FERC, E-ISAC Report Details Reach of SolarWinds Compromise
Initial Breach Led to Multiple Subsequent Attacks
© RTO Insider LLC
A new report from FERC and the E-ISAC details the ongoing cost of last year's breach of the SolarWinds Orion platform, which affected thousands of companies.

Electric utilities must step up their cybersecurity best practices or risk further software supply chain security breaches like last year’s SolarWinds hack, according to a report released this week by FERC and the Electricity Information Sharing and Analysis Center (E-ISAC).

The SolarWinds and Related Supply Chain Compromise paper summarizes both the original hack of SolarWinds’ Orion network management software — along with vulnerabilities later discovered in other common industry tools such as Microsoft 365 and Exchange, and computer services provider Pulse Connect Secure — and recommended mitigation measures. FERC and the E-ISAC aimed the white paper at electric industry stakeholders but suggested that “members of other critical infrastructure sectors may also find [it] of interest.”

Security vendor FireEye first reported the breach of the Orion platform in December 2020, and “nearly 18,000 SolarWinds Customers” were initially thought to have been compromised. (SolarWinds now claims “the actual number of customers who were hacked … to be fewer than 100.”) Victims identified in the first days after discovery included the Department of Energy and FERC itself. (See FERC Pushes Cybersecurity Incentives.)

In April, the U.S. formally accused Russia’s Foreign Intelligence Service (SVR) of perpetrating the attack as part of a “broad-scope cyber espionage campaign that exploited [Orion] and other information technology infrastructures.”

The report’s account of the hackers’ operation aligns with other reporting: after SVR gained access to the SolarWinds production environment, it subverted the company’s update process to push malicious code to customers that enabled the hackers to gain remote access to their systems. At the same time, the attackers were able to leverage their access to SolarWinds’ servers to “gain network privileges” on the company’s Microsoft 365 and Azure Cloud environments.

According to a timeline of the attack compiled by SolarWinds in January, the malicious code — nicknamed “Sunburst” by analysts — was compiled and deployed in February 2020, but the company’s CEO admitted in May that the attackers “were doing very early [reconnaissance] activities in January of 2019.”

Shortly after FireEye announced its discovery of the malicious software, the E-ISAC published an all-points bulletin on the breach; the following week NERC issued a private Level 2 alert. The E-ISAC and Electricity Subsector Coordinating Council have since held “a series of restricted webinars to provide additional insights to electric utilities with key vendors involved in the response.”

Orion the Foundation for Further Attacks

Along with the Orion hack, the report provides more detail on other recent, related supply chain attacks. In the Pulse Connect Secure event, attackers used “Supernova” — a small piece of malicious code implanted through flaws in the Orion software — to gain access to the company’s virtual private network (VPN) servers. In addition, Microsoft recently reported a “wide-scale malicious email campaign” in which “Nobelium,” Microsoft’s name for the SolarWinds hackers, posed as a U.S.-based development organization to “distribute malicious URLs to a wide variety of organizations and industry verticals.”

Microsoft also revealed earlier this year that Hafnium, a group of hackers believed to be sponsored by China, has been using multiple weaknesses in the company’s products to attack on-premises versions of Microsoft Exchange Server at target companies that “may have allowed remote, unauthorized access, arbitrary write-to-file paths, and potential exfiltration of data on vulnerable Exchange servers.”

While this last breach does not appear to be linked to the SolarWinds compromise, it bolsters the report’s conclusion that “geopolitical competitors” are trying to use cyberattacks against critical infrastructure “to advance their interests.” The authors “strongly recommend” a number of steps, including:

• looking for indicators of compromise (IOCs) noted by the Cybersecurity and Infrastructure Security Agency (CISA). This should be done even if utilities do not use SolarWinds products because the attackers may have been able to move laterally through the systems of affected vendors or other companies;
• requiring key vendors to report their use of SolarWinds and — whether they do or not — if they have checked for the IOCs or other warning signs;
• if still using patched SolarWinds software, implementing the mitigation measures recommended in CISA’s previous emergency directives; and
• considering participating in the Cyber Mutual Assistance Program with peer utilities “to ensure a collective response during a cyber threat.”

“In the coming months the E-ISAC anticipates supplementing its current information sharing with new CRISP capabilities, enhanced cross-border sharing, and collaboration with the U.S. Department of Energy’s office of Cybersecurity, Energy Security and Emergency Response,” the report says. “Likewise, FERC staff stands ready to assist in the dissemination of actionable information that supports the electric industry in proactively responding to cyberattacks and other cyber vulnerabilities.”
