June 1, 2021
In light of recent global press coverage of nation-state cyber attacks, SUNBURST/Solarigate, and third-party application security concerns, FTI Cybersecurity is issuing immediate actionable intelligence.
Many organizations are exposed to third-party application risks, and the latest example of this type of cyber attack involves U.S. federal agencies and high-profile companies that were breached via a connected third party.
Given the significant risk potential in this evolving situation, FTI Cybersecurity encourages all clients to take a proactive stance in addressing this threat, and all entities that currently use this third-party product should assume they have been breached. We also understand that there may be other vectors of compromise implicated in this campaign that may not be made public, so all entities must be on high alert.
FTI Cybersecurity has issued immediate actionable intelligence advising steps you can take to remain secure and resilient in the face of this ongoing threat.
As we learn more about the cyber attack, what was impacted, and how to mitigate risks, we will list new updates and developments here:
Recent Developments
- June 1, 2021 | Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs: This joint advisory details that “a sophisticated cyber threat actor leveraged a compromised end-user account from…a legitimate email marketing software company…to spoof a U.S.-based government organization and distribute links to malicious URLs.” This alert shares background information on the attack, associated malware, and an indicators of compromise list.
- April 26, 2021 | Russian Foreign Intelligence Service (SVR) Cyber Operations: Trends and Best Practices for Network Defenders: This joint alert details the ongoing operations of sophisticated cyber actors, including recommended techniques to defend against threats.
- January 27, 2021 | CISA Malware Analysis on Supernova: This alert highlights malware that affects SolarWinds Orion software and “is not part of the SolarWinds supply chain attack.”
- January 20, 2021 | Raindrop Malware: An additional malware variant has been identified as being used in the SolarWinds cyber attack.
- January 6, 2021 | Sparrow.ps1: This tool, created by CISA, helps identify compromised accounts and applications. FTI Cybersecurity recommends that incident responders use this tool to assist with their investigations.
- January 6, 2021 | CISA Updates Emergency Directive 21-01 Supplemental Guidance and Activity Alert on SolarWinds Orion Compromise: This alert provides “guidance that supersedes Required Action 4 of ED 21-01 and Supplemental Guidance versions 1 and 2.”
- December 17, 2020 | Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations: This alert provides key takeaways and additional guidance.