SolarWinds hacker attack: 300 German targets in focus

On: March 22, 2021

The so-called SolarWinds hack by alleged Russian attackers is slowly shedding light. It was first mentioned that around six authorities in Germany were victims of the SolarBurst hack, but now it is assumed that there are 300 successfully attacked German targets. After all, there is now a response from 13 posts out of 300 people written to.


The hack and the aftermath

It felt like light years ago when the Solarigate incident moved the minds of the IT world. Presumably, Russian state hackers have succeeded in compromising the Orion software from the US manufacturer SolarWinds. The Trojan and its backdoor were then infiltrated into tens of thousands of computers by an update rolled out by SolarWinds. This made it possible to attack authorities, organizations, and companies via the SUNBURST vulnerability. In addition, other attackers succeeded in penetrating the networks of SolarWinds customers through open vulnerabilities and spying on the IT infrastructure.

SolarWinds network and security products are used by more than 300,000 customers worldwide, including top corporations, government agencies, and educational institutions. SolarWinds also serves the major U.S. telecommunications companies, all five branches of the U.S. military, and other prominent government organizations such as the Pentagon, State Department, NASA, National Security Agency (NSA), the Post Office, NOAA, the Department of Justice, and the President's Office of the United States.

In the USA, hundreds of authorities and large companies were victims of mass hacking - the processing is still ongoing (see also the article at the end of the post). The BSI said that allegedly only six authorities in Germany were the focus of the hackers. A fallacy, as it now turns out.

Around 300 German destinations

The Green MP Konstantin von Notz had made a small request to the German federal government and got an answer. Von Notz presented this information to the Spiegel for inspection. The German government does not name any names but assumes that around 300 locations in Germany could be affected by the attack. These are SolarWinds customers who had Orion software installed on their IT systems. The list was sent to the Germans from the USA.

The BSI and the German stubbornness

The Federal Office for Information Security (BSI) informed all German parties concerned about this finding on February 11, 2021 - in other words: that there is a back door on the systems in question. Hackers can use these to enter and exit the IT systems of these locations and, if necessary, also access data or install additional malware.

It is therefore interesting whether the IT systems were actually accessed using the backdoor. Can be determined with access logs. The problem is the “seen, laughed, punched and filed” effect in obscure German authorities and large companies. Of the 300 who were explicitly informed, an incredible 13 positions have reported back to the BSI, according to the Federal Government's answer. All respondents were able to give the all-clear because they were not attacked via the existing backdoor.

The federal government has probably addressed this in the Federal Chancellery. But you don't really find out whether something happened at all - Official Mikado: Whoever twitches first, has lost. The decision-makers may still have the Exchange shock in their bones, or they are currently digging through the contracts in order to finally be able to migrate to Microsoft 365. Konstantin von Notz criticizes:

In view of these two devastating IT security incidents within a very short time, all of the federal government's alarm lights must be on. Instead, Horst Seehofer goes completely underground, documenting that one of the most important security issues of our time is in extremely bad hands with him.

Well, on the one hand (Q) is an election campaign - and Hotte Seehofer only has to survive a few more days "on retirement". Then the cards will be reshuffled anyway. Depending on the constellation chosen in September, the “Antigen Test Taskforce”, which consists of agile young politicians such as Scheuer and Spahn, will be given a new purpose. Ok, it was now an unfair dialectic, I got carried away as a corona vaccination expectant. In any case, the Greens politician von Notz's wish for more clarification is more than justified for me. The government refused to give a substantial answer to many of his questions - including what was discussed in the Chancellery about the incident, the Green politician complained to Der Spiegel.

The good news of the day: According to the information in Spiegel, there are several investigations in Germany because of the hacking attack. Investigations are being carried out both with the cybercrime experts at the Central Office for Combating Internet Crime in Frankfurt am Main and with other public prosecutor's offices at the state level - says the federal government - and they should know.

CISA releases SolarWinds detection tool

Finally, a piece of information for administrators who are responsible for Orion systems from Solarwinds. Something that has more hands and feet: The US Cybersecurity and Infrastructure Security Agency (CISA) has released a tool called the CISA Hunt and Incident Response Program (CHIRP). CHIRP is a Python-based forensic collection tool that can track down post-compromised malicious activity in connection with the SolarWinds hackers in on-premises corporate environments.

Bleeping Computer published further details on this tool in this article last week. This carries out the following operations after the start:

  • Examine the Windows event logs for artifacts associated with Solarigate activity;
  • Examine the Windows registry for signs of intrusion;
  • Query of Windows network artifacts;
  • and application of YARA rules to detect malware, backdoors or implants.

CHIRP generates JSON-formatted data for further analysis in a SIEM or similar tool. Maybe it will help you with monitoring the IT infrastructure.

Post a Comment

0 Comments