The service companies are known within the industry as original equipment manufacturers, or OEMs. They sometimes have remote access to critical parts of customer networks, as well as privileges that let them make changes to those networks, install new software, or even control critical operations. This means that hackers who breached the OEMs could potentially use their credentials to control critical customer processes.

“If an OEM has access to a network, and it’s bi-directional, it’s usually for more sensitive equipment like turbine control, and you could actually do disruptive actions,” Lee told The Intercept. “But just because you have access doesn’t mean you know what to do or how to do it. It doesn’t mean they can then flip off the lights; they have to do more after that.”

But compromising an OEM does magnify the potential risks to infrastructure.

“It’s particularly concerning because … compromising one OEM, depending on where you compromise them, could lead to access to thousands of organizations,” said Lee, a former critical infrastructure threat intelligence analyst for the NSA. “Two of the … OEMs that have been compromised … have access to hundreds of ICS networks around the world.”

Lee notes that in some cases the OEMs don’t just have access to customer networks - they actually directly infected their customers with the SolarWinds software. That’s because some of them use SolarWinds not just on their own networks, but have also installed it on customer networks to manage and monitor those, sometimes without the customers being aware this was done. Lee wouldn’t identify the OEMs and doesn’t know if the SolarWinds hackers took an interest in them.

SolarWinds was compromised in March, modified with a so-called “backdoor” to provide an attacker access to the network of anyone who downloaded it. Government officials have linked the hack to Russia. The backdoor, which security researchers at cybersecurity company FireEye have dubbed SUNBURST, gathers information about the infected network, then waits about two weeks before sending a beacon to a server owned by the hackers, along with information about the infected network, to signal that the infected system is open for them to surreptitiously enter. The hackers would have used that information to determine which targets they wanted to burrow into further. Once inside an infected system, the hackers could download more malicious tools and steal employee credentials to gain access to more critical parts of the network - collecting information or altering data or processes there.

Kevin Mandia, CEO of FireEye, has said the attackers only entered about 50 of the thousands of entities that were infected with the backdoor. Lee said the infections in the critical infrastructure sector occurred not just on companies’ IT networks but also sometimes on actual industrial control system networks that manage critical functions. There is currently no evidence, however, that the hackers used the backdoor in the SolarWinds software to gain access to the 15 electric, oil, gas, and manufacturing entities that were infected with the software.
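The exposure the article describes, an OEM whose remote access fans out across many customers' ICS networks, is something an asset owner can model from its own third-party access inventory. The script below is an added example, not code from The Intercept, Dragos, FireEye or SolarWinds: it keeps a small constructed inventory of vendor access grants and answers three defender questions for a given vendor, namely how many customers it can reach, which of those paths are bi-directional (the ones Lee describes as allowing disruptive actions rather than monitoring), and on which networks the vendor itself installed monitoring software, the places a tampered vendor update would land. All vendor, customer and network names are made up.

```python
"""
Added example (not from the article): model third-party (OEM) remote access
into customer ICS networks and rank the exposure created by each vendor.
Every vendor, customer and network below is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessGrant:
    vendor: str            # OEM / service company holding the access
    customer: str          # customer organisation granting it
    network: str           # network zone reached, e.g. "turbine-control"
    bidirectional: bool    # True: vendor can push changes, not only read telemetry
    installed_agent: bool  # True: vendor installed its own monitoring software there


# Constructed inventory; a real one would come from firewall rules,
# jump-host records and the customer's vendor-access register.
GRANTS: List[AccessGrant] = [
    AccessGrant("TurbineCo",  "PowerUtilA",    "turbine-control",    True,  True),
    AccessGrant("TurbineCo",  "PowerUtilA",    "historian",          False, True),
    AccessGrant("TurbineCo",  "GasPipelineB",  "compressor-control", True,  False),
    AccessGrant("MonitorInc", "PowerUtilA",    "historian",          False, True),
    AccessGrant("MonitorInc", "RefineryC",     "plant-dmz",          False, True),
    AccessGrant("MonitorInc", "ManufacturerD", "mes",                False, False),
]


def blast_radius(grants: List[AccessGrant]) -> Dict[str, int]:
    """Number of distinct customer organisations each vendor can reach."""
    customers: Dict[str, Set[str]] = defaultdict(set)
    for g in grants:
        customers[g.vendor].add(g.customer)
    return {vendor: len(custs) for vendor, custs in customers.items()}


def disruptive_paths(grants: List[AccessGrant], vendor: str) -> List[Tuple[str, str]]:
    """(customer, network) pairs where the vendor holds bi-directional access,
    i.e. where a compromised vendor credential could change process state."""
    return sorted((g.customer, g.network) for g in grants
                  if g.vendor == vendor and g.bidirectional)


def agent_footprint(grants: List[AccessGrant], vendor: str) -> Set[Tuple[str, str]]:
    """(customer, network) pairs where the vendor installed its own software,
    so a backdoored vendor update would execute inside the customer network."""
    return {(g.customer, g.network) for g in grants
            if g.vendor == vendor and g.installed_agent}


def vendor_report(grants: List[AccessGrant], vendor: str) -> Dict[str, object]:
    """Summary a security team can review when a vendor reports a compromise."""
    return {
        "vendor": vendor,
        "customers_reachable": blast_radius(grants).get(vendor, 0),
        "disruptive_paths": disruptive_paths(grants, vendor),
        "agent_footprint": sorted(agent_footprint(grants, vendor)),
    }


if __name__ == "__main__":
    # Rank vendors by reach first; the widest-reaching ones deserve the
    # earliest review when a supply-chain compromise is announced.
    for vendor, n in sorted(blast_radius(GRANTS).items(), key=lambda kv: -kv[1]):
        print(f"{vendor}: reaches {n} customer(s)")
        print("  ", vendor_report(GRANTS, vendor))
```

The two lists matter differently: `disruptive_paths` is where access controls (per-session approval, read-only by default, protocol-level allow-listing) reduce what a compromised vendor can do, while `agent_footprint` is where a customer should be hunting for the vendor's software and its update channel, since the article notes some customers did not know the OEM had installed it at all.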