By Felipe Ruiz | January 21, 2021
SolarWinds, an American software company with nearly 300,000 clients, including almost all Fortune 500 companies and multiple federal agencies, received a critical, remarkable and surreptitious cyberattack. Incredibly, it was detected only in mid-December 2020, several months after its start. I’m referring to a 'supply chain attack' which, by its nature, still causes trouble nowadays. Let’s summarize what has happened so far.
SolarWinds is a company focused on developing software for organizations to help manage their systems, networks, and infrastructure. Among its clients are the US Treasury and Commerce departments, which, as reported in Reuters on December 13, had been victims of internal email traffic monitoring by, apparently, a group of Russian hackers. Some people involved then said that that event was related to the hack reported a few days ago by FireEye, a worldwide distinguished cybersecurity company.
FireEye emphasized a 'highly sophisticated' attack where the actors accessed their internal network, looked for data about their government clients, and even stole some of their pentesting tools. It was striking that they talked about observing a novel combination of techniques in this attack. Some sources associated it with the group APT29 or Cozy Bear, linked to the Russian Foreign Intelligence Service (SVR). However, FireEye preferred to be neutral and used the codename UNC2452. An official investigation by CISA and the FBI began because some individuals affected were seeing this whole incident as a cyberespionage campaign.
All of this was part of the sizable SolarWinds breach, which seemed to have started several months ago. The deployment of a malware-laced update of the software Orion (SolarWinds' platform for monitoring and managing enterprise networks) had infected many companies and government agencies' systems and networks. It corresponded to a 'supply chain attack,' where hackers hide a malicious code within a legitimate software update provided to the target by a third party. This kind of attack takes advantage of trust relationships, in this case, specifically the communication between machines for the software updating mechanism that users typically perceive as reliable. SolarWinds confirmed that Orion update versions 2019.4 through 2020.2.1, released in the first half of 2020, had been contaminated with a malware that FireEye called 'Sunburst' and Microsoft 'Solorigate.' Then, as a corrective measure, SolarWinds proposed to have ready by December 15 the new update 2020.2.1 HF2 as a replacement with security improvements.
At that time, it was known that SolarWinds.Orion.Core.BusinessLayer.dll was the Orion plug-in that hackers modified and distributed with the updates. It was digitally signed and had a backdoor for communication with third-party servers managed by them. After a few weeks of inactivity, it executed commands that enabled the use and transfer of files, the disabling of services, as well as other operations on the system. Attackers knew how to avoid detection properly. Inside the target system, they made modifications to legitimate utilities with their malware, executed them, and then returned them to their normal state.
Later, on December 17, Microsoft reported they had distinguished more than 40 of their clients (80% of these companies located in the US) with Orion’s infected versions and intrusions of second-stage payloads to escalate attacks. Besides, they admitted that they were among the victims and that the attack was open-ended, although it was already public and different organizations had taken various protection measures. On the other hand, SolarWinds acknowledged to the SEC that approximately 18,000 of its customers (government and private networks) had installed the 'trojanized' Orion updates.
On December 21, security researchers discovered a second actor threatening SolarWinds with 'Supernova' and 'CosmicGale' malware. Presumably, it was unrelated to Sunburst’s Russian hackers because of its unsophisticated methods. Also, at that time, the next step in escalation after Sunburst’s activity became clearer. As Cimpanu for ZDNet said, "On infected networks, the malware would ping its creators and then download a second stage-phase backdoor trojan named Teardrop that allowed attackers to start a hands-on-keyboard session [or] human-operated attack." The spying powers of hackers were thus expanded, and they could even impersonate legitimate accounts. Regarding their case, Microsoft said that hackers were even able to see, but 'not modify,' part of their source code. Well, this occurrence certainly gave us plenty to ponder over.
By December 24, the media mentioned prominent victims in three groups: (1) US agencies, like the Pentagon, the State Department, and the National Nuclear Security Administration, (2) companies, such as Cisco and Intel, and (3) other organizations, like Kent State University. Days later, at the beginning of 2021, the media reported 250 federal agencies and businesses affected, and the list keeps growing. Data, users, passwords, and source code are the elements to which agents involved may be having access.
Vaughan-Nichols for ZDNet was right on the button when he said, "While you’ve been distracted by the holidays, coronavirus, and politics, the more we learn about the SolarWinds security fiasco, the worse it looks." He didn’t mince his words, further suggesting, instead of an enhanced Orion update, to dump that software promptly and investigate "the SolarWinds' mediocre security record."
On January 5, a joint statement from the FBI, CISA, ODNI, and NSA officially ascribed the threat (labeled "an intelligence gathering effort") to an author "likely Russian in origin." The next day, the US Department of Justice confirmed that the hackers involved in this case had access to some of its employees' email accounts. On January 8, as another curious fact, CISA said these hackers also used brute force attacks to breach targets, not always relying on the trojanized update as the first attack vector.
The following week, CrowdStrike detected a third malware strain, named 'Sunspot.' Surprisingly, this was the first malware used by malicious hackers in this supply chain attack, back in September 2019 (the time when their tests began). So —adding more details to the process—, Sunspot was installed on the build server to watch it for build commands that assembled Orion. Then, it replaced source code files inside the app to make way for Sunburst’s injection and the subsequent collection of data from internal networks. Depending on the importance of the target, the attackers decided whether to proceed using the robust Teardrop.
Moreover, on January 19, Symantec reported a fourth malware called 'Raindrop' (similar to Teardrop), which appeared in the last stages of intrusion into exclusive networks. Undeniably, this SolarWinds issue doesn’t end here. And senior writers like Constantin warn of a possible increase in the number of software supply chain attacks. In this advanced digital age, it seems that many organizations hadn’t paid heed to this as a threat model.
Investigations and countermeasures continue in several organizations; even the incoming Biden government in the US is already committed to making cybersecurity a top priority and investing in a "Rescue Plan." Beyond this extraordinary impact on systems and networks, confidence in cybersecurity has been widely affected without any doubt. In the midst of so much uncertainty about what lies ahead, the only thing that is clear for now is that much effort will be required to revitalize such confidence.
Corporate member of The OWASP Foundation