What at first seemed to be a targeted attack against FireEye turned out to be a far larger espionage campaign against the United States, associated with APT29.
The SolarWinds attackers, also linked to a Mimecast attack on Jan 13th, executed a sophisticated supply chain attack that infiltrated cloud service providers. By compromising the vendor's secret key, the attackers gained covert access to thousands of its customers. The attack escalated with the discovery of additional malware, including links to Russian origins, and suspicions of JetBrains TeamCity involvement, which the company denies.
The scope of the attack continued to grow, affecting at least 250 federal agencies. On Jan 5th, the U.S. officially named Russia as the perpetrator, and subsequent updates from CISA and reports of various attack vectors, including cloud-based methods, unfolded in the following weeks.
The campaign used advanced tactics such as the "Golden SAML" technique and a zero-day authentication bypass exploit named SUPERNOVA in the SolarWinds product. The situation intensified with the compromise of multiple U.S. agencies, underscoring the severity of the threat.
The large-scale campaign showed the attackers expanding from on-premises systems into cloud environments, a hybrid threat that requires collaboration between on-premises and cloud security teams. The following attack vectors were exploited:
- Direct exposure of SolarWinds instances deployed in the cloud
- Lateral movement between on-premises and cloud environments
- Long-term access via hard-to-trace identity backdoors
- Long-term access via backdoors
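The "Golden SAML" technique and the identity-backdoor vector above share one detectable property: a forged SAML assertion is signed offline with the stolen token-signing key, so the cloud provider accepts it while the on-premises federation server has no record of issuing it. The following Python script is an added example (not code from the page or from any vendor) of the correlation check a defender can run. It assumes a constructed pipe-delimited federation-server audit format and a constructed cloud sign-in format that records the assertion ID, validity window and signing-certificate thumbprint; real log schemas differ and the field names here are placeholders.

```python
"""Hunt for Golden SAML indicators by correlating federation-server
issuance events with cloud sign-ins that present SAML assertions.

Assumptions (constructed for this example, not from the page):
  - the federation server writes one audit record per issued assertion,
    format: ts|ISSUE|assertion_id|user
  - the cloud sign-in log records the assertion presented,
    format: ts|assertion_id|user|not_before|not_on_or_after|thumbprint
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT)


@dataclass(frozen=True)
class Issuance:
    assertion_id: str
    user: str
    issued_at: datetime


@dataclass(frozen=True)
class CloudSignIn:
    seen_at: datetime
    assertion_id: str
    user: str
    not_before: datetime
    not_on_or_after: datetime
    signing_thumbprint: str


def parse_issuances(lines):
    """Parse the constructed federation-server audit lines."""
    out = []
    for line in lines:
        ts, kind, aid, user = line.strip().split("|")
        if kind == "ISSUE":
            out.append(Issuance(aid, user, _ts(ts)))
    return out


def parse_cloud_signins(lines):
    """Parse the constructed cloud sign-in lines."""
    out = []
    for line in lines:
        ts, aid, user, nb, noa, thumb = line.strip().split("|")
        out.append(CloudSignIn(_ts(ts), aid, user, _ts(nb), _ts(noa), thumb))
    return out


def find_golden_saml_candidates(issuances, signins, valid_thumbprints,
                                max_lifetime=timedelta(hours=2)):
    """Return {assertion_id: [reasons]} for sign-ins that look forged.

    Checks: (1) the issuer never logged the assertion, (2) issuer and cloud
    disagree on the subject, (3) unknown signing certificate, (4) validity
    window longer than policy allows, (5) assertion used outside its window.
    """
    issued = {i.assertion_id: i for i in issuances}
    findings = {}
    for s in signins:
        reasons = []
        iss = issued.get(s.assertion_id)
        if iss is None:
            reasons.append("no_issuance_event")
        elif iss.user != s.user:
            reasons.append("user_mismatch")
        if s.signing_thumbprint not in valid_thumbprints:
            reasons.append("unknown_signing_certificate")
        if s.not_on_or_after - s.not_before > max_lifetime:
            reasons.append("lifetime_exceeds_policy")
        if not (s.not_before <= s.seen_at < s.not_on_or_after):
            reasons.append("used_outside_validity_window")
        if reasons:
            findings[s.assertion_id] = reasons
    return findings


# Constructed sample logs: two legitimate sessions and one forged assertion
# (_f9) that the federation server never issued and that carries a year-long
# validity window, both typical of an offline-signed token.
FEDERATION_AUDIT_LOG = [
    "2020-12-13T10:00:05Z|ISSUE|_a1|alice@corp.example",
    "2020-12-13T10:07:12Z|ISSUE|_a2|bob@corp.example",
]
CLOUD_SIGNIN_LOG = [
    "2020-12-13T10:00:09Z|_a1|alice@corp.example|2020-12-13T09:55:00Z|2020-12-13T11:00:00Z|AB12",
    "2020-12-13T10:07:20Z|_a2|bob@corp.example|2020-12-13T10:02:00Z|2020-12-13T11:07:00Z|AB12",
    "2020-12-13T23:41:03Z|_f9|admin@corp.example|2020-12-13T00:00:00Z|2021-12-13T00:00:00Z|AB12",
]
VALID_THUMBPRINTS = {"AB12"}  # constructed thumbprint of the current signing cert


def run_demo():
    return find_golden_saml_candidates(parse_issuances(FEDERATION_AUDIT_LOG),
                                       parse_cloud_signins(CLOUD_SIGNIN_LOG),
                                       VALID_THUMBPRINTS)


if __name__ == "__main__":
    for aid, reasons in run_demo().items():
        print(f"suspect assertion {aid}: {', '.join(reasons)}")
```

The first check is the one that matters most: it only works if the federation server's audit logging is enabled and shipped somewhere the attacker cannot edit, which is why log forwarding from the on-premises identity tier to the SOC is part of the on-premises/cloud collaboration the campaign demonstrated was necessary.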