Who Is Solarwinds?
Solarwinds is one of many seemingly innocuous network monitoring softwares. With revenues just under a billion dollars, this is not a behemoth of industry like IBM or Microsoft. And yet, Solarwinds was the catalyst for a string of network breaches the likes of which hasn’t been seen in a long time, if ever.
What happened?
Several departments of the government were compromised, including the treasury, homeland security, commerce, defense, energy, state, and health departments. FireEye, a large cybersecurity firm, was also compromised. In the private sector, Cisco, Intel, VMware, Microsoft, and Nvidia, among others, were also breached. In total, potentially thousands of organizations have been penetrated by the malware. It was not limited to the United States; Europe, Asia, and the middle east were also affected.
What does this mean for you and I?
Unless you’re in cybersecurity ops (and if you are… you have our condolences), the primary concerns are: interference with the government, theft of intellectual property, and disruption of operations. Specifically, hardware data follows employee data which follows company data. With hardware access, bad actors can do things like interfere with energy infrastructure, for example.
But perhaps the greatest takeaway is that even a top cybersecurity firm was breached. They win points for detecting the breach when no one else did, but if they couldn’t prevent it, what chance do average teams have?
In that respect, I think it’s valuable to review how it happened.
The actors created a Windows Installer Patch file including a backdoored version of a standard solarwinds update file. They proceeded to post these corrupted updates to the SolarWinds site with a legitimate signature. Once SolarWinds downloaded the update to their Orion software, the (normal) BusinessLayerHost.exe would load the trojanized DLL file. After a couple weeks, the trojan tries to resolve a avsvmcloud[.]com subdomain. The DNS then responds with a CNAME record aimed at a Command and Control server. Essentially, they used the host names of valid services. The traffic to the malicious domains is disguised as SolarWinds API data.
From there, they had access to software which inherently provides them access to network communications of SolarWinds clients.
Why didn’t they get detected?
They were classified as highly skilled hackers for a reason. They waited for two weeks before attacking. They used routine maintenance tasks to slip in. After breaching deeper, they would insert memory only code to normal processes to replace a part of the system, obtain uncompromised credentials, then replace their malicious part with the normal part.
If there was a technique to cover their tracks, they used it. They evaluated the security of each of SW’s clients’ systems individually, one at a time, then tailored each breach to the client.
The Attack Timeline
2019: Preparing to Attack
September 4
Unknown, highly skilled cyber attackers access SolarWinds.
September 12
Bad actors inject their SUNBURST code into the Orion Platform Software as an initial test. Using US servers and highly disguised network traffic, they avoided detection by every network using the Orion platform.
2020: Attack Begins
February 20
After updating the SUNBURST code, the bad actors carry out their attack. Over the following months, they manage to penetrate the individual networks of many Orion users.
June 4
The hackers extract their trojan code from SolarWinds, covering their tracks.
December 8
A Cybersecurity company, FireEye, announces that hackers stole their penetration testing tools (“red team” tools used to test the cybersecurity defenses of their clients) and warns other companies of the corresponding risk if those tools were turned against them.
December 11
FireEye investigates further and determines that SolarWinds was the root cause of the breach. They discovered that the Orion Platform’s updates were trojanized, which allowed them to infiltrate SolarWinds clients from any of the software releases from March 2020 to June.
December 12
FireEye discloses to SolarWinds that their Orion platform was breached by hackers. The White House and the NSC conduct a meeting to determine the extent of the hack into government organizations.
December 13
After reviewing the situation, the CISA (Cybersecurity and Infrastructure Security Agency) declares an emergency mandate for all government institutions to remove all SolarWinds Orion activity due to the ongoing dangers to national security.
FireEye reports that a cyber attacker weaponized the SolarWinds update supply chain and subsequently breached clients globally.
SolarWinds describes the breach of their Orion platform and provides methods for their customers to defend their networks. Microsoft also makes a statement about the implications of the SolarWinds hack for their base of customers.
Reuters breaks the SolarWinds story to the public, detailing Russia as a prime suspect and the undetermined extent of the attack on the US federal government.
December 15
The senate requests that the FBI and CISA probe the SolarWinds issue and provide more information about the cyberattack on the government to congress.
A software patch is provided by SolarWinds; they convey additional information about the attack.
Journalists release information that Homeland security, the NIH, the DHS, among others were victimized.
December 16
The cybersecurity community determines the domain used by the cyber attackers along with a kill switch to deactivate the SUNBURST code.
The FBI begins their probe into the origins of the attack to mitigate future risk of attack.
The New York Times explains the risk to the security of our nation.
SolarWinds elaborates on the attack; they explain that their managed service provider tools were not compromised, though steps were taken to prevent further breaches, as all partners were notified to reset their digitally signed certificates as the SolarWinds revoked old credentials.
December 17
Microsoft’s infosec team announces that their orion software was compromised, but that the risk has been eliminated. They report that their system did not appear to be compromised.
December 19
According to announcements by the media and cybersecurity analysts, the defenses of roughly 200 companies and institutions were compromised.
December 22
More SolarWinds security updates become available.
Christmas Eve
SolarWinds explains how its latest security patches and fixes address the Orion Supernova attack.
December 30
The Cybersecurity and Infrastructure agency directs the other government departments to update their Orion software to the 2020.2.1HF2 update version.
2021: SolarWinds Aftermath
January 5
January 5
US intelligence identifies Russia as the presumed culprit of the SolarWinds breach.
January 6
A reporter for the NYT writes that the JetBrians TeamCity CI/CD platform may be implicated in the Russian cyberattack. Specifically it, the TeamCity server helps developers build finalized software, one of which being SolarWinds software.
JetBrians CEO denies that any investigation has been under way, and proclaims that user error and misconfiguration very well may have lead to a breach.
SolarWinds brings its prior CEO on for interim consulting to manage the fallout from the attack.
January 8
SolarWinds expands PR efforts to mitigate backlash, states they will deepen cybersecurity resources and expand efforts. SolarWinds brings on infosec consultants who formally worked for Facebook and the CISA.
January 11
Kaspersky draws a comparison between the SolarWinds attack and prior activity of the Russian security service’s cyber warfare accomplice, the Turla group.
Crowdstrike details how the Russian attackers used a tool called SUNSPOT to attack the SolarWinds systems and create their SUNBURST backdoor.
SolarWinds hires more InfoSec team members and further information about the attack is released.
SolarWinds: Future Implications on Data Security and the InfoSec industry.
There has not been a cyber attack as high profile as the SolarWinds breach in many years (that we know of).
While we may never know the full extent of how the attack was carried out, the consensus seems to be that this was a multifaceted supply chain attack. CI/CD server infiltration into the software build of solarwinds –> access to update software –> Access to Orion Platform of clients –> Manually infiltrate the client networks.
Federal governments were compromised. Companies all over the globe were compromised. To prevent future attacks, we need better communication between cybersecurity teams. By sharing ongoing threat information, we can prevent attacks like this from escalating.
Supply chain attacks aren’t going anywhere; 3rd party software is easily manipulated to infiltrate the applications they interface with. It’s also less routinely investigated and considered than in-house software. As a result, companies will surely beef up defenses to 3rd-party vendor access. It remains to be seen if this will be enough to prevent similar attacks.
While JetBrains has not been formally designated as one of the attack vectors, the fact that they can’t be ruled out reinforces the importance of protecting the software development environment. SAST, DAST, and SCA tools for security testing will expand and become more ubiquitous to nip risks in the bud before they can become a larger problem.
As hypersegmentation and zero trust policies are implemented, teams will have to adapt to the new restrictions and find new ways to maintain operations and communications within the network.
Finally, it is critical to maintain secure IT lifecycle operations to protect physical data bearing media from data leaks. In the course of helping our ITAD clients, we have found and secured numerous logins and digital certificates on innocuous media like flash drives left within servers by accident. Reach out for a free quote to protect your brand and regain capital from your IT assets.