E-Handbook: SolarWinds supply chain attack explained: Need-to-know info Article 3 of 4

Brian Jackson - Fotolia

The SolarWinds attacks: What we know so far

The SolarWinds attacks have left a massive impact on security, tech and the world at large, and events are still unfolding nearly a month after the initial disclosure.

While there are still many unanswered questions about the devastating SolarWinds backdoor attacks, the scope and impact of the attacks came further into focus over the holidays.

On Sunday, Dec. 13, it was revealed that the Austin-based IT management software company SolarWinds was hit by a supply chain attack that compromised updates for its Orion software platform. As part of this attack, threat actors inserted their own malware, now known as Sunburst or Solorigate, into the updates, which were distributed to many SolarWinds customers.

The first confirmed victim of this backdoor was FireEye, which disclosed on Dec. 8 that it had been breached by suspected nation-state hackers. But it was soon revealed that that SolarWinds attacks affected other organizations, including tech giants and U.S. government agencies. Thankfully, the immediate threat of the attack has since been mitigated by a fast response from multiple companies and agencies, as well as a kill switch created by Microsoft and FireEye.

In recent weeks, there have been additional developments that have shed light on the nature of the attacks as well as the U.S. government's response to them. Here's a look at some of those recent developments.

Editor's note: This article will be updated with future developments as they occur.

5/7/21 – SolarWinds: Fewer than 100 customers breached

In an SEC filing and accompanying blog post from CEO Sudhakar Ramakrishna, SolarWinds said it now estimates that fewer than 100 customers were affected by the supply chain attacks.

The company also revised its timeline of events regarding the breach of its network; earlier this year, Ramakrishna said investigators believed the suspicious activity began in September 2019, but SolarWinds said threat actors had access to its software development environment and internal systems nine months before they conducted a test run of the Sunburst malware on the Orion platform. Ramakrishna said the investigation still hasn't determine when the threat actors first breached SolarWinds' network, or how.

4/14/21 – Biden administration blames Russian government

The Biden administration formally attributed the SolarWinds attacks to the Russian government's Foreign Intelligence Service (SVR). In a related announcement, the FBI, NSA and CISA issued a joint advisory warning that state-sponsored threat actors associated with the SVR were actively exploiting known vulnerabilities in widely-used VPN and remote access programs to gain access to national security and government-affiliated networks.

2/25/21 – Microsoft releases open source tools for SolarWinds investigations

On Thursday, Microsoft announced the release of open source CodeQL queries used in its SolarWinds investigations (Microsoft refers to the threat activity as "Solorigate"). In a blog post announcing the move, Microsoft said that in the spirit of transparency, the company open sourced its queries "so that other organizations may perform a similar analysis." The queries are available on GitHub along with a readme on working with Solorigate queries.

2/23/21 – Senate hearing discusses Russia attribution

A Senate Intelligence Committee hearing on the SolarWinds investigation Tuesday added weight to allegation that Russian state-sponsored hackers were behind the SolarWinds breach and subsequent supply chain attacks. The hearing also discussed how the threat actors used AWS cloud services to launch the attacks from inside the U.S.; Amazon declined to participate in the hearing and was criticized by several senators.

2/18/21 – Microsoft completes internal investigation

Microsoft announced the final results of its internal investigation of the SolarWinds attack, which the company refers to as Solarigate. While Microsoft previously stated the threat actors viewed – but did not obtain – source code for several products, the completed investigation determined that "small subsets" of Azure, Exchange and Intune component source code had been downloaded by attackers. In addition, Microsoft said the threat actors continued to try to breach the company's network into early January, but that those attempts were unsuccessful.  

2/17/21 – White House discusses SolarWinds response

In her first public statements about the SolarWinds attacks, Anne Neuberger, deputy national security adviser for cyber and emerging technology at the White House, told reporters during a press briefing that nine federal agencies and approximately 100 companies were compromised by nation-state threat actors. Neuberger was tapped by President Biden earlier this month to lead the U.S. government's investigation and response into the massive supply chain attack.

Neuberger also said the threat actors were "likely of Russian origin," echoing previous statements for the U.S. government.

2/3/21 – SolarWinds says Office 365 environment compromised

In a blog post, SolarWinds CEO Sudhakar Ramakrishna said the nation-state threat actors first compromised the company's Office 365 environment before gaining access to the company's Orion platform environment. Ramakrishna said SolarWinds' investigation has not determined the exact date the attackers first gained access to the environment, or how. He said the attackers most likely breached the Office 365 environment through compromised credentials or a possible zero-day vulnerability, though he added that investigators have not found a specific Office 365 vulnerability.

1/20/21 -- Microsoft publishes new Solorigate/Sunburst deep dive

Microsoft published a new deep dive on the Sunburst (referred to by Microsoft as Solorigate) malware on Jan. 20.

The blog post acts as a follow-up to the original published Dec. 18. While the previous post touched on the malware in a general sense, the new post focused primarily on all related second-stage malware, as well as how attackers avoided detection between the different stages of the attack.

For one, the attackers carefully belended into the victims' environments in between stages by camouflaging their actions. "Tools and binaries used by the attackers (e.g., ADFIND legit tool) were always renamed and placed in folders that mimicked existing programs and files already present on a machine. This blending was not just used for files, but for other elements. For example, WMI persistence filters were created with names and queries matching other scripts present in affected organizations," the blog reads.

In addition, threat actors used Auditpol, a Windows command line tool, to disable event logging before re-enabling it when they were done.

1/20/21 -- FireEye releases open source security tool

FireEye released an open source tool, dubbed Azure AD Investigator, to stop the SolarWinds attackers. The tool audits Microsoft 365 environments for techniques used by the nation-state actors behind the SolarWinds supply chain attack. The security vendor also published new tactics, techniques and procedures (TTP) used by the attackers to infiltrate Microsoft 365 environments.

1/19/21 -- Malwarebytes breached by SolarWinds attackers

Malwarebytes disclosed that it had been breached by the nation-state threat actors behind the SolarWinds attacks. However, Malwarebytes, which is not a SolarWinds customer, said the attackers used a completely different vector than the malicious Orion software updates.

1/11/21 -- SolarWinds updates attack timeline

SolarWinds president and CEO Sudhakar Ramakrishna published an update Jan. 11 that confirmed the supply chain attack began in September 2019 when nation-state threat actors gained access to an internal development environment for the company's Orion software platform.

In addition, Ramakrishna said investigators discovered "a highly sophisticated and novel malicious code injection source" on the development server. CrowdStrike, which is assisting SolarWinds with the investigation and incident response, published research on Jan. 11 that provided additional details about the code injection malware, which the vendor called "Sunspot."

1/7/21 -- Chris Krebs, Alex Stamos hired by SolarWinds

SolarWinds has hired a new consultancy, created by former Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs and former Facebook CISO Alex Stamos, to assist with the response to the supply chain attack. The hires were first reported by Financial Times on Jan. 7 and confirmed in tweets by Krebs and Stamos on Jan. 8.

The consultancy, named the Krebs Stamos Group, was founded to "help businesses manage cybersecurity risk as business risk, making the Internet a safer place in the meantime," according to Krebs' tweet.

Stamos tweeted that "We have already engaged in helping understand and recover from what looks to be one of the most serious foreign intrusion campaigns in history, and we will be helping others learn from this attack."

In a blog post by SolarWinds president and CEO Sudhakar Ramakrishna published the same day, he didn't mention specifics, but did say that the company has "engaged several leading cybersecurity experts to assist us in this journey."

SearchSecurity has reached out to SolarWinds for comment.

1/6/21 -- Department of Justice confirms breach

The U.S. Department of Justice (DOJ) spokesman Marc Raimondi issued a statement on Jan. 6 revealing that threat actors behind the SolarWinds attacks accessed the DOJ's Office 365 email environment. Moreover, this activity was unknown until Dec. 24 -- well over a week after the initial disclosure.

"On Dec. 24, 2020, the Department of Justice's Office of the Chief Information Officer (OCIO) learned of previously unknown malicious activity linked to the global SolarWinds incident that has affected multiple federal agencies and technology contractors, among others.  This activity involved access to the Department’s Microsoft O365 email environment," the statement read.

According to Raimondi, after the means of threat actors accessing the environment was eliminated, the department found that "the number of potentially accessed O365 mailboxes appears limited to around 3-percent and we have no indication that any classified systems were impacted."

Raimondi said that the activity "constitutes a major incident under the Federal Information Security Modernization Act," and that the DOJ is taking steps "consistent with that determination" in response.

1/5/21 -- U.S. government acknowledges Russia's likely involvement

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the NSA released a joint statement on Jan. 5 discussing the President Trump-backed Cyber Unified Coordination Group (UCG), a task force formed in December involving all four organizations and created to investigate and remediate the SolarWinds hack that compromised multiple government networks.

For the first time, the government publicly suggested that Russian threat actors were responsible in the statement.

"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly," the statement reads.

In addition, the statement says that, regarding those impacted by the attack, they have "so far identified fewer than ten U.S. government agencies that fall into this category."

12/31/20 -- Microsoft announces breach

The Microsoft Security Response Center released a blog post on Dec. 31 that provided an update on its investigation of Sunburst (referred to by the company as Solorigate) malware, the malware used in the SolarWinds attack that impacted victims including FireEye and the U.S. government. The post reveals that a presumably rogue internal account was used to "view source code in a number of source code repositories."

The post points out in bold text that first and foremost, Microsoft customer data is safe.

"Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others," it read.

The blog goes on to say that while malicious SolarWinds applications were detected internally and subsequently removed, Microsoft's investigation revealed that there was unusual activity detected in a small number of accounts, including the aforementioned source code viewing.

"We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated," the post read.

According to Microsoft, there is no increase in risk associated with viewing source code because their threat models "assume that attackers have knowledge of source code." Moreover, while they don't generally share source code publicly, their "inner source" culture suggests that the source code isn't necessarily a massive secret inside of Microsoft.

12/30/20 -- CISA updates directive for federal agencies

CISA added a new supplemental guidance to its SolarWinds hack mitigation directive on Dec. 30.

Federal agencies are required to use "at least SolarWinds Orion Platform version 2020.2.1HF2" (the current version of the platform) as "The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code."

In addition, it reaffirms that machines using Orion Platform Version 2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, 2020.2 HF1 are not currently permitted to be active, and should be shut down or removed from networks.

12/29/20 -- SolarWinds statement mentions that there may be other victims

In a Dec. 29 statement by SolarWinds, the company discussed its "commitment to cooperation." Much of the statement broadly discussed the attack and a promise to continue working with enterprises and government authorities in ongoing investigations.

"In response to this attack, we are supporting our customers, hardening our products and systems, working with industry-leading third-party cybersecurity experts, and collaborating with our partners, vendors, law enforcement, and intelligence agencies around the world," the statement reads.

In addition, the first paragraph of the statement refers to other potential victims, though it does not suggest any internal knowledge (as of its publishing) that confirms such targets.

"SolarWinds customers in both the private and public sectors also were victims of this Sunburst attack, and there have been media reports that other software companies may have been targeted as well. We are currently the most visible victim of this attack, but we are likely not alone," it reads.

12/24/20 -- SolarWinds addresses 'Supernova' backdoor

On Dec. 24, SolarWinds released an updated security advisory regarding the second backdoor discovered by Palo Alto Networks researchers, dubbed Supernova. In addition to the .Net webshell, SolarWinds' investigation found the Supernova malware required the exploitation of a vulnerability in the Orion software platform, which the vendor patched in the most recent updates. In addition, SolarWinds said unlike Sunburst, Supernova was not the result of a supply chain attack.

"Supernova is not malicious code embedded within the builds of our Orion Platform as a supply chain attack," the advisory said. "It is malware that is separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."

12/17/20 -- Second backdoor discovered in SolarWinds

On Dec. 17, Palo Alto Networks published research that identified a second backdoor, dubbed "Supernova," inside SolarWinds' Orion platform. During an analysis of Orion artifacts used in the Sunburst attacks, Palo Alto Networks researchers discovered a sophisticated .NET DLL file that allowed threat actors to arbitrarily configure Orion platforms and run malicious code on vulnerable systems. Perhaps more importantly, the researchers believed the Supernova backdoor was implanted by different threat actors than the nation-state adversaries that conducted the initial supply chain attacks, which Palo Alto Networks called "SolarStorm."

"The Supernova webshell's association with the SolarStorm actors is now questionable due to the aforementioned .DLL not being digitally signed, unlike the Sunburst .DLL," the researchers wrote. This may indicate that the webshell was not implanted early in SolarWinds' software development pipeline as was Sunburst, and was instead dropped by a third party."

On Dec. 18, Microsoft posted similar findings about the second DLL file and backdoor, which "has been determined to be likely unrelated to this compromise and used by a different threat actor." It's unclear who that threat actor is and what their goals were.

Additional coverage

  • Starting on Dec. 18, several major technologies companies, including Cisco, VMware and Intel, confirm they were infected by the malicious SolarWinds updates. However, the companies say they've found no evidence that the Sunburst backdoor was exploited by threat actors.
  • The FBI, CISA and ODNI released a joint statement on Dec. 16 saying the SolarWinds attacks are "ongoing" and confirms that several networks of federal agencies have been breached by threat actors. The agencies also announced the formation of the UCG to address the attacks.
  • Following the disclosure of the SolarWinds supply chain attack, several security researchers discovered the malicious DLL component containing the backdoor used was still present in updates on SolarWinds' website the day after the supply chain attack was revealed. Other issues with SolarWinds' response were also discovered.

Security news editor Rob Wright contributed to this report.

Next Steps

SolarWinds response team recounts early days of attack

SolarWinds fires back at SEC over fraud charges

Dig Deeper on Threats and vulnerabilities

Networking
CIO
Enterprise Desktop
Cloud Computing
ComputerWeekly.com
Close