What Is the SolarWinds Cyberattack?
The SolarWinds cyberattack was a software supply chain attack involving the SolarWinds Orion platform, wherein a Russian nation-state adversary gained access to SolarWinds systems and deployed trojanized updates to the Orion software. This, in turn, allowed threat actors to install stealthy malware on SolarWinds customers’ networks.
The SolarWinds hack was disclosed by multiple cybersecurity companies in conjunction with the US Cybersecurity and Infrastructure Security Agency (CISA) in December 2020.
What Is SolarWinds?
SolarWinds is a Texas-based provider of information technology (IT) infrastructure management software solutions that enable organizations to monitor and manage the performance of their IT environments.
SolarWinds Orion, a widely used network infrastructure monitoring and management platform, is designed to give customers visibility into networks from various vendors so they can identify and troubleshoot issues. Orion has more than 33,000 reported customers, including many large private sector enterprises and government agencies. It’s believed the attack in question affected approximately 18,000 of these customers—well over half.
The day after the SolarWinds breach was disclosed, Forbes reported that the attacks could go to the heart of the United States security apparatus: “According to a review of public records, the range of U.S. government customers who’ve previously bought SolarWinds Orion is vast. The Pentagon is the biggest customer, with the Army and the Navy being big users. The Department of Veterans Affairs ... the National Institutes of Health, the Department of Energy, the DHS and the FBI are also amongst the many branches of the U.S. government that have previously bought the tool.”
It didn't come with bombs like the attack on Pearl Harbor, but this attack on our national agencies and American Fortune 500 companies may prove to be even more damaging to our national security and our business prosperity.
How Did the SolarWinds Cyberattack Work?
The attack, which came to be known as SUNBURST in SolarWinds communications, affected Orion versions 2019.4 through 2020.2.1, released between March and June 2020. To carry out the attack, the adversary followed this basic process:
- Hackers modified an Orion platform plugin distributed as part of Orion platform updates.
- Attackers performed reconnaissance, evading detection with obfuscation and cleanup techniques.
- Once ready, they entered target environments using a backdoor in the compromised Orion plugin.
- With a foothold established inside a target organizations, attackers could steal data, deploy malicious code, or otherwise disrupt business.
The attack was the work of a sophisticated adversary with deep understanding of operational security. Based on publicly available intel, they used advanced code obfuscation and clean-up techniques such as steganography, fingerprinting techniques to identify target systems and analysis systems, rotating infrastructure with a focus on geolocation proximity, and executing code in memory as much as possible.
These techniques, in combination with using a digitally signed component of a trusted software platform (the compromised plugin) as the initial infection vector, indicate a highly skilled and covert adversary willing to expend resources to assure the success of their operation.
US Response and Sanctions Following the Attack
The attack affected multiple high-profile US federal government agencies, including the Department of Justice (DOJ), the Department of Homeland Security (DHS), and the Department of the Treasury, among others. It exposed the Microsoft 365 email environments of various federal agencies, constituting a “major incident” that warranted a defensive response.
A White House statement in April 2021 affirmed that the Biden administration would “impose costs on Russia for actions by its government and intelligence services against U.S. sovereignty and interests.” These actions targeted Russian government, commerce, and intelligence bodies, including the expulsion of diplomatic representatives of Russian intelligence services from the US.
The same statement formally named the Russian Foreign Intelligence Service (SVR) as the perpetrator of the attack. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint security advisory that contained further details.
[Supply-chain attacks] are some of the hardest types of threats to prevent because they take advantage of trust relationships between vendors and customers and machine-to-machine communication channels, such as software update mechanisms that are inherently trusted by users.
How Do You Know If You're a Victim of SolarWinds SUNBURST?
To remain undetected, the adversary appears to have only used the backdoor in SolarWinds Orion when the target environment was of specific interest. As such, analyzing your network activity is the only way to know if an attacker sought or obtained access.
The campaign is suspected to have started during or before March 2020 (with possible testing as early as October 2019) and did not involve any known indicators of compromise. Due to the volume of data involved, many organizations don’t keep access logs long enough to determine whether or not a compromise occurred.
If an adversary deploys malware in your environment through a compromised Orion system, they’ll likely use escalated privileges to begin exploring what actions they can take. Keep an eye on the affected Orion system—or other systems that have communicated with it—for behaviors such as:
- Modification of system tasks
- Delete-create-execute-delete-create directory action pattern
- Newly created or unknown local user accounts
- Existence or evidence of usage of Adfind.exe
- Signs of cmd.exe or rundll32.exe spawned from solarwinds.businesslayerhost.exe
- Existence of unknown and/or very broad email forwarding/deleting rules on the email gateway
Compromised Orion Products and Versions
The easiest way to know whether you may have been attacked is to determine whether you’re using a compromised Orion product in your environment. Affected Orion Platform versions include:
- 2019.4 HF5, version 2019.4.5200.9083
- 2020.2 RC1, version 2020.2.100.12219
- 2020.2 RC2, version 2020.2.5200.12394
- 2020.2, version 2020.2.5300.12432
- 2020.2 HF1, version 2020.2.5300.12432
What to Do If Your SolarWinds Orion Platform Is Compromised
If you’re using a compromised version of the Orion Platform:
- Immediately isolate, disconnect, or power down infected systems
- Review logs to identify command-and-control activity or lateral movement from infected systems
- Reset all credentials used by SolarWinds Orion and associated services
- Update Orion to the latest version, according to this advisory
- Determine whether you’re running any other affected SolarWinds products listed in the advisory
Companies, as users of software, should also start thinking about applying zero-trust networking principles and role-based access controls not just to users, but also to applications and servers.
Best Practices for Protecting Your Organization from the SolarWinds Attack
Supply chain attacks are still evolving, and there’s no doubt adversaries will find new ways to compromise the operations and sensitive data of public agencies and private companies alike. To reduce your risk as much as possible, Zscaler recommends taking these steps:
- Eliminate your internet-facing attack surface, stop lateral movement, and block C2 with a zero trust architecture.
- Enable full TLS/SSL inspection and advanced threat prevention on workload-to-internet traffic.
- Run an inline cloud sandbox to identify and stop unknown threats.
- Enforce protections for known C2 traffic with continuous updates as new destinations emerge.
- Limit the impact of lateral movement with identity-based microsegmentation for cloud workloads.
- Choose vendors that can attest to the highest levels of confidentiality, integrity, and availability.
Even if you take no other steps, these two are the most critical, making it far more difficult for an adversary to breach your environment, yet easier for you to detect unexpected activity:
- Enforce least-privileged access to limit adversaries’ abilities to exploit their position.
- Require multifactor authentication for any access to high-value targets.
Supply Chain Attacks: What They Are, How They Work, and How to Protect Your OrganizationRead the blog
How Can Zscaler Help Against Threats Like SolarWinds SUNBURST?
Supply chain attacks like SUNBURST are among the most sophisticated and difficult-to-detect modern cyberthreats. To defend against them with confidence, you need full visibility into all traffic in your environment, multiple layers of security, and a clear understanding of the security posture of all your partner organizations.
The Zscaler Zero Trust Exchange™ protects your organization against advanced supply chain attacks with natively integrated services and powerful, industry-leading capabilities that enable you to:
- Identify and stop malicious activity from compromised servers by routing all server traffic through Zscaler Internet Access™
- Restrict traffic from critical infrastructure to an allowlist of known-good destinations
- Inspect all TLS/SSL traffic with unlimited scale, even if it comes from trusted sources
- Block all known command-and-control (C2) domains with Advanced Threat Protection
- Extend C2 protection to all ports and protocols with Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations
- Prevent delivery of unknown malware as part of a second stage payload with Advanced Cloud Sandbox
- Limit the impact of a potential compromise by restricting lateral movement with identity-based microsegmentation through a zero trust architecture and Zscaler Workload Segmentation
- Protect crown jewel applications by limiting lateral movement with Zscaler Private Access
Visit our SolarWinds Response Center to learn more.
You can also explore the features of the comprehensive Zero Trust Exchange Platform.