More Worrying ‘SolarWinds’ Discoveries Surface in the U.S.

• The U.S. Department of Justice admits that state-supported hackers accessed some of its email accounts.
• The agency says only 3% of its Microsoft 0365 accounts were impacted, and none of it concerned classified information.
• At the same time, vulnerable Orion servers pullulate possibly due to misconfigurations and honeypots.

The U.S. Department of Justice has issued a short statement via its Chief Information Officer, Marc Raimondi, admitting that their internal investigation has confirmed that the threat actors behind the ‘SolarWinds’ attacks have accessed about 3% of the DoJ’s email accounts on the Microsoft 0365 email environment.

As the announcement clarifies, nothing of what was accessed was classified information, so the impact is not considered critical for national security, although still very serious. OCIO adds that upon discovering the malicious activity, they moved to eliminate the infiltrator’s presence and plugged the hole used for entrance.

This immediate and decisive response on December 24, 2020, is allegedly what helped keep the infection rates down to 3%. However, this cannot be determined with absolute certainty before the investigations are concluded.

As we discussed yesterday, there’s a new task force dedicated to speeding up all investigations around the ‘SolarWinds’ attacks in the U.S., called the “Cyber Unified Coordination Group” (UCG). With all that is going on right now, we’re pretty sure that the UCG is feeling already overwhelmed.

Meanwhile, researchers and intelligence firms are still trying to estimate the infected systems that can still serve as backdoors for the actors to engage in cyber-espionage operations - and weirdly, the number is growing. According to Censys, back on December 28, their scan revealed 1,200 exposed SolarWinds Orion servers, and this number grew to 1,550 on January 4, 2021.

Through our ongoing investigation, we've observed more Orion hosts coming back online in the new year. Read more and stay up-to-date through our blog!

Total Unique Orion Hosts: 1,551
As of Date: January 4, 2021https://t.co/GFPUmljxPW pic.twitter.com/HWvpOC8tmN

— Censys (@censysio) January 6, 2021

A possible explanation for this is that system admins rushed to update their systems and apply fixing patches when the “sunburst” problem became widely known, falling to common misconfiguration errors. Another potential cause could be the setting up of “honeypots” to attract hackers and investigate their operations and activity.

The only number that is still valid beyond any doubt is the 18,000 systems that received the malicious Orion update, but that doesn’t mean that all of them have been compromised. The hackers couldn’t have engaged in all these endpoints but instead opted to focus on the most critical ones. One way to deal with this uncertainty would be to treat them all as compromised and take all the required clean-up action that would follow such a situation.