SolarWinds is a Texas-based provider of information technology (IT) infrastructure management software solutions that enable organizations to monitor and manage the performance of their IT environments.
SolarWinds Orion, a widely used network infrastructure monitoring and management platform, is designed to give customers visibility into networks from various vendors so they can identify and troubleshoot issues. Orion has more than 33,000 reported customers, including many large private sector enterprises and government agencies. It’s believed the attack in question affected approximately 18,000 of these customers—over half.
The day after the SolarWinds breach was disclosed, Forbes reported that the attacks could go to the heart of the United States security apparatus: “According to a review of public records, the range of U.S. government customers who’ve previously bought SolarWinds Orion is vast. The Pentagon is the biggest customer, with the Army and the Navy being big users. The Department of Veterans Affairs ... the National Institutes of Health, the Department of Energy, the DHS and the FBI are also amongst the many branches of the U.S. government that have previously bought the tool.”
Steven J. Vaughan-Nichols, ZDNet, January 4, 2021
The attack, which came to be known as SUNBURST in SolarWinds communications, affected Orion versions 2019.4 through 2020.2.1, released between March and June 2020.
To carry out the attack, hackers modified an Orion platform plugin distributed as part of Orion platform updates. Digitally signed by SolarWinds, it contains a backdoor that communicates with third-party servers under the attackers’ control. Once the attackers established a foothold in impacted organizations, they could steal data, deploy malicious code, or otherwise disrupt business.
The attack was the work of a sophisticated adversary with deep understanding of operational security. Based on publicly available data, this adversary demonstrated significant efforts to evade detection, including code obfuscation and clean-up techniques such as steganography, fingerprinting techniques to identify target systems and analysis systems, rotating infrastructure with a focus on geolocation proximity, and executing code in memory as much as possible.
These techniques, in combination with using a digitally signed component of a trusted software platform as the initial infection vector, indicate a highly skilled and covert adversary willing to expend resources to assure the success of their operation.
The attack affected multiple high-profile US federal government agencies, including the Department of Justice (DOJ), the Department of Homeland Security (DHS), and the Department of the Treasury, among others. It exposed the Microsoft 365 email environments of various federal agencies, constituting a “major incident” that warranted a defensive response.
A White House statement in April 2021 affirmed that the Biden administration would “impose costs on Russia for actions by its government and intelligence services against U.S. sovereignty and interests.” These actions targeted Russian government, commerce, and intelligence bodies, including the expulsion of diplomatic representatives of Russian intelligence services from the US.
The same statement formally named the Russian Foreign Intelligence Service (SVR) as the perpetrator of the attack. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint security advisory that contained further details.
Lucian Constantin, CSO Online, December 15, 2020
To remain undetected, the adversary appears to have used the backdoor in SolarWinds Orion only when the target environment was of specific interest. As such, analyzing your network activity is the only way to know if an attacker sought or obtained access.
The campaign is suspected to have started during or before March 2020 (with possible testing as early as October 2019) and did not involve any known indicators of compromise. Due to the volume of data involved, many organizations don’t keep access logs long enough to determine whether or not a compromise occurred.
If an adversary deploys malware in your environment through a compromised Orion system, they’ll likely use escalated privileges to begin exploring what actions they can take. Keep an eye on the affected Orion system—or other systems that have communicated with it—for behaviors such as:
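One way to run that review over network flow records, as an added example that is not part of the original page: it flags an Orion host reaching destinations outside its expected set (the backdoor's third-party servers), an Orion host opening remote-administration ports towards other internal hosts, and the systems that communicated with Orion and should be reviewed next. The Orion host list, allowlist and flow records are all constructed for illustration.

```python
"""Flag suspicious network activity around SolarWinds Orion hosts.

Added example (not from the original page). The Orion host list,
the allowlist and the flow records below are constructed for
illustration; replace them with your own inventory and flow exports.
"""
import ipaddress
from collections import defaultdict

# Hypothetical: the hosts where Orion is installed in this environment.
ORION_HOSTS = {"10.0.5.20"}
# Hypothetical: destinations Orion is expected to reach (polled devices,
# the update server). Anything else leaving the Orion host is suspect.
ORION_ALLOWLIST = {"10.0.0.0/8", "203.0.113.10/32"}
# Ports commonly used for remote administration; an Orion host opening
# these towards other internal hosts is a lateral-movement signal.
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}

# Constructed sample flows: (src, dst, dst_port).
SAMPLE_FLOWS = [
    ("10.0.5.20", "10.0.1.1", 161),        # SNMP poll, expected
    ("10.0.5.20", "203.0.113.10", 443),    # update server, expected
    ("10.0.5.20", "198.51.100.77", 443),   # unknown external host
    ("10.0.5.20", "10.0.8.15", 445),       # SMB to a file server
    ("10.0.9.3", "10.0.5.20", 443),        # client using the Orion console
]

def _allowed(dst: str) -> bool:
    """True if dst falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(dst)
    return any(ip in ipaddress.ip_network(n) for n in ORION_ALLOWLIST)

def analyze_flows(flows, orion_hosts=ORION_HOSTS):
    """Return findings keyed by category; each value is a sorted list."""
    findings = defaultdict(set)
    for src, dst, dport in flows:
        if src in orion_hosts:
            if not _allowed(dst):
                # Traffic from Orion to servers outside the expected set.
                findings["unexpected_outbound"].add((src, dst, dport))
            elif dport in ADMIN_PORTS and dst not in orion_hosts:
                # Orion host administering other internal hosts.
                findings["possible_lateral_movement"].add((src, dst, dport))
        elif dst in orion_hosts:
            # Systems that talked to Orion: review these next.
            findings["talked_to_orion"].add(src)
    return {k: sorted(v) for k, v in findings.items()}

if __name__ == "__main__":
    for category, items in analyze_flows(SAMPLE_FLOWS).items():
        print(category, items)
```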
The easiest way to know whether you may have been attacked is to determine whether you’re using a compromised Orion product in your environment. Affected Orion Platform versions include:
If you’re using a compromised version of the Orion Platform:
Supply chain attacks are still evolving, and there’s no doubt adversaries will find new ways to compromise the operations and sensitive data of public agencies and private companies alike. To reduce your risk as much as possible, Zscaler recommends taking these steps:
Even if you take no other steps, these two are the most critical, making it far more difficult for an adversary to breach your environment, yet easier for you to detect unexpected activity:
Supply chain attacks are among the most sophisticated and difficult-to-detect modern cyberthreats. To defend against them with confidence, you need full visibility into all traffic in your environment, multiple layers of security, and a clear understanding of the security posture of all your partner organizations.
The Zscaler Zero Trust Exchange™ protects your organization against advanced supply chain attacks with natively integrated services and powerful, industry-leading capabilities that enable you to: