More Worrying ‘SolarWinds’ Discoveries Surface in the U.S.

  • The U.S. Department of Justice admits that state-supported hackers accessed some of its email accounts.
  • The agency says only about 3% of its Microsoft Office 365 mailboxes were affected, and that no classified information was involved.
  • At the same time, the number of internet-exposed Orion servers keeps growing, possibly because of misconfigurations and honeypots.

The U.S. Department of Justice has issued a short statement, delivered by spokesman Marc Raimondi, confirming that its Office of the Chief Information Officer (OCIO) found that the threat actors behind the ‘SolarWinds’ attacks accessed roughly 3% of the DoJ’s mailboxes in its Microsoft Office 365 email environment.

As the announcement clarifies, none of the accessed mail was classified, so the impact is not considered critical for national security, although it is still very serious. OCIO adds that upon discovering the malicious activity it moved to evict the intruder and close the access path that had been used.

This immediate response on December 24, 2020, is credited with keeping the share of affected mailboxes down to about 3%. However, that figure cannot be treated as final until the investigation is concluded.

As we discussed yesterday, there’s a new task force dedicated to speeding up all investigations into the ‘SolarWinds’ attacks in the U.S., called the “Cyber Unified Coordination Group” (UCG). Given everything that is surfacing right now, the UCG is very likely already overwhelmed.

Meanwhile, researchers and intelligence firms are still trying to count the Orion installations that could still serve as backdoors for cyber-espionage operations, and, oddly, the number is growing. According to Censys, a scan on December 28 found 1,200 SolarWinds Orion servers exposed to the internet, and by January 4, 2021, that count had risen to 1,550.

A possible explanation is that system admins rushed to update their systems once the “Sunburst” problem became widely known and, in doing so, exposed the Orion web console to the internet through common misconfigurations. Another potential cause is “honeypots” set up to attract the attackers and study their activity. Note that what Censys counts is reachability from the internet; an exposed Orion server is not automatically a compromised one, but it is an unnecessary attack surface that should not be there.

The only number that still stands beyond doubt is the roughly 18,000 installations that received the trojanized Orion update, but that does not mean all of them were compromised. The attackers did not act on every one of these endpoints; they focused their follow-on activity on the targets they considered most valuable. Since an organization cannot easily tell which group it falls into, the safest way to deal with this uncertainty is to treat every installation that received the malicious update as compromised and carry out the full clean-up that such a situation requires.
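The triage the previous paragraphs describe, as an added example that is not part of the original article: classify a fleet of Orion hosts by whether they ran a build that shipped the trojanized update (those are treated as compromised regardless of anything else), whether their web console is reachable from the internet (the misconfiguration case), or whether they are deliberately exposed honeypots. The affected build list comes from SolarWinds’ public advisory (2019.4 HF 5, 2020.2 with no hotfix, 2020.2 HF 1); the inventory, host names and the `OrionHost` record are constructed for this example.

```python
"""Triage a constructed inventory of SolarWinds Orion hosts (added example)."""
import re
from dataclasses import dataclass

# Orion Platform builds that shipped the trojanized
# SolarWinds.Orion.Core.BusinessLayer.dll, per SolarWinds' public advisory,
# stored as (major, minor, patch, hotfix). Later builds (e.g. 2019.4 HF 6,
# 2020.2.1 HF 2) removed it and are not in this set.
TROJANIZED_BUILDS = {
    (2019, 4, 0, 5),   # 2019.4 HF 5
    (2020, 2, 0, 0),   # 2020.2 with no hotfix
    (2020, 2, 0, 1),   # 2020.2 HF 1
}

# Accepts strings such as "2020.2", "2020.2 HF 1", "2020.2.1 HF2".
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text):
    """Normalise an Orion version string to a (major, minor, patch, hf) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hf or 0))


@dataclass
class OrionHost:
    """One inventory row (constructed record, not SolarWinds' own schema)."""
    name: str
    version: str
    console_exposed: bool       # Orion web console reachable from the internet
    honeypot: bool = False      # deliberately exposed decoy, not a production host


def triage(host):
    """Return the action bucket for one host.

    Honeypots are excluded from the clean-up count first; then any host that
    ran a trojanized build is assumed compromised whether or not it is exposed;
    an exposed host on a clean build is flagged as a misconfiguration.
    """
    build = parse_version(host.version)
    if host.honeypot:
        return "honeypot"
    if build in TROJANIZED_BUILDS:
        return "assume-compromised"     # isolate, rotate credentials, rebuild
    if host.console_exposed:
        return "exposed-misconfigured"  # pull the console off the internet
    return "no-action"


def summarize(inventory):
    """Count hosts per triage bucket."""
    counts = {}
    for host in inventory:
        bucket = triage(host)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


# Constructed sample inventory for demonstration only.
SAMPLE_INVENTORY = [
    OrionHost("orion-hq", "2020.2 HF 1", console_exposed=False),
    OrionHost("orion-dmz", "2020.2.1 HF 2", console_exposed=True),
    OrionHost("orion-lab", "2019.4 HF 5", console_exposed=True, honeypot=True),
    OrionHost("orion-branch", "2019.4 HF 6", console_exposed=False),
    OrionHost("orion-old", "2019.4 HF 5", console_exposed=True),
]

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        print(f"{host.name:14} {host.version:14} -> {triage(host)}")
    print(summarize(SAMPLE_INVENTORY))
```

The ordering in `triage` is the point: exposure is checked only after the build check, because a server that received the trojanized update needs the full clean-up whether or not it was ever reachable from the internet, while an exposed but clean build is a configuration problem rather than an incident.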
