CozyBear Breach

Ongoing Cyber Attack Uses SolarWinds Software Update to Distribute Malware

Beckage’s Incident Response Team is monitoring an evolving hacking campaign that is leveraging a popular managed service provider named SolarWinds.

What happened?

Beginning over the weekend, multiple organizations around the globe, including United States government agencies, have been targeted by a hacking campaign reportedly carried out by a Russian organization known as CozyBear, APT29, or UNC2452.  While cybersecurity officials are currently scrambling to implement countermeasures, initial signs suggest this campaign has been running for months. 

Who has been affected?

FireEye, an American cybersecurity firm that was one of the organizations accessed, has led much of the analysis on this sophisticated cyber attack.  Other victims so far include government agencies, consulting, technology, telecom, and oil and gas companies across North America, Asia, Europe, and the Middle East.

How was this attack carried out?

The attackers used a trojanized SolarWinds Orion business software update to distribute a backdoor called SUNBURST.  Once this Trojan has infiltrated a server, the attackers are able to remotely control the devices on which this update has been installed.  They can use this access to move freely throughout an organization’s server, installing additional software, creating new accounts, and accessing sensitive data and valuable resources.  By confirming itself as an authorized user, the attackers may be able to maintain this access even if the SolarWinds backdoor is removed, creating a slew of additional issues that may present themselves in the future.

The SUNBURST malware is stealthily designed to make it very difficult to determine whether a computer has been affected.  After the backdoor has accessed a device, it waits quietly for a period of 12 to 14 days before taking any action.  Once activated, the attacker sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment.  This allows the attacker to blend into the environment, avoid suspicion, and evade detection.  The attackers also use primarily IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.

What to do now

Beckage recommends that organizations using SolarWinds as a provider implement several preventative steps to safeguard their organization including of the following measures:

  • Review current incident response protocols and processes.
  • Carefully craft internal and external messaging and FAQs with an experienced data breach attorney.
  • Make sure employees know who to contact if they have reason to believe there is suspicious activity.

Beckage has extensive experience dealing with headline-making data incidents similar to the CozyBear attack.  Our team can assist you with implementing urgent preventative actions to avoid falling pray to this attack.  If your systems have been accessed, we can work to minimize your legal exposure and regulatory vulnerabilities and manage response efforts and communications with any relevant stakeholders.

If an attack is detected and additional resources are needed, Beckage can be reached using our 24/7 Data Breach Hotline at 844-502-9363.

The Big Take Away

Attackers continue to target service providers.  This incident is one more piece of evidence that service providers are highly desirable and valuable businesses to compromise because they can provide an attacker with access to many, many clients.  Attackers are looking for the hub of the wheel, so they can expand into all the spokes and carry out many simultaneous breaches.

This reality makes vendor management programs, including vendor security audits and initial security questionnaires of service providers more essential than ever.  Beckage’s clients benefit from our counsel on vetting vendors and service providers in order to mitigate risk of falling victim to a cyber attack because of a vendor compromise.

A Holiday Reminder on Malicious Activity

Phishing campaigns, email compromise, and ransomware activities are extremely common around the holiday season. As a reminder, be sure your organization is being diligent in your efforts against these types of attacks even if you have not been affected by this particular incident.

*Attorney advertising. Prior Results do not guarantee future outcomes.

Subscribe to our Newsletter.