Was JetBrains Tool an Infection Vector for SolarWinds Hack?
JetBrains CEO Says Investigators Have Not Contacted Company
Reacting to news reports claiming hackers may have used Czech software firm JetBrains’ TeamCity tool as an initial infection vector during the attack against SolarWinds, JetBrains CEO Maxim Shafirov says the company has not been contacted by investigators. But he says customer misconfiguration of TeamCity could have enabled a hack.
"JetBrains has not taken part or been involved in this attack in any way," the CEO says. He adds, however, that "it’s important to stress that TeamCity is a complex product that requires proper configuration. If TeamCity has somehow been used in this [SolarWinds breach] process, it could very well be due to misconfiguration, and not a specific vulnerability."
On Wednesday, the New York Times and Reuters reported that U.S. authorities are investigating the possibility that the hackers who breached SolarWinds abused JetBrains' TeamCity, which is used for continuous integration/continuous development as part of the DevOps process.
Citing sources with knowledge of the investigation, the reports note that U.S. intelligence authorities and security experts believe the hackers may have compromised TeamCity to implant a backdoor that would then lead to the compromise of SolarWinds - a JetBrains customer (see: Severe SolarWinds Hacking: 250 Organizations Affected?).
JetBrains says it has about 300,000 customers worldwide, including 95 Fortune 100 companies. Besides SolarWinds, its customers include Twitter, Google, Siemens and Citibank, according to the company's website.
JetBrains’ CEO Responds
Responding to the news reports, Shafirov says: "SolarWinds has not contacted us with any details regarding the breach, and the only information we have is what has been made publicly available. … We have not been contacted by any government or security agency regarding this matter, nor are we aware of being under any investigation. If such an investigation is undertaken, the authorities can count on our full cooperation."
The New York Times reported some security experts believe that hackers could have compromised TeamCity by exploiting unpatched vulnerabilities in the application or through stealing credentials. The attacker could have then proceeded to implant a backdoor to infect JetBrains' customers.
Ties to Russia
On Tuesday, the Cyber Unified Coordination Group task force set up by the U.S. government to investigate the SolarWinds breach said it was likely an intelligence operation carried out by an advanced persistent threat group with ties to Russia (see: SolarWinds Attack: Pointing a Finger at Russia).
The attack campaign was discovered by security firm FireEye on Dec. 13 after the firm found that it was also a victim of a supply chain attack and had its penetration testing tools stolen (see: FireEye: SolarWinds Hack 'Genuinely Impacted' 50 Victims).
Further analysis revealed that during March, the attackers snuck a backdoor into SolarWinds' Orion network monitoring tool, which is widely used both across the private sector and in U.S. government agencies. For up to nine months, about 18,000 organizations installed versions of Orion containing the backdoor, known as Sunburst, which enabled attackers to remotely access some infected systems as well as push more malware and exfiltrate data (see: US Treasury Suffered 'Significant' SolarWinds Breach).
On Wednesday, the Justice Department joined the list of government agencies affected by the SolarWinds hack. But the department reports it has "no indication" that any classified systems were compromised.
The Justice Department says it discovered on Dec. 24 malicious activity involving access to its Microsoft Office 365 email environment. "At this point, the number of potentially accessed O365 mailboxes appears limited to around 3%," according to the statement.
Other U.S. government agencies that have been affected by the SolarWinds breach include the Commerce, Homeland Security, State, Energy and Treasury departments as well as some branches of the Pentagon.
Amazon's intelligence team estimates that up to 250 organizations may have been compromised as part of the second-stage supply chain attacks, The New York Times reports.