December 28, 2020 | Joel Burleson-Davis | Last Updated: May 25, 2022
Just when you thought we had seen the last major hack of 2020 with the FireEye incident last week, we discovered just a couple of days later that it stemmed from a massive supply chain attack originating in the Orion network management software from SolarWinds, which affects many other organizations, including several large U.S. federal agencies.
The full list of victims is relatively long, and it continues to grow by the day. Currently, it includes the Treasury Department (yeah, where they print the money!), the Commerce Department, the Pentagon and many other agencies and companies that use the software. The details of the hack are technical, complicated and still being investigated, but here is what we know so far and some answers to common questions:
Hackers who appear to be associated with the nation-state hacking group Cozy Bear, aka Advanced Persistent Threat (APT) group 29, part of the SVR arm of the Russian intelligence services, got inside the development operations of SolarWinds and managed to insert malware into a software update that the company distributed in March. Once installed, the malware “phoned home” to a command-and-control network run by the hacking group, which enabled them to enter the network and take further action. Since the update came from the company itself and was digitally signed by SolarWinds, few customers would have had any reason to suspect their software was compromised until now.
Pretty bad. SolarWinds makes network management system (NMS) software that monitors all the operations of a network and has the capability to intercept and examine network traffic and the systems on it. The malware delivered with the code was custom-designed for this hack and quite sophisticated. This means any hacker who controls that software could potentially use it to sniff passwords, find vulnerable machines and attack them to spread throughout a network.
This is far more valuable than hacking any single machine on the network, or even a server, because the software gives the attacker reach to every host on the network. The chances are that if a hacker got onto your network with control over this software, they would have a high probability of compromising other machines and achieving deeper persistence and control. And given the ubiquity of this software within large enterprises in sectors like manufacturing and government, much of our federal government may have been, or may still be, compromised by a powerful nation-state actor, along with many other governments and large companies. The true impact of this event may take years to uncover, and some intrusions may never be discovered.
First of all, not all customers of SolarWinds are vulnerable to this hack. Only users of the Orion software platform are affected, and only those who loaded the March update. SolarWinds has communicated that the number of customers that have this update is about 18,000.
However, even if your organization has the affected software installed, it may not have been hacked yet; 18,000 is a lot of targets to hack even for a big nation-state group with lots of resources like Cozy Bear. Most likely, the hackers went after the high-value targets first, such as U.S. federal government agencies and large companies, and will work their way down the list.
There is a chance that if your organization is not one of the high-value targets, it has not been compromised. Still, you need to assume it has been and take all appropriate steps to limit exposure. Now that their attack is exposed, the hackers may be taking steps to hide their tracks or install back doors so they can return later, so every minute counts in a situation like this.
If your organization meets those criteria, it definitely is at risk and should activate its incident response plan (you do have one of those, right?), decommission the software and begin to look for any Indicators of Compromise (IoCs). For more help, Talos has published this useful list. You will probably also want to hire a threat hunting company to get the real pros, who have the knowledge and experience to assist you. These are sophisticated hackers who can hide the signs of an attack very well; consider that they were inside all these high-security organizations for months without being discovered.
Even if your organization isn’t running SolarWinds, it still might not be out of the woods. If a third party or vendor your organization uses runs this software, they might be infected. And if they have access to your network or systems, your organization could be attacked through that connection. If you haven’t already, you should implement a third-party risk management program that covers vendor access of any kind. Even if your organization already has such a program, now is a good time for an overhaul and improvement.
The bottom line is that if your organization is vetting, monitoring and auditing its vendors properly, it will have a much better chance of stopping or catching attacks coming through third parties, whether it’s from this hack or the next one.