
SolarWinds Hacks, Cyber attack

  Dec 31, 2020


Q. What is the news? 

  • The ‘SolarWinds hack’, a cyberattack recently discovered in the US, has emerged as one of the largest ever directed at the US government, its agencies and a number of private companies.
  • It is likely global in scope, not limited to the US.
  • It was first discovered by the US cybersecurity company FireEye, and further developments continue to come to light daily. The full scale of the attack remains unknown, although the US Treasury, the Department of Homeland Security, the Department of Commerce and parts of the Pentagon are all believed to have been affected.
  • A security adviser to President Donald Trump has blamed Russia for the attack, saying that “evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world.”

Q. So, what is this ‘SolarWinds hack’?

  • News of the attack first broke on December 8, when FireEye published a blog post disclosing an intrusion into its own systems. The firm provides security services to several large private companies and federal government agencies.
  • FireEye’s CEO said the company had been “attacked by a highly sophisticated threat actor” and described it as a state-sponsored attack, although he did not name Russia. He said the attack was carried out by a nation “with top-tier offensive capabilities”, that “the attacker primarily sought information related to certain government customers”, and that the methods used were novel.
  • FireEye said the campaign, which it attributes to a threat group it tracks as UNC2452, was not limited to the company but had targeted various “public and private organisations around the world”. The campaign likely began in “March 2020 and has been ongoing for months”, the post said. Worse, the extent of data stolen or compromised is still unknown, as the scale of the attack is still being uncovered. After systems were compromised, “lateral movement and data theft” took place.

Q. How did so many US government agencies and companies get attacked?

  • This is being called a ‘supply chain’ attack: instead of attacking the federal government or a private organisation’s network directly, the hackers compromised a third-party vendor that supplies software to them. In this case the vehicle was Orion, an IT monitoring and management platform made by the Texas-based company SolarWinds.
  • Orion is SolarWinds’ flagship product, with more than 33,000 customers. SolarWinds says up to 18,000 of them may have installed the compromised update. The company has since removed its customer list from its official website.
  • According to an archived copy of that page, the list included 425 of the Fortune 500 companies and the top 10 telecom operators in the US. A New York Times report said parts of the Pentagon, the Centers for Disease Control and Prevention, the State Department, the Justice Department and others were all affected.
  • Microsoft confirmed it had found the malware on its own systems, although it added there was no evidence of “access to production services or customer data”, or that its “systems were used to attack others”. Microsoft’s president said the company had begun to “notify more than 40 customers that the attackers targeted more precisely and compromised”.

Q. How did they gain access?

  • According to FireEye, the hackers gained “access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software”. The attackers inserted the ‘Sunburst’ backdoor into a legitimate Orion update that SolarWinds itself built and digitally signed, so the update passed the usual trust checks and was installed by up to 18,000 customers.
  • FireEye says the attackers relied on “multiple techniques” to avoid detection and “obscure their activity”. Once active, the backdoor could transfer and execute files, profile the system, reboot the machine and disable system services. What worked in its favour was that its traffic was able to “blend in with legitimate SolarWinds activity”, according to FireEye.
  • Once installed, the malware gave the hackers a backdoor into the systems and networks of SolarWinds’ customers. It also checked for running security tools such as anti-virus and analysis software and stayed dormant when it found them, which helped it evade detection.

Q. What have SolarWinds and the US government said about the hacks?

  • SolarWinds is recommending that all customers immediately upgrade to the latest Orion platform release, which removes the malicious code.
  • “If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment,” it has said.
  • Those unable to update are told to isolate their “SolarWinds servers”, which should “include blocking all Internet egress from SolarWinds servers”. At a bare minimum, SolarWinds suggests “changing passwords for accounts that have access to SolarWinds servers / infrastructure”.
  • The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, asking all “federal civilian agencies to review their networks” for indicators of compromise and to “disconnect or power down SolarWinds Orion products immediately”.
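Because the backdoor arrived inside an update the vendor itself signed, checking the update’s signature would not have caught it; the practical check is on behaviour, which is why FireEye stresses that the malware tried to “blend in” with normal Orion traffic and why SolarWinds tells customers to block all Internet egress from Orion servers. The following is an added example, not code from the article, FireEye or SolarWinds. It assumes a host inventory that tags which machines run Orion, a per-role allowlist of destinations such servers are expected to contact, and DNS query logs in a simple constructed format; every hostname, domain and log line below is constructed for illustration, and real indicators should be taken from the FireEye and CISA advisories. It flags Orion-tagged hosts resolving anything outside their allowlist, notes when the leftmost label looks machine-encoded, and produces the list of hosts to isolate.

```python
"""Egress-monitoring check for monitoring servers (illustrative, constructed data)."""
from dataclasses import dataclass
from typing import Iterable, List

# Constructed inventory: hostname -> role.  In practice this comes from your CMDB.
INVENTORY = {
    "orion01.corp.example": "orion",
    "orion02.corp.example": "orion",
    "ws-1234.corp.example": "workstation",
}

# Constructed allowlist of DNS suffixes a monitoring server should ever resolve.
# Hypothetical values; build yours from vendor documentation and change records.
ALLOWED_SUFFIXES = {
    "orion": (".corp.example", ".solarwinds.com"),
}

# Constructed DNS query log: "<timestamp> <client_host> <queried_name>".
SAMPLE_LOG = """\
2020-12-09T10:01:02Z orion01.corp.example downloads.solarwinds.com
2020-12-09T10:01:05Z orion01.corp.example sql01.corp.example
2020-12-09T10:15:44Z orion02.corp.example 7sbvaemscs0mc925tb99.api.example-cloud.test
2020-12-09T10:16:01Z orion02.corp.example k5kcubuassl3alrf7gm3.api.example-cloud.test
2020-12-09T10:20:10Z ws-1234.corp.example www.wikipedia.org
2020-12-09T10:21:00Z orion01.corp.example ntp.corp.example
"""


@dataclass(frozen=True)
class Finding:
    timestamp: str
    host: str
    qname: str
    reason: str


def parse_line(line: str):
    """Split one constructed log line into (timestamp, client_host, qname)."""
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"malformed log line: {line!r}")
    ts, host, qname = parts
    return ts, host.lower(), qname.lower().rstrip(".")


def is_allowed(role: str, qname: str) -> bool:
    """True if qname is the apex of, or falls under, an allowed suffix for this role."""
    return any(qname.endswith(suffix) or qname == suffix.lstrip(".")
               for suffix in ALLOWED_SUFFIXES.get(role, ()))


def looks_encoded(label: str) -> bool:
    """Heuristic: long leftmost labels mixing letters and digits resemble
    encoded beacon data rather than human-chosen hostnames.  Tune to your data."""
    return (len(label) >= 16
            and any(c.isdigit() for c in label)
            and any(c.isalpha() for c in label))


def find_suspicious(log_text: str) -> List[Finding]:
    """Return every query from a host whose role has an egress policy
    that falls outside that policy."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, qname = parse_line(raw)
        role = INVENTORY.get(host)
        if role not in ALLOWED_SUFFIXES:  # only roles with a defined policy are checked
            continue
        if is_allowed(role, qname):
            continue
        reason = "egress outside allowlist"
        if looks_encoded(qname.split(".")[0]):
            reason += "; encoded-looking subdomain"
        findings.append(Finding(ts, host, qname, reason))
    return findings


def hosts_to_isolate(findings: Iterable[Finding]) -> List[str]:
    """Hosts that should be disconnected and have all Internet egress blocked."""
    return sorted({f.host for f in findings})


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host} -> {f.qname} ({f.reason})")
    print("isolate:", ", ".join(hosts_to_isolate(hits)))
```

On the constructed log this flags the two queries from orion02 and leaves orion01 alone, because its queries all fall under the allowlist. The workstation is not evaluated at all, since no egress policy is defined for that role; the point of the check is that a monitoring server has a small, knowable set of legitimate destinations, so anything else is worth an analyst’s time regardless of how ordinary the traffic looks.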