The attackers tampered with software updates released by SolarWinds, a software provider whose products are used by government agencies, military, and intelligence offices.
The cyber espionage group, believed to be linked with Russia, has compromised the networks of several US government agencies, including the US Treasury and the Commerce Department's National Telecommunications and Information Administration (NTIA).
The threat actors managed to spy on the internal email traffic at the U.S. Treasury and Commerce departments during the hack.
According to a report published by the Washington Post, the attacks have been credited to APT29 or Cozy Bear, the Russia-linked APT that is believed to have recently compromised the top cybersecurity firm FireEye.
The Cybersecurity and Infrastructure Security Agency (CISA) immediately issued Emergency Directive 21-01 in response to the compromise of SolarWinds Orion products, which are currently being exploited by malicious threat actors.
The US agency is calling on all federal civilian agencies to review their networks for indicators of compromise and to power down SolarWinds Orion products immediately.
The full extent of the attack is not yet known, but the impact is considerable given the popularity of SolarWinds' networking and security products. Threat actors performed a highly sophisticated supply chain attack.
SolarWinds’ networking and security products are used by more than 300,000 customers worldwide, including government agencies, military offices, major US telecommunications companies, education institutions, and Fortune 500 companies.
The Pentagon, State Department, NASA, National Security Agency (NSA), Postal Service, NOAA, Department of Justice, and the Office of the President of the United States also use SolarWinds solutions.
FireEye, which is investigating the supply chain attack, has already confirmed that an attacker tracked as UNC2452 used trojanized SolarWinds Orion business software updates to distribute a backdoor tracked as SUNBURST.
The experts believe that the campaign may have started as early as Spring 2020, is still ongoing, and is the work of a highly skilled threat actor.
SolarWinds published a security advisory confirming the supply chain attack. The attackers compromised versions 2019.4 through 2020.2.1 of the SolarWinds Orion Platform software, released between March and June 2020. SolarWinds recommends that users upgrade to Orion Platform release 2020.2.1 HF 1 as early as possible.
SolarWinds has also planned to release a new update (Orion Platform version 2020.2.1 HF 2) on Tuesday, December 15, that would replace the compromised component and provide several additional security enhancements.
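For a defender working through the advisory above, the first practical step is to compare the Orion versions in an asset inventory against the affected range. The following Python is an added example, not code from SolarWinds or from the article: it parses Orion version strings of the form "2020.2.1 HF 1" and flags hosts whose version falls within 2019.4 through 2020.2.1 and is below the recommended 2020.2.1 HF 1. The inventory is constructed sample data, and treating every hotfix of a base version inside the range as affected (except 2020.2.1 HF 1 and later) is an assumption for illustration.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class OrionVersion(NamedTuple):
    base: Tuple[int, ...]  # numeric part, e.g. (2020, 2, 1)
    hotfix: int            # "HF n" suffix, 0 when absent


# Accepts "2019.4", "2020.2 HF 1", "2020.2.1 HF 2" (case-insensitive "HF").
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> OrionVersion:
    """Parse an Orion Platform version string into a comparable tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return OrionVersion(base, hotfix)


def _pad(base: Tuple[int, ...], width: int = 3) -> Tuple[int, ...]:
    # Normalise "2019.4" and "2019.4.0" to the same tuple for ordering.
    return tuple(base) + (0,) * (width - len(base))


# Range stated in the SolarWinds advisory: 2019.4 through 2020.2.1.
AFFECTED_LOW = (2019, 4, 0)
AFFECTED_HIGH = (2020, 2, 1)
# Recommended upgrade target: 2020.2.1 HF 1.
FIXED = OrionVersion((2020, 2, 1), 1)


def is_affected(text: str) -> bool:
    """True when the version lies in the affected range and predates HF 1.

    Assumption (not from the advisory): any hotfix of a base version inside
    the range is treated as affected unless it is 2020.2.1 HF 1 or later.
    """
    v = parse_version(text)
    base = _pad(v.base)
    if base < AFFECTED_LOW or base > AFFECTED_HIGH:
        return False
    if base == _pad(FIXED.base) and v.hotfix >= FIXED.hotfix:
        return False
    return True


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames (sorted) whose Orion version is affected."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "orion-dc1": "2020.2.1",
    "orion-dc2": "2020.2.1 HF 1",
    "orion-lab": "2019.4 HF 5",
    "orion-old": "2019.2",
    "orion-new": "2020.2.1 HF 2",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} is in the affected range; upgrade to 2020.2.1 HF 1")
```

Any host the function reports should be treated as a candidate for the CISA guidance above (review for indicators of compromise, power the product down) rather than as a confirmed compromise; the version check only establishes exposure to the trojanized update.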
Image Credits: CX Briefs