Updated: Mar 28
By Caelyn A. Palmer, Associate Attorney, Floom Energy Law PLLC
On December 13, cybersecurity giant FireEye disclosed an unprecedented and ongoing cyber attack targeting major public and private entities, including oil and gas companies.
FireEye reported that “extractive entities” – oil and gas companies – were targeted in the attack. Affected entities use software from the SolarWinds Orion IT monitoring and management product. There is no clear information yet on how this software was used in targeting oil and gas companies.
In the electric industry, one potential route for hackers to gain access to systems is through the SolarWinds Security Event Manager (SEM) software, which is managed by the affected Orion software. SEM software is typically used for monitoring network security, and for managing compliance with the North American Electric Reliability Corporation’s Critical Infrastructure Protection (CIP) standards in the electric industry.
Energy companies using the affected Orion product should exercise caution during this critical time and follow all recommendations as more information develops. While FireEye has notified known affected entities, the full extent of the attack is still unknown at this time.
The attack, which FireEye is tracking as UNC2452/SUNBURST, reportedly originated in Spring 2020 through an exploit (known as a “backdoor”) in the Orion product. The backdoor allowed a trojan to attach to standard business software updates, effectively guiding unsuspecting administrators to install the malware through routine updates. The sophisticated nature of this long-term attack is a hallmark of nation-state actors, and early reports attribute it to the Russian hacking group known in cybersecurity circles as APT29/Cozy Bear.
Initial reports suggest that the hackers focused on gaining information and access to credentials. Once inside management systems, the hackers effectively gained full administrative access, including the ability to transfer and execute files, and to disable system services.
The malware went undetected for months until hackers, presumably APT29/Cozy Bear, infiltrated FireEye’s own systems. The hackers stole FireEye’s “red team” tools, which are the diagnostic systems used by cybersecurity firms to detect and assess threats. FireEye’s subsequent investigation quickly revealed the global intrusion scheme.
Government and private sector entities are scrambling to assess damage, but attempts to mitigate the threat are hampered by the attackers’ unusual persistence. Despite detection and media coverage, the hackers remain overtly active and continue to exploit infected systems. This unexpected behavior suggests that the hackers continue to benefit from their presence within the system. Further, FireEye reports that the hackers are actively evading removal.
The Cybersecurity and Infrastructure Security Agency (CISA) has stated that the only known mitigation technique is to disconnect from the affected Orion software. In addition, SolarWinds continues to update information on mitigating patches and strongly advises users to update to the latest version of the software. Microsoft further advises entities to scan systems and update antivirus software even if no anomalies are detected.
For further information:
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor, FireEye: Threat Research (Dec. 13, 2020)
SolarWinds Security Advisory, SolarWinds (Dec. 14, 2020)
Important Steps For Customers To Protect Themselves From Recent Nation-State Cyber attacks, Microsoft Corporation (Dec. 13, 2020)
Mitigate SolarWinds Orion Code Compromise, Emergency Directive 21-01, Cybersecurity and Infrastructure Security Agency, (Dec. 13, 2020)
Customer Guidance on Recent Nation-State Cyber Attacks, Microsoft Security Response Center (Dec. 13, 2020)
The information provided on this website does not, and is not intended to, constitute legal advice. All information, content, and materials available on this site are for general informational purposes only. The content on this posting is provided "as is" without representation that the content is error-free. This website contains links to other third-party websites. Such links are only for the convenience of the reader, user, or browser; Floom Energy Law PLLC does not recommend or endorse the contents of the third-party sites. Use of, and access to, this website or any of the links or resources contained within the site do not create an attorney-client relationship between the reader, user, or browser and website authors, contributors, or employees of Floom Energy Law PLLC.