Editor's note
The pervasiveness of the SolarWinds backdoor attack, the sophistication of the hackers behind it and the number of high-profile victims make it the biggest cyber attack of 2020 -- and possibly of the past decade.
The ongoing SolarWinds breach also shines a light on how dangerous a supply chain attack can be and gives infosec pros yet another reason to evaluate their security systems and processes.
FireEye Inc. disclosed in December 2020 that suspected nation-state hackers had carried out a vast supply chain attack on SolarWinds Orion, a widely used IT performance monitoring platform. The attack gave threat actors access to government and enterprise networks worldwide.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence said in a joint statement with the FBI in December 2020 that the attacks are ongoing and widespread.
Major tech companies, including Cisco, Intel, Microsoft and Nvidia, reported finding the malicious SolarWinds updates in their environments, though the companies say there is no evidence that threat actors went on to breach their networks.
In January 2021, the U.S. Department of Justice published a statement saying the global SolarWinds incident affected multiple federal agencies -- including the Justice Department's Microsoft Office 365 email system. The breach appears to have affected about 3% of the department's Office 365 mailboxes, and the department said there is no indication that classified information was affected.
Investigations into the SolarWinds backdoor cyber attack so far point to Russian espionage.
Here, we provide everything you need to know about the SolarWinds breach, how it infiltrates systems, and the ongoing response from infosec industry experts and vendors.
1. The latest SolarWinds breach news
Victims of the SolarWinds backdoor attack continue to be revealed as big tech companies and organizations discover malware infections and act to mitigate risks.
The SolarWinds backdoor malware was shipped in Orion Platform versions 2019.4 HF5 through 2020.2.1, which were released between March 2020 and June 2020. Any Orion instance that installed one of those builds received the backdoor, whether or not the attackers went on to use it.
In December 2020, SolarWinds disclosed a second backdoor, discovered by Palo Alto Networks researchers, dubbed Supernova. Supernova is a web shell that had to be planted by exploiting a vulnerability in the Orion software platform, which SolarWinds had patched in a recent update; it was not delivered through the Orion update mechanism and was not signed with a SolarWinds certificate. Unlike Sunburst, therefore, Supernova was not a supply chain attack.
Here's the latest news on the ongoing SolarWinds backdoor breach.
- Podcast: Risk & Repeat: Breaking down SEC charges against SolarWinds. This episode covers the SEC charges against SolarWinds and CISO Timothy Brown for allegedly hiding known cybersecurity risks prior to the 2020 supply chain attack it suffered.
- Article: SolarWinds fires back at SEC over fraud charges. SolarWinds said the SEC's lawsuit contains several 'false claims,' including allegations about how Russian nation-state hackers first got inside the company's network.
- Article: SEC charges SolarWinds for security failures, fraud. The SEC accused SolarWinds and CISO Timothy Brown of hiding known cybersecurity risks that were further highlighted by the supply chain attack revealed in 2020.
- Article: SolarWinds hackers still active, using new techniques. CrowdStrike has tracked the latest threat activity and novel techniques from the SolarWinds hackers, a Russian state-sponsored group known as Cozy Bear.
- Podcast: SolarWinds attacks come into focus. Several major organizations, including Microsoft and the U.S. Department of Justice, have disclosed breaches due to SolarWinds. TechTarget news editors discuss the scope of the backdoor attacks.
- Article: SolarWinds warns of zero-day vulnerability under attack. SolarWinds says targeted attacks from a single threat actor have been reported on a previously unknown vulnerability in the Serv-U file transfer platform.
- Article: Autodesk targeted in SolarWinds hack. Autodesk said in its 10-Q filing released Wednesday that it believes 'no customer operations or Autodesk products were disrupted' in the SolarWinds supply chain attack.
- Article: Malwarebytes breached by SolarWinds hackers. Malwarebytes, which is not a SolarWinds customer, confirmed that nation-state actors used an entirely different vector to breach the antimalware vendor and access internal emails.
- Article: Mimecast certificate compromised by SolarWinds hackers. Mimecast conducted an investigation after being alerted by Microsoft that a certificate for Microsoft 365 Exchange Web Services authentication was stolen by a sophisticated actor.
- Article: SolarWinds Office 365 environment compromised. SolarWinds CEO Sudhakar Ramakrishna said nation-state threat actors first compromised a single email account and later gained access to the company's Orion platform environment.
- Article: SolarWinds chases multiple leads in breach investigation. Investigators at SolarWinds are exploring multiple theories as to how the company's systems were compromised.
- Article: SolarWinds backdoor infected tech giants, impact unclear. Fallout from the SolarWinds backdoor cyber attack continues as several major tech companies report they were infected by malicious software updates.
- Article: SolarWinds hackers Nobelium spotted using a new backdoor. Microsoft researchers believe Nobelium, the Russian-backed group that breached SolarWinds, has been using a backdoor tool called FoggyWeb since at least April.
- Article: CISOs on alert following SEC charges against SolarWinds. The Securities and Exchange Commission announced charges against SolarWinds and its CISO in October, but will it help improve transparency or simply scare infosec executives?
2. How the SolarWinds breach happened
Threat actors reportedly gained access to SolarWinds' environment in 2019 and, starting in March 2020, planted a backdoor in builds of the Orion platform. The backdoor reached customers through SolarWinds' own update channel and was activated when customers installed the trojanized update.
FireEye's threat research on the breach shows that a digitally signed SolarWinds component of the Orion software framework contains a backdoor that uses HTTP to communicate with third-party servers. Because the component carries a valid SolarWinds signature, ordinary code-signing checks do not flag it. FireEye dubbed the trojanized version of the SolarWinds Orion plugin Sunburst.
"After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs,' that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services," FireEye reported.
The malware "masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers."
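The beaconing behaviour described above, together with the avsvmcloud[.]com domain that the kill-switch item later on this page refers to, gives defenders one straightforward retrospective check: search DNS query logs for lookups of that domain or any subdomain of it. The script below is an added example written for this page, not code from FireEye, Microsoft or SolarWinds. The log line format and the log lines embedded in it are constructed for the example, and the beacon label in the sample is made up rather than a real indicator; only the C2 domain itself comes from the page.

```python
"""Scan DNS query logs for Sunburst-style beacons to avsvmcloud[.]com.

Added example for this page; not FireEye, Microsoft or SolarWinds code.
Assumptions (constructed for the example):
  - log lines look like:  <timestamp> <client-ip> <qname> <qtype>
  - the sample log below is synthetic; the beacon label in it is invented.
"""
import re
from dataclasses import dataclass
from typing import List

# The only real indicator used here: the Sunburst C2 domain named on the page.
C2_DOMAIN = "avsvmcloud.com"

# Assumed log format (constructed for this example), one query per line.
LOG_RE = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(A|AAAA|CNAME)$"
)


@dataclass
class Hit:
    line_no: int
    client: str
    qname: str
    label: str  # leftmost label of the query, i.e. the part the beacon prepends


def is_c2_domain(qname: str) -> bool:
    """True if qname is avsvmcloud.com or a subdomain of it.

    Case-insensitive and tolerant of a trailing dot. Uses a label-boundary
    check rather than a substring search so that a name such as
    notavsvmcloud.com is NOT matched.
    """
    name = qname.rstrip(".").lower()
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def beacon_label(qname: str) -> str:
    """Return the leftmost label of a query under the C2 domain.

    Sunburst builds that label from an encoding of the victim's domain, so it
    is worth preserving for triage even though decoding it is out of scope here.
    Returns "" for a bare query to the apex domain.
    """
    name = qname.rstrip(".").lower()
    if name == C2_DOMAIN:
        return ""
    sub = name[: -len("." + C2_DOMAIN)]
    return sub.split(".")[0]


def scan(log_text: str) -> List[Hit]:
    """Return one Hit per log line whose query name falls under the C2 domain."""
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a production tool would count these
        _ts, client, qname, _qtype = m.groups()
        if is_c2_domain(qname):
            hits.append(Hit(n, client, qname, beacon_label(qname)))
    return hits


# Constructed sample log: line 2 is a synthetic beacon (invented label),
# line 3 is a look-alike that must not match, line 4 is the apex domain.
SAMPLE_LOG = """\
2020-12-13T09:14:02Z 10.20.30.41 time.windows.com A
2020-12-13T09:14:07Z 10.20.30.41 examplelabel01.appsync-api.eu-west-1.avsvmcloud.com A
2020-12-13T09:15:11Z 10.20.30.77 notavsvmcloud.com A
2020-12-13T09:16:44Z 10.20.30.41 AVSVMCLOUD.COM. A
2020-12-13T09:17:03Z 10.20.30.92 update.solarwinds.com CNAME
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"line {h.line_no}: {h.client} -> {h.qname} (label={h.label!r})")
```

Run it against real resolver or firewall DNS logs by replacing SAMPLE_LOG with the file contents and adjusting LOG_RE to the actual format. A hit does not by itself prove the host was selected for follow-on activity, since every host with a trojanized Orion build beacons, but it does identify which Orion servers carried the backdoor and when, which is the starting point for scoping.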
- Article: SolarWinds CEO on life after Sunburst. Last year was dominated by the cyber attack, but the firm has learnt from that experience and has a clear strategy for the future.
- Article: SolarWinds response team recounts early days of attack. During a webcast, members of the SolarWinds incident response team explained how a lucky break with a virtual machine aided their investigation into the historic breach.
- Article: Senate hearing: SolarWinds evidence points to Russia. Executives from Microsoft and FireEye said that there was substantial evidence pointing to Russia's role in the SolarWinds attack and no evidence found leading anywhere else.
- Article: SolarWinds hackers stole Mimecast source code. The investigation into a stolen Mimecast-issued digital certificate is now complete, and the vendor said the initial intrusion was Sunburst malware in the SolarWinds Orion platform.
- Article: SolarWinds backdoor used in nation-state cyber attacks. U.S. government agencies and security experts urged IT pros to immediately review their networks after a backdoor was discovered in the popular SolarWinds IT monitoring software.
- Article: FireEye red team tools stolen in cyber attack. FireEye's testing tools were compromised by SolarWinds attackers who appeared to target information related to certain government customers.
- Podcast: SolarWinds backdoor shakes infosec industry. TechTarget's security news editors discuss the massive SolarWinds backdoor supply chain attacks.
- Article: SolarWinds breach highlights dangers of supply chain attacks. A sophisticated supply chain cyber attack targets one link in a software chain, leading to far-reaching and devastating consequences for victims.
- Article: SolarWinds attack almost certainly work of Russian spooks. Investigations into the far-reaching SolarWinds Solorigate attack did not let up during the holidays.
- Article: SolarWinds confirms supply chain attack began in 2019. SolarWinds and CrowdStrike published updates Monday that added new information for the timeline of the supply chain attack and how threat actors first gained access.
3. IT industry, vendors respond
Once the SolarWinds backdoor was identified, software vendors and IT security experts worked to identify network impacts, issue updates and apply fixes, while marveling at the sophistication and long-term implications of this massive cyber attack.
- Resource: How SolarWinds attack will change CISOs' priorities. Following cybersecurity best practices used to be enough, but after the SolarWinds supply chain attack, CISOs now have to rethink all their security protocols.
- Article: SolarWinds hackers attacking more IT supply chain targets. According to Microsoft, the Russian threat group known as Nobelium has already compromised 14 technology service providers across the United States and Europe.
- Article: White House: 100 companies compromised in SolarWinds hack. The White House discussed its response to the SolarWinds attacks, which so far have compromised nine federal agencies and approximately 100 private sector companies.
- Article: SolarWinds puts national cybersecurity strategy on display. Biden imposed economic sanctions on Russia for its role in the SolarWinds cyber attack. Experts see the response as just one part of a larger national cybersecurity strategy.
- Article: Senate hearing raises questions about SolarWinds backdoors. U.S. Department of Commerce CISO Ryan Higgins said in a Senate committee hearing Tuesday that his department was one of the first agencies to detect the systemic compromise.
- Article: Microsoft, SolarWinds in dispute over nation-state attacks. The latest investigation updates from SolarWinds and Microsoft offer differing views on how nation-state threat actors compromised SolarWinds' environment.
- Article: FireEye releases new tool to fight SolarWinds hackers. The new tool, dubbed Azure AD Investigator, will help audit Microsoft 365 environments for techniques used by the nation-state actors behind the SolarWinds supply chain attack.
- Article: Microsoft, FireEye deliver kill switch for SolarWinds backdoor. The kill switch affects new and previous Sunburst infections by disabling Sunburst deployments that beacon to avsvmcloud[.]com.
- Article: SolarWinds struggles with response to supply chain attack. SolarWinds took immediate steps to address the breach and issued a cybersecurity advisory, but issues remained in the vendor's response.
- Article: Biden picks cyber veteran to reinvigorate security response. The Biden administration is poised to take a hard-line approach to nation-state attackers like Russia, which is suspected to be behind the SolarWinds attack.
- Article: SolarWinds attack stumps SecOps pros. SecOps experts are reeling from the sophistication of the attack and its implications for enterprise security.
- Article: SolarWinds CEO sets out rescue plan. SolarWinds has called in help, including former U.S. government security lead Chris Krebs and cybersecurity experts with forensics expertise.