Four Solution Providers Breached By SolarWinds Hackers: Researchers

The SolarWinds hackers called for proceeding with the second stage of their attack on Stratus Networks, ITPS and Netdecisions, and had an unknown response to compromising Deloitte, Truesec says.


Deloitte, Stratus Networks, ITPS and Netdecisions were breached via SolarWinds and then specifically targeted by the hackers for additional internal compromise, according to a cybersecurity consultancy.

The Sweden-based firm, Truesec, analyzed the malware — as well as historical network data — to determine which firms were explicitly selected by the SolarWinds hackers for further activities, meaning that additional internal compromise could have taken place. Nearly 18,000 firms were compromised via SolarWinds Orion, but many fewer were targeted in the attack’s second stage.

“The impact of this attack is likely to be of gigantic proportions,” Fabio Viggiani, technical lead for Truesec’s security team, wrote in a blog post Thursday. “The full extent of this breach will most likely never be communicated to the public, and instead will be restricted to trusted parts of the intelligence community.”


Deloitte, Stratus Networks, ITPS and Netdecisions did not immediately respond to requests for comment from CRN. The Wall Street Journal reported Monday that Deloitte was infected in late June by a malicious SolarWinds Orion update, and the company told CRN that it “has taken steps to address” the malware but hasn’t “observed indications of unauthorized access to our systems at this time.”

Viggiani told CRN that the nearly 18,000 SolarWinds Orion backdoors follow a specific communication protocol based on logic the hackers implemented in the malware. Based on requests made and responses sent over the network, Viggiani said Truesec could in certain cases figure out the internal name of the infected system as well as the responses sent back from the hackers’ servers.

Truesec took 1,500 DNS cache requests from the past few months to determine the internal domain each system was registered to, as well as how the hackers responded to the intrusion. The hackers most commonly gave three instructions, Viggiani said: terminate the execution when the target isn’t of interest; hold off and wait for further instruction; and proceed to the second stage of the attack.

The suspected Russian hackers called for proceeding with the second stage of the attack on Stratus Networks, ITPS and Netdecisions on April 17, Aug. 11 and Oct. 4, respectively, according to Truesec. Truesec is currently unable to determine what the hackers’ July 8 response to the Deloitte intrusion means, and Viggiani said more investigation is needed to properly decipher the response.

The hackers will often drop additional malware during the second stage of the attack to establish a deeper presence, Viggiani said. Beyond that, Viggiani said there is significant variation from one intrusion to the next based on the victim’s infrastructure and what interests the hackers at the victim organization.

In some cases, even though the hackers proceeded to the second stage, Viggiani said the hacker activity might have been limited to some initial scraping or filtering before deciding to terminate the operation. “With this much access, it’s not feasible to go through all the victims,” Viggiani told CRN.

Companies targeted in the second stage of the attack should conduct a proper forensic investigation on all their infected Orion servers, examine their firewall and DNS logs, and ensure none of their accounts were compromised by looking for account creation and misuse, according to Viggiani. These companies should consider themselves compromised and conduct a full incident response investigation, he said.
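The DNS log review recommended above can be sketched as follows, sorting each infected host by the most serious of the three instruction classes described earlier. This is an added example, not Truesec's tooling or code from the original article; the zone `c2-zone.example`, the answer ranges (reserved documentation networks) and the log layout are all constructed placeholders to be replaced with values from your own threat intelligence and resolver.

```python
import ipaddress
from collections import defaultdict

# Placeholders (assumptions): take the real zone and answer ranges from your threat intel.
C2_ZONE = "c2-zone.example"
ANSWER_CLASSES = {
    "terminate": ipaddress.ip_network("192.0.2.0/24"),
    "wait": ipaddress.ip_network("198.51.100.0/24"),
    "proceed": ipaddress.ip_network("203.0.113.0/24"),
}
# Ascending concern; an undecodable answer ranks above "wait" because it needs analysis.
SEVERITY = ["terminate", "wait", "unknown", "proceed"]
# Constructed resolver log: timestamp, client IP, query name, answer.
SAMPLE_LOG = """\
2020-05-01T09:12:03Z 10.1.4.20 a1b2c3.c2-zone.example 198.51.100.9
2020-05-03T11:40:51Z 10.1.4.20 d4e5f6.c2-zone.example 203.0.113.7
2020-05-02T08:00:00Z 10.1.7.33 0f9e8d.c2-zone.example 192.0.2.15
2020-05-04T14:22:10Z 10.1.9.8 77aa11.C2-Zone.Example. cname.other.example
2020-05-04T15:00:00Z 10.1.2.2 www.mailc2-zone.example 203.0.113.7
"""

def classify(answer):  # map a DNS answer to an instruction class, else "unknown"
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:  # CNAME or other non-address answer
        return "unknown"
    for label, net in ANSWER_CLASSES.items():
        if ip in net:
            return label
    return "unknown"

def triage(log_text, zone=C2_ZONE):
    """Return {client: {"worst": label, "events": [(ts, qname, label), ...]}}."""
    suffix = "." + zone.lower().rstrip(".")
    hosts = defaultdict(lambda: {"worst": "terminate", "events": []})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qname, answer = parts
        qname = qname.lower().rstrip(".")
        if not qname.endswith(suffix):  # leading dot rejects look-alike zones
            continue
        label = classify(answer)
        entry = hosts[client]
        entry["events"].append((ts, qname, label))
        if SEVERITY.index(label) > SEVERITY.index(entry["worst"]):
            entry["worst"] = label
    return dict(hosts)
```

Hosts whose worst class is `proceed` or `unknown` are the ones to prioritize for forensic imaging and account review.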

“Supply chain attacks are not new,” Viggiani said. “But the scale and the sophistication level of actually injecting the backdoor into SolarWinds software is highly unusual.”

The internal name of the victim’s network is likely also the name of the company, but Viggiani cautioned that it’s not a guarantee.

There are two companies operating under the Stratus Networks name, neither of which responded to CRN requests for comment. One is a Peoria Heights, Ill.-based carrier and telecommunication services provider that works closely with AT&T and Cisco. The other is a Hopkinton, Mass.-based managed IT services and outsourcing company that partners with Microsoft, Dell, Symantec, Fortinet and VMware.

Gateshead, England-based ITPS is a data center partner founded in 2000 specializing in IT managed services, IT consultancy and implementation, unified communications, support services and workspace and disaster recovery. Some of ITPS’ vendor partners include Cisco, Zerto, Citrix, NetApp, Trend Micro, Barracuda, HP, Samsung, VMware, IBM, Microsoft, Dell and Veeam, according to the firm’s website.

Netdecisions was founded in 1998, and renamed its IT services business Agilisys in 2004 with a focus on outsourcing in the technology, media and public sector arenas. The investment arm of Netdecisions was renamed Blenheim Chalcot and operates a portfolio across the technology, financial services and media sectors in both the UK and India. Neither Agilisys nor Blenheim Chalcot responded to CRN inquiries.