A Russia-linked hacker group, APT29, has used a vulnerability in frequently used network software to carry out a major hack into US government computers.

Pádraig Belton, Contributor, Light Reading

December 14, 2020

4 Min Read
Russia-linked cyber group hacks US government agencies

An extremely ambitious cyber-espionage campaign linked to Russia has infiltrated several US government agencies, in the biggest US government breach for years.

The affected agencies include America's Treasury department and National Telecommunications and Information Administration (NTIA), which oversees telecom policy and is part of the Commerce Department.

A hacking group linked to the Russian Foreign Intelligence Service (SVR), known as APT29 or occasionally as Cozy Bear, is currently the chief suspect, say cybersecurity experts who have described it as a "ten out of ten" attack in terms of severity and national-security implications.

The hacking campaign made use of a vulnerability in SolarWinds' Orion platform, which many government agencies and large companies use to monitor and manage their networks.

Hackers managed to insert malware into SolarWinds software updates, possibly as early as spring 2020, says the cybersecurity company FireEye.

As a result, the APT29 attackers can "gain access to network traffic management systems," with the only known remedy being disconnecting affected devices, said the US government's Cybersecurity and Infrastructure Security Agency (CISA).

The APT stands for advanced persistent threat, a normally state-linked group able to gain unauthorized access to computer networks and stay undetected for lengthy periods.

Officer, the hacker ransomware

This APT29 group had previously made attempts to steal coronavirus vaccine research in the US, the UK and Canada.

The same group, during the 2016 presidential campaign, targeted Democratic National Committee party servers in a likely effort to harm Hillary Clinton's presidential hopes, US intelligence officials believe.

Hacks of this type "take exceptional tradecraft and time," with this attack probably "underway for many months" says Chris Krebs, who directed the Cybersecurity and Infrastructure Security Agency from November 2018 until November 2020.

President Donald Trump fired Krebs as the US's top cyber official on November 17 for saying claims of cyber tampering with that month's US elections were either "unsubstantiated or are technically incoherent." The US cyber agency is currently headed by an acting director, Brandon Wales.

Want to know more about 5G? Check out our dedicated 5G content channel here on Light Reading.

This is only the fifth time since 2015 the US Department of Homeland Security has used its legal powers to issue a formal directive order, in this case requiring US government agencies to immediately disconnect any machines running the impacted SolarWind software.

"It's almost impossible to overstate how bad this SolarWinds hack is going to end up being. The amount of data that could be compromised is unfathomable," says a former US government employee who runs a popular whistleblower account on Twitter.

"This is one of the most successful state directed cyberattacks in recent memory," with 275,000 government and enterprise customers receiving compromised updates between March and June, says the former staffer.

Vladimir computin'

The code allows a hacker to hijack and overwrite named scheduled tasks by using a technique APT29 invented in 2014, says Microsoft's Nick Carr on Twitter.

The malware seems to export an XML task to its working directory before modifying and re-importing it, adds FireEye's Matthew Dunwoody.

This "highly sophisticated" attack "was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack," said SolarWinds on Sunday.

FireEye, which has 3,000 employees in 19 offices, said it had itself been a victim of the hack last week.

The San Francisco Bay area company said it had also found "numerous" other victims in government, telecom, extractive, technology and other industries in North America, Europe, Asia and the Middle East.

FireEye has named the malware code SUNBURST, though Microsoft has called it Solorigate. Earlier today, FireEye published a technical report with further details it has managed to find out.

And Krebs offers advice to companies that use the SolarWinds product.

"Assume compromise and immediately activate your incident response team," he says.

"Odds are you're not affected, as this may be a resource intensive hack," one that is executed by hand against particular targets of particular interest to the APT29 group and its state masters, he says.

"Focus on your Crown Jewels. You can manage this," he says.

Related posts:

— Padraig Belton, contributing editor, special to Light Reading

About the Author(s)

Pádraig Belton

Contributor, Light Reading

Contributor, Light Reading

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like