This means that there are actually three subgroups within the potential victims of these attacks: Orion users who installed the backdoor but were never exploited for any other purpose; Victims who had malicious activity on their networks but were ultimately not attractive targets for attackers; and victims who, in fact, have been severely compromised for holding valuable data.
“If they don’t exfiltrate data, it’s because they didn’t want to,” says Jake Williams, former NSA hacker and founder of the security firm Rendition Infosec. “If they didn’t have access, it was because they weren’t interested.”
Nobody knows how deep Russia’s hacking rampage goes
Even so, these first and second groups still have to castrate the back door to prevent future access. With FireEye’s ability to analyze indicators from its own breach, FireEye spearheaded an initiative that other companies have since joined to release information about the anatomy of the attacks. The “compromise indicators” include IP addresses and responses to Domain Name Service records associated with the attacker’s malicious infrastructure. Responders and victims can use this information to check whether servers or other devices on their networks have communicated with the hackers’ systems. Microsoft also worked with FireEye and GoDaddy to create some sort of “kill switch” for the back door by taking control of the IP addresses the malware communicates with so that commands can no longer be received.
Getting rid of the back door is vital, especially since the attackers are still actively exploiting it. And now that the technical details of their infrastructure are public, there is also the risk that other hackers will also use the malicious access if it is not blocked.
In the house
However, for victims who have made deeper compromises, it is not enough to simply close the door as attackers have already established themselves inside.
With clear targets like US government agencies, the question arises of what exactly attackers have access to and what the overall picture that information can paint in terms of geopolitics, US defense and offensive capabilities across the Department of Defense, critical infrastructure, and more.
It is difficult and time consuming to pinpoint exactly what was recorded. For example, some reports have indicated that hackers have breached critical systems of the Department of Energy’s National Nuclear Security Administration, which is responsible for the US nuclear arsenal. But DOE spokesman Shaylyn Hynes said in a statement late Thursday that while attackers accessed DOE “business networks” they did not breach “the ministry’s” mission-critical national security functions. “
“The investigation is ongoing and the response to this incident is real time,” said Hynes.
This is the situation for all victims at this point. Some targets will continue to find that they were more affected than they initially thought. others may find that hackers kicked the tires but went no further. This is the core threat of a supply chain attack like the SolarWinds breach. Attackers suddenly get a large amount of access and can select victims while the emergency services catch up.
While it is difficult to determine the full extent of the situation, researchers have made a concerted effort to find out who was hit hard and how. By tracking and associating IP addresses, DNS records, and other attacker flags, security analysts are even developing methods for proactively identifying targets. For example, on Friday Kaspersky Labs released a tool that can decode DNS requests from the attacker’s command and control infrastructure in order to indicate which targets the hackers prioritized.
The hacking Spree news is likely to last for weeks as more and more companies figure out where they fit in the potential targets rubric. Microsoft President Brad Smith wrote Thursday that the company has notified more than 40 customers of signs of deep intrusion into their networks. And Microsoft says the vast majority of these victims are in the US, but some are in seven other countries: Canada, Mexico, Belgium, Spain, the UK, Israel, and the United Arab Emirates. “It is certain that the number and location of victims will continue to increase,” added Smith.
Later that night, Microsoft confirmed that it had also been compromised in the campaign.
More great WIRED stories