According to multiple reports, SolarWinds suffered from a supply chain attack that affected multiple U.S. government departments.
According to reports from Microsoft and FireEye, the hacking group first gained a foothold in SolarWinds' network with malware and then escalated to administrative privileges. With those privileges, the attackers inserted a backdoor into a legitimate SolarWinds Orion DLL, which was then signed with SolarWinds' own code-signing certificate and shipped to customers through the normal Orion update channel. Once a malware-laden update was installed in a victim's environment, the attackers used the backdoor to move laterally and steal data.
In a statement, Microsoft notes, “Although we do not know how the backdoor code made it into the library, from the recent campaigns, research indicates that the attackers might have compromised internal build or distribution systems of SolarWinds.”
In a filing with the SEC, SolarWinds confirmed the compromise and announced the release of a clean version of the Orion software. SolarWinds stated that its source code was not compromised in the attack.
As a result of the SolarWinds supply chain attack, numerous government and private sector entities suffered at the hands of the hacking group. These include the U.S. Treasury Department, the U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA), and FireEye. The attack appears connected to multiple network intrusions and the theft of cybersecurity tools from FireEye.
SolarWinds disclosed in a security advisory, “We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.” This would make it one of the most devastating and dangerous nation-state attacks ever conducted.
A supply chain attack involves hackers finding and exploiting weaknesses in a business's supply network rather than attacking the business directly. While the specifics vary from attack to attack, the core of all such attacks is planting hard-to-detect malware earlier in the chain (in a supplier's product, build system, or update mechanism) so that it is delivered to the real targets further down the chain, often carrying the supplier's legitimate signature and trust.
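The defining feature described above is that a tampered component arrives through a trusted channel, so a valid vendor signature alone does not prove the contents are what the vendor's build produced. The following is an added example (not code from the original article or from SolarWinds) of one compensating control: recording SHA-256 hashes of every artifact at a point in the chain you trust, publishing that manifest out of band, and verifying a delivered bundle against it. The file names and contents are constructed placeholders, not real SolarWinds files.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed sample release bundle: file name -> file contents (placeholders only).
CLEAN_RELEASE: Dict[str, bytes] = {
    "core.dll": b"MZ\x90\x00 clean business-layer component",
    "web.dll": b"MZ\x90\x00 clean web component",
    "installer.ps1": b"# installer script\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record the SHA-256 of every artifact at the point you trust it,
    e.g. on the build server before the artifacts enter the distribution chain."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_bundle(files: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a delivered bundle against a manifest recorded earlier in the chain.

    Reports files whose hash changed (a modified component), files the manifest
    expects but the bundle lacks, and files the bundle carries that the manifest
    never listed (a dropped loader or helper)."""
    result: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in files:
            result["missing"].append(name)
            continue
        actual = sha256_hex(files[name])
        # Constant-time comparison avoids leaking how many hex digits matched.
        if hmac.compare_digest(actual, expected):
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    for name in files:
        if name not in manifest:
            result["unexpected"].append(name)
    for key in result:
        result[key].sort()
    return result


def is_trusted(result: Dict[str, List[str]]) -> bool:
    """A bundle is trusted only if nothing was modified, removed, or added."""
    return not (result["modified"] or result["missing"] or result["unexpected"])


# Constructed tampered bundle: one DLL has a backdoor appended and an extra file appears.
TAMPERED_RELEASE: Dict[str, bytes] = dict(CLEAN_RELEASE)
TAMPERED_RELEASE["core.dll"] = CLEAN_RELEASE["core.dll"] + b" + inserted backdoor stub"
TAMPERED_RELEASE["helper.dll"] = b"MZ\x90\x00 dropped loader"


if __name__ == "__main__":
    manifest = build_manifest(CLEAN_RELEASE)
    print("clean:   ", verify_bundle(CLEAN_RELEASE, manifest))
    print("tampered:", verify_bundle(TAMPERED_RELEASE, manifest))
```

The check is only as good as where the manifest comes from: if it is generated after the same step the attacker controls, or shipped inside the same update, a backdoored DLL will simply have its new hash recorded. The manifest has to be produced before the artifacts enter the distribution path and fetched through a channel independent of the update itself.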
SolarWinds Supply Chain Attack Expert Commentary
Ekaterina Khrustaleva, Chief Operating Officer at ImmuniWeb, shared these thoughts.
“Supply chain attacks have surged in 2020: they offer rapid and inexpensive access to valuable data held by VIP victims. The victims, as happened in the SolarWinds case, usually have no technical means to detect the intrusion in a timely manner unless the breached supplier informs them.”
“Most of the suppliers cannot afford the same level of incident detection and response (IDR) as their clients for financial and organizational reasons. Eventually, hackers and nation-state threat actors deliberately target the weakest link, get fast results, and frequently remain undetected and unpunished. Attribution of sophisticated APT attacks, such as the one that reportedly affected SolarWinds and subsequently its customers, remains a highly complicated, time-consuming, and costly task. Global cooperation in cybercrime prosecution is vital to break the impasse and make computer crime investigable.”
Thanks to Ekaterina Khrustaleva for her time and expertise. Learn more in our SIEM Buyer’s Guide.