A “very, very large” telecommunications organization, a Fortune 500 company, and multiple government agencies are among the thus far unreported breaches to emerge as a result of the SolarWinds supply chain hack, confirmed a researcher supporting both public and private sector entities in recovery from the devastating attack.
This latest information comes a day after Microsoft confirmed that it notified more than 40 customers of breaches identified off telemetry from its Defender antivirus software.
“There’s a very, very large telecom organization that will have to put its hand up fairly soon, and there’s a very, very large Fortune 500 that will have to put its hand up pretty soon,” said Chris Roberts, virtual CISO and advisor to a number of companies and agencies as part of the HillBilly Hit Squad group of cybersecurity researchers. “From the government agency standpoint, there’s a few of those out there that will have to put their hand up and say, ‘yah we got hit.’”
Roberts, who is the former chief security strategist at Attivo Networks, spoke to SC Media as part of a virtual conference taking place Jan. 26-27, focusing on the tactics of state-sponsored hackers.
The department of Homeland Security, Energy, and Treasury, and FireEye are among the other notable victims affected by the supply chain attack on SolarWinds network monitoring software. SolarWinds estimates that between last March and June, roughly 18,000 user organizations downloaded updates of its Orion software that Russian APT actors allegedly corrupted with Sunburst backdoor malware.
Roberts did not reveal which telecom organization, Fortune 500 company or government agencies are the latest to fall victim to the breach. He did emphasize, however, the significance of the combination of targets.
“You need to take a step back and go ‘hang on, we’re looking at attacks against the backbone of the architecture,’” of the nation’s most critical infrastructure and assets, he said. With that in mind, “can I trust the technology sitting in front of me?”
Indeed, agencies shut down a number of “very secure communications,” unable to know for certain that associated systems were not compromised, Roberts said. And while Microsoft said in its own announcement about the breach that researchers “have not found evidence of access to production services or customer data,” Roberts said much is still unknown. As he put it, “how many millions of lines of code will Microsoft have to go through to go from ‘we don’t think’ to ‘we know?’” He credited both Microsoft and FireEye, which was the first to reveal evidence of a breach, for transparency and efforts to distribute intelligence about the attack.
Vendors may ultimately need to take down portions of services to identify vulnerabilities. Roberts estimates that the malware has been installed on networks a year or longer, and “until you literally start ripping the code to pieces, you don’t know how far down this rabbit hole” companies and agencies will need to travel to figure out what’s infiltrated.
“We’ve got to look in the mirror, we really have to go look in the mirror and ask, ‘why didn’t we see it? We have multi-billion dollar systems in place that should detect this,” Roberts said.