The past four months have exposed two high-profile attacks, both of which had pundits declaring them the "worst-ever" and "unprecedented." They shared other similarities: both targeted businesses rather than individuals, and both affected tens of thousands of organizations.

The SolarWinds hack was a "supply-chain" attack on approximately 18,000 purchasers of the company's Orion software. Two factors made it especially serious. One, Orion clients include numerous large enterprises and U.S. Two, Orion is an "infrastructure monitoring and management" tool. It is well-placed within target networks to reach pretty much any other asset, making it an ideal base camp for an attacker to pursue many goals.

Other elements of the SolarWinds hack are disturbingly familiar. The attack is attributed to a group that Mitre, the nonprofit research organization, tracks in its ATT&CK knowledge base as APT29. You may know APT29 by another name: Cozy Bear. Cozy Bear is also blamed for hacking the Democratic National Committee in 2015. It is believed to be connected to the Russian Foreign Intelligence Service (a.k.a. SVR), which generally collects information, while the GRU, the Russian Military Intelligence Service, weaponizes it.

While APT29 tends to cycle through the offensive tools it uses at any point in time, much of its arsenal is not new. The SolarWinds hack involved the use of Cobalt Strike BEACON for the backdoor – Cobalt Strike is a framework used by red teams for adversary-attack simulation and is well-known to all threat researchers. The twin shocks we must now assess with SolarWinds are the unprecedented scope of the assault – and that we got hit so hard with such recognizable weaponry.

The second hack was against Microsoft Exchange servers and had a more familiar trajectory: attackers found a series of zero-day vulnerabilities that could be chained together to break into any Exchange server that was internet-accessible – and steal all the emails and files stored on it. Depending on how you want to measure damage, these vulnerabilities affected 250,000 Exchange servers, of which at least 30,000 appear to have been compromised.

The unnerving subplot behind the Exchange server hack was that it became a race against the clock: the attackers seemed to have found out that Microsoft was about to issue patches for the vulnerabilities, so they tried to compromise as many servers as possible before Microsoft could distribute them. Even though Microsoft sped up the patch release by a week, most of the damage was done in the 10 days before the patch was issued.

Both hacks involved nation-states.