On Sunday, December 13 a cybersecurity breach was publicly disclosed which impacted several United States federal agencies. As details began to emerge about the nature of the breach and associated attack, it quickly became clear that something more nefarious and widespread was unfolding.
We have been following the story closely and want to share a brief situation report with DeTech readers.
The breach was first disclosed by one of the impacted customers, the security services firm FireEye, which acknowledged that its security tools had been misappropriated and used in additional attacks. Further investigation by FireEye traced the origin of the attack to a software update for SolarWinds’ Orion network monitoring software.
SolarWinds provides multiple types of network monitoring tools. One of those tools, Orion, is used in medium and large enterprises to monitor network connections, provide network visualization, and correlate and report on events from many different infrastructure components. Picture a team of people sitting in a room with global maps and lines connecting all their locations. That’s the kind of monitoring Orion performs.
The software is used in many large, complex organizations. The customer list is large, and the potential impact of the breach could be severe. Federal agencies, large tech companies, telecoms, and Fortune 500 companies are all considered within the “blast radius”. It will take months for the cybersecurity industry to unravel the impact.
One of the most notable features of this attack is how the payload was deployed. A series of SolarWinds software updates were injected with malicious code, which went undetected, then deployed into companies’ systems. After the malicious code was deployed, it called back to Command and Control servers giving the bad guys the ability to meticulously elevate their privileges and navigate these networks. This is considered a “supply chain” breach because the hack began early in the software supply chain delivery channel.
Here are a few thoughts to consider as this event continues to unfold.
- Every indicator points to a nation-state level attack with sophisticated and patient threat actors. Although the software may have been deployed in many environments, it is likely the goal was not to misappropriate funds, but to gather national and corporate intelligence.
- The nature of the breach undermines the trust we place in our patching and update practices. This may become an even bigger story within the cybersecurity community than the data loss itself, and cause the security industry to rethink supply chain security.
For DeTech readers, this story is something you should continue to follow. The implications and consequences of this attack could be even more far-reaching than the 2017 Equifax breach. Even if your company does not use Orion, it is likely that cloud service providers or other software providers you use to deliver your services could be within the blast radius.
We have included a series of articles to help you understand the details of the attack. Please contact us with any questions or concerns.
FireEye Research: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc
SolarWinds Security Advisory: Security Advisory | SolarWinds
CISA Emergency Directive: cyber.dhs.gov – Emergency Directive 21-01
KrebsOnSecurity Analysis and Investigation: SolarWinds Hack Could Affect 18K Customers — Krebs on Security