While the government response teams have closed out their SolarWinds response, the analysis continues, and it turns out the effort was a lot bigger than first believed. Researchers at RiskIQ published a report on the attackers' network infrastructure footprint, calling it “significantly larger than previously identified.” RiskIQ’s Team Atlas identified an additional 18 servers linked to the SolarWinds espionage campaign, a number the firm says represents a “56% increase in the size of the adversary’s known command-and-control footprint.” The new servers were found by mapping the beacons in the command-and-control network, and a significant share of that infrastructure was hosted within the US by cloud infrastructure providers, including AWS.
To be clear: CNN’s sources are also reporting that Russia’s SVR intelligence agency “likely” still has access to the breached networks, which is consistent with the SVR’s past behavior.
Why do we care?
I was taught early in my career that once you’re breached, you can never fully trust the system again without rebuilding it from scratch. That rings in my ears with every one of these breaches.
We will likely never know the full extent of this breach. The lesson is that you never know the full extent, and it is always more than you think.
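The practical consequence of “you never know the full extent” is that matching proxy logs against a published list of C2 servers only ever finds the part of the footprint someone has already identified. The check below is an added example, not RiskIQ’s tooling or anything from the original post: it looks for beacon-like timing in outbound requests (regular inter-request gaps from one host to one destination), which is the kind of behavioral signal that surfaces C2 servers not yet on any indicator list. The log lines, IP addresses, hostnames and the `KNOWN_C2` list are all constructed for illustration; the thresholds are assumptions to tune against your own traffic.

```python
"""Beacon-interval check over constructed proxy log lines.

Added example, not code from the original post or from RiskIQ.
All hosts, IPs and the KNOWN_C2 indicator list below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.7 calls one destination roughly every hour with
# a few seconds of jitter; 10.0.0.9 browses irregularly. Format per line:
# "<timestamp> <src_ip> <dst_host> <http_status>"
SAMPLE_LOG = """\
2021-04-22T00:00:05Z 10.0.0.7 update.example-cdn.test 200
2021-04-22T00:03:11Z 10.0.0.9 news.example.test 200
2021-04-22T01:00:09Z 10.0.0.7 update.example-cdn.test 200
2021-04-22T01:17:40Z 10.0.0.9 mail.example.test 200
2021-04-22T02:00:02Z 10.0.0.7 update.example-cdn.test 200
2021-04-22T02:45:13Z 10.0.0.9 news.example.test 200
2021-04-22T03:00:07Z 10.0.0.7 update.example-cdn.test 200
2021-04-22T03:01:00Z 10.0.0.9 mail.example.test 200
2021-04-22T04:00:04Z 10.0.0.7 update.example-cdn.test 200
2021-04-22T05:00:08Z 10.0.0.7 update.example-cdn.test 200
"""

# Constructed indicator list. Deliberately does NOT contain the beaconing
# destination, to show why behavioral detection matters.
KNOWN_C2 = {"known-bad.example.test"}


def parse_log(text):
    """Yield (timestamp, src_ip, dst_host) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, parts[1], parts[2]


def interval_stats(text):
    """Per (src, dst) pair: request count, mean gap in seconds, and the
    coefficient of variation of the gaps (low CV = regular timing)."""
    times = defaultdict(list)
    for ts, src, dst in parse_log(text):
        times[(src, dst)].append(ts)
    stats = {}
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) < 2:  # need at least three requests to judge regularity
            continue
        m = mean(gaps)
        cv = pstdev(gaps) / m if m else float("inf")
        stats[key] = {"count": len(ts_list), "mean_gap": m, "cv": cv}
    return stats


def find_beacons(text, min_count=5, max_cv=0.1):
    """Return pairs whose timing is regular enough to look like a beacon.
    Each hit records whether the destination was already a known indicator,
    so analysts can see which C2 the IOC list would have missed."""
    hits = []
    for (src, dst), s in interval_stats(text).items():
        if s["count"] >= min_count and s["cv"] <= max_cv:
            hits.append({"src": src, "dst": dst, "known_ioc": dst in KNOWN_C2, **s})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} requests, "
              f"mean gap {hit['mean_gap']:.0f}s, CV {hit['cv']:.4f}, "
              f"known IOC: {hit['known_ioc']}")
```

On the constructed sample this flags `10.0.0.7 -> update.example-cdn.test` (six requests about 3600 seconds apart, CV near zero) even though that host is absent from `KNOWN_C2`, which is exactly the gap an indicator-only search leaves open. Real implants add jitter and sleep randomization, so `max_cv` will need to be looser in practice and will trade off against false positives from legitimate schedulers; treat the thresholds as a starting point, not a signature.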