About one-fifth of the victims of the December 2020 SolarWinds Solorigate/Sunburst cyber attack – some 3,600 of the 18,000 organisations identified so far – work in the manufacturing vertical, according to Kaspersky ICS CERT researchers, who have been among those trying to piece together what really happened over the past year and how wide-ranging the breach really is.
The apparent focus of the Russia-linked cyber attack – perpetrated by an advanced persistent threat (APT) espionage group that is now known as UNC2452 – was chiefly US government organisations, but the collateral damage extends far and wide and, according to Kaspersky, there has been limited information so far as to who else was using the backdoored SolarWinds products in their organisations.
“The SolarWinds software is highly integrated into many systems around the globe in different industries and, as a result, the scale of the Sunburst attack is unparalleled – a lot of organisations that had been affected might not have been of interest to the attackers initially,” said Maria Garnaeva, a senior security researcher at Kaspersky.
“While we do not have evidence of a second-stage attack among these victims, we should not rule out the possibility that it may come in the future. Therefore, it is crucial for organisations that may be victims of the attack to rule out the infection and make sure they have the right incident response procedures in place.”
To resolve this question, Kaspersky researchers have been poring over internal and publicly available information.
They first analysed all available decoded internal domain names, obtained from the DNS names generated by the Sunburst domain generation algorithm (DGA), and from these pieced together a list of about 2,000 readable, attributable domains.
Extrapolating from this data, they calculated that industrial organisations make up around 32.4% of victims overall, with manufacturing hit the most (18.11% of victims), followed by utilities (3.24%) and construction (3.03%). Kaspersky also found high numbers of transport and logistics firms (2.97% of victims) and oil and gas companies (1.35%).
These companies are based all over the world, including in Benin, Canada, Chile, Djibouti, Indonesia, Iran, Malaysia, Mexico, the Netherlands, the Philippines, Portugal, Russia, Saudi Arabia, Taiwan, Uganda and the US.
Concerned organisations should first check whether they were operating any of the impacted versions of the SolarWinds Orion platform – known affected versions include software builds 2019.4 HF 5 with no hotfix, and 2020.2 HF 1. They should then check for known indicators of compromise (IOCs) against CISA’s advisory.
If these two steps produce any “positive” results, immediately launch an investigation and activate your incident response procedure. Isolate any assets you know to be compromised (while keeping your systems operable), and prevent IOCs that might be needed for your investigation from being deleted.
Then check all network logs for any suspicious-looking activity, and system logs and journals for any illegitimate account authentication.
Also locate any suspicious process activity, investigate the associated memory dumps and files, and review historical command-line data for signs of suspicious activity.
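The checks described in the steps above (affected Orion build, indicators of compromise in DNS traffic, illegitimate authentications) can be scripted as a first-pass triage over exported logs. The following Python is an added example written for this article; it is not Kaspersky's or SolarWinds' code. The inventory and log formats are assumed, the sample lines are constructed, and the IOC domain is a placeholder to be replaced with the domains from CISA's advisory. The DGA-like label heuristic (long, high-entropy first label) is a general check, not a decoder for the Sunburst algorithm.

```python
"""First-pass triage for the SolarWinds Orion checks: affected build,
IOC domains and DGA-like names in DNS logs, and unexpected successful logins."""
import math
from collections import Counter

# Affected builds named in the article; complete the set from the vendor/CISA advisory.
AFFECTED_BUILDS = {"2019.4 HF 5", "2020.2 HF 1"}

# Constructed sample inventory: (hostname, installed Orion build). Format is assumed.
INVENTORY = [
    ("orion-prod-01", "2020.2 HF 1"),
    ("orion-lab-02", "2019.2 HF 3"),
    ("orion-dr-03", "2019.4 HF 5"),
]

# Placeholder watchlist; real IOC domains come from CISA's advisory, not from this script.
IOC_DOMAINS = {"c2-placeholder.example"}

# Constructed DNS log lines: "<timestamp> <client IP> <queried name>"
DNS_LOG = """\
2020-12-14T02:13:44Z 10.0.5.21 api.vendor.example
2020-12-14T02:14:10Z 10.0.5.21 6a57jk2ba1d9keg15cbg.appsync.c2-placeholder.example
2020-12-14T02:15:00Z 10.0.5.22 www.microsoft.com
"""

# Constructed authentication log lines: "<timestamp> <user> <host> <result>"
AUTH_LOG = """\
2020-12-14T02:20:01Z svc_orion orion-prod-01 success
2020-12-14T02:21:30Z backup_admin orion-prod-01 success
2020-12-14T02:22:05Z jdoe ws-114 failure
"""

# Accounts expected to log on to each Orion host (assumed baseline for the example).
EXPECTED_ACCOUNTS = {"orion-prod-01": {"svc_orion"}, "orion-dr-03": {"svc_orion"}}


def affected_hosts(inventory):
    """Hosts whose installed build is in the affected set."""
    return sorted(host for host, build in inventory if build in AFFECTED_BUILDS)


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(text)
    total = len(text)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def suspicious_dns(log, ioc_domains, min_label_len=16, min_entropy=3.0):
    """Flag queries to IOC domains and long, high-entropy first labels.
    Returns a list of (client, name, [reasons])."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash mid-triage
        _, client, name = parts
        name = name.lower().rstrip(".")
        reasons = []
        if any(name == d or name.endswith("." + d) for d in ioc_domains):
            reasons.append("ioc-domain")
        first = name.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            reasons.append("dga-like-label")
        if reasons:
            hits.append((client, name, reasons))
    return hits


def unexpected_logins(log, expected):
    """Successful logons on monitored hosts by accounts outside the baseline."""
    findings = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _, user, host, result = parts
        if result == "success" and host in expected and user not in expected[host]:
            findings.append((user, host))
    return findings


def triage():
    """Combine the three checks; any non-empty result means start the IR procedure."""
    return {
        "affected_hosts": affected_hosts(INVENTORY),
        "dns_hits": suspicious_dns(DNS_LOG, IOC_DOMAINS),
        "unexpected_logins": unexpected_logins(AUTH_LOG, EXPECTED_ACCOUNTS),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(f"{key}: {value}")
```

The DNS heuristic deliberately flags on either reason, so an IOC-list miss (a domain not yet in the watchlist) can still surface a long random-looking label for an analyst to review; tune `min_label_len` and `min_entropy` against your own baseline traffic to keep false positives manageable.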