In the Eye of the Storm – The Story of the SolarWinds Hack as it Unfolds
Sometimes it can be a stroke of luck when threat actors target a cybersecurity firm. Had FireEye not discovered that its own defenses had been breached and launched an investigation, the SolarWinds global intrusion campaign might have continued undetected for weeks, if not months, more. Prodigiously skilled nation-state actors apparently orchestrated the attack, and the motive seems to have been cyber-espionage. The perpetrators took extreme precautions to go undetected.
Given the scale of potential victims in the hack (including nearly 400 Fortune 500 companies, all divisions of the U.S. military, the Centers for Disease Control and Prevention (CDC), major American telecom companies, the Department of Justice, the Office of the President, NASA, reputed educational institutions globally and many more), the impact of further delay can only be imagined.
How did the SolarWinds Hack happen?
The SolarWinds hack has been categorized as a supply chain attack that, according to the company, was an “extremely targeted and manually executed attack, as opposed to a broad, system-wide attack.”
In a supply chain attack, cyber criminals don’t target each organization they want a foothold in individually; they compromise something those organizations all trust. In the case of SolarWinds, the threat actors accessed the update system of Orion (a SolarWinds product widely used by its customers) and inserted malicious code into the software update. This kind of attack is called a supply chain attack because it targets software while it is still being assembled. The booby-trapped updates were pushed out to SolarWinds customers, distributing a type of malware called Sunburst.
SHA256 Hash: c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168
CrowdStrike estimates the payload was built on Feb 20th 2020 and likely first deployed in March 2020.
Sunburst can stay dormant in the victim’s systems for up to two weeks, after which it “retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.” The malware hides its own footprint by disguising its network traffic as Orion Improvement Program (OIP) protocol traffic and storing espionage files inside the Orion plugin configuration files, so it is completely assimilated within the legitimate activity generated by the SolarWinds program. This ‘backdoor’ even “uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers.”
FireEye’s GitHub page lists the known malicious infrastructure.
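A defender-side sweep that checks files on disk against the SHA256 indicator quoted above is shown here as an added example; it is not code from the article, FireEye or SolarWinds. The indicator set can be extended with published feeds such as FireEye’s; the placeholder file names and fixture contents in demo() are constructed for the demo only.

```python
"""Defender-side sweep: flag files whose SHA-256 matches known SUNBURST indicators."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicator quoted in the article (SUNBURST sample SHA-256); extend with published feeds.
SUNBURST_SHA256 = frozenset({"c45c9bda8db1d470f1fd0dcc346dc449839eb5ce9a948c70369230af0b3ef168"})


def sha256_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root: Path, iocs=SUNBURST_SHA256) -> dict:
    """Walk root and return {path: digest} for every file whose SHA-256 is in iocs.
    Unreadable files are skipped so one locked file does not abort the whole sweep."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = Path(dirpath) / name
            try:
                digest = sha256_file(path)
            except OSError:
                continue
            if digest in iocs:
                hits[str(path)] = digest
    return hits


def demo() -> dict:
    """Constructed fixture: plant a placeholder file, add its hash to the IoC set,
    and confirm the sweep reports only that file. Returns {filename: digest}."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        planted = root / "constructed_sample.dll"  # placeholder name, not a real artifact
        planted.write_bytes(b"constructed placeholder bytes, not a real binary")
        (root / "benign.dll").write_bytes(b"unrelated content")
        iocs = SUNBURST_SHA256 | {sha256_bytes(planted.read_bytes())}
        return {Path(p).name: d for p, d in sweep(root, iocs).items()}
```

Run sweep() against a real Orion installation directory with the full indicator set; any hit is a file matching a known SUNBURST sample.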
The impact of the SolarWinds attack
As difficult as supply chain attacks are to pull off, the rewards are concomitantly huge, as the malicious code is placed within a trusted piece of software. This eliminates the need for attackers to perform phishing attempts against individual targets and allows them to target multinational companies, government agencies, and public institutions alike, as they unwittingly install the software update – as suggested by SolarWinds.
SolarWinds has a client base of over 300,000 businesses globally. Some 18,000 of these entities could have been compromised by the hack, and the effects are ‘ongoing’. The list of victims comprises governments and consulting, technology, and telecom companies in North America, Europe, Asia and the Middle East. More countries and verticals are being added to the list as the extent of the breach unfolds.
It’s hard to grasp the extent of the attack, as the threat actors left an extremely light malware footprint and were careful to use legitimate credentials, IP addresses located in the same country as the targeted entity (by making use of Virtual Private Servers) and remote access to gain entry into targeted environments.
FireEye went through 50,000 lines of source code and was the first to detect the vulnerability in Orion, a popular product made by the Texas-based SolarWinds Corp. Hackers appear to have exploited this vulnerability to plant the malicious code, which was distributed whenever SolarWinds customers updated their systems when prompted. FireEye immediately alerted both SolarWinds and the authorities. The impact of the long-undetected attack, however, keeps unfolding. Once the breach happened, the compromised supply chain resulted in ‘lateral movement and data theft’, the details of which are still not entirely clear.
Who is behind the SolarWinds attack?
The entire operation was managed with a high degree of precision and skill and was the work of actors who operated with ‘significant operational security’. FireEye’s analysis of multiple SUNBURST samples delivering different payloads has shown at least one instance of “a previously unseen memory-only dropper we’ve dubbed TEARDROP to deploy Cobalt Strike BEACON.”
FireEye has declined to name a specific nation-state actor responsible for the attack, stating only that it was the act of a nation “with top-tier offensive capabilities,” and that “the attacker primarily sought information related to certain government customers.”
In Emergency Directive 21-01, the US Cybersecurity and Infrastructure Security Agency (CISA) requested all “federal civilian agencies to review their networks” and to further “disconnect or power down SolarWinds Orion products immediately.”
Further, the FBI, CISA and the National Intelligence Agency have coordinated their efforts to launch the ‘Cyber Unified Coordination Group (UCG)’ to coordinate the government response to the attack, which they have dubbed a “significant and ongoing cyber security campaign.”
The former Homeland Security Adviser for President Donald Trump, Thomas P Bossert, has alleged that Russia was behind the attack in an opinion piece written for The New York Times. According to Bossert, “evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world.”
Many US intelligence officials have publicly pointed fingers at Russia as well. On December 18, Secretary of State Mike Pompeo said in a radio interview, “we can say pretty clearly that it was the Russians that engaged in this activity.” A joint statement from the FBI, NSA, CISA and the ODNI made on January 5 also pointed to Russia as the most likely threat actor. Many news outlets have pointed to a Russian hacking group, nicknamed APT29 or CozyBear, as responsible for the attack.
However, in a Dec. 13 statement on Facebook, the Russian embassy in the US denied any involvement in the attack, stating that “Malicious activities in the information space contradict the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” and adding that “Russia does not conduct offensive operations in the cyber domain.”