No Simple Fix For SolarWinds Supply Chain Attack – Says FireEye
The cybersecurity firm FireEye, which discovered the SolarWinds supply chain attack, said that the investigation of this almost seven-month-old cyber attack is still in its early stages, with little progress so far in analysing the attack or tracing the intruder. The attack has massively and shockingly impacted both the private and the government sector of the US. On Tuesday, FireEye released a tool and published a white paper to help victims of the attack determine whether the attackers have entered and remain active in their environments, and to cleanse their installations of Microsoft 365, the cloud-based service that holds users' tools, emails and documents.
They explained that their aim is not only to trace and kick out the attackers but also to block them from breaking in again. The leader of the assessment team explained that actually evicting the attackers requires several specific steps. FireEye first discovered the SolarWinds attack in December 2020, and since then breaches have been discovered at various government agencies, including the Departments of Justice, Treasury and Commerce and the federal courts, and at several private-sector organizations, mainly software companies and think tanks. The attackers managed to stay hidden for months, carefully selecting their targets from the total of 18,000 affected victims.
They said that they are still discovering fresh victims every day and consider themselves to be in the early stages of understanding the scope of the attack. It has not been made clear exactly who the compromised victims are; one reason may be that many of the affected users still do not understand what the attackers did, and until they do, they feel no urge to report.
Charles Carmakal, chief technical officer at FireEye, explains that the attacker behind this cyber attack is very good: patient, disciplined, evasive and experienced, which has made it very difficult for anyone to understand the scope and effects of the attack. He also believes that there are far more victims than have been made public, that more will emerge with time, and that the attackers may continue to access other organizations, producing fresh victims.
Even Microsoft was affected by the attackers; it disclosed this on 31 December 2020, explaining that the attackers had viewed part of its source code but that its systems were never compromised or used to attack others. Software organizations are believed to have been the attacker's main targets, as the attackers can continue to use the product even after being discovered or blocked.
The attackers' knowledge of how the relevant software works allowed them to create tokens and certificates that were used to get into Microsoft 365 installations without verification or sign-in. Because of this, detecting anything has been extremely difficult (it is like a ghost hijacking). Charles Carmakal said that the attackers concentrated mainly on two types of accounts, in order to stay informed about the measures being considered to eradicate them: accounts that had high-level network access and accounts that contained valuable information.
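The "ghost hijacking" described above (a token accepted by the cloud service even though no sign-in ever happened at the identity provider) is exactly the kind of gap a defender can look for by correlating two log sources. The following is an added illustration, not a tool from FireEye or from the article: it takes constructed token-validation records and constructed interactive sign-in records and flags a token when it was signed with a key the identity provider is not known to use, when its lifetime is implausibly long, or when no interactive sign-in for that account occurred shortly before the token was issued. The record layout, the known-key set, and the thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TokenUse:
    """A token presented to the cloud service (assumed log shape)."""
    token_id: str
    account: str
    signing_key: str      # key id that signed the token
    issued_at: datetime
    expires_at: datetime


@dataclass
class SignIn:
    """An interactive sign-in recorded by the identity provider (assumed log shape)."""
    account: str
    at: datetime


# Assumptions for the example: the identity provider's legitimate signing key(s),
# the longest token lifetime it should ever issue, and how long after an
# interactive sign-in a token issuance may follow and still be considered linked.
KNOWN_SIGNING_KEYS = {"idp-key-2021"}
MAX_LIFETIME = timedelta(hours=1)
SIGNIN_WINDOW = timedelta(minutes=5)


def suspicious_tokens(tokens, signins, known_keys=KNOWN_SIGNING_KEYS,
                      max_lifetime=MAX_LIFETIME, window=SIGNIN_WINDOW):
    """Return (token_id, account, reasons) for every token that fails a check."""
    signins_by_account = {}
    for s in signins:
        signins_by_account.setdefault(s.account, []).append(s.at)

    findings = []
    for t in tokens:
        reasons = []
        # A token signed by a key the IdP does not use cannot have come from the IdP.
        if t.signing_key not in known_keys:
            reasons.append("unknown signing key")
        # Forged tokens are often minted with generous lifetimes to avoid re-forging.
        if t.expires_at - t.issued_at > max_lifetime:
            reasons.append("lifetime too long")
        # A genuine token should follow an interactive sign-in by the same account
        # within the window; a token with no such sign-in was not issued normally.
        recent = signins_by_account.get(t.account, [])
        if not any(timedelta(0) <= t.issued_at - at <= window for at in recent):
            reasons.append("no matching sign-in")
        if reasons:
            findings.append((t.token_id, t.account, reasons))
    return findings


def demo():
    """Run the checks over constructed sample records."""
    base = datetime(2021, 1, 15, 9, 0)
    signins = [SignIn("alice", base)]  # constructed: alice signs in at 09:00
    tokens = [
        # legitimate: issued one minute after alice's sign-in, short-lived, known key
        TokenUse("tok-1", "alice", "idp-key-2021",
                 base + timedelta(minutes=1), base + timedelta(hours=1, minutes=1)),
        # forged-looking: privileged account, unknown key, 24h lifetime, no sign-in
        TokenUse("tok-2", "admin-bob", "rogue-key",
                 base + timedelta(minutes=10), base + timedelta(hours=24, minutes=10)),
        # otherwise well-formed token, but alice did not sign in anywhere near 13:00
        TokenUse("tok-3", "alice", "idp-key-2021",
                 base + timedelta(hours=4), base + timedelta(hours=5)),
    ]
    return suspicious_tokens(tokens, signins)


if __name__ == "__main__":
    for token_id, account, reasons in demo():
        print(f"{token_id} ({account}): {', '.join(reasons)}")
```

In a real environment the two inputs would come from the cloud service's token or audit log and the identity provider's sign-in log, and the known-key set would be the signing certificates actually configured on the federation trust; the point of the correlation is that a token which the service accepted but which no identity-provider event can account for deserves a closer look, regardless of how valid it appeared to the service.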
When targeting a software company, the hackers would examine the data repositories of its top engineers; when their targets were government agencies, they would access important intelligence, emails and national-security-related documents.