Hackers successfully compromised the SolarWinds Orion software solution and incorporated a backdoor dubbed SUNBURST that has been downloaded by up to 18,000 of its customers, including many large enterprises and government agencies.
SolarWinds Orion is a software solution used by large enterprises and government agencies to manage their IT networks and IT infrastructure. The software is used by all five branches of the U.S. military, the Pentagon, State Department, Department of Homeland Security, National Security Agency, NASA and the National Institutes of Health. Currently, five U.S. government agencies are known to have installed the backdoor: the U.S. Treasury, Department of Homeland Security, U.S. Commerce Department, State Department, and the National Institutes of Health. The attack has potentially given the attackers access to highly sensitive data, including government emails.
The campaign was first identified by the cybersecurity firm FireEye when investigating its own breach, which led to the identification of the SUNBURST backdoor. The investigation traced the attack to a Trojanized SolarWinds Orion product, which was created in the spring of 2020. Software updates from March 2020 through June 2020 included the SUNBURST backdoor and all customers who installed those updates have likely been compromised ever since.
According to SolarWinds, around 33,000 of its customers used the Orion product during the period when the Trojanized version was available for download, but the company believes fewer than 18,000 of those customers have an installation of the Trojanized version. Those customers span a range of industry sectors, from government to consulting, technology, telecoms, healthcare, and cybersecurity, across North America, Europe, Asia, and the Middle East.
Supply chain attacks such as this are the holy grail for hackers. Compromising a product such as SolarWinds Orion allows them to infect huge numbers of high-profile targets that would otherwise be extremely difficult to hack. The hackers were highly skilled, disciplined, and operated with a high level of operational security. They were able to evade security solutions and operate undetected, and were it not for the attack on FireEye, the hackers might still be operating totally undetected.
The highly sophisticated, targeted, manual supply chain attack has the hallmarks of a nation-state hacking group rather than a cybercriminal operation. The group behind the attack has yet to be confirmed, but Washington Post sources have stated the attack was conducted by the Advanced Persistent Threat group known as APT29 (Cozy Bear). APT29 is associated with the Russian Foreign Intelligence Service (SVR), although a Kremlin spokesperson has denied Russian involvement in the attacks.
The hackers appear to have had full access to SolarWinds' software development environment, although it is currently unclear how that access was gained. That allowed them to insert their backdoor code, which was then pushed out to SolarWinds' clients through the normal software update process. The software updates were signed using public key cryptography, and because they carried valid signatures, customers' systems accepted them as legitimate.
A similar method of attack occurred in the NotPetya wiper malware attacks in 2017, where the attackers compromised the accounting software (M.E. Doc) of a Ukrainian software vendor and added a backdoor, allowing them to install the wiper on the systems of its customers.
Once the SUNBURST backdoor is installed, detection is difficult. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” said FireEye.
Once the backdoor is installed, the hackers move laterally and steal data. It is also possible that they have compromised customers’ Microsoft Office 365 productivity tools. Microsoft is currently working to remove that attack vector.
FireEye has identified indicators of compromise, and signatures for the backdoor are now being incorporated into anti-virus and anti-malware engines. Microsoft reports that all its anti-virus products now detect the backdoor, although full scans will need to be performed to determine whether the backdoor has been installed.
SolarWinds has contacted all customers believed to have been affected. A hotfix has been released that partly addresses the vulnerability, and mitigation steps have been provided to help customers secure their environments. A second hotfix that removes the compromised component is expected to be released by SolarWinds on Tuesday, December 15, 2020.
Orion Platform version 2020.2.1 HF 1 will allow admins to secure their systems running compromised versions of the software (from 2019.4 HF 5 to 2020.2.1), and version 2020.2.1 HF 2 removes the compromised component. These updates should be applied immediately.
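A practical first step for any defender reading the above is to triage an inventory of Orion servers against the version boundaries the article gives (2019.4 HF 5 through 2020.2.1 affected; 2020.2.1 HF 1 mitigated; 2020.2.1 HF 2 removes the component). The script below is an added example, not SolarWinds' or FireEye's code. It assumes version strings in the "YYYY.minor[.patch][ HF n]" form the article uses and that numeric tuple ordering reflects release order; the host names and versions in the inventory are constructed. A version outside the affected range does not prove a host is clean, since the article notes that full anti-malware scans are still required.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class OrionVersion(NamedTuple):
    """Orion Platform version broken into comparable integer fields."""
    major: int   # e.g. 2020
    minor: int   # e.g. 2
    patch: int   # e.g. 1 (0 when absent, as in "2019.4")
    hotfix: int  # HF number, 0 when there is no "HF n" suffix


# Assumed format: "2019.4 HF 5", "2020.2.1", "2020.2.1 HF 2" (case-insensitive).
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_orion_version(text: str) -> OrionVersion:
    """Parse a version string; raise ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return OrionVersion(int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Boundaries as stated in the article above.
FIRST_AFFECTED = OrionVersion(2019, 4, 0, 5)  # 2019.4 HF 5
LAST_AFFECTED = OrionVersion(2020, 2, 1, 0)   # 2020.2.1
MITIGATED = OrionVersion(2020, 2, 1, 1)       # 2020.2.1 HF 1 (secures, does not remove)
REMOVED = OrionVersion(2020, 2, 1, 2)         # 2020.2.1 HF 2 (removes the component)


def classify(version_text: str) -> str:
    """Map a version string to the article's categories.

    Tuple comparison assumes numeric ordering matches release ordering
    (an assumption of this example, not a statement from the article).
    """
    v = parse_orion_version(version_text)
    if FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "affected"
    if v == MITIGATED:
        return "mitigated"
    if v >= REMOVED:
        return "clean"
    return "predates-affected-builds"


# Recommended action per category, following the article's guidance.
ACTIONS = {
    "affected": "apply 2020.2.1 HF 1 immediately, then HF 2; run full AV scan",
    "mitigated": "apply 2020.2.1 HF 2 to remove the component; run full AV scan",
    "clean": "component removed; still run full AV scan for prior compromise",
    "predates-affected-builds": "outside the Trojanized range; upgrade to HF 2 anyway",
}


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, str]:
    """Return {host: category} for a list of (host, version) pairs."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory (not real hosts).
INVENTORY = [
    ("orion-prod-01", "2020.2.1"),
    ("orion-lab", "2019.4 HF 5"),
    ("orion-dr", "2020.2.1 HF 1"),
    ("orion-new", "2020.2.1 HF 2"),
    ("orion-old", "2019.2"),
]


if __name__ == "__main__":
    for host, category in triage(INVENTORY).items():
        print(f"{host:14} {category:26} -> {ACTIONS[category]}")
```

Run against a real export of Orion server versions, the output tells you which hosts need HF 1 today and which only need HF 2, while the action text keeps the article's point that a scan is still required on every host.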