What Is the SolarWinds Cyberattack?

What Is SolarWinds?

SolarWinds is a Texas-based provider of information technology (IT) infrastructure management software solutions that enable organizations to monitor and manage the performance of their IT environments.

SolarWinds Orion, a widely used network infrastructure monitoring and management platform, is designed to give customers visibility into networks from various vendors so they can identify and troubleshoot issues. Orion has more than 33,000 reported customers, including many large private sector enterprises and government agencies. It’s believed the attack in question affected approximately 18,000 of these customers—well over half.

The day after the SolarWinds breach was disclosed, Forbes reported that the attacks could go to the heart of the United States security apparatus: “According to a review of public records, the range of U.S. government customers who’ve previously bought SolarWinds Orion is vast. The Pentagon is the biggest customer, with the Army and the Navy being big users. The Department of Veterans Affairs ... the National Institutes of Health, the Department of Energy, the DHS and the FBI are also amongst the many branches of the U.S. government that have previously bought the tool.”

How Did the SolarWinds Cyberattack Work?

The attack, which came to be known as SUNBURST in SolarWinds communications, affected Orion versions 2019.4 through 2020.2.1, released between March and June 2020.

To carry out the attack, hackers modified an Orion platform plugin distributed as part of Orion platform updates. Digitally signed by SolarWinds, it contains a backdoor that communicates with third-party servers under the attackers’ control. Once the attackers established a foothold in impacted organizations, they could steal data, deploy malicious code, or otherwise disrupt business.

The attack was the work of a sophisticated adversary with deep understanding of operational security. Based on publicly available data, this adversary demonstrated significant efforts to evade detection, including code obfuscation and clean-up techniques such as steganography, fingerprinting techniques to identify target systems and analysis systems, rotating infrastructure with a focus on geolocation proximity, and executing code in memory as much as possible.

These techniques, in combination with using a digitally signed component of a trusted software platform as the initial infection vector, indicate a highly skilled and covert adversary willing to expend resources to assure the success of their operation.

US Response and Sanctions Following the Attack

The attack affected multiple high-profile US federal government agencies, including the Department of Justice (DOJ), the Department of Homeland Security (DHS), and the Department of the Treasury, among others. It exposed the Microsoft 365 email environments of various federal agencies, constituting a “major incident” that warranted a defensive response.

A White House statement in April 2021 affirmed that the Biden administration would “impose costs on Russia for actions by its government and intelligence services against U.S. sovereignty and interests.” These actions targeted Russian government, commerce, and intelligence bodies, including the expulsion of diplomatic representatives of Russian intelligence services from the US.

The same statement formally named the Russian Foreign Intelligence Service (SVR) as the perpetrator of the attack. CISA, the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) released a joint security advisory that contained further details.

How Do You Know If You’ve Been Attacked?

To remain undetected, the adversary appears to have only used the backdoor in SolarWinds Orion when the target environment was of specific interest. As such, analyzing your network activity is the only way to know if an attacker sought or obtained access.

The campaign is suspected to have started during or before March 2020 (with possible testing as early as October 2019) and did not involve any known indicators of compromise. Due to the volume of data involved, many organizations don’t keep access logs long enough to determine whether or not a compromise occurred.

If an adversary deploys malware in your environment through a compromised Orion system, they’ll likely use escalated privileges to begin exploring what actions they can take. Keep an eye on the affected Orion system—or other systems that have communicated with it—for behaviors such as:

• Modification of system tasks
• Delete-create-execute-delete-create directory action pattern
• Newly created or unknown local user accounts
• Existence or evidence of usage of Adfind.exe
• Signs of cmd.exe or rundll32.exe spawned from solarwinds.businesslayerhost.exe
• Existence of unknown and/or very broad email forwarding/deleting rules on the email gateway

Compromised Orion Products and Versions

The easiest way to know whether you may have been attacked is to determine whether you’re using a compromised Orion product in your environment. Affected Orion Platform versions include:

• 2019.4 HF5, version 2019.4.5200.9083
• 2020.2 RC1, version 2020.2.100.12219
• 2020.2 RC2, version 2020.2.5200.12394
• 2020.2, version 2020.2.5300.12432
• 2020.2 HF1, version 2020.2.5300.12432

What to Do If You’re at Risk

If you’re using a compromised version of the Orion Platform:

1. Immediately isolate, disconnect, or power down infected systems
2. Review logs to identify command-and-control activity or lateral movement from infected systems
3. Reset all credentials used by SolarWinds Orion and associated services
4. Update Orion to the latest version, according to this advisory
5. Determine whether you’re running any other affected SolarWinds products listed in the advisory

Best Practices for Protecting Your Organization

Supply chain attacks are still evolving, and there’s no doubt adversaries will find new ways to compromise the operations and sensitive data of public agencies and private companies alike. To reduce your risk as much as possible, Zscaler recommends taking these steps:

• Eliminate your internet-facing attack surface, stop lateral movement, and block C2 with a zero trust architecture.
• Enable full TLS/SSL inspection and advanced threat prevention on workload-to-internet traffic.
• Run an inline cloud sandbox to identify and stop unknown threats.
• Enforce protections for known C2 traffic with continuous updates as new destinations emerge.
• Limit the impact of lateral movement with identity-based microsegmentation for cloud workloads.
• Choose vendors that can attest to the highest levels of confidentiality, integrity, and availability.

Even if you take no other steps, these two are the most critical, making it far more difficult for an adversary to breach your environment, yet easier for you to detect unexpected activity:

• Enforce least-privileged access to limit adversaries’ abilities to exploit their position.
• Require multifactor authentication for any access to high-value targets.

How Can Zscaler Help?

Supply chain attacks are among the most sophisticated and difficult-to-detect modern cyberthreats. To defend against them with confidence, you need full visibility into all traffic in your environment, multiple layers of security, and a clear understanding of the security posture of all your partner organizations.

The Zscaler Zero Trust Exchange™ protects your organization against advanced supply chain attacks with natively integrated services and powerful, industry-leading capabilities that enable you to:

• Identify and stop malicious activity from compromised servers by routing all server traffic through Zscaler Internet Access™
• Restrict traffic from critical infrastructure to an allowlist of known-good destinations
• Inspect all TLS/SSL traffic with unlimited scale, even if it comes from trusted sources
• Block all known command-and-control (C2) domains with Advanced Threat Protection
• Extend C2 protection to all ports and protocols with Advanced Cloud Firewall (Cloud IPS module), including emerging C2 destinations
• Prevent delivery of unknown malware as part of a second stage payload with Advanced Cloud Sandbox
• Limit the impact of a potential compromise by restricting lateral movement with identity-based microsegmentation through a zero trust architecture and Zscaler Workload Segmentation
• Protect crown jewel applications by limiting lateral movement with Zscaler Private Access