The recent SolarWinds attack is perhaps the most sweeping attack on networks worldwide to date. For some context, SolarWinds is a company that provides IT management software used to monitor networks. The attack was carried out by compromising an update of their Orion software, in what is known as a supply chain attack. That update carried a payload of malicious code that gave the perpetrators access to the networks of anyone who installed it.
Unlike other kinds of attack, many organizations are not prepared for supply chain attacks. While this modern equivalent of a Trojan horse could bring the cybercriminals responsible massive financial gains from corporate targets, the real aim appears to have been access to high-profile credentials at the government agencies that fell victim. The attack is a dragnet that catches all sorts of game but processes only the right ones.
Just recently, in a joint statement, the Federal Bureau of Investigation (FBI), the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) said that a Russian-backed Advanced Persistent Threat (APT) group, believed to be Cozy Bear, is behind the attacks, and that the real goal was to gain access to government agencies through a sweeping attack. In short, espionage.
According to a DoJ spokesman, it is believed that over 3,000 US Justice Department Office 365 mailboxes have been compromised. Other affected agencies include the US Department of State, the Department of Energy (which stoked fears that the hackers are after major utilities), the Department of Homeland Security, and the National Nuclear Security Administration.
SolarWinds products serve over 18,000 customers, including not only the agencies named above but a large majority of the Fortune 500, the US military, the Pentagon, and hundreds of universities worldwide. SolarWinds has since advised customers to upgrade to clean versions of their Orion software, but security experts have advised them to keep watching for further suspicious activity, since the perpetrators who have already gained access have moved laterally within their networks.