18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack

Nation-state attackers used poisoned SolarWinds network management software updates to distribute malware; US government orders federal civilian agencies to immediately power down the technology.

In what may well turn out to be one of the most significant supply-chain attacks in recent years, a likely nation-state backed group compromised systems at SolarWinds and inserted malware into updates of the company's widely used Orion network management products that were released between March and June 2020.

In total, about 33,000 of SolarWinds' 300,000 customers — which include numerous government agencies, 499 of the Fortune 500 companies, and over 22,000 managed service providers — could have potentially received the compromised software updates. Some 18,000 organizations worldwide may have actually installed the poisoned software on their systems, SolarWinds said in an SEC filing Monday.

The filing suggested that attackers might have initially broken into SolarWinds' systems by compromising the company's emails and using that to access other data in its Microsoft Office 365 environment.


Victims of the massive breach are believed to include the US Treasury Department, the National Telecommunications and Infrastructure Administration, and security vendor FireEye, which last week disclosed a breach involving the theft of the company's red team tools.

In a measure of the widespread concern the breach has stoked, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive Sunday urging all federal civilian agencies using SolarWinds' Orion products to immediately power down or disconnect the technology. The Emergency Directive, only the fifth since 2015, described the SolarWinds compromise as posing an unacceptable risk to the security of federal networks. It ordered all federal civilian agencies to provide a report to CISA no later than 12:00 p.m. Eastern Standard Time Monday showing that they had shut down the SolarWinds Orion technology on their networks.

In a security advisory, SolarWinds said software builds for versions 2019.4 HF 5 through 2020.1.1 of its Orion Platform released between March and June this year were impacted in the breach. The company asked its customers to immediately upgrade to Orion Platform version 2020.2.1 HF 1 where possible. An additional hotfix is expected to be released on Dec 15, 2020, and the company released guidelines for organizations that cannot immediately apply the update.

"Infecting the legitimate software updates of a widely used vendor can be an effective way to covertly inject malware into a large number of organizations," says Hank Schless, senior manager of security solutions at Lookout. "If successful, this form of supply chain attack can be used to attack an entire industry in one swoop."

SolarWinds' recommendations for those who cannot immediately update are to ensure the Orion platform is installed behind firewalls, disable Internet access to the platform, and limit port access to only what is strictly necessary.

In its security advisory, FireEye described several methods for detecting post-compromise activity on victim networks. These include querying Internet-wide scan data for malicious IP addresses that might be masquerading as an organization's legitimate IP addresses, and geolocating the IP addresses used for remote access, which will identify compromised accounts that are being used from different locations. The security vendor also recommended that organizations "use HX's LogonTracker module to graph all logon activity and analyze systems displaying a one-to-many relationship between source systems and accounts."
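The two logon-analysis checks FireEye recommends above can be run over ordinary authentication logs without any vendor tooling. The following is an added example, not code from FireEye, SolarWinds or the article: it parses a constructed set of remote-access logon records, flags accounts whose external logons geolocate to more than one country, and flags source systems that authenticated as an unusually large number of distinct accounts (the one-to-many pattern). The log format, the IP-to-country table standing in for a real geolocation database, and the threshold are all assumptions made for illustration.

```python
"""Post-compromise logon checks: multi-location accounts and one-to-many sources.

Added example (not FireEye's or SolarWinds' code). Log format, GEO_DB and the
threshold are constructed for illustration; a real deployment would read VPN /
domain-controller logs and query a proper geolocation database.
"""
from collections import defaultdict

# Constructed IP -> country table standing in for a geolocation database.
# "INTERNAL" marks RFC 1918 space so intranet logons are not geolocated.
GEO_DB = {
    "203.0.113.10": "US",
    "198.51.100.7": "US",
    "192.0.2.44": "DE",
    "192.0.2.45": "BR",
    "10.0.0.5": "INTERNAL",
}

# Constructed logon records: "<timestamp> <account> <source_ip> <destination_host>".
SAMPLE_LOGONS = """\
2020-12-13T08:01:00Z alice 203.0.113.10 vpn-gw
2020-12-13T08:05:00Z alice 192.0.2.44 vpn-gw
2020-12-13T09:00:00Z bob 198.51.100.7 vpn-gw
2020-12-13T09:10:00Z svc_orion 10.0.0.5 srv-db01
2020-12-13T09:11:00Z admin1 10.0.0.5 srv-db01
2020-12-13T09:12:00Z admin2 10.0.0.5 srv-fs01
2020-12-13T09:13:00Z carol 10.0.0.5 srv-fs02
2020-12-13T10:00:00Z dave 192.0.2.45 vpn-gw
"""


def parse_logons(text):
    """Parse whitespace-separated logon lines into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dest = line.split()
        events.append({"ts": ts, "user": user, "src": src, "dest": dest})
    return events


def geolocate(ip, geo_db=GEO_DB):
    """Country code for an IP, or UNKNOWN when the table has no entry."""
    return geo_db.get(ip, "UNKNOWN")


def accounts_from_multiple_locations(events, geo_db=GEO_DB):
    """Accounts whose external (non-internal) logons come from more than one country.

    Returns {account: sorted list of countries}. A single account appearing from
    two countries is the signal FireEye's geolocation check is looking for.
    """
    locations = defaultdict(set)
    for e in events:
        country = geolocate(e["src"], geo_db)
        if country == "INTERNAL":
            continue
        locations[e["user"]].add(country)
    return {u: sorted(c) for u, c in locations.items() if len(c) > 1}


def one_to_many_sources(events, threshold=3):
    """Source systems that authenticated as at least `threshold` distinct accounts.

    Returns {source_ip: sorted list of accounts}. A workstation or server that
    logs on as many different accounts in a short span is the one-to-many
    relationship the LogonTracker guidance describes; the threshold is a
    constructed tuning value.
    """
    accounts = defaultdict(set)
    for e in events:
        accounts[e["src"]].add(e["user"])
    return {s: sorted(a) for s, a in accounts.items() if len(a) >= threshold}


if __name__ == "__main__":
    events = parse_logons(SAMPLE_LOGONS)
    print("accounts seen from multiple countries:", accounts_from_multiple_locations(events))
    print("one-to-many source systems:", one_to_many_sources(events))
```

On the constructed sample the first check reports `alice` (logons from US and DE four minutes apart) and the second reports `10.0.0.5`, which authenticated as four different accounts including the Orion service account. Both findings are leads to investigate, not verdicts; a jump host or a scanner legitimately produces one-to-many logons, so tune the threshold and maintain an allow list for known sources.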


FireEye, which discovered the breach, said the actors behind it, tracked as UNC2452, had trojanized SolarWinds' Orion business software updates to distribute malware FireEye has dubbed SUNBURST. Ben Read, senior manager of analysis at FireEye's Mandiant group, says UNC2452 is a distinct threat group that is not linked to any other tracked group at this time. The backdoor itself exists in a digitally signed component of the Orion software framework and is designed to communicate via HTTP to attacker-controlled servers.

According to FireEye, once installed on a system via the SolarWinds update, the malware lies dormant for up to two weeks before it begins retrieving and executing commands. Its capabilities include the ability to transfer and execute files, profile systems, disable system services, and reboot an infected system.

"The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity," FireEye said. The malware uses multiple techniques to identify anti-virus and other malware detection tools.

FireEye CEO Kevin Mandia described the campaign as likely the work of a sophisticated state-sponsored threat actor with top-tier resourcing and operational skills. Some within the industry have pointed to Russian intelligence agencies as being behind the attacks.

The attackers appear to have gone to significant lengths to observe traffic on victim networks and to blend signs of their own activity into normal network activity, Mandia said in a blog. The security vendor has released indicators of compromise and signatures for detecting SUNBURST threat activity on its public GitHub page.

Matt Walmsley, EMEA director at Vectra, says the attackers likely manipulated Security Assertion Markup Language (SAML) authentication tokens used in single sign-on to try to escalate privileges in the early stages of the campaign. They could then have used the illicitly gained privileges to move to SolarWinds' Microsoft 365 instance and use the built-in tools there to set up new privileged accounts, define email routing rules, conduct reconnaissance, gather data from SharePoint and OneDrive repositories, and set up automated workflows for running such malicious activities autonomously.

"IT administrators and security teams have access to highly privileged credentials as part of their legitimate work," Walmsley says. "Attacking the digital supply chain of their software tools is an attempt to gain penetration and persistence right at the heart of their operations."

The SolarWinds breach is not the first time that attackers have broken into a technology vendor's software update servers and used them to distribute malware. In 2018, attackers behind a malware campaign dubbed Operation ShadowHammer broke into one such server belonging to Taiwanese hardware maker ASUS and used their access to distribute malware disguised as legitimate software updates to ASUS customers that had enabled automatic updates. Security vendor Kaspersky disclosed the breach in March 2019 and described it as impacting hundreds of thousands of ASUS users, though it actually targeted only a very small percentage of them.

Security experts consider such attacks particularly dangerous because organizations often tend to treat patches, software updates, and other products from their technology vendors as trusted and secure. Very few actually go through the extra step of vetting updates or products from their trusted vendors for security issues, though experts have long cautioned they should.

Ayal Yogev, CEO of Anjuna Security, says the targeting of SolarWinds' Orion technology is significant because hundreds of thousands of organizations in government, banking, healthcare, and other critical industries use it to monitor their networks.

"The technology is typically bought by network managers, and in many cases may be purchased online at a price that does not require standard software procurement practices," Yogev says.

In fact, many organizations may not even realize they have it, he says.

"The good news is that SolarWinds does not directly contain confidential information," he says. "The bad news is that it provides a map to many components in an enterprise that may have vulnerabilities."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.

12/15/2020 | 4:19:42 PM
Solar Winds Orion compromise
Thanks for this very informative article!

I learned from it what happened and it jogged my memory: I had worked on a project years ago where the client was using Solar Winds. I reached out to the then project manager and he confirmed that they had just installed the new security patch AND their antivirus has already detected attempts to reinstall the hacked software components.

That means that the hackers have had plenty of time to shotgun multiple malware hacks onto their network in order to be able to re-establish their network compromises if some are detected & removed.

So, patched networks are likely far from fully recovered. Now begins the hard work of finding all the other compromises lurking in every nook & cranny, and probably playing whack-a-mole for a while until full integrity is restored.

Like teams already dealing with Covid need yet another source of stress around the holidays...