The US intelligence community says a sophisticated attack on IT vendor SolarWinds was by "likely Russian in origin" in a new joint statement on the incident that suggested around nine US agencies were compromised by "follow-on activity on their systems".
The comment Tuesday from the Cybersecurity Infrastructure and Security Agency (CISA), the FBI, the Office of the Director of National Intelligence (ODNI) and the NSA comes after President Donald Trump suggested that China may have been behind the incident.
"Of the approximately 18,000 affected public and private sector customers of Solar Winds’ Orion product, a much smaller number have been compromised by follow-on activity on their systems", the so-called Cyber Unified Coordination Group said Tuesday.
"We have so far identified fewer than ten U.S. government agencies that fall into this category, and are working to identify and notify the nongovernment entities who also may be impacted," the agencies said on January 5, adding that "this is a serious compromise that will require a sustained and dedicated effort to remediate."
The update comes as shareholders sued the vendor over the security breach, and after -- as The Register earlier reported -- security researcher Vinoth Kumar allegedly found that SolarWinds' update server was at one time only protected by the password "solarwinds123".
"The insidiousness of a malicious contamination in a major software vendor’s supply chain is forcing organizations to recognize new regions of their threat landscape", noted Signal Hill Technologies founder Steve Jones meanwhile this week, pointing to the way the attackers chained vulnerabilities to gain "illicit consent" to cloud tenants.
CISA has pushed out a tool called "Sparrow" to help track such potential cloud compromise. This helps users check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise (IoC’s), list Azure AD domains, and sAzure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory.
Security firm CrowdStrike also earlier released its own tool for similar purposes, warning that Microsoft Azure’s own administrative tools are inadequate for those wanting to review permissions across Active Directory environments. The endpoint protection specialist hit out at a lack of clear documentation, an inability to audit via API, and warning that “auditing Azure AD permissions… is a time-consuming and complex process”