The "Golden Chain Bear" has victimized more than 200 institutions in what may be the most serious APT attack of the year



Robert O'Brien, the US Assistant to the President for National Security Affairs, cut short his travel on the 15th local time and returned urgently from Paris to Washington to coordinate the handling of the cyberattack on US government agencies.

As of December 16, at least 200 important institutions have been confirmed as victims. The compromise reaches sensitive institutions in the world's most technologically developed regions, such as North America and Europe, with the United States accounting for more than 60% of victims. It was also discovered that the operation may have been carried out by an organized group of hundreds of people.

Of the victimized institutions, the U.S. accounts for more than 60%

In response to this attack, Microsoft announced that from 0:00 on December 17, Beijing time, Microsoft Defender would begin blocking known malicious SolarWinds installation files. At the same time, according to a report by foreign media outlet ZDNet, Microsoft has taken control of the server behind the domain name that played a core role in this incident.

The core domain name was pointed to an IP address owned by Microsoft. According to the logic pre-built into the attack sample, this immediately terminated the related attack activity on all victims.

This is clearly an emergency response by the United States to this APT incident. According to reports from the Wall Street Journal and many other US media, if cyber-espionage activities are rated on a scale of 1 to 10 by their possible severity and impact on national security, this operation reaches level 10. The Cybersecurity and Infrastructure Security Agency of the US Department of Homeland Security even issued an emergency directive stating that the current hacking activity may endanger government systems.

According to information from the Qi Anxin CERT cybersecurity knowledge base, at least 200 organizations have been targeted by the APT group. The victims are governments, technology companies and telecommunications companies in North America, Europe, Asia and the Middle East, spanning the military and energy sectors and many other industries that bear on national security. As of December 16, 124 organizations in the United States had been attacked, accounting for 62%.

Qi Anxin CERT security expert rem4x@A-TEAM believes that this is a software supply chain attack capable of affecting large organizations around the world. The group's APT attack shows strong strategic intent: its aim may be long-term control of certain important targets, or obtaining enough credentials to sustain long-term activity.

The operation was carried out by a group of hundreds of people

According to the analysis, this is a collective APT organization of hundreds of people. It has a large structure, a clear division of labor, strong discipline and stealthy attack methods. In carrying out this task, it employed at least three operational units with different functions.

Based on the attack methods and sample analysis, Qi Anxin CERT sketched out the APT group's operational roadmap: "This attack has three combat missions, which are completed by three independent operational units," Qi Anxin CERT security expert rem4x@A-TEAM said.

Combat mission one: invade the supplier and cast a wide net

rem4x@A-TEAM judged that the APT group selected the world-renowned network management software vendor SolarWinds as the target of the intrusion. The software is used by more than 200,000 organizations worldwide, and its customers include all five branches of the US military, the Pentagon, the State Department, the Department of Justice, the National Aeronautics and Space Administration, the Executive Office of the President, and the National Security Agency.

This APT attack first compromised the update server of SolarWinds' Orion network monitoring software and planted malicious code. The tainted SolarWinds software carries the company's own signature, which indicates that SolarWinds itself was likely fully compromised by the attackers.

SolarWinds also said in its statement: "According to monitoring, the Orion products released between March and June of this year may have been secretly installed on a large number of highly sophisticated, targeted victims." At the same time, the filing SolarWinds submitted to the US Securities and Exchange Commission stated: "About 18,000 customers have downloaded the Trojanized version of SolarWinds Orion."

Combat mission two: carry out the supply chain attack and precisely screen key targets

The group is highly disciplined, and extremely patient and cautious in the timing of its attacks and the choice of its targets.

Qi Anxin CERT believes that at least dozens of people were needed to achieve this goal. These personnel have a superb ability to mimic code: the implanted malicious code is completely consistent with the code style of SolarWinds products and quite unlike typical hacker-written code, which allowed it to pass SolarWinds' complex testing, cross-auditing and verification. Through this process, the malicious code was implanted into the released software version.

After the malicious sample is implanted, it goes through at least 8 steps of complex verification and inspection before the supply chain attack is formally launched. An excerpt of the intercepted attack flowchart is shown below:

Next, the group decides whether to proceed based on the victim information returned, sorting victims into three categories: terminate, wait, and act. It then assigns different action teams to different targets. At least dozens of people are required for this stage, covering infrastructure maintenance, attack framework design and development, and target screening and selection. According to Qi Anxin CERT's analysis as of December 16, the attackers excluded at least 100 targets from the "act" category.

Combat mission three: penetrate specific targets and close the net

According to current statistics, at least 200 target organizations have passed through combat mission two. Once the third phase is launched, the attackers hold the "hand of God" over these 200 organizations...

The 200 key organizations that were victimized are located in the United States, Canada, Japan, Belgium, the Netherlands, Australia and elsewhere, mostly developed countries. By industry, they include critical basic sectors such as defense technology, government, medical services, education, finance, and food.

Qi Anxin CERT estimates that targeted penetration of 200 key institutions implies 200 attack teams. By a conservative estimate, the number of operational personnel in the third stage may number in the hundreds.

An extremely frightening detail, and one ultimate unanswered question

The detail: the COVID-19 pandemic greatly increased the attack's success rate

The timing of this cyberattack overlaps with the outbreak of the COVID-19 pandemic. SolarWinds' official website shows that during the pandemic the company switched to remote work and said it supported customers worldwide in working online.

From February and March of this year, the COVID-19 pandemic spread globally, accelerating digitalization worldwide, and many companies and institutions shifted their business from offline to online.

Reconstructing the relevant timeline, the attacker updated the NS record of the core control domain name on February 26, 2020. This record is considered the hub of the operation. The diagram is as follows:

The ultimate question: how many "SolarWinds" are there?

SolarWinds said that as early as March of this year, its customers unknowingly installed malware implanted in a seemingly harmless routine update of a software product called Orion. It was this Orion product that became the delivery vehicle of this APT attack.

"How many undiscovered 'SolarWinds' are there, and who will be the next to be discovered? What is the scale and reach of the APT attacks hidden beneath the iceberg?" All of these questions remain unanswerable. "The only certainty is that the security threat from APT attacks is more serious than we thought; what we see is far less than all the possibilities," rem4x@A-TEAM said.


Origin blog.csdn.net/jR2qkuHiR0G/article/details/111350476