The SolarWinds Hack
- December 16, 2020
- Clayton Rice, K.C.
On December 14, 2020, SolarWinds announced that its network management software, Orion, had been targeted by a cyberespionage operation. The hackers inserted malicious code into Orion software updates rolled out to nearly 18,000 customers. The initial reports confirmed that the scope of the breach includes the U.S. Treasury Department and the Department of Commerce. On December 15, 2020, SolarWinds reported the incident to the U.S. Securities and Exchange Commission. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive in response to the supply chain attack. Here’s the story so far.
1. What is SolarWinds?
SolarWinds Inc., based in Austin, Texas, develops commercial software for the management of networks, systems and information technology infrastructure. It has about 300,000 customers including nearly all Fortune 500 companies as well as various U.S. federal government agencies. Its network management software, Orion, is used by about 33,000 public and private sector customers. Over the last ten years, SolarWinds acquired various companies engaged in virtual management, web monitoring, email security and threat management. It was named number 10 on Forbes magazine’s list of the fastest growing technology companies in 2011. (here and here)
2. Initial Reports
On December 8, 2020, FireEye, one of the largest cybersecurity companies in the United States, reported that foreign government hackers with “world-class capabilities” broke into its network and stole tools used to test the defences of its customers including governments and global corporations. According to FireEye CEO, Kevin Mandia, the hackers primarily sought information related to government customers. “I’ve concluded we are witnessing an attack by a nation with top-tier offensive capabilities,” Mandia said, “different from the tens of thousands of incidents we have responded to throughout the years.” Former National Security Agency hacker, Jake Williams, president of Rendition Infosec, characterized the operation as “consistent with a Russian state actor”. (here)
On December 15, 2020, investigative reporter, Brian Krebs, summarized the fast evolving story in a post to KrebsOnSecurity titled SolarWinds Hack Could Affect 18K Customers. (here) The key developments during the five days since the FireEye disclosure are:
- December 13, 2020. SolarWinds acknowledged that hackers had inserted malware into a service that provided software updates for its Orion platform, a suite of products broadly used across the U.S. federal government and Fortune 500 firms to monitor the health of their IT networks.
- December 13, 2020. FireEye published a detailed writeup on the malware infrastructure used in the SolarWinds compromise, presenting evidence that the Orion software was first compromised back in March 2020. FireEye didn’t explicitly say its own intrusion was the result of the SolarWinds hack, but the company confirmed as much to KrebsOnSecurity today.
- December 13, 2020. News broke that the SolarWinds hack resulted in attackers reading the email communications at the U.S. Treasury and Commerce departments.
- December 14, 2020. In a filing with the U.S. Securities and Exchange Commission (SEC), SolarWinds said roughly 33,000 of its more than 300,000 customers were Orion customers, and that fewer than 18,000 customers may have had an installation of the Orion product that contained the malicious code. SolarWinds said the intrusion also compromised its Microsoft Office 365 accounts. The initial breach disclosure from SolarWinds came five days after cybersecurity incident response firm FireEye announced it had suffered an intrusion that resulted in the theft of some 300 proprietary software tools the company provides to clients to help secure their IT operations.
- December 14, 2020. Reuters reported the SolarWinds intrusion also had been used to infiltrate computer networks at the U.S. Department of Homeland Security (DHS). That disclosure came less than 24 hours after DHS’s Cybersecurity and Infrastructure Security Agency (CISA) took the unusual step of issuing an emergency directive ordering all federal agencies to immediately disconnect the affected Orion products from their networks.
Mr. Krebs went on to say that Microsoft might be in the best position to assess the damage. On December 14, 2020, the tech giant “took control over a key domain name – avsvmcloud[.]com – used by the SolarWinds hackers” to communicate with systems that were compromised by the “backdoored Orion product updates.” Mr. Krebs concluded that, based on the timeline known so far, “the perpetrators of this elaborate hack would have had a fairly good idea back in March which of SolarWinds’ 18,000 Orion customers were worth targeting, and perhaps even in what order.”
The malicious updates, sent between March and June, when the United States was in the throes of the first wave of the Covid-19 pandemic, were “perfect timing for a perfect storm” said Kim Peretti, the co-chair of the cybersecurity preparedness and response team at Alston & Bird, a law firm based in Atlanta, Georgia. (here) Assessing the widespread damage will be difficult – and a long haul.
When asked about the seizure of the domain name – avsvmcloud[.]com – Microsoft has referred questions to FireEye and GoDaddy, the domain registrar for the malicious site. According to Mr. Krebs, in a follow-up post titled Malicious Domain in SolarWinds Hack Turned into ‘Killswitch’, the domain name “was commandeered by security experts and used as a ‘killswitch’ designed to turn the sprawling operation against itself”. FireEye has confirmed that “the domain seizure was part of a collaborative effort to prevent networks that may have been affected […] from communicating with the attackers.” (here) In a statement released on December 16, 2020, FireEye said SUNBURST is the malware distributed through SolarWinds software. An analysis of SUNBURST identified a killswitch that would prevent SUNBURST from continuing to operate. The statement continued as follows:
“Depending on the IP address returned when the malware resolves avsvmcloud[.]com, under certain conditions, the malware would terminate itself and prevent further execution. FireEye collaborated with GoDaddy and Microsoft to deactivate SUNBURST infections. This killswitch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com. However, in the intrusions FireEye has seen, this actor moved quickly to establish additional persistent mechanisms to access victim networks beyond the SUNBURST backdoor. This killswitch will not remove the actor from victim networks where they have established other backdoors. However, it will make it more difficult for the actor to leverage the previously distributed versions of SUNBURST.”
The FireEye statement contains an important limitation that should be emphasized. The actor moved quickly to establish mechanisms beyond the SUNBURST backdoor and the killswitch will not remove the actor from networks where other backdoors have been established. However, Mr. Krebs concluded that, given the control over the malicious domain, Microsoft, FireEye and GoDaddy “now have a decent idea which companies may still be struggling with SUNBURST infections.”
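The reason the domain seizure gave Microsoft, FireEye and GoDaddy “a decent idea which companies may still be struggling with SUNBURST infections” is that every surviving deployment keeps resolving avsvmcloud[.]com. A defender with its own resolver logs can make the same observation locally. The script below is an added illustration, not code from this post, FireEye or SolarWinds: it takes only the domain name from the post, assumes a simple one-query-per-line resolver log format, and uses constructed addresses, hostnames and timestamps. It lists which internal hosts are still looking up the beacon domain or any of its subdomains, which is the first triage question after the killswitch, since (as the statement warns) those hosts may also carry other backdoors.

```python
"""Flag hosts in DNS resolver logs that still query the SUNBURST beacon domain.

Added illustration, not code from the post, FireEye or SolarWinds. The only
value taken from the post is the domain avsvmcloud[.]com; the log format and
every address, hostname and timestamp below are constructed for the example.
"""
import re
from collections import Counter, defaultdict

# Beacon domain named in the post (shown there de-fanged as avsvmcloud[.]com).
BEACON_DOMAIN = "avsvmcloud.com"

# Constructed resolver log in an assumed one-line-per-query format:
# <timestamp> <client-ip> query=<name> answer=<ip>. Subdomain labels are made up.
SAMPLE_DNS_LOG = """\
2020-12-15T08:01:12Z 10.1.4.22 query=updates.vendor.test answer=203.0.113.10
2020-12-15T08:01:40Z 10.1.4.22 query=k3l9m2x.avsvmcloud.com. answer=198.51.100.7
2020-12-15T08:02:03Z 10.1.7.9 query=mail.corp.test answer=203.0.113.25
2020-12-15T08:05:58Z 10.1.4.22 query=k3l9m2x.avsvmcloud.com answer=198.51.100.7
2020-12-15T08:09:17Z 10.1.9.31 query=Q7ZP01.AVSVMCLOUD.COM answer=198.51.100.7
2020-12-15T08:11:02Z 10.1.7.9 query=notavsvmcloud.com answer=203.0.113.40
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"query=(?P<qname>\S+)\s+answer=(?P<answer>\S+)\s*$"
)


def normalize_name(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot of a fully qualified name."""
    return name.lower().rstrip(".")


def matches_beacon_domain(qname: str, domain: str = BEACON_DOMAIN) -> bool:
    """True if qname is the beacon domain or one of its subdomains.

    Matching on the label boundary matters: a plain substring or endswith()
    check would also flag unrelated names such as notavsvmcloud.com.
    """
    q = normalize_name(qname)
    d = normalize_name(domain)
    return q == d or q.endswith("." + d)


def parse_dns_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = normalize_name(rec["qname"])
    return rec


def find_beaconing_hosts(log_text: str, domain: str = BEACON_DOMAIN) -> dict:
    """Return {client_ip: number_of_beacon_queries} for hosts that resolved the domain."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec and matches_beacon_domain(rec["qname"], domain):
            hits[rec["client"]] += 1
    return dict(hits)


def beacon_report(log_text: str, domain: str = BEACON_DOMAIN) -> list:
    """Sorted (client_ip, count, first_seen, last_seen) rows, busiest host first."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_dns_line(line)
        if rec and matches_beacon_domain(rec["qname"], domain):
            seen[rec["client"]].append(rec["ts"])
    rows = [(ip, len(ts), min(ts), max(ts)) for ip, ts in seen.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for ip, n, first, last in beacon_report(SAMPLE_DNS_LOG):
        print(f"{ip}: {n} queries for {BEACON_DOMAIN} between {first} and {last}")
```

On the constructed log this reports 10.1.4.22 (two queries) and 10.1.9.31 (one), and correctly ignores the look-alike notavsvmcloud.com. Which hosts resolve the domain is only a starting point: the FireEye statement is explicit that the killswitch does nothing about other backdoors the actor planted, so a flagged host is a host to investigate, and a clean list is not proof of a clean network.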
4. Scope of the Hack
The early assessments of the infections, believed to be the work of Russia’s Foreign Intelligence Service (SVR), a successor to the KGB, suggest that the hackers were selective about their targets. Investigators believe that multiple entry points were used in addition to the compromised Orion software. The Treasury Department and the Department of Commerce were just the first agencies to report the breach. The U.S. State Department and parts of the Pentagon have also been compromised. The Department of Justice, the National Security Agency and the Centers for Disease Control and Prevention also use SolarWinds software. In an article published in The New York Times edition of December 16, 2020, titled Scope of Russian Hack Becomes Clear: Multiple U.S. Agencies Were Hit, David E. Sanger, Nicole Perlroth and Eric Schmitt described the emerging picture as complex and sophisticated while government officials try to assess the scope of the damage. Sarah Bloom Raskin, the Deputy Secretary of the Treasury during the Obama administration, called it “the day you prepare against”. (here)
In the immediate days and weeks, U.S. government agencies will struggle with unravelling the SolarWinds hack with “limited visibility”. Ben Johnson, a former NSA hacker, told Sanger, Perlroth and Schmitt that analysts are “flying blind”. By shutting down SolarWinds, a necessity to prevent future intrusions, many agencies have lost “visibility into their own networks.” Mr. Williams of Rendition Infosec described it as a “reckoning” to Lily Hay Newman in a piece titled Russia’s Hacking Frenzy Is a Reckoning published by WIRED on December 16, 2020. “It’s inherently so hard to address,” he said, “because supply chain attacks are ridiculously difficult to detect. It’s like the attacker teleports in there out of nowhere.” (here) Although it appears that the hackers only accessed unclassified systems, “some individual pieces of unclassified information connect enough dots to rise to the level of classified material.” And because the scale of the attack has not been fully analyzed, it is not yet possible to know how grim it is.