Time for this week in SolarWinds.
President Biden has ordered a full-scale intelligence review of the incident. This is read as a signal of the administration’s interest in cybersecurity. Authorities in Russia are warning businesses there about the risk of US retaliation.
SolarWinds itself has brought on its own team of lobbyists to help manage communication with Congress.
Researchers continue to learn more about the attackers’ methods. The command and control infrastructure was very loose, designed to avoid detection and to evade traditional Indicators of Compromise (IoCs). However, those researchers note that watching network traffic for unusual mixes of domains, providers, hosting locations and other attributes would reveal more. An underutilized but not new idea.
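One way to act on that idea, as an added example that is not from the original post or from any of the cited researchers: group observed outbound connections by parent domain and flag those whose hostnames are spread across an unusual number of hosting providers and countries. The records, the provider and country labels, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records, not real traffic: (source host, destination FQDN,
# hosting provider from an ASN lookup, hosting country). All names are placeholders.
SAMPLE_RECORDS = [
    ("ws-01", "updates.vendor-a.test", "ProviderA", "US"),
    ("ws-01", "updates.vendor-a.test", "ProviderA", "US"),
    ("ws-02", "cdn.news-site.test", "ProviderB", "US"),
    ("ws-02", "img.news-site.test", "ProviderB", "US"),
    ("srv-07", "a1b2c3.loose-infra.test", "ProviderC", "US"),
    ("srv-07", "d4e5f6.loose-infra.test", "ProviderD", "DE"),
    ("srv-07", "g7h8i9.loose-infra.test", "ProviderE", "NL"),
    ("srv-08", "j0k1l2.loose-infra.test", "ProviderF", "SG"),
]


def parent_domain(fqdn):
    """Collapse a hostname to its registrable parent. Assumes a one-label public
    suffix (e.g. .test); a real deployment should consult a public-suffix list."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def profile_parents(records):
    """Per parent domain: distinct hostnames, providers, countries and sources seen."""
    prof = defaultdict(lambda: {"hosts": set(), "providers": set(),
                                "countries": set(), "sources": set()})
    for src, fqdn, provider, country in records:
        p = prof[parent_domain(fqdn)]
        p["hosts"].add(fqdn)
        p["providers"].add(provider)
        p["countries"].add(country)
        p["sources"].add(src)
    return prof


def flag_loose_infrastructure(records, min_providers=3, min_countries=2):
    """Heuristic (an assumption; tune thresholds per environment): a parent domain
    whose hostnames are spread over many hosting providers and countries is an
    unusual mix worth an analyst's look. Returns
    {parent: (hostname count, provider count, country count, sorted sources)}."""
    flagged = {}
    for parent, p in profile_parents(records).items():
        if len(p["providers"]) >= min_providers and len(p["countries"]) >= min_countries:
            flagged[parent] = (len(p["hosts"]), len(p["providers"]),
                               len(p["countries"]), sorted(p["sources"]))
    return flagged


if __name__ == "__main__":
    for parent, stats in flag_loose_infrastructure(SAMPLE_RECORDS).items():
        print(parent, stats)
```

The thresholds only make sense against a baseline of what normal traffic in your environment looks like, which is exactly the "monitor the monitor" work the researchers are describing.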
Researchers have now revealed all the internal AD domains for the Sunburst deployment, and other researchers have revealed more targets, including the cybersecurity companies Qualys and Fidelis, and the Virginia State Corporation Commission. Fidelis was a target because of a trial of the Orion software in May.
Targets are not always victims: the NSA and Army National Guard were targeted… but not breached.
Mimecast, previously known as a victim, revealed that one of its digital certificates was stolen. Researchers say this compromise was used in a very targeted way – against just a small hand-picked number, in the single digits.
Why do we care?
I’m approaching this entirely from the perspective of what we can learn. That’s why we care, because the size and scale are so massive. I often cite the organized nature of the opponents, and nothing is more organized than this level of espionage.
“Monitor the monitor” is a quip, but a true one. It fits with “trust but verify.” I’m learning a lot tracking this, and I hope you are too.