How to Make Sense of the SolarWinds Hack

SolarWinds hack - An introduction

Earlier this month, the federal government confirmed data breaches in various agencies, including the Treasury and Commerce Departments, due to the SolarWinds hack. Limited knowledge exists about the extent of compromise and the specific information accessed.

Russian hackers are suspected to be responsible for these cyber attacks, making it the largest and most creative attack on the federal government since 2015. These cybersecurity breaches result from SolarWinds’ exposed vulnerabilities. The Orion software seems to have been infected with outside code during an automatic update earlier this year. While the news is still fresh, and organizations are working to determine if their environments are clear of this compromise, the cybersecurity community has several concerns.

This foreign attack was executed by highly skilled hackers who disguised the initial attack within legitimate software updates issued by SolarWinds. Consequently, they remained undetected within these networks for months.

SolarWinds, the Austin, Texas-based company, boasts over 300,000 customers. Initial reports suggest that up to 18,000 customers may have been running the software version containing the vulnerability that allowed hackers to infiltrate these secure networks. In the coming days and weeks, more information will emerge regarding the reach and severity of the SolarWinds hack.

Here’s some information that could be useful if you’re still trying to get your head around the SolarWind hack:

1. If you’re using SolarWinds in your environment, make sure you’ve installed the latest hotfixes for your version, and implement the hardening recommendations from SolarWinds.

2. If you are a former user of SolarWinds, do a sweep of your environment to ensure there are no remnants of the software left on any devices.

3. Review the FireEye indicators and ensure to implement them into your detective controls.

4. The targets in this attack were government agencies and others with highly classified and sensitive information, but the SolarWinds backdoor was widely distributed to any SolarWinds customer running the Orion platform which was updated in March of 2020.

5. If you are a private company doing business with the federal government, you may have been a target, so it’s important to review your systems immediately.

6. If you do not have SolarWinds, and you don’t think you’re a target, this attack could still affect you, as the advanced malware that the attackers used is being reverse engineered and weaponized against networks as we speak.  You should still review the indicators and ensure you have the proper defenses to detect elements of this malware.

If you need help, the team at CDG is available to assist with a compromise assessment.  More information is available on our website, and relevant links are in the comments of this video.

Stay safe.