2020 United States federal government data breach
In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.
The attack, which had gone undetected for months, was first publicly reported on December 13, 2020, and was initially only known to have affected the U.S. Treasury Department and the National Telecommunications and Information Administration, part of the U.S. Department of Commerce. In the following days, more departments and private organizations reported breaches.
The cyberattack that led to the breaches began no later than March 2020. The attackers exploited software or credentials from at least three U.S. firms: Microsoft, SolarWinds, and VMware. A supply chain attack on SolarWinds's Orion software, widely used in government and industry, provided an initial entry point. Microsoft cloud products provided another, allowing the attackers to also breach victims who were not SolarWinds customers. Flaws in Microsoft and VMware products allowed the attackers to access emails and other documents, and to perform federated authentication across victim resources via single sign-on infrastructure.
In addition to the theft of data, the attack caused costly inconvenience to tens of thousands of SolarWinds customers, who had to check whether they had been breached, and had to take systems offline and begin months-long decontamination procedures as a precaution. U.S. Senator Richard J. Durbin described the cyberattack as tantamount to a declaration of war. President Donald Trump was silent for several days after the attack was publicly disclosed. He suggested that China, not Russia, might have been responsible for it, and that "everything is well under control".
Background
SolarWinds, a Texas-based provider of network monitoring software to the U.S. federal government, had shown several security shortcomings prior to the attack. SolarWinds did not employ a chief information security officer or senior director of cybersecurity. Cybercriminals had been selling access to SolarWinds's infrastructure since at least as early as 2017. SolarWinds had been advising customers to disable antivirus tools before installing SolarWinds software. In November 2019, a security researcher had warned SolarWinds that their FTP server was not secure, warning that "any hacker could upload malicious " that would then be distributed to SolarWinds customers. Furthermore, SolarWinds's Microsoft Office 365 account had been compromised, with the attackers able to access emails and possibly other documents.
On December 7, 2020, a few days before trojaned SolarWinds software was publicly confirmed to have been used to attack other organizations, longstanding SolarWinds CEO Kevin Thompson retired. That same day, two private equity firms with ties to SolarWinds's board sold substantial amounts of stock in SolarWinds. The firms denied insider trading.
Methodology
Multiple attack vectors were used in the course of breaching the various victims of the incident.
SolarWinds exploit
The attackers used a supply chain attack. The attackers accessed the build system belonging to the software company SolarWinds, possibly via SolarWinds's Microsoft Office 365 account, which had also been compromised at some point. SolarWinds was using the build management and continuous integration server TeamCity, provided by the Czech company JetBrains. In 2021 The New York Times stated that unknown parties had apparently embedded malware in JetBrains' software and in this way also compromised SolarWinds.
The attackers established a foothold in SolarWinds's software publishing infrastructure no later than September 2019. In the build system, the attackers surreptitiously modified software updates provided by SolarWinds to users of its network monitoring software Orion. The first known modification, in October 2019, was merely a proof of concept. Once the proof had been established, the attackers spent December 2019 to February 2020 setting up a command-and-control infrastructure.
In March 2020, the attackers began to plant remote access tool malware into Orion updates, thereby trojaning them. Orion's users included U.S. government customers in the executive branch, the military, and the intelligence services. If a user installed the update, this would execute the malware payload, which would stay dormant for 12–14 days before attempting to communicate with one or more of several command-and-control servers. The communications were designed to mimic legitimate SolarWinds traffic. If the malware reached one of those servers, this alerted the attackers to a successful deployment and gave them a back door that they could use if they chose to exploit the system further. The malware started to contact command-and-control servers in April 2020, initially from North America and Europe and subsequently from other continents too.
The attackers appear to have utilized only a small fraction of the successful malware deployments: ones located within computer networks belonging to high-value targets. Once inside the target networks, the attackers pivoted, installing exploitation tools such as Cobalt Strike components, and seeking additional access. Because Orion was connected to customers' Office 365 accounts as a trusted third-party application, the attackers were able to access emails and other confidential documents. This access apparently helped them to hunt for certificates that would let them sign SAML tokens, allowing them to masquerade as legitimate users to additional on-premises services and to cloud services like Microsoft Azure Active Directory. Once these additional footholds had been obtained, disabling the compromised Orion software would no longer be sufficient to sever the attackers' access to the target network. Having accessed data of interest, they encrypted and exfiltrated it.
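The forged SAML tokens described above are valid signatures made with a stolen key, so cryptographic signature verification alone will not catch them. Two checks a relying party can add on top of its SAML library are to pin the signing certificate it accepts and to reject assertions whose validity window is far longer than an interactive sign-on needs. The following Python is an added example written for this article, not code from any organisation involved in the incident; the trusted certificate bytes, the identity provider URL, the one-hour lifetime policy and both sample assertions are constructed, and the `SignatureValue` is a placeholder because signature verification is assumed to be handled elsewhere.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import List

# XML namespaces used by SAML 2.0 assertions and XML Digital Signature.
NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the federation server's token-signing certificate.
# A real deployment would load the DER bytes published in the identity
# provider's federation metadata; a fixed byte string keeps the example offline.
TRUSTED_SIGNING_CERT_DER = b"constructed-trusted-token-signing-certificate"
TRUSTED_THUMBPRINTS = {hashlib.sha256(TRUSTED_SIGNING_CERT_DER).hexdigest()}

# Longest assertion lifetime this relying party will accept (a policy choice).
MAX_ASSERTION_LIFETIME = timedelta(hours=1)


def _parse_time(value: str) -> datetime:
    # SAML timestamps are ISO 8601 in UTC with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text: str, now: datetime) -> List[str]:
    """Return findings for one assertion; an empty list means nothing looked wrong."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    tag = "{%s}Assertion" % NS["saml"]
    assertion = root if root.tag == tag else root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no SAML assertion found"]

    # 1. The signing certificate must be one the relying party already trusts.
    cert_el = assertion.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None or not (cert_el.text or "").strip():
        findings.append("assertion carries no signing certificate")
    else:
        der = base64.b64decode("".join(cert_el.text.split()))
        thumbprint = hashlib.sha256(der).hexdigest()
        if thumbprint not in TRUSTED_THUMBPRINTS:
            findings.append("signing certificate %s... is not in the allowlist" % thumbprint[:16])

    # 2. The validity window must be plausible for an interactive sign-on.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        findings.append("assertion has no Conditions element")
    else:
        not_before = _parse_time(cond.attrib["NotBefore"])
        not_after = _parse_time(cond.attrib["NotOnOrAfter"])
        if not_before > now + timedelta(minutes=5):
            findings.append("assertion NotBefore lies in the future")
        if not_after - not_before > MAX_ASSERTION_LIFETIME:
            findings.append("assertion lifetime %s exceeds policy maximum %s"
                            % (not_after - not_before, MAX_ASSERTION_LIFETIME))
        if now >= not_after:
            findings.append("assertion has expired")
    return findings


def check_assertion_at(xml_text: str, now_iso: str) -> List[str]:
    """Same check, with the reference time given as an ISO 8601 UTC string."""
    return check_assertion(xml_text, _parse_time(now_iso))


def build_assertion(cert_der: bytes, not_before: str, not_after: str) -> str:
    """Construct a minimal assertion for the demonstration (signature value is a placeholder)."""
    return (
        '<saml:Assertion xmlns:saml="%s" xmlns:ds="%s" ID="_constructed" Version="2.0" IssueInstant="%s">'
        "<saml:Issuer>https://sts.example.test/adfs/services/trust</saml:Issuer>"
        "<ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>"
        "<ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>"
        "</ds:Signature>"
        "<saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>"
        '<saml:Conditions NotBefore="%s" NotOnOrAfter="%s"/>'
        "</saml:Assertion>"
    ) % (NS["saml"], NS["ds"], not_before, base64.b64encode(cert_der).decode(), not_before, not_after)


NOW = datetime(2020, 12, 1, 10, 30, tzinfo=timezone.utc)
# Constructed sample 1: signed with the trusted certificate, one-hour lifetime.
LEGIT_ASSERTION = build_assertion(TRUSTED_SIGNING_CERT_DER, "2020-12-01T10:00:00Z", "2020-12-01T11:00:00Z")
# Constructed sample 2: signed with an unknown certificate and valid for thirty days.
ROGUE_ASSERTION = build_assertion(b"constructed-unknown-certificate", "2020-12-01T10:00:00Z", "2020-12-31T10:00:00Z")

if __name__ == "__main__":
    for name, xml_text in (("legit", LEGIT_ASSERTION), ("rogue", ROGUE_ASSERTION)):
        print(name, check_assertion(xml_text, NOW) or ["ok"])
```

The thumbprint allowlist is the check that matters most here: an attacker who has stolen the real token-signing key produces assertions that pass this test too, so the allowlist must be paired with monitoring of the identity provider for unexpected signing-certificate changes and with short assertion lifetimes, which limit how long any single forged token stays useful.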
The attackers hosted their command-and-control servers on commercial cloud services from Amazon, Microsoft, GoDaddy and others. By using command-and-control IP addresses based in the U.S., and because much of the malware involved was new, the attackers were able to evade detection by Einstein, a national cybersecurity system operated by the Department of Homeland Security.
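Because the beacons came from a trusted monitoring server, looked like ordinary vendor traffic and started only after a dormancy period, a useful defender's question is simply which names the Orion hosts resolved that lie outside the vendor's domains, and how long after the last update the first such lookup appeared. The Python below is an added example for this article, not tooling from SolarWinds or from any investigator; the host list, update dates, domain allowlist and the DNS log lines are all constructed, and the `.test` destination is a stand-in rather than a real indicator.

```python
import csv
from collections import defaultdict
from datetime import datetime, timezone
from io import StringIO
from typing import Dict

# Hosts running Orion and the time each last received an update, taken from the
# asset inventory (constructed values for this example).
ORION_HOSTS = {
    "10.0.5.20": "2020-03-31T00:00:00Z",
    "10.0.5.21": "2020-03-31T00:00:00Z",
}

# Domains an Orion server is expected to resolve. Constructed allowlist; a real
# one comes from the vendor's documentation and the organisation's own proxy history.
EXPECTED_DOMAINS = {"solarwinds.com"}

# Constructed resolver log in CSV form.
SAMPLE_DNS_LOG = """\
timestamp,src_ip,query
2020-04-14T03:12:01Z,10.0.5.20,downloads.solarwinds.com
2020-04-14T03:12:05Z,10.0.5.20,x7k2q9.update-cdn-example.test
2020-04-14T09:45:13Z,10.0.5.21,customerportal.solarwinds.com
2020-04-15T03:12:07Z,10.0.5.20,p3m8r1.update-cdn-example.test
2020-04-15T11:00:00Z,10.0.7.9,x7k2q9.update-cdn-example.test
"""


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_expected(fqdn: str) -> bool:
    """True if the name is an allowlisted domain or a subdomain of one."""
    name = fqdn.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in EXPECTED_DOMAINS)


def registered_domain(fqdn: str) -> str:
    # Crude last-two-labels grouping; enough to collapse per-host subdomains
    # such as x7k2q9.update-cdn-example.test into one line per destination.
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def find_unexpected_lookups(log_text: str) -> Dict[str, Dict[str, dict]]:
    """Return {orion_host: {destination: summary}} for lookups outside the allowlist.

    Each summary records the query count, the distinct names seen, and how many
    days after the host's last update the first such query occurred.
    """
    seen = defaultdict(lambda: defaultdict(lambda: {"count": 0, "names": set(), "first_seen": None}))
    for row in csv.DictReader(StringIO(log_text)):
        src = row["src_ip"]
        # Only Orion hosts are in scope; other machines need their own baseline.
        if src not in ORION_HOSTS or is_expected(row["query"]):
            continue
        entry = seen[src][registered_domain(row["query"])]
        entry["count"] += 1
        entry["names"].add(row["query"].lower())
        ts = _parse_time(row["timestamp"])
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts

    report: Dict[str, Dict[str, dict]] = {}
    for src, dests in seen.items():
        updated = _parse_time(ORION_HOSTS[src])
        report[src] = {
            dest: {
                "count": entry["count"],
                "names": sorted(entry["names"]),
                "days_after_update": (entry["first_seen"] - updated).days,
            }
            for dest, entry in dests.items()
        }
    return report


if __name__ == "__main__":
    for host, dests in find_unexpected_lookups(SAMPLE_DNS_LOG).items():
        for dest, summary in dests.items():
            print(host, dest, summary)
```

On the constructed log the report names only 10.0.5.20, with two queries to `update-cdn-example.test` whose first appearance is 14 days after the update. The same pass over real resolver logs is cheap to run retrospectively, which matters for an intrusion that sat quiet for weeks before its first contact and then hid behind U.S.-hosted infrastructure.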
FBI investigators in February 2021 found that a separate flaw in software made by SolarWinds Corp was used by hackers tied to another foreign government to help break into U.S. government computers.
Microsoft exploits
The attackers exploited flaws in Microsoft products, services, and software distribution infrastructure.
In a second supply chain attack, at least one reseller of Microsoft cloud services was compromised, which allowed the attackers to access the Microsoft cloud services used by the reseller's customers.
Alongside this, "Zerologon", a vulnerability in the Microsoft authentication protocol NetLogon, allowed attackers to access all valid usernames and passwords in each Microsoft network that they breached. This allowed them to access additional credentials necessary to assume the privileges of any legitimate user of the network, which in turn allowed them to compromise Microsoft Office 365 email accounts.
Additionally, a flaw in Microsoft's Outlook Web App may have allowed attackers to bypass multi-factor authentication.
Attackers were found to have broken into Microsoft Office 365 in a way that allowed them to monitor NTIA and Treasury staff emails for several months. This attack apparently used counterfeit identity tokens of some kind, allowing the attackers to trick Microsoft's authentication systems. The presence of single sign-on infrastructure increased the viability of the attack.
VMware exploits
Vulnerabilities in VMware Access and VMware Identity Manager, allowing existing network intruders to pivot and gain persistence, were utilized in 2020 by Russian state-sponsored attackers. As of December 18, 2020, while it was definitively known that the SUNBURST trojan would have provided suitable access to exploit the VMware bugs, it was not yet definitively known whether attackers had in fact chained those two exploits in the wild.
Discovery
SolarWinds exploit
On December 8, 2020, the cybersecurity firm FireEye announced that red team tools had been stolen from it by what it believed to be a state-sponsored attacker. FireEye was believed to be a target of the SVR, Russia's Foreign Intelligence Service. FireEye says that it discovered the SolarWinds supply chain attack in the course of investigating FireEye's own breach and tool theft.
After discovering that attack, FireEye reported it to the U.S. National Security Agency, a federal agency responsible for helping to defend the U.S. from cyberattacks. The NSA is not known to have been aware of the attack before being notified by FireEye. The NSA uses SolarWinds software itself.
Some days later, on December 13, when breaches at the Treasury and Department of Commerce were publicly confirmed to exist, sources said that the FireEye breach was related. On December 15, FireEye confirmed that the vector used to attack the Treasury and other government departments was the same one that had been used to attack FireEye: a trojaned software update for SolarWinds Orion.
The security community shifted its attention to Orion. The infected versions were found to be 2019.4 through 2020.2.1 HF1, released between March 2020 and June 2020. FireEye named the malware SUNBURST. Microsoft called it Solorigate. The tool that the attackers used to insert SUNBURST into Orion updates was later isolated by the cybersecurity firm CrowdStrike, which called it SUNSPOT.
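The first thing every Orion customer had to do once the version range became public was sweep their inventory for installs inside it, which is harder than it looks because Orion version strings carry a hotfix suffix ("HF1") that plain string comparison does not order correctly. The Python below is an added example for this article, not a SolarWinds or vendor-supplied checker; it takes the inclusive range 2019.4 through 2020.2.1 HF1 exactly as stated above, treats a hotfix as sorting after the release it patches (an assumption about the vendor's numbering), and uses a constructed inventory. The vendor's own advisory remains the authoritative list of affected builds.

```python
import re
from typing import List, Tuple

# Affected range as stated in the text: 2019.4 through 2020.2.1 HF1, inclusive.
AFFECTED_LOW = "2019.4"
AFFECTED_HIGH = "2020.2.1 HF1"

# Accepts "2020.2", "2020.2.1", "2019.4 HF5", "2020.2.1 HF1" (case-insensitive).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Turn '2020.2.1 HF1' into ((2020, 2, 1), 1); a missing hotfix counts as 0.

    Numeric parts are padded to three components so '2020.2' compares as 2020.2.0,
    and the hotfix number is ordered after the release it patches (assumption).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("unrecognised Orion version string: %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    parts = parts + (0,) * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return parts, hotfix


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range (inclusive at both ends)."""
    return parse_version(AFFECTED_LOW) <= parse_version(version) <= parse_version(AFFECTED_HIGH)


# Constructed inventory export: (hostname, Orion version string as reported by the install).
INVENTORY = [
    ("orion-prod-01", "2020.2.1 HF1"),
    ("orion-prod-02", "2020.2"),
    ("orion-lab-01", "2019.4 HF5"),
    ("orion-old-01", "2019.2"),
    ("orion-new-01", "2020.2.1 HF2"),
]


def affected_hosts(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hostnames whose Orion version falls in the affected range, in inventory order."""
    return [host for host, version in inventory if is_affected(version)]


if __name__ == "__main__":
    for host in affected_hosts(INVENTORY):
        print("inside affected range, treat as potentially compromised:", host)
```

A version match is a reason to investigate, not a finding of compromise; as the methodology section notes, the attackers used only a small fraction of the deployments, but a host that has run an affected build at any time since March 2020 needs the same review whether or not it was later upgraded, so the sweep should also cover update history rather than only the currently installed version.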
Subsequent analysis of the SolarWinds compromise using DNS data and reverse engineering of Orion binaries, by DomainTools and ReversingLabs respectively, revealed additional details about the attacker's timeline.
July 2021 analysis published by the Google Threat Analysis Group found that a "likely Russian government-backed actor" exploited a zero-day vulnerability in fully-updated iPhones to steal authentication credentials by sending messages to government officials on LinkedIn.