14 Dec 2020
We wrote last week about the irony of FireEye being successfully infiltrated by hackers, and we cut them some slack because we realized that the attack was highly sophisticated… FireEye is a $3.5 billion Cyber Security firm that has some big and important clients, like the US government, and though Russia is saying that the mainstream media is lying about Russia’s involvement (*insert eye roll here*), it appears pretty likely that this was a concentrated attack, spearheaded by Cozy Bear, a Russian Federal Security Service (FSB) hacking group.
It appears that the clients of FireEye, including the US Government, have also been successfully infiltrated. Confirmations of attacks started to roll out yesterday, the same day that FireEye released a statement explaining how the attackers infected their victims: they took control of the update mechanism of Orion, the popular software app from SolarWinds, and used it to install backdoor access that FireEye researchers have dubbed “Sunburst.”
Unfortunately, this has impacted more than just US government agencies and businesses; other victims include government, consulting, and other tech-savvy organizations in North America, Europe, Asia, and the Middle East, though it’s believed that this is just the start. FireEye has already notified every organization it has found so far to have been successfully breached in this attack.
How it Happened
According to a Microsoft post about the attack, after using the Orion update vulnerability to access their victims’ networks, the hackers began to burgle select signing certificates, which allowed them to mimic not only their marks’ existing users but their accounts as well… including the “highly privileged” accounts.
What’s really unsettling is that FireEye stated in a post of their own that a multitude of businesses may have been infected since around the beginning of stay-at-home orders. Additionally, these are not “set it and forget it” attacks; each attack was carefully planned and executed and required manual manipulation.
SolarWinds, for their part, have acknowledged that products released both in March and June of this year were likely weaponized by a nation-state.
For as many answers as we have, there are still at least that many questions. We will continue to write about this massive breach as more information becomes available.