A highly sophisticated actor has taken advantage of SolarWinds security flaws to infiltrate governments and businesses around the world. Here's what you need to know. 

What

On December 8th, FireEye (a global cybersecurity firm based in California) revealed that they had been the victim of a highly sophisticated and damaging cyber-attack. The attackers were able to obtain FireEye's suite of penetration testing tools, including the toolkit they use in their Red Team exercises conducted for national security agencies. These toolkits are customized digital weapons built from popular strains of malware from around the world in order to test how well FireEye's clients hold up against state-of-the-art attacks. Consequently, concerns that these tools have fallen into foreign hands set off a wide-ranging investigation by the FBI and others to determine what other attacks might be underway.

Less than a week later, on December 13th, it was confirmed that the foreign actor had indeed gained extensive access to a number of federal agencies including the Treasury and Commerce departments, and has been monitoring staff emails for several months after breaking into the federal government's Microsoft 360 Office platform.

While the federal government is currently at the center of the investigation, SolarWinds serves hundreds of thousands of organizations worldwide and is urging all of their clients to immediately upgrade their software and conduct a comprehensive system audit.

Confirmed victims include government, consulting, technology, and telecom entities in North America, Europe, Asia and the Middle East. We anticipate that there are additional victims in other countries and verticals. That being said, initial findings suggest that the operation was narrowly targeted and therefore has not affected the vast majority of SolarWinds customers.

SolarWinds also services the Pentagon, White House, and NASA, but it is still unclear whether these agencies have been similarly compromised.

When

According to preliminary investigations conducted by the FBI, Silent Breach, and the compromised security firms (including SolarWinds, Microsoft, and FireEye), the attack has been ongoing since at least Spring 2020, but likely began much earlier. We've previously covered how malicious cyber actors have been leveraging the COVID pandemic to ramp up their attacks.

What is clear is that the SolarWinds Orion backdoor which lies at the root of the attack was in place globally between March and June of 2020 (versions 2019.4 HF 5 through 2020.2.1).

Who

All clues point to S.V.R., one of Russia's leading intelligence agencies, often referred to as Cozy Bear or A.P.T. 29. So far, however, relevant agencies and organizations have been reluctant to name Russia explicitly and have instead resorted to pointing to a "sophisticated nation state." If confirmed, this would be Russia's most disruptive campaign since a 2014-2015 blitz that compromised the White House, State Department and the Joint Chiefs of Staff.

The Russian embassy to the US has denied any part in the attack and claims that Russia "does not conduct offensive operations in the cyber domain."

How

While many details related to the cyber attack are still under review, we can confirm the following:

• The initial intrusion was made via malicious code inserted into SolarWinds Orion product by embedding backdoor code into a legitimate SolarWinds library with the file name SolarWinds.Orion.Core.BusinessLayer.dll and downloaded to users' computers through automated updates.

• The attackers then used the newly acquired admin access to forge SAML tokens, enabling them to impersonate existing or created user accounts across all levels.

• Using these SAML tokens, the attackers then accessed internal organizational resources and services (including emailing systems, cloud environments, and protected databases) as well as third-party tools, enabling them to call APIs with the permission assigned to that application.

What To Do

If your organization uses SolarWinds' Orion Platform, we recommend the following steps to be taken immediately:

• Ensure that SolarWinds servers are isolated from the rest of your network. This includes blocking all internet egress from the servers.

• If your SolarWinds infrastructure cannot be completely isolated, consider restricting the scope of connectivity from/to those servers as well as the scope of accounts that have admin access on SolarWinds.

• Consider changing passwords for accounts that are connected to SolarWinds.

• Run up to date antivirus or EDR products that detect compromised SolarWinds libraries.

• We recommend upgrading to Orion Platform version 2020.2.1 HF 1 as soon as possible.

Indicators of Compromise (IOCs), Detection Opportunities, and Mitigation Recommendations are being documented by Microsoft, SolarWinds, and FireEye.

How We Can Help

Once immediate triage has been completed, Silent Breach can help conduct a full audit of your infrastructure to determine whether any malicious activity took place and, if so, how you should respond.

Our security team is fully briefed on the SolarWinds attacker's strategies, IOCs, and fingerprints. This ensures that if there is anything to be found, we'll be able to locate it. This is particularly important with attacks of this level of sophistication, where extreme care is spent not only in penetrating the target, but also in hiding all traces of an attack.

At the same time, it's important to evaluate the risks and impacts of a potential attack. Importantly, even if SolarWinds mitigates their own vulnerabilities, attackers may still retain access to your networks. Consequently, a BIA and Cyber Incident Response Plan must be created, reviewed, and/or evaluated in tandem with the above security audit.

In the event that malicious activity is identified on your network, our forensics team will be able to carefully capture and preserve that evidence for further analyses and legal processes. And, in either case, a full report detailing steps taken, discoveries made, and recommended mitigation steps (both short term quick wins and a long term roadmap) will be compiled for internal guidance as well as external stakeholder reassurance.

For more detailed descriptions of Silent Breach's Incident Response programs, please see our Incident Response and Managed Response pages. Or, for more information on how your organization may be impacted by the SolarWinds Hack or for additional guidance, please contact Silent Breach at contact@silentbreach.com.


Additional Resources:
Cybersecurity Survival Guide for Remote Working
Guide to Business Continuity Planning
How to Prepare for the Inevitable Global Cyberattack