On Sunday, December 13, 2020, SolarWinds announced that it had learned of a “highly sophisticated, manual supply chain attack” by a nation state affecting its Orion Platform, which is used by a wide variety of public and private sector organizations for IT infrastructure monitoring and management. In this attack, adversaries were able to compromise the Orion software build system for certain versions of the software, and trojanized software updates were distributed to customers between March and June 2020. According to SolarWinds, this attack may affect as many as 18,000 customers. As a result of this attack, several key government agencies have reported that hackers were able to break into their networks, including the Department of Homeland Security (DHS), as well as the Commerce and Treasury Departments. The Cybersecurity and Infrastructure Security Agency (CISA) within DHS has advised that both public and private sector organizations using certain Orion products may be at risk of compromise.
Public and Private Sector Organizations Encouraged to Take Action
As details regarding the full impact and scope of this attack unfold, on December 13, CISA issued Emergency Directive 21-01, requiring agencies to immediately take certain actions to combat the threat posed by the SolarWinds compromise. Although the Emergency Directive only requires action by federal civilian Executive Branch agencies, in announcing the Directive and on its Twitter page, CISA called on its partners in both the public and private sector “to assess their exposure to this compromise and to secure their networks against any exploitation,” recommending that “all organizations” review Emergency Directive 21-01. CISA also published an alert encouraging affected organizations to consult advisories from both SolarWinds and FireEye, a security firm that had released its threat research on the hacking campaign earlier that day, including details on notable stealthy techniques used by the attackers.
The SolarWinds attack is reportedly related to the recent attack on FireEye, which announced on December 8, 2020 that it had been compromised by a highly sophisticated threat actor, resulting in the theft of proprietary tools used by FireEye to help its customers locate and remediate network vulnerabilities.
A Supply Chain Attack with Far Reaching Consequences
In a supply chain attack, hackers infiltrate an organization’s systems by exploiting connections between the victim company and a service provider, such as a software provider. Once the threat actors have gained access to the service provider’s systems, they can leverage this access to attack the systems of the service provider’s business partners, such as those who purchase and install the provider’s software.
In the SolarWinds Security Advisory cited by CISA, SolarWinds stated that the hackers, believed by SolarWinds to be associated with a nation state, were able to compromise the Orion software build system for certain versions of the software by inserting a backdoor in specific software updates released between March and June 2020. Once SolarWinds customers downloaded and installed the compromised Orion versions, a backdoor would be opened to the adversaries, allowing them to take control of the server on which the Orion product was installed. Notably, according to FireEye, the backdoor disguises its network traffic as the “Orion Improvement Program” protocol and stores its reconnaissance results within legitimate configuration files, allowing it to blend in with normal SolarWinds activity.
Broad media reporting and several security firms have attributed this activity to a hacking group known as Cozy Bear or APT29, which is linked to the SVR, a Russian intelligence agency. Cozy Bear/APT29 was previously linked to the attack against the DNC’s networks during the 2016 election cycle. No official attribution for this attack, however, has been confirmed.
Public and Private Sector Cooperation in Response to the Attack
The response to the SolarWinds hack has featured significant cooperation not only across the federal government (see the December 16 joint statement by the FBI, CISA and the Office of the Director of National Intelligence (ODNI)), but between the public and private sectors, as organizations act quickly to investigate the techniques used by the hackers and mitigate potential damage. Following CISA’s initial alert, which encouraged affected organizations to refer to FireEye’s advisories for more information and to FireEye’s GitHub page for detection countermeasures, FireEye has stated that it is continuing to take action, in conjunction with other private sector partners, to protect organizations from the SolarWinds attack. Notably, on December 16, FireEye announced on its Twitter page and in an email statement that it had cooperated with GoDaddy and Microsoft (which has also published detailed guidance on the attack) to develop a “killswitch” that would prevent the backdoor from continuing to operate. However, it is important to note that if the adversary has already established other backdoors or a deep presence in an organization’s environment, this step alone would not remove the malicious actors from the victim’s networks.
Steps to Take Now
CISA has encouraged its public and private sector partners to begin investigating their systems for signs of unauthorized activity. In addition to consulting resources made available by CISA (see CISA’s December 13 and December 17 alerts), FireEye, and other experts, organizations should stay tuned for additional updates from CISA regarding indicators of compromise and techniques used by the attackers.