SolarWinds Hack - An Introduction
Earlier this month, the federal government acknowledged that data breaches had occurred at multiple agencies including the Treasury and Commerce Departments. In the wake of these events, little is still known regarding who all was compromised, and what information has been accessed.
Russian hackers are suspected to be responsible for these cyber attacks, marking this attack as the largest and most creative attack on the federal government since 2015. These cybersecurity breaches are the result of SolarWinds’ exposed vulnerabilities. The Orion software appears to have been infected with outside code during a periodic automatic update in the early spring of this year. While the news is still fresh – and many organizations are scrambling to determine if their environments are clear of this compromise – the cybersecurity community is concerned for a number of reasons.
This foreign attack was conducted by hackers with incredible skill and proficiency, as they were able to disguise the initial attack within legitimate software updates issued by SolarWinds. In doing so, they were able to live within these networks for months without detection.
SolarWinds, the Austin, Texas-based company has more than 300,000 customers. Initial reports are claiming that as many as 18,000 customers may have been running the software version containing the vulnerability that allowed the hackers into these secure networks. In the coming days and weeks, more information will come out regarding the reach and severity of these attacks.
Here’s some information that could be useful if you’re still trying to get your head around this:
If you’re using SolarWinds in your environment, make sure you’ve installed the latest hotfixes for your version, and implement the hardening recommendations from SolarWinds.
If you are a former user of SolarWinds, do a sweep of your environment to ensure there are no remnants of the software left on any devices.
Review the FireEye indicators and ensure to implement them into your detective controls.
The targets in this attack were government agencies and others with highly classified and sensitive information, but the SolarWinds backdoor was widely distributed to any SolarWinds customer running the Orion platform which was updated in March of 2020.
If you are a private company doing business with the federal government, you may have been a target, so it’s important to review your systems immediately.
If you do not have SolarWinds, and you don’t think you’re a target, this attack could still affect you, as the advanced malware that the attackers used is being reverse engineered and weaponized against networks as we speak. You should still review the indicators and ensure you have the proper defenses to detect elements of this malware.
If you need help, the team at CDG is available to assist with a compromise assessment. More information is available on our website, and relevant links are in the comments of this video.