Abacode Blog-Lessons Learned From FireEye and SolarWinds Breach
Jeremy Rasmussen

“In preparing for battle,
I have always found that plans are useless,
but planning is indispensable.”

– Attributed to General Dwight D. Eisenhower

This quote succinctly summarizes the modern approach to cybersecurity. We attempt to be as proactive and prepared as possible, but when the stuff hits the fan, you have to be able to detect and respond in a nimble, effective manner.

Let’s take a look at the FireEye breach, and I do so not in a critical manner at all, for I know that we are constantly targeted as well; and perhaps if my own firm had gone after some of the Advanced Persistent Threat (APT) actors like Mandiant/FireEye has, we would see nation-state resources dedicated to infiltrating us as well.

In 2013, Mandiant/FireEye published a report with evidence linking APT1, a group that sponsored “an enterprise-scale computer espionage campaign,” to China’s 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department (Military Cover Designator 61398).

The 2018 book The Perfect Weapon: War, Sabotage, and Fear in the Cyber Age by David Sanger says that Mandiant/FireEye got this information by actually “hacking back” and penetrating the Chinese military cyber unit after the latter had breached a Mandiant client’s systems in 2012. Mandiant/FireEye disputes this claim, but according to Perfect Weapon, Mandiant/FireEye was able to get into the Chinese attackers’ systems, even to the extent of accessing video cameras to snapshot the hackers’ faces.

Whether they hacked back, or did not, there was no doubt that Mandiant (which merged with FireEye in 2014) had become a thorn in the side of APT groups and would have a target on their back forever thereafter.

Fast forward to 2020. In this case, it was likely the Russians, and not the Chinese, who finally found a way into the FireEye fortress and gained access to their proprietary tools and data. What was the hackers’ intent? To embarrass? Maybe. Revenge? Probably. But most likely, it was to collect valuable intelligence, in terms of intellectual property, allowing them to circumvent security measures in the future.

What was the biggest prize of the hack? The trove of Red Teaming (penetration testing) tools used by FireEye. These have already started to show up in some forums, just as we saw with the ShadowBrokers after their breach of the NSA’s Equation Group in 2017.

How did they do it? FireEye discovered that the hack came through a trojanized update to the SolarWinds Orion business software, which was used to distribute malware that FireEye dubbed “SUNBURST.”

For the uninitiated: SolarWinds is software that allows for centralized health/status monitoring and management of corporate networks. For anyone using the software, the Orion suite would have a wide reach, touching mostly everything in the enterprise. SolarWinds customers include Microsoft, McDonald’s, Lockheed Martin, and Yahoo, as well as many government and military departments in the US and internationally.

Disturbingly, FireEye, as well as 18,000 other SolarWinds customers, would have downloaded the malicious Orion software update, which was actually cryptographically signed (i.e., vendor “verified” software) by SolarWinds between March (version 2019.4 HF 5) and June of 2020 (version 2020.2.1).

The trojan itself stayed dormant for a couple of weeks before it began connecting out to command & control sites to retrieve and execute commands, including the ability to transfer and execute files, pull system profile info, reboot machines, and disable services.

The malware evades detection by mimicking normal SolarWinds API communications, interleaving its network traffic with legitimate SolarWinds Orion Improvement Program (OIP) protocol traffic, and even storing its reconnaissance results within legitimate plug-in configuration files. The trojan also uses multiple obfuscated blocklists to sidestep endpoint protection tools running as processes, services, and drivers.

So, how did SolarWinds get hacked? We don’t know yet. According to SolarWinds, the attack

“was likely the result of a highly sophisticated, targeted, and manual supply chain attack by an outside nation state, but we have not independently verified the identity of the attacker.”

Some have said there’s the possibility of an insider at SolarWinds who helped the hackers gain access to its clients, perhaps like the attempt at Tesla earlier this year. Or maybe the attackers exploited a weakness in a public-facing system, meaning they could have targeted SolarWinds remotely.

According to a SolarWinds report filed with the U.S. Securities and Exchange Commission (SEC), it was a DevOps security issue: “the vulnerability … was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products.”

DevOps is, of course, the combination of development (Dev) and operations (Ops) – i.e., the people, processes, and technology used to put out new software builds. “DevSecOps”, a newer term, is the concept of adding security into this process through automation at every step of the software development life-cycle. Perhaps if SolarWinds had better DevSecOps practices in place, it could have detected and stopped the malware before it was widely propagated.
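One automated check of the kind described above, as an added example (not SolarWinds' or Abacode's own process): before signing, compare the release artifact file by file against an independent rebuild from the source repository, so a change injected in the build system shows up as a mismatch. It assumes the build is deterministic; the file names and contents are constructed.

```python
import hashlib
import io
import zipfile


def manifest(zip_bytes):
    """Map each file inside a zip artifact to the SHA-256 of its contents.

    Hashing member contents (not the archive) ignores zip timestamps.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: hashlib.sha256(zf.read(info)).hexdigest()
                for info in zf.infolist() if not info.is_dir()}


def diff_artifacts(release_zip, rebuild_zip):
    """Compare the artifact queued for signing with an independent rebuild."""
    rel, ref = manifest(release_zip), manifest(rebuild_zip)
    return {
        "modified": sorted(p for p in rel.keys() & ref.keys() if rel[p] != ref[p]),
        "added": sorted(rel.keys() - ref.keys()),
        "missing": sorted(ref.keys() - rel.keys()),
    }


def release_gate(release_zip, rebuild_zip):
    """Return (ok_to_sign, findings); any difference blocks signing."""
    findings = diff_artifacts(release_zip, rebuild_zip)
    return not any(findings.values()), findings


def make_zip(files):
    """Helper for the sample data: build a zip in memory from {path: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files.items()):
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample: the rebuild from source vs. a build-server output in
# which one library differs even though the repository is unchanged.
REBUILD = {"bin/Monitor.Core.dll": b"core-v1", "config/app.config": b"<cfg/>"}
BUILD_SERVER = dict(REBUILD, **{"bin/Monitor.Core.dll": b"core-v1+extra"})

if __name__ == "__main__":
    ok, findings = release_gate(make_zip(BUILD_SERVER), make_zip(REBUILD))
    print("sign" if ok else "BLOCK", findings)
```

The code signature tells customers who published the package; this gate is what ties the package back to the reviewed source.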

No matter how it happened, I hope the lesson is very clear here for everyone: no matter who you are and no matter how sophisticated, it’s not if you will be targeted, but when, and how ready you will be to respond.

From a monitoring standpoint, Abacode already has signatures of the attack and is able to alert on command & control traffic. In following the MITRE ATT&CK Framework, we see that defense evasion, command & control, data exfiltration, and so forth are all Indicators of Compromise (IOCs) to be investigated. As we have said before, unless you have a third party such as Abacode with eyes-on-glass, 24/7/365 monitoring for these IOCs, you are flying blind.

Something else that has occurred to me, while perusing the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) for Critical Infrastructure Protection, is that the majority of controls in their checklist are reactive (i.e., monitor/contain/respond/improve) rather than proactive (i.e., prevent/engineer/architect).

There’s little FireEye could have done to prevent this attack when they were using signed software from a trusted vendor. The attackers also worked hard to obfuscate and cover their tracks. So how quickly FireEye could detect, respond, recover, and improve for the future became paramount in this case.

This is the modern approach to cybersecurity: we’ve more or less admitted that “defending is useless” (paraphrasing Eisenhower) and darn near impossible – i.e., you’re sure to miss something. But as long as you have good visibility into your systems and a good incident handling protocol, you’re doing the best you can to lower risk.

The flip-side is also true: if you don’t have continuous monitoring (24/7/365 managed detection & response), you really have nothing. No security at all.

If you are a SolarWinds customer, or even if you’re not, what can you do, today?

  • Have Abacode perform a comprehensive assessment of your security posture versus a best-practices framework, such as NIST CSF, and design a managed program for reducing cyber risk at all levels.
  • Implement Abacode’s Cyber Lorica™ managed detection and response (MDR) immediately to give you visibility & IR handling capability.
  • If you are developing software or hardware, speak to Abacode about our DevSecOps assistance. We can help imbue your system development lifecycle with security practices, provide deep-dive security training for developers, and offer security testing-as-a-service (both static/source-code and dynamic/running-app).