US Federal Cyber Warning, 17 December 2020

US federal authorities issued a warning on 17 December 2020 that Russian hackers used an expansive variety of malicious cyber tools to penetrate US government systems and said that the cyber offensive was, “a grave risk to the federal government.” These cyber findings indicate a wider range of hacking, which appears to extend beyond nuclear research laboratories and the US Pentagon, Treasury and Commerce Department systems. This expansion of cyber capabilities is complicating challenges for US investigators as they try to assess the damage and figure out what took place.[1]

Microsoft added that it has identified 40 companies, government agencies and think tanks that the suspected Russian hackers, at a minimum, had infiltrated. Nearly half are private technology firms, Microsoft said, many of them cybersecurity firms, like FireEye, that are charged with securing vast sections of the public and private sector.

The US Energy Department and its National Nuclear Security Administration, which maintains the American nuclear stockpile, were compromised as part of the larger attack, but its investigation found the hack did not affect “mission-essential national security functions,” said a US Department of Energy spokesperson.

It is believed this cyber-attack was conducted by the Sluzhba Vneshney Razvedki (SVR), a Russian intelligence agency. A Microsoft “heat map” of infections shows that the vast majority (80 percent) are in the US, while Russia shows no infections. The US warning did not provide the new TTPs the hackers penetrated US government systems. FireEye, a cybersecurity firm, confirmed that there were other routes (high confidence level) attackers discovered new ways into US networks. FireEye was the first to inform the US government that the suspected Russian hackers had, since at least March of 2020, infected the periodic software updates issued by a company called SolarWinds, which makes critical network monitoring software used by the government, hundreds of Fortune 500 companies and firms that oversee critical infrastructure, including the power grid.[2]

US Investigators and other officials believe the goal of the Russian attack was traditional espionage, the sort the US-National Security Agency (NSA) and other agencies regularly conduct against adversaries. But the extent and depth of the attack highlights worries that hackers could ultimately use their access to shut down US systems, corrupt or destroy data, or take command of computer systems that run industrial processes.

Investigators say it could take months to reveal the extent to which US networks and the technology supply chain are compromised. Microsoft reported the supply-chain element made the attack perhaps the most serious cyber-attack against the US in many years. Some researchers believe Microsoft was itself compromised in the attack.

Days before the “official” US warning, Microsoft and FireEye took remediation efforts to halt the communication between the SolarWinds network management software and a command-and-control center that the Russians were using to send instructions to their malware using a so-called ‘kill switch.’ That action effectively shut off further cyber penetration. This is of no consolation to companies and organizations that have already been penetrated by an attacker back in March. The most important point the US feds provided was that the SolarWinds “supply chain compromise is not the only initial infection vector” that was used to get into federal systems. That suggests other software, also used by the government, has been infected and used for access by foreign spies.

Across US federal agencies, the private sector and the utility companies that oversee the power grid, forensic cyber investigators continue to examine the extent of this network(s) compromise. Many security teams are somewhat relieved compromised system warning did not turn into a panic, as they learned other third-party applications may have been compromised.

Red Sky Alliance has been has analyzing and documenting cyber threats and vulnerabilities for over 9 years and maintains a resource library of malware and cyber actor reports. Specifically, our analysts are currently collecting and analyzing the supply chains inside the transportation sector. For many years we have believed the supply chain is the Achilles Heel to the over-all cyber network.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com

Weekly Cyber Intelligence Briefings: https://attendee.gotowebinar.com/register/8782169210544615949