SolaWinds Hack

Responding to the SolarWinds Hack

Recent cybersecurity attacks have security companies working at high speeds to intercept attacks that occur within hours and even zero-day attacks. In an unexpected turn, the current attack that has everyone’s attention, and prompted an emergency weekend meeting of the U.S. National Security Council, is one that took several months to complete.  

The SolarWinds Attack was first disclosed on December 14, 2020, but it likely actually began in September 2019. Victims of the attack included government agencies and private companies. Among the government agencies attacked were parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury. Notable private companies, like Microsoft, Cisco, Intel, and Deloitte were also affected. Other organizations include the California Department of State Hospitals and Kent State University.

Notably, not every customer using the Orion platform installed the infected update. It’s estimated that 18,000 (six percent) of the company’s 33,000 Orion product customers installed the update that left networks vulnerable to hackers from March 2020 until mid-December. Furthermore, it’s estimated that the early stages of the investigation haven’t revealed the true extent of the attack. 

Now, government agencies and a variety of other companies and organizations are striving to understand exactly what happened and how to avoid becoming a victim of a more advanced threat in the future. Learning from such an advanced attack begins with careful inspection of how the attack was carried out and why.

New call-to-action

What is the SolarWinds Hack?

The SolarWinds hack is an advanced supply-chain attack carried out over a period of several months targeting U.S. government agencies and high profile private companies with extensive customer bases. The full extent and motive of the attack are unclear as the investigation has just begun. However, it’s widely suspected that the attack was carried out by Russia’s foreign intelligence service (SVR) often referred to as Cozy Bear.

In mid-December 2020, security company FireEye recognized and reported a data breach that included access to the company’s suite of Red Team hacking tools. As the company investigated further into the origin of the attack, the connection to SolarWind’s Orion IT platform was discovered. In a stealthy backdoor attack that spanned across several months, hackers infiltrated the software update platform for Orion products, gaining access to thousands of high profile customers of the company. Despite some similarities used in supply chain and lateral movement attacks, this hack was totally unique in nature and has prompted discussion about the need for stronger cybersecurity legislative action and penalties for attackers.

How it Happened

When cyberattacks are carried out quickly, as with recent ransomware attacks, a visible timeline of hacker behavior is tracked over a period of hours or days that results in discovery or contact when the attack is complete. The timeline for the SolarWinds attack is much different and includes long waiting periods where the hackers patiently watched a trojanized Orion IT update make its way to the intended victims. 

On December 8, 2020, FireEye discovered and reported a system breach and the theft of security tools. After launching an investigation, the following timeline was revealed.

  • September 4, 2019: A threat actor accessed SolarWinds.
  • September 12, 2019: Test code is injected, beginning a trial run designed to test the hacker’s ability to insert code into upcoming updates.
  • November 4, 2019: Trial run ends.
  • February 20, 2020: An updated version of the malicious code (later dubbed Sunburst) is deployed into the Orion product software update platform.
  • March 26, 2020: Hotfix 5 DLL update becomes available to customers.
  • June 4, 2020: After remaining undetected in the system, the perpetrators removed the Sunburst code from the SolarWinds network. 
  • December 8, 2020: FireEye suffers an attack and discloses the details of the theft of Red Team penetration testing tools.
  • December 11, 2020: During the investigation of their own attack, FireEye discovers SolarWinds Orion updates were corrupted and weaponized by hackers.
  • December 12, 2020: SolarWinds is informed of the attack and discloses the details to customers. The National Security Council holds an emergency meeting at the White House to discuss the breach of multiple government agencies.
  • December 13, 2020: Immediate action takes place in an effort to minimize the threat. The Cybersecurity and Infrastructure Security Agency (CISA) orders federal agencies to power down SolarWinds Orion. SolarWinds outlines the attack and provides defensive measures. Microsoft offers guidance to explain and defend against attacks. The first media coverage emerges from Reuters.
  • December 15, 2020: SolarWinds releases a software fix to update affected programs. U.S. lawmakers request an investigation from the FBI and CISA.
  • December 24, 2020: SolarWinds issues new patches and fixes for the attack.
  • December 30. 2020: CISA updated guidance, requiring all federal agencies operating versions of SolarWinds Orion to update to version 2020.2.1HF2.
  • December 31, 2020: Microsoft reports that hackers were unable to access their products or software after the initial infiltration.
  • January 5, 2021: U.S. intelligence agencies formally accuse Russia of being linked to the SolarWinds hack.
  • January 14, 2020: U.S. Labor Department reports their data wasn’t corrupted or lost after the initial breach.
  • January 18, 2020: An additional piece of malware from the attack is recognized. Raindrop is a loader that delivered Cobalt Strike to specific victims of the attack.
  • January 22, 2020: President Joe Biden hires cybersecurity experts. 

High Profile Victims

The SolarWinds attack wasn’t a random hack designed to affect every person using the service. It wasn’t even devised to impact the SolarWinds company or Orion products. The purpose was to use Orion as a vessel to target specific organizations through a software update set to occur between February and June 2020. Although roughly 18,000 customers applied the update, far fewer organizations were actually infiltrated using the malicious code included in the update.

Threat actors applied a malicious code, later named Sunburst, in Orion product updates before the updates were set to occur, then removed the code from the SolarWinds network to remain undetected. When the update was installed, hackers could then use the code within a variety of organizations to gain entry into these networks and move laterally through the systems. It’s estimated that malicious action was taken in approximately 200 organizations, including government agencies, universities, health care facilities, and high tech companies.

Microsoft identified more than 40 customers targeted by the attack. While about 80% of these customers were located in the U.S., seven additional countries were affected. This includes Canada, Mexico, Belgium, Spain, United Kingdom, Israel, and The United Arab Emirates. While government agencies were included in the attack, 44% of targeted organizations were IT companies that provide software and equipment to other customers.

Notable organizations and companies hit by the attack include:

  • FireEye
  • Microsoft
  • Cisco
  • U.S. Department of Treasury
  • U.S. Department of State
  • U.S. National Telecommunications and Information Administration (NTIA)
  • U.S. Department of Homeland Security (DHS)
  • U.S. Department of Energy (DOE)
  • National Institutes of Health (NIH)
  • Some U.S. states

How the SolarWinds Hack is Different

From the massive high-profile victim list to the extremely covert nature of the attack, the SolarWinds hack reveals cybersecurity vulnerabilities that haven’t been thoroughly explored before. 

SolarWinds is a large IT company with a massive customer base. The company’s advertising techniques likely made it a perfect target for hackers seeking a comprehensive list of high profile victims. In a page that has been removed from the website, SolarWinds listed customers to include most of America’s Fortune 500 companies, the top 10 U.S. telecommunications providers, the top 5 U.S. accounting firms, hundreds of colleges and universities, all five branches of the U.S. military, the State Department, the National Security Agency, and the Office of President of the United States. Attacking any of these organizations separately would have been a massive undertaking, but the use of one agency for a supply chain attack eliminated much of the legwork and potential for exposure. However, that’s not the only distinction when it comes to this attack. In fact, a series of well-planned actions led to a nearly invisible attack that could have serious implications for the future of national cybersecurity regulations.

A Stealthy Attack

Threat actors were able to perform a trial run and successfully inject malware into the SolarWinds network without being recognized due to a combination of techniques. Hackers began with a trial run to access the Orion product update platform. The attack was then modified to include malicious code that could be inserted into SolarWinds’ build servers. Since the code masqueraded as part of the program, it was able to remain undetected until the full-scale attack would be initialized. When the update went out to thousands of customers months later, a backdoor entry point was created within networks of organizations that installed the update.

Instead of taking action immediately, hackers allowed a dormancy period to exist in the new victim’s network before performing any activity within the system. Since the hacker’s activity within new networks masqueraded as normal activity from the Orion software, malicious activity could potentially go undetected until the objective was complete.

A Deliberate Time Frame

Rapid-fire attacks are difficult to identify and stop due to the speed at which the attack is introduced and carried out. This attack was planned with the ability to remain invisible for months at a time and included a dormant period when it was introduced to targeted victims. The ability for the code to remain undetected within the SolarWinds platform for months throughout routine security procedures opens up new fears to the potential that other threats could be occurring beneath the radar of vital organizations. Additionally, the fact that Sunburst was introduced to target networks only to lie dormant for weeks means deeper investigation was required to discover the origin of the threat.

Ongoing Supply Chains

IT companies that were unaware of the hack and continued to provide services and products to their own customers have added another layer of potential victims to the attack. While the main objective in the SolarWinds hack seems to be directed at high profile targets, the threat for third parties using compromised software still exists. 

All too often, cybersecurity is aimed at avoiding direct threats by way of phishing or other similar methods. When the attack comes from trusted software, target organizations need a new method of protection. With the introduction of this attack, organizations realize they can’t assume vendors and core partners are performing necessary security protocols.

The FireEye Factor

Cybersecurity company FireEye uncovered and revealed the source of the attack, but not before advanced hacking security tools were stolen. Even while the complete impact of the attack is being determined, hackers can utilize the FireEye tools for other types of covert attacks within networks that are unprepared for this new threat. While FireEye has been refreshingly transparent about the hack and related actions to prevent further damage, there’s no doubt these new tools will improve the ability of hackers attempting to access and corrupt victim networks.

What Happens Now?

As organizations struggle to recover from the attack and prepare for the future, many steps are being taken to prepare for possible actions hackers may take in the future. This sobering look at how easily accessible government agencies can be to hackers might finally lead to stricter legislation regarding cybersecurity regulations and the punishment for nation-state threat actors. Without certain restrictions and resulting actions in place, organizing effective international cybersecurity policies will be practically impossible.

Affected companies responded immediately with timely reports to customers and ongoing transparency regarding the attack. SolarWinds released a software fix within days of being notified of the breach. FireEye teamed up with Microsoft and GoDaddy to create a kill switch that causes the malware to terminate and prevent further execution. However, these actions don’t address the larger need for protection against new and growing threats.

An attack of this magnitude expands the ways hackers can carry out a variety of cyberattacks with differing objectives. While entry methods would have to be modified, such a wide-scale attack would conceivably offer up a massive payday for ransomware operators. The success of this hack makes it essential for companies, security agencies, and government organizations to prepare for the next threat on the horizon.

After the attack, incoming president Joe Biden promised to make cybersecurity a top priority for the administration. He went on to say the administration would elevate cybersecurity as an imperative across the government, strengthen partnerships with the private sector, and invest in the infrastructure and people needed to protect against cyberattacks. Promising the administration would not stand idly by in the face of cyberattacks against the nation, Biden said the administration will impose substantial costs on individuals responsible for malicious attacks to deter such activity. 

During President Biden’s first week in office, he seems to be making good on that promise. Quickly filling key roles with world-class cybersecurity experts and including more than $10 billion in cybersecurity and IT funds in the upcoming COVID-19 relief proposal are among the actions taken during the president’s first week in office. Compared to recent U.S. efforts in cybersecurity, this seems like a monumental effort, but many experts agree it’s only the beginning steps in what needs to be done for adequate cybersecurity.

Avoiding Future Cyber Attacks

Perhaps the biggest question now is whether similar attacks could be occurring beneath the radar. Given what we’ve learned about the SolarWinds hack, it’s virtually impossible to know if similar attacks aren’t already in progress. While it’s alarming to learn government agencies and Fortune 500 companies have been compromised, individuals and businesses need to remember that cybersecurity efforts aren’t in vain. After all, even though the government earmarks billions of dollars for cybersecurity, a private security firm recognized the breach within its own system. FireEye went further to recognize the origin of the attack and alert a long list of victims. This might not seem like a big deal, but it means traditional and emerging cybersecurity techniques are working.

There’s no single solution to avoiding any type of cyber threat, but routine management and a strong defense are the best tools to prepare for potential breaches. For instance, companies affected by the SolarWinds hack that already utilized services like SIEM and logging techniques in place were better prepared to utilize defenses recommended against the attack.

SIEM monitors all suspicious activity within a network. While this code was covert enough to go undetected within multiple organizations, additional activity by the hackers likely triggered the alarm that alerted FireEye to the breach. SIEM often detects a breach and creates an alert immediately. Unfortunately, sometimes a breach successfully gets past a security system. However, additional actions by threat actors provide another opportunity for detection. 

When the threat was detected, FireEye’s investigation quickly tracked back to SolarWinds. Without the right security measures in place, tracking these movements would likely be impossible. It’s true that a variety of steps need to be taken for effective cybersecurity for both private companies and government agencies, there will always be a need for individual security protections.

Security Measures Every Organization Should Take to Avoid a Breach

So, what does this mean companies and local governments should be doing to avoid future attacks? For organizations with systems running Solarwinds Orion, it’s essential to install the recommended updates and patches to avoid potential corruption. However, organizations using Orion aren’t the only ones affected by a breach of this complexity and magnitude. It should serve as a wake-up call that all agencies and companies must make cybersecurity, and the ability to identify and eliminate new threats as they arise, a priority. Automated security tactics combined with the efforts of cybersecurity experts provide the most comprehensive protection available against potential cyberattacks of the future.

  • SIEM: SIEM software collects and categorizes all data across an organization’s entire network. This ability also allows the software to recognize threats and send out alerts. If a system is breached, SIEM provides IT professionals with the data to track malicious movement through the network.  
  • Cyber Threat Hunting: It’s not enough to assume your security system is keeping out every new threat that arises. This breach has proven that successful obfuscation tactics allow threats to hide within networks for long periods of time. Cyber threat hunting covers potential attacks, ones already in progress, and ones that have already taken advantage of vulnerabilities in the network. Potential attackers are aware of the capabilities of cybersecurity software and are always developing new ways to surpass it and find vulnerabilities. Cyber threat hunting adds a human element to seeking new threats and finding existing vulnerabilities and dangers that have already breached the network.
  • Zero Trust: Your network’s security is only as strong as its weakest link. Effective security requires an agency to take responsibility for everything that enters the network. This means you can’t assume vendors and providers are using high quality security methods to protect the software and updates installed by your organization. A zero trust policy requires your security system to verify everything that enters or already exists within your network.
  • Security Patches: It’s easy to put off manual maintenance like updates and security patches. Unfortunately, anything less than the most updated technology within all areas of your network makes your organization more vulnerable to breaches. Security patches and updates provide a more secure system with advancements designed to secure your network against new, existing threats. Software developers continually update platforms to provide customers with advanced protection against potential attacks.

Advanced cyberattacks can make maintaining a network seem impossible. It’s important to remember that as attackers take advantage of advanced technology to attempt to breach vital systems and access sensitive information, cybersecurity experts are learning new ways to halt this action in its tracks. BitLyft is an advanced cybersecurity company accustomed to the demands of organizations that must protect large amounts of sensitive customer information. Get in touch today to learn more about the most advanced ways you can protect your network.

New call-to-action 

Jason Miller

Jason Miller, Founder and CEO of BitLyft Cybersecurity, has dedicated his 20-year IT career, including co-founding SaaS pioneer Reviora, to removing cybersecurity barriers for mid-sized enterprises. Establishing BitLyft in 2016, Jason set out to unburden security teams with innovative, approachable, and affordable solutions, a vision which has made BitLyft a respected managed detection and response provider. Outside his cybersecurity pursuits, Jason is an avid tree farmer and outdoor enthusiast, planting nearly 300 trees on his ten-acre plot and finding joy in hiking, and hunting. His diverse passions mirror the balanced blend of expertise, dedication, and joy he brings to BitLyft.

More Reading

Cyber attacks on electric grid
Cyber Attacks on Utilities: Why Municipal Utilities Are at High Risk
It's no secret cyber attacks are becoming more advanced and more frequent, affecting a variety of high-profile targets. Financial institutions, healthcare facilities, universities, and government...
circuit board with a red bug or virus
The True Cost of SamSam Ransomware
Last year, the city of Atlanta was attacked by a group of hackers who had infiltrated their system and effectively crippled large parts of it.
Manufacturing Cyber Attacks
Popular Types of Cyber Attacks In Manufacturing
Cyber attacks are on the rise with one report suggesting that they have increased by 59%. Cyber attacks in manufacturing do not gain as much news coverage or discussion as attacks on retail stores or...