Staring at the Sun: Thoughts on UNC2452, SUNBURST, SolarWinds and Road Ahead

20 January 2021

Introduction: Cyber- Photokeratitis

Like many who have worked in the threat research & intelligence, forensics, and incident response space some time, when I became aware of FireEye’s

public breach disclosure earlier this month (09 DEC 2020), it gave me pause. FireEye is without question a global leader in the development and acquisition of technology, services, and intelligence (e.g., Mandiant, iSIGHT Partners, etc.,). Few can or would debate that and even fewer would debate the organization’s knowledge and understanding of the threat landscape. During my time at TippingPoint and NetWitness, we were keenly aware of the organization’s movements and acquisitions along the way that further established FireEye as a noteworthy player and competitor in the space. Few know and understand the space the way that FireEye as a whole does. The organization’s understanding of threat actors/adversaries, their TTPs (Mandiant & iSIGHT Partners heritage, in particular, come into play here), and how best to monitor for, and to defend against them through the use and employment of offensive means and intelligence is undisputed. Simply put, FireEye is not unaware of the weight and magnitude associated with its decision to announce that it had been compromised and breached by what appears to be a highly motivated, presumably, nation-state grade (though which nation-state and group remains unclear at the time of this writing) actor via what we know (through said disclosure and blogs such as this one. Of course, there were and are legal requirements to do so when an organization such as FireEye is publicly traded, however, the degree and level of transparency demonstrated by the FireEye organization is beyond what is typically observed in situations of this sort further underscoring their professionalism and role as a leader in the industry.

 

At the time of this writing, a great deal of information and associated intelligence has been revealed and shared. I will not attempt to address it all in this blog but will encourage the reader to see visit the following link to the blog that FireEye released on 13 DEC 2020 for more details. That link can be found here. The vector in question came in the form of a trojanized software update related to the SolarWinds Orion framework and platform. The trojanization of these updates enabled the adversary in question to distribute malware to FireEye (which they refer to as SUNBURST), in addition to a possible 18,000 organizations including a veritable ‘Whose Who’ of government and non-government organizations alike. When viewing even a partial list of the victims, one is struck by the gravity of what a motivated, sophisticated, well-funded adversary might be able to accomplish while operating with impunity within a victim and beyond them. It is a staggering thought.

 

 

As those organizations work to understand address how and where they may have been compromised, firms such as our own have engaged in analyzing the IOCs and other information related to this campaign. To say that the last week and a half was busy (especially given the time of year we find ourselves in), would be nothing short of a gross understatement. I likened the feeling that I and many of my colleagues in the industry have at the moment to the phenomenon that occurs when one stares at the sun resulting in a painful “sunburn” of the corneas known as photokeratitis. It will heal and pass (provided we do not stare too long and lost sight of our tactical and strategic goals), but it will smart for a time.

 

The Prevailion Intelligence Team has been working diligently on collections related to this campaign and intends on publishing its findings at some point soon – I will not steal their thunder in this blog but will say that the team is working in earnest on some looking at its collections in a multi-dimensional sense and believes that the outcome will be both fruitful and beneficial to its customers and the industry as a whole. I and my colleagues are looking forward to the time when we can share (in its completed form) what we have in respect to this. The next few weeks, if not days will be telling in respect to this campaign and the emerging operational elements associated with it. Much good guidance has been given broadly in respect to the importance of basic information technology hygiene and security practices in staving off threats and threat actors. But what to do when the vector chosen for exploitation; the vulnerability is unknown to the producer itself?

 

At Prevailion, we specialize in compromise and breach intelligence. We are an intelligence company; that is what we do and that is who we are. Our foundation was built upon the hypothesis that the integrity of the supply chain (or lack thereof), could and does result in myriad compromises and breaches. I hope that in the wake of this campaign organizations (large and small) will pay greater heed to the importance of supply chain security and third-party compromise intelligence versus being yet another aspect of business that is weighted and scored based on point in time assessments, vulnerability scans, and questionnaire analysis. We support our colleagues and FireEye in addition to all of the organizations impacted by UNC2452. This campaign has the potential to be one of the single greatest and most impactful of its kind of all time. It is not solely the concern of those directly and indirectly. It is all of our concern. Together we can and will prevail.

 

The Latest

Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond

Introduction: Prevailion’s Adversarial Counterintelligence Team (PACT) is using advanced infrastructure hunting techniques and Prevailion’s unparalleled visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign.  UNC1151 is likely a state-backed threat actor [1] waging an ongoing and far-reaching influence campaign that has targeted numerous countries across […]

Prevailion CEO, Karim Hijazi- Biden’s Cybersecurity Strategy

Prevailion CEO, Karim Hijazi, comments on lacking White House cybersecurity efforts Karim Hijazi lays out why Biden’s cybersecurity strategy lacks innovation and effectiveness to deal with modern adversaries already inside companies around the globe.    

Prevailion CEO, Karim Hijazi- Tmobile Hack

Prevailion CEO, Karim Hijazi, talks about the T-Mobile hack and cloned SIM cards Karim Hijazi says T-Mobile’s breach is the largest in carrier history and discusses SIM swapping and other forms of identity theft.    

Copyright 2021 Prevailion, Inc. All rights reserved.    

Disclaimer: Gartner “Cool Vendors in Security Operations and Threat Intelligence,” Mitchell Schneider, Ruggero Contu, John Watts, Craig Lawson, October 13, 2020. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Gartner Disclaimer: The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.