• Netenrich
  • /
  • Blog
  • /
  • US Government Officially Points Finger At Russia For The Solarwinds Attack – KNOW More

US Government Officially Points Finger At Russia For The Solarwinds Attack – KNOW More

Post by rajarshi Jan 07, 2021

The US government has finally decided to blame Russia for the infamous SolarWinds attack. As per the report, the hack was an “intelligence gathering effort” by Cozy Bear – the threat actor responsible with ties to the Kremlin. This was one of the top trending stories as collated by KNOW – our cybersecurity news aggregator and threat intel platform.

sunburst threat intelligence overview

How did the SolarWinds attack happen?

The hackers infiltrated SolarWinds’ Orion Software by injecting trojan malware. By doing so, the hackers could spy on multiple government agencies like the US Treasury, State Department, and the Department of Homeland Security. They also managed to infiltrate Microsoft products and cloud service provider VMware.

Aftermaths of the SolarWinds attack

SolarWinds has been sued by an investor who claimed that the firm was aware of the vulnerability but didn’t take any steps to remediate it. Meanwhile, the US National Security Council created a new task force named the “Cyber Unified Coordination Group” (UCG). They will be responsible for investigating the SolarWinds attack and lead remediation efforts. As per the authorities:

“The UCG remains focused on ensuring that victims are identified and able to remediate their systems, and that evidence is preserved and collected. Additional information, including indicators of compromise, will be made public as they become available.”

Reactions from Twitter

#1 CISA

#2 Carla Gentry

#3 ZDNet

SolarWinds attack context from KNOW

KNOW attaches automated threat context to the stories it collates. In this story, it has attached context for Sunburst and APT 29 aka Cozy Bear.

#1 What is Sunburst?

Sunburst is a trojanized version of SoalrWinds.Orion.Core.BusinessLayer.dll of Solarwind Orion IT monitoring tool. The trojanized file delivers the SUNBURST malware through a backdoor as part of a digitally-signed Windows Installer Patch.

Industries targeted

  • Information Technology
  • Consulting
  • Telecommunications
  • Cybersecurity

Sunburst references from KNOW

Sunburst references from KNOW

 

  • Total references: 3,000
  • Previous 60 days: 2,000
  • Last 7 days: 288

Sunburst context from KNOW

  • Related intrusion methods: Data Exfiltration, Computer Network Exploitation, Steganography.
  • Associated threat actors: APT29 The Dukes and UNC2452
  • IPs: 7
  • Domains: 5
  • Hashes: 17
  • URLs: 1
  • Most sandbox sighting: Hybrid Analysis result for ‘876a6b9a546cade33fc5665c11911fb1722a6763196fdbee5fa720f2f8baac23’

#2 More on Cozy Bear

Prior to this attack, Cozy Bear’s victims primarily belonged to Western Europe, Brazil, China, Japan, Mexico, New Zealand, South Korea, Turkey, and Central Asian countries.

Cozy Bear references from KNOW

cozy bear references from social media

  • Total references: 4,000
  • Last 60 days: 364
  • Previous 7 days: 298

Cozy Bear context from KNOW

cozy bear context from KNOW

  • Risk rules triggered: 7 out of 48
  • Campaign: Operation Ghost
  • Hashes: 35
  • Industries affected: industries: Healthcare, Energy & Natural Resources, Healthcare Providers, Finance, Aerospace & Defense, Education, and Research
  • Most recent sandbox sighting: Hybrid Analysis result for ‘Tracking GhostNet_ Investigating Cyber Espionage – Network Information Warfare Monitor.pdf’
  • Related intrusion methods: Phishing, Web shell, Data Exfiltration, Social Engineering, Privilege Escalation, Spam Campaign, Directory Traversal and 14 more
  • Malware: WellMail, WellMess, OnionDuke, MiniDuke, RegDuke, PolyglotDuke, PoisonIvy, Cloudlook, SOGU, and njRAT
  • Vulnerabilities: CVE-2019-11510, CVE-2018-13379, CVE-2019-19781, and CVE-2019-9670

Secure your systems with a 1-2 punch of threat and attack surface intelligence

KNOW first. Act fast.

Companies invest thousands (conservatively) in firewalls, SIEMs, anti-malware, Intrusion Prevention/ Detection Systems (IPS/IDS), and other security tools. Yet, they produce gazillions of alerts, most of which turn out to be false positives. Netenrich delivers a powerful combination of Threat and Attack Surface Intelligence led by machines and powered by security experts.

Empower your SecOps to:

  • Find hidden risks to your brand on the public Internet
  • Stay informed about threats in a minute versus hours
  • Act on the most critical threats first

Interested?

YES I AM

Oh and since you are here, why don’t you check out our latest article on how you can turn 2020’s cybersecurity challenges into next year’s opportunities?

SHOW ME

 

rajarshi

About the Author

rajarshi

Subscribe To Our Newsletter!

The best source of information for Security, Networks, Cloud, and ITOps best practices. Join us.

Thank you for subscribing!

Related Post

Hacker with a hoodie typing on a laptop
Jun 28 2021

Clop ransomware and Molerats resurface again – Threats

Clop ransomware launches a series of new attacks, ...

Read More
Hacker wearing a black hoodie typing on a computer
Jun 18 2021

KNOW this week – Avaddon, Fancy Lazarus, CVE-2021-3195

Deploy a reliable endpoint detection and resolutio...

Read More
A person pushing another away with imaginary power force
Jun 07 2021

Darkside ransomware, Sodinokibi ransomware and CVE-2018-1337

There’s an increasing trend in ransomware attacks ...

Read More