Concern is gathering over the effects of the FireEye breach on Britain’s public sector as tight-lipped government departments refuse to say whether UK institutions were accessed by Russian spies.
The hack was carried out by a group thought to be APT29, aka Cozy Bear, a crew of miscreants linked to Russia’s Foreign Intelligence Service, though no firm evidence has yet been put forward publicly. The Reuters financial newswire broke the story, stating that the hackers’ illicit access to US government systems through compromised updates to SolarWinds’ Orion network performance monitoring (NPM) tool had been ongoing since March.
Research by The Register has shown that SolarWinds’ Orion is used widely across the British public sector, ranging from the Home Office and Ministry of Defence through NHS hospitals and trusts, right down to local city councils.
A job advert for the MoD’s Corsham tech bunker lists SolarWinds as one of the tools used by a third-line software support engineer; similarly, a network design engineer job with the MoD’s Defence Equipment and Support agency posted in May also listed SolarWinds proficiency as a “nice-to-have” skill.
SolarWinds’ products are in regular use in the Royal Navy and Royal Air Force, with the company also counting GCHQ, the Cabinet Office, and the Ministry of Justice among its customers. Most concerningly, a company brochure [PDF] also stated that the MoD’s Defence Equipment and Support agency was a SolarWinds customer. DE&S is the agency that maintains Britain’s high-tech fighter jets, submarines, and warships.
A list of SolarWinds’ UK customers taken from a marketing presentation issued by the company.
Local governments also facing possible storm
Down at local government level, the three London boroughs of Brent, Lewisham, and Southwark all use SolarWinds Orion as part of a joint backend IT venture. Meeting minutes [PDF] from July revealed: “The service has also standardised on the Orion SolarWinds monitoring product, initially for the network infrastructure, but this will be expanded to cover other key components such as server compute and storage.”
Other councils around the country also use the product, with the National Cyber Security Centre (NCSC) advising orgs using it to “have these instances installed behind firewalls, disabling internet access for the instances, and limiting the ports and connections to only what are critically necessary”.
Yet government departments fobbed off El Reg’s questions about the hack, referring us to the NCSC’s public statement, which merely said it was “working closely with FireEye and international partners on this incident”.
Microsoft has published a detailed technical blog about the FireEye/SolarWinds compromise, speculating that the Russians may have “compromised internal build or distribution systems of SolarWinds, embedding backdoor code into a legitimate SolarWinds library with the file name SolarWinds.Orion.Core.BusinessLayer.dll”. SolarWinds’ customers are being urgently advised by the firm to upgrade to Orion Platform version 2020.2.1 HF 1 “as soon as possible to ensure the security of your environment”.
The normally talkative cybersecurity sector has been practically silent about the FireEye breaches, a silence that sources suggested to The Register is because smaller firms are scared of being seen to criticise one of the industry’s largest players. Meanwhile, the NCSC’s refusal to answer any questions about the breach suggests its impact may well be larger than officials want to admit.
Meanwhile, in America
The US government’s Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Sunday evening calling for an immediate lockdown by government agencies.
“Affected agencies shall immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network,” the directive stated.
“Until such time as CISA directs affected entities to rebuild the Windows operating system and reinstall the SolarWinds software package, agencies are prohibited from (re)joining the Windows host OS to the enterprise domain.”
In addition, Uncle Sam’s IT admins are told to block all incoming and outgoing traffic to and from machines “where any version of SolarWinds Orion software has been installed,” to conduct forensic analysis of new user or service accounts, and to analyze network logs for suspicious behavior.
CISA also warned that even if servers look clear, administrators should “treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.” ®