September 25, 2023

State-sponsored actors allegedly working for Russia have targeted US government agencies to monitor internal email traffic as part of a widespread cyberespionage campaign.

The intrusion is attributed to APT29, or Cozy Bear, the same hacking group that’s believed to have orchestrated a breach of US-based cybersecurity firm FireEye a few days ago, leading to the theft of its Red Team penetration testing tools.

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” the statement reads, calling for an emergency review of networks for suspicious activity and for SolarWinds Orion products, which serve most US organizations, to be disconnected or powered down immediately.

FireEye, which is tracking the ongoing intrusion campaign under the moniker “UNC2452,” said the supply chain attack takes advantage of trojanized SolarWinds Orion business software updates to distribute a backdoor called SUNBURST, and that the campaign began as early as 2020.

“Post-compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security,” FireEye said.

SolarWinds Software Backdoor

This rogue version of the SolarWinds Orion plug-in, besides masquerading its network traffic as the Orion Improvement Program (OIP) protocol, is said to communicate via HTTP with remote servers to retrieve and execute malicious commands (“Jobs”) that cover the spyware gamut, including transferring files, executing files, profiling and rebooting the target system, and disabling system services.

Orion Improvement Program or OIP is chiefly used to collect performance and usage statistics data from SolarWinds users for product improvement purposes.
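One way a defender can look for the traffic pattern described above, an Orion server sending telemetry-looking HTTP requests to hosts that are not the vendor's, shown as an added example written for this page (it is not code from the article, FireEye or SolarWinds; the log format, hostnames, allowlist and paths are constructed assumptions):

```python
"""Flag HTTP requests from an Orion server that look like OIP telemetry but
go to destinations outside the vendor allowlist (added example, constructed)."""
import re
from collections import Counter

# Assumed log format (constructed): "timestamp src_host dst_host method path"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(GET|POST|PUT)\s+(\S+)$")

# Assumptions: placeholder hostnames, not real infrastructure.
ORION_HOSTS = {"orion-srv"}
VENDOR_ALLOWLIST = {"updates.example-vendor.test"}
# Path prefix the legitimate telemetry uses in this constructed environment.
OIP_PATH_PREFIX = "/oip/"

# Constructed sample proxy log: two real telemetry posts, three polls to an
# unknown host that reuse the telemetry path style, one unrelated request.
SAMPLE_LOGS = """\
2020-12-14T08:00:01 orion-srv updates.example-vendor.test POST /oip/stats
2020-12-14T08:00:31 orion-srv updates.example-vendor.test POST /oip/stats
2020-12-14T08:01:02 orion-srv node-a1b2.unknown-cloud.test GET /oip/upload
2020-12-14T08:01:33 orion-srv node-a1b2.unknown-cloud.test PUT /oip/events
2020-12-14T08:02:04 orion-srv node-a1b2.unknown-cloud.test GET /oip/upload
2020-12-14T08:05:00 workstation-7 intranet.corp.test GET /index.html
"""

def find_suspect_oip_traffic(log_text, orion_hosts=ORION_HOSTS,
                             allowlist=VENDOR_ALLOWLIST):
    """Return (findings, beacon_counts). Each finding is one request from an
    Orion host to a non-allowlisted destination; beacon_counts tallies how many
    such requests each destination received, since repeated contacts suggest
    polling for commands rather than a one-off download."""
    findings = []
    beacon_counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, method, path = m.groups()
        if src not in orion_hosts or dst in allowlist:
            continue
        findings.append({
            "ts": ts, "dst": dst, "method": method, "path": path,
            # A telemetry-style path sent to a non-vendor host is the
            # masquerade the article describes; mark it explicitly.
            "mimics_oip": path.startswith(OIP_PATH_PREFIX),
        })
        beacon_counts[dst] += 1
    return findings, beacon_counts

if __name__ == "__main__":
    hits, counts = find_suspect_oip_traffic(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} {h['method']} {h['dst']}{h['path']} mimics_oip={h['mimics_oip']}")
    print("contacts per unknown destination:", dict(counts))
```

In a real deployment the allowlist would come from the vendor's documented update and telemetry endpoints, and the source set from the hosts actually running the Orion service.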

Microsoft also corroborated the findings in a separate analysis, stating the attack leveraged the trust associated with SolarWinds software to insert malicious code as part of a larger campaign.

Earlier last week, FireEye was breached and its Red Teaming tools were exfiltrated by the intruders.

The theft also includes exploit payloads that leverage critical vulnerabilities in Pulse Secure SSL VPN (CVE-2019-11510), Microsoft Active Directory (CVE-2020-1472), Zoho ManageEngine Desktop Central (CVE-2020-10189), and Windows Remote Desktop Services (CVE-2019-0708).

This appears to be a large-scale supply chain attack spanning the Middle East, Europe and the US.
