Member News

FTI | Nation-State Cyber Attacks: Immediate Intelligence & Actionable Guidance

Nation-state actors often leverage the effects of cyber operations to achieve their strategic objectives on the world’s stage.

The latest example of this type of advanced persistent threat (APT) cyber attack involves U.S. federal agencies and highprofile companies that were breached via a compromised and weaponized version of a software update from a connected third party. Publicly reported information indicates that a vendor was infiltrated by a sophisticated nation-state cyber attack, which allowed for malware to be embedded and hidden in software updates that were legitimate, creating an entry point to any machine that installed the updates. These types of breaches often proliferate for weeks or months before being discovered because the targeted company does not realize that their vendor has been compromised. We also understand that there may be other vectors of compromise implicated in this campaign that may not be made public, such that all entities must be on high alert.

The Cybersecurity and Infrastructure Security Agency (CISA) has shared guidance on this “active exploitation” and released an Emergency Directive 21-01, offering immediate recommendations.

Why This Matters To You

You may need to assume a breach at your organization.Issues caused by vendor software can create significant problems, from monitoring email traffic and collecting sensitive and valuable information, to severely interrupting business operations. Further, nationstate actors can steal proprietary tools and use them to benefit their own cause, whether that’s launching additional cyber attacks, or leveraging intellectual property to create products of their own.

Immediate Recommendations

  • Block all domains and IP addresses associated with the incident on your network perimeter.
  • Ensure the antivirus and intrusion detection solution deployed has detections in place for the indicators of compromise included in the appendix.
  • Conduct hunt team searches against your network infrastructure to determine if any endpoints have established communications associated with this incident.
  • Ensure servers, workstations, and applications are all operating with the latest patches applied.
  • Run up-to-date antivirus or endpoint detection and response products that detect compromised SolarWinds’ libraries and potentially anomalous process behavior by these binaries.
  • Follow the best practices of your identity federation technology provider in securing your Security Assertion Markup Language token signing keys, such as hardware security for your SAML token signing certificates if supported.
  • Ensure user accounts with administrative rights follow best practices. Administrators should reduce the number of users that are members of highly privileged Directory Roles.
  • Ensure service accounts and service principals with administrative rights are monitored for changes or unauthorized access.
  • Reduce surface area by removing/disabling unused or unnecessary applications, servers, or redundant infrastructure.
  • Update software that is being trojanized and isolate the infected software from the environment.
  • Consider engaging an independent, external firm with experience in identifying and addressing sophisticated cyber threats.

Issued Advisories

  • Active Exploitation of SolarWinds Software
  • Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise
  • SolarWinds Security Advisory
  • Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
  • SunBurst Countermeasures

Compliments of FTI Consulting – a member of the EACCNY.