network monitoring platform, potentially giving hackers access to sensitive corporate and personal data through a covertly inserted backdoor. The firm sells home and office Wi-Fi routers and networking gear under the Linksys and Belkin brands.

Playa Vista, Calif.-based Belkin told The Wall Street Journal that it had removed the backdoor immediately after federal officials issued an alert on Dec. 13. “There has been no known negative impact identified to date,” a company spokeswoman told The Journal.

The Journal said it gathered clues from victim computers collected by threat-intelligence companies Farsight Security and RiskIQ and then used decryption methods to reveal the identities of some servers that downloaded the malicious code. In some cases, the analysis led to the identity of compromised organizations and showed when the code was likely activated—indicating that the hackers had access.

California Department of State Hospitals

The California Department of State Hospitals by early August had installed a backdoor into their systems through a malicious SolarWinds Orion update, according to an analysis published Monday by The Wall Street Journal.

California state officials are working with federal and state agencies to address the impact of the SolarWinds backdoor, a spokesman for the state Governor’s Office of Emergency Services told The Journal. The spokesman declined to comment to The Journal on the specific state agencies affected.

The California Department of State Hospitals manages the state’s forensic mental health hospital system, providing inpatient mental health services to approximately 6,000 patients. The department oversees five state hospitals located in Atascadero, Coalinga, Los Angeles County, Napa and Patton.

Cisco

Internal machines used by Cisco researchers were targeted via SolarWinds as the impact of the colossal hacking campaign on the tech sector became apparent, Bloomberg reported Friday. Roughly two dozen computers in a Cisco lab were compromised through malicious updates to SolarWinds’ Orion network monitoring platform, according to Bloomberg, citing a person familiar with the incident.

The San Jose, Calif.-based networking giant told CRN its security team moved quickly to address the issue, and that there isn’t currently any known impact to Cisco offers or products. Cisco told CRN there’s no evidence at this time to indicate customer data has been exposed as a result of the compromise.

“While Cisco does not use SolarWinds Orion for its enterprise network management or monitoring, we have identified and mitigated affected software in a small number of lab environments and a limited number of employee endpoints,” Cisco said in a statement. “We continue to investigate all aspects of this evolving situation with the highest priority.”

Commerce Department

Suspected Russian hackers for months monitored staff emails sent via Office 365 at the Commerce Department’s National Telecommunications and Information Administration (NTIA) after breaking into the NTIA’s office software, Reuters reported Dec. 13. There is some indication that the email compromise at NTIA dates back to this summer, although it was only recently discovered, Reuters said.

Then on Monday, The Wall Street Journal reported that the hackers had since June broken into about three dozen email accounts at the NTIA, including accounts belonging to the agency’s senior leadership. The NTIA is a bureau within the Commerce Department that works on telecommunications and internet policy. The Commerce Department didn’t immediately respond to a Journal request for comment

It wasn’t clear what the hackers were seeking to gain from spying on NTIA emails, but The Journal said it could range from general intelligence gathering to a mass email leak in the future to material that could be used to more easily wage future cyberattacks. “In any case, it’s a gold mine,” a U.S. official familiar with the matter told The Journal.

Cox Communications

Reuters on Friday identified U.S. internet provider Cox Communications as a victim of the SolarWinds attack by running a coding script released by Kaspersky to decrypt online web records left behind by the attackers. The type of web record includes an encoded unique identifier for each victim and shows which of the thousands of backdoors available to them the hackers chose to open, Kaspersky said.

The unique identifier relating to Cox Communications was included in a list of technical information published by FireEye, Reuters reported Friday. The records show that the backdoor at Sandy Springs, Ca.-based Cox Communications was activated in June of this year, which Reuters said is the peak of the hacking activity so far identified by investigators.

A spokesman for Cox Communications told Reuters the company was working “around the clock” with the help of outside security experts to investigate any consequences of the SolarWinds compromise. “The security of the services we provide is a top priority,” the spokesman told Reuters.

Defense Department

Parts of the Pentagon were also affected by the SolarWinds hack, The New York Times reported Dec. 14, though U.S. officials said at the time they were not yet sure to what extent. Some Trump administration officials acknowledged Dec. 14 that parts of the Pentagon had been compromised in the breach, according to The New York Times.

“The D.O.D. is aware of the reports and is currently assessing the impact,” Russell Goemaere, a Pentagon spokesman, told The Times on Dec. 14. Then on the night of Dec. 16, the Defense Department said in a statement that it has “no evidence of compromise of the [Department of Defense Information Network],” though FedScoop said it’s unclear if other parts of DOD’s IT networks were comprised.

Public records show SolarWinds as a Defense Department vendor, and a security researcher told FedScoop that his team members have “personally used Orion within DOD networks.” “We continue to assess our DOD Information Networks for indicators of compromise and take targeted actions to protect our systems beyond the defensive measures we employ each day,” said Vice Adm. Nancy Norton.

Deloitte

Deloitte was infected in late June with malware from a trojanized SolarWinds Orion update, according to an analysis from The Wall Street Journal. The company told the Journal it “has taken steps to address” the malware but hasn’t “observed indications of unauthorized access to our systems at this time.”

London-based Deloitte provides audit, consulting, tax and advisory services to nearly 90 percent of the Fortune 500 and more than 7,000 private and middle market companies. The company’s technology consulting arm was No. 19 on the 2019 CRN Solution Provider 500.

Deloitte is one of the Big Four accounting organizations and the largest professional services network in the world by revenue and number of professionals. The company suffered a major cyberattack in September 2017 which breached client confidentiality and exposed extensive employee information.

Digital Sense

The SolarWinds hackers called for proceeding with the second stage of their attack on Digital Sense on June 24, according to a Dec. 17 blog post from Stockholm, Sweden-based cybersecurity consultancy Truesec. Digital Sense told CRN it wasn’t impacted by the campaign since the company doesn’t use SolarWinds.

Of the roughly 18,000 SolarWinds customers that received the infected Orion update, more than 1,000 experienced the malicious code ping a so-called second stage “command and control” server operated by hackers, giving them the option to hack further into the network, Bloomberg said Sunday. Command and control servers are used by hackers to manage malicious code once it’s inside a target network.

Digital Sense offers data solutions to ensure business continuity and reliable data management with advanced infrastructure, cloud hosting, colocation, disaster recovery and backup. The Kenmore, Australia-based company is a NetApp gold partner, a Veeam gold partner, and a VMware enterprise solution provider.

Energy Department

The Energy Department and National Nuclear Security Administration obtained evidence Thursday that the SolarWinds hackers had accessed their networks, Politico reported. They found suspicious activity in networks belonging to the Federal Energy Regulatory Commission, Sandia and Los Alamos national laboratories, the Office of Secure Transportation at NNSA, and the Richland Field Office of the DOE.

The hackers have been able to do more damage at FERC than the other agencies, and officials there have evidence of highly malicious activity, the officials said, according to Politico. Officials at DOE still don’t know whether the attackers were able to access anything, Politico reported, noting that the investigation is ongoing and they may not know the full extent of the damage “for weeks.”

“At this point, the investigation has found that the malware has been isolated to business networks only, and has not impacted the mission essential national security functions of the department,” a DOE spokesperson said. ”When DOE identified vulnerable software, immediate action was taken to mitigate the risk, and all software identified as being vulnerable to this attack was disconnected from the DOE network.”

FireEye

FireEye put the Russia hacking campaign in the public consciousness Dec. 8 when the company disclosed that it was breached in an attack designed to gain information on some of the threat intelligence vendor’s government customers. The attacker was able to access some of FireEye’s internal systems but apparently didn’t exfiltrate data from the company’s primary systems that store customer information.

The threat actor, however, stole FireEye’s Red Team security assessment tools, and FireEye said it isn’t sure if the attacker plans to use the stolen tools themselves or publicly disclose them. FireEye said the stolen Red Team tools range from simple scripts used for automating reconnaissance to entire frameworks that are similar to publicly available techniques like CobaltStrike and Metasploit.

Then on Dec. 13, FireEye announced that nation-state hackers had gained access to government, consulting, technology and telecom firms around the world through trojanized updates to SolarWinds’ Orion network monitoring tool. FireEye said it had identified multiple organizations where it sees indications of compromise dating back to spring 2020, and is in the process of notifying those firms.

Health and Human Services Department

The Health and Human Services Department’s National Institutes of Health (NIH) Dec. 14 joined the list of known victims of a months-long, highly sophisticated digital spying operation by Russia whose damage remains uncertain but is presumed to be extensive, The Washington Post reported at the time.

In a Dec. 15 statement, NIH says it uses “SolarWinds software” but does not specify what kind, nor does the agency confirm or deny it has been hacked. Federal procurement records show that NIH uses the Orion product, Wall Street Journal reporter Dustin Volz said. “NIH does not comment on cybersecurity matters, as such information could be used to undertake malicious activities,” NIH said in a statement.

The NIH compromise follows reports this summer that the SVR, Russia’s foreign intelligence service, went after coronavirus vaccine research.

Homeland Security Department

Emails sent by officials at the Department of Homeland Security were monitored by the SolarWinds hackers as part of their sophisticated campaign, Reuters reported Dec. 14. People familiar with the matter told Reuters that a team of sophisticated hackers believed to be working for the Russian government won access to internal Homeland Security communications.

One of the people familiar with the hacking campaign told Reuters that the critical network DHS’ cybersecurity division uses to protect infrastructure, including the recent U.S. presidential elections, had not been breached. DHS is a massive bureaucracy that is among other things responsible for securing the distribution of the COVID-19 vaccine, according to Reuters.

DHS told Reuters it was aware of the reports, without directly confirming them or saying how badly the department was affected. “The Department of Homeland Security is aware of cyber breaches across the federal government and working closely with our partners in the public and private sector on the federal response,” department spokesman Alexei Woltornist said in a statement.

Intel

Intel downloaded and ran the malicious update to its SolarWinds Orion network monitoring platform, an analysis by The Wall Street Journal found Monday. The company is investigating the incident and has found no evidence the hackers used the backdoor to access the company’s network, an Intel spokesman told The Journal.

A lot of proprietary technology, including Intel’s next-generation processors and Optane memory technology, is at stake if foreign actors were successful in breaking into the Santa Clara, Calif.-based chip maker’s network and in stealing information, Dominic Daninger, vice president of engineering at high-performance computing system builder Nor-Tech, told CRN.

A data breach for Intel specifically could compound the company’s other issues, Daninger said, which includes increasing competition from Arm-based processors being used by customers. “That kind of stuff can be very damaging and have a lot of potential future damage to it,” Daninger told CRN.

ITPS

ITPS was breached via SolarWinds and then specifically targeted by the hackers for additional internal compromise on Aug. 11, according to a Dec. 17 blog post from Stockholm, Sweden-based cybersecurity consultancy Truesec. The company didn’t immediately respond to a CRN request for comment.

Companies like ITPS that are targeted in the second stage of the SolarWinds Orion attack should conduct a proper forensic investigation on all their infected Orion servers, examine their firewall and DNS logs, and ensure none of their accounts were compromised by looking for account creation and misuse, Fabio Viggiani, technical lead for Truesec security team, told CRN.

Gateshead, England-based ITPS is a data center partner founded in 2000 specializing in IT managed services, IT consultancy and implementation, unified communications, support services and workspace and disaster recovery. Some of ITPS’ vendor partners include Cisco, Zerto, Citrix, NetApp, Trend Micro, Barracuda, HP, Samsung, VMware, IBM, Microsoft, Dell and Veeam, according to the firm’s website.

Kent State University

The suspected Russian hackers behind breaches at U.S. government agencies also gained access to Kent State University, The Wall Street Journal reported Monday. “We are aware of the situation and are evaluating this serious matter,” Kent State spokesman Eric Mansfield said in a statement to cleveland.com and The Plain Dealer.

Mansfield declined to elaborate on the situation, including what kind of information may have been breached, according to the The Plain Dealer. The university also would not confirm whether an internal investigation is under way, according to the Record-Courier.

As of October 2019, Kent State was the third-largest university in Ohio with an enrollment of 35,883 students in the eight-campus system and 26,804 students at the main campus in Kent. The university offers more than 300 degree programs, and specializes in nursing, business, history, library science, aeronautics, journalism, fashion design and liquid crystal technology.

Microsoft

Reuters reported last Thursday that Microsoft was compromised via SolarWinds, with suspected Russian hackers then using Microsoft’s own products to further the attacks on other victims. Microsoft told CRN that sources for the Reuters report are “misinformed or misinterpreting their information,“ but acknowledged the software giant had ”detected malicious SolarWinds binaries” in its environment.

Then on Monday, The New York Times reported that the SolarWinds hackers had seized upon a Microsoft flaw to infiltrate the email system used by the U.S. Treasury Department’s senior leadership. The Treasury Department breach came to light from Microsoft, which The Times said runs much of the department’s communications software.

Once the hacker used SolarWinds Orion to get inside Treasury’s systems, they performed a complex step inside Microsoft’s Office 365 system to create an encrypted “token” that identifies a computer to the larger network, the Times reported. That tricked the system into thinking the hackers were legitimate users, meaning the hackers were able to sign on without having to guess user names and passwords.

Netdecisions

Netdecisions was breached via SolarWinds and then specifically targeted by the hackers for additional internal compromise on Oct. 4, according to a Dec. 17 blog post from Stockholm, Sweden-based cybersecurity consultancy Truesec.

The hackers will often drop additional malware during the second stage of the attack to establish a deeper presence, Fabio Viggiani, technical lead for Truesec security team, told CRN. Beyond that, Viggiani said there is significant variation from one intrusion to the next based on the victim’s infrastructure and what interests the hackers at the victim organization.

Netdecisions was founded in 1998, and renamed its IT services business Agilisys in 2004 with a focus on outsourcing in the technology, media and public sector arenas. The investment arm of Netdecisions was renamed Blenheim Chalcot and operates a portfolio across the technology, financial services and media sectors in both the UK and India. Neither Agilisys nor Blenheim Chalcot responded to CRN inquiries.

Nvidia

Nvidia installed the tainted SolarWinds Orion network monitoring software, giving the hackers potential access to sensitive corporate and personal data, The Wall Street Journal said Monday. The Santa Clara, Calif.-based chip maker was among at least 24 organizations that installed software laced with malicious code from hackers believed to be with the Russian foreign intelligence service, according to The Journal.

“We have no evidence at this time that Nvidia was adversely affected,” an Nvidia spokesperson said in a statement to CRN. “Our investigation is ongoing.”

If Nvidia did suffer from a data breach, the companies would likely have to disclose the incidents to customers, partners and shareholders, said Dominic Daninger of Nor-Tech. “I think it’s been very difficult for anybody here to really assess how much damage [has been done], and then, to some degree in the private space, if they do talk about it very much, it can be even more harmful,” Daninger told CRN.

Pima County, Ariz.

Fallout from the hack of the SolarWinds Orion network monitoring software extended into the servers of Pima County, Ariz. government agencies, officials there confirmed Friday. The county acknowledged Friday afternoon that it had been a target, but refused to detail the extent of the attack on its networks, The Tucson Sentinel reported.

Publicly accessible internet records indicate that the backdoors in Pima County’s installation of SolarWinds Orion were activated in July 2020, which Reuters said Friday was the peak of the hacking activity identified so far by investigators. Pima County Chief Information Officer Dan Hunt told the Tucson Sentinel that there’s no indication that any county any data was stolen.

“As soon as we were notified that SolarWinds had an issue, we unplugged every device running the software, and removed the agent from every device in our network as recommended by the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency,” Hunt said. ”We are following proper protocol and have not been able to verify that there was any data breach.”

SolarWinds

SolarWinds disclosed Dec. 13 that it experienced a highly sophisticated, manual supply chain attack on versions of its Orion network monitoring product released between March and June of this year. The company said it’s been told the attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, though no specific country was named.

A FireEye blog post states that hackers gained access to numerous public and private organizations through trojanized updates to SolarWinds’ Orion software, but didn’t disclose the identity of any of the victims. Nearly 18,000 SolarWinds customers may have an Orion installation that contains this backdoor, according to a Dec. 14 filing with the U.S. Securities and Exchange Commission (SEC).

The backdoor wasn’t evident in the Orion products’ source code but appears to have been inserted during the Orion software build process, SolarWinds disclosed Dec. 17. And an attack vector used to compromise SolarWinds’ Microsoft Office 365 emails that may have also provided access to other data contained in the company’s office productivity tools, the company said on Dec. 14.

State Department

The State Department on Dec. 14 joined the list of known victims of a months-long, highly sophisticated digital spying operation by Russia whose damage remains uncertain but is presumed to be extensive, The Washington Post reported. The breach of the State Department was particularly embarrassing given that the Russian foreign intelligence service also hacked State’s unclassified email servers in 2014.

The State Department declined to comment to The Washington Post on their report.

The State Department oversees the United States’ foreign policy and international relations, and is responsible for advising the U.S. president, administering diplomatic missions, negotiating international treaties and agreements, and representing the U.S. at the United Nations. The State Department administers America’s oldest civilian intelligence agency and maintains a law enforcement arm.

Stratus Networks

Suspected Russian foreign intelligence service hackers called for proceeding with the second stage of the attack on Stratus Networks on April 17, according to a Dec. 17 blog post from Stockholm, Sweden-based cybersecurity consultancy Truesec.

In some cases, even though the hackers proceeded to the second stage, adversary activity might have been limited to some initial scraping or filtering before deciding to terminate the operation, Fabio Viggiani, technical lead for Truesec security team, told CRN. Of that more than 1,000 companies hit with a second stage attack, Bloomberg said investigators have determined that just 200 were further hacked.

There are two companies operating under the Stratus Networks name, neither of which responded to CRN requests for comment. One is a Peoria Heights, Ill.-based carrier and telecommunication services provider that works closely with AT&T and Cisco. The other is a Hopkinton, Mass.-based managed IT services and outsourcing company that partners with Microsoft, Dell, Symantec, Fortinet and VMware.

Treasury Department

The SolarWinds hackers seized upon a Microsoft flaw to infiltrate the email system used by the U.S. Treasury Department’s senior leadership, The New York Times reported Monday. Dozens of Treasury email accounts were compromised, including those in the departmental offices division, where the most senior officials operate, Sen. Ron Wyden, D-Ore., told The New York Times.

Hackers gained access to the Treasury’s email system in July by manipulating internal software keys, and the breach came to light from Microsoft, which runs much of Treasury’s communications software. Once the hackers used Orion to get inside Treasury’s systems, they performed a complex step in Microsoft’s Office 365 system to create an encrypted token that identifies a computer to the larger network.

That tricked the system into thinking the hackers were legitimate users, meaning the hackers were able to sign on without having to guess user names and passwords. Microsoft said last week that it fixed the flaw the Russians were exploiting, but that didn’t address whether the hackers had used their access to bore through other channels into either the Treasury Department or other systems, the Times reported.

VMware

A VMware vulnerability that allowed access to protected data and federated authentication abuse was used by the SolarWinds hackers to attack high-value targets, KrebsOnSecurity reported last Friday. The U.S. National Security Agency (NSA) warned on Dec. 7 that a flaw in the software of Palo Alto, Calif.-based VMware was being used by Russian hackers to impersonate legitimate users on breached networks.

In order to exploit this vulnerability, the NSA said hackers would need to be on the target’s internal network, which KrebsOnSecurity pointed out would have been the case in the SolarWinds hack. VMware told CRN that it has received no notification or indication that this vulnerability “was used in conjunction with the SolarWinds supply chain compromise.”

After being tipped off to the flaw by the NSA, VMware released a software update Dec. 3 to plug the security hole. While some of VMware’s own networks used vulnerable versions of SolarWinds’ Orion network monitoring platform, the company told CRN that an investigation has thus far revealed no evidence of exploitation.