What is The SolarWinds Cyberattack?

The SolarWinds cyberattack, which occurred in December 2020, was a supply chain attack targeting the SolarWinds Orion platform. It involved a Russian nation-state adversary infiltrating SolarWinds systems and distributing malicious updates to the Orion software. As a result, threat actors could covertly implant malware on the networks of SolarWinds customers. The disclosure of the SolarWinds hack was made by various cybersecurity firms in collaboration with the US Cybersecurity and Infrastructure Security Agency (CISA).

What Is SolarWinds?

SolarWinds, headquartered in Texas, provides IT infrastructure management software solutions that enable organizations to monitor and control the performance of their IT environments.

SolarWinds Orion, a widely utilized platform for monitoring and managing network infrastructure, is designed to offer customers visibility into networks from various vendors to help them identify and resolve issues. Orion boasts more than 33,000 reported customers, including numerous large private sector enterprises and government agencies. It is estimated that the attack in question impacted around 18,000 of these customers—significantly more than half.

The day after the SolarWinds breach was disclosed, Forbes highlighted the potential severity of the attacks on the United States security apparatus: “Public records indicate that SolarWinds Orion has been purchased by a wide range of U.S. government customers. The Pentagon, along with the Army and Navy, are significant users. Additionally, the Department of Veterans Affairs, the National Institutes of Health, the Department of Energy, DHS, and the FBI are among the many branches of the U.S. government that have utilized this tool.”

How Did the SolarWinds Cyberattack Work?

The attack, dubbed SUNBURST in SolarWinds communications, impacted Orion versions 2019.4 through 2020.2.1, which were released between March and June 2020.

To execute the attack, hackers altered a plugin within the Orion platform that was distributed as part of platform updates. This plugin, bearing SolarWinds’ digital signature, contained a backdoor enabling communication with third-party servers controlled by the attackers. Once the hackers gained access to affected organizations, they could steal data, deploy malicious code, or disrupt business operations.

The attack was orchestrated by a sophisticated adversary possessing a deep understanding of operational security. Based on publicly available information, this adversary demonstrated extensive efforts to avoid detection, employing techniques such as code obfuscation, steganography for cleanup, fingerprinting to identify target and analysis systems, utilizing infrastructure located near targeted geolocations, and favoring in-memory code execution.

These tactics, combined with using a digitally signed component of a trusted software platform for the initial infection, underscore the capability and determination of a highly skilled and covert adversary willing to invest significant resources to ensure the success of their operation.

How Do You Know If You’ve Been Attacked?

To maintain stealth, the adversary seems to have activated the backdoor in SolarWinds Orion selectively, particularly when targeting specific environments. Consequently, scrutinizing network activity is essential to ascertain whether an attacker has sought or gained access.

The campaign is believed to have commenced in or before March 2020, with potential testing as early as October 2019, and did not leave behind any discernible indicators of compromise. Given the extensive data involved, many organizations lack access logs of sufficient duration to confirm if a compromise occurred.

Should an adversary introduce malware into your environment via a compromised Orion system, they are likely to exploit elevated privileges to explore available actions. Monitor the affected Orion system—or other systems that have interacted with it—for signs such as:

• Alteration of system tasks
• Patterns of directory actions such as delete-create-execute-delete-create
• Identification of newly generated or unfamiliar local user accounts
• Presence or usage indications of Adfind.exe
• Instances of cmd.exe or rundll32.exe initiated from solarwinds.businesslayerhost.exe
• Existence of unfamiliar and/or broadly defined email forwarding/deleting rules on the email gateway

Compromised Orion Products and Versions

Determining whether you’ve been targeted is relatively straightforward: check if you’re using a compromised Orion product in your environment. The affected versions of the Orion Platform include:

• 2019.4 HF5, version 2019.4.5200.9083
• 2020.2 RC1, version 2020.2.100.12219
• 2020.2 RC2, version 2020.2.5200.12394
• 2020.2, version 2020.2.5300.12432
• 2020.2 HF1, version 2020.2.5300.12432

What to Do If You’re at Risk

If you suspect that you are using a compromised version of the Orion Platform:

• Take immediate action to isolate, disconnect, or power down affected systems.
• Review logs thoroughly to detect any command-and-control activity or lateral movement originating from the affected systems.
• Reset all credentials utilized by SolarWinds Orion and related services.
• Update Orion to the most recent version as advised in the advisory.
• Verify whether any other SolarWinds products listed in the advisory are also installed and potentially affected.

Best Practices for Protecting Your Organization

Supply chain attacks are continuously evolving, presenting a persistent threat to the operations and confidential data of both public agencies and private enterprises. To mitigate this risk, we recommends the following actions:

• Reduce your exposure to internet-based attacks, prevent lateral movement within your network, and block command-and-control (C2) communications by implementing a zero-trust architecture.
• Enhance security by enabling comprehensive TLS/SSL inspection and advanced threat prevention for traffic between workloads and the internet.
• Deploy an inline cloud sandbox to detect and thwart unknown threats effectively.
• Continuously update protections against known C2 traffic to adapt to emerging threat landscapes.
• Minimize the impact of lateral movement by implementing identity-based micro segmentation for cloud workloads.
• Prioritize vendors with a proven track record of ensuring the highest levels of confidentiality, integrity, and availability.

Even if you’re unable to implement additional measures, focus on these two crucial steps, which significantly increase the difficulty for adversaries to infiltrate your environment and enhance your ability to detect unauthorized activities:

• Implement least-privileged access controls to restrict adversaries’ capabilities to exploit their foothold.
• Mandate multifactor authentication for accessing high-value assets to bolster security further.

FAQ’s

What Is SolarWinds?

SolarWinds provides IT infrastructure management software, including the widely used SolarWinds Orion platform for network monitoring.

How Did the SolarWinds Cyberattack Work?

The attack, named SUNBURST, targeted specific Orion versions released between March and June 2020. Hackers exploited a backdoor in a plugin distributed with platform updates, allowing them to infiltrate organizations, steal data, and deploy malware.

How Can You Identify If You’ve Been Attacked?

Monitor for suspicious network activity, such as altered system tasks or unusual user account creation, especially if using affected Orion versions listed.

What Should You Do If You Suspect You’re at Risk?

Isolate affected systems, review logs for signs of compromise, reset SolarWinds Orion credentials, update to the latest version, and check other potentially impacted SolarWinds products.

Best Practices for Protecting Your Organization

Implement a zero-trust architecture, enable TLS/SSL inspection, use advanced threat prevention measures, deploy a cloud sandbox, update protections against known threats, implement microsegmentation, enforce least-privileged access, and mandate multifactor authentication.

Conclusion

The SolarWinds cyberattack underscores the ever-present threat of supply chain vulnerabilities. By understanding the attack, staying vigilant for signs of compromise, and implementing robust security measures, organizations can mitigate risks. Through proactive defense strategies and ongoing adaptation, businesses can protect their networks and data from evolving cyber threats, ensuring resilience in the face of future challenges.