December 19, 2020

CISA: Attack on SolarWinds “poses grave risk”

SolarWinds Supply Chain Attack Leads to Dozens of High-Profile Compromises

This week it was revealed that malicious updates from a widely used IT solutions vendor, SolarWinds, were leveraged in advanced cyberattacks against high-profile organizations, including the cybersecurity vendor FireEye, the U.S. Departments of Commerce, Defense, Homeland Security, and Treasury, the U.S. Postal Service, and the National Institutes of Health.

On Thursday, December 17, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said that the intrusion “poses a grave risk” to federal, state and local governments as well as private companies and organizations.

Initially, attackers compromised networks belonging to SolarWinds, which develops software for businesses to help manage their networks, systems, and information technology infrastructure. One of SolarWinds’ products, Orion, was targeted for the attack.

Beginning in March 2020, the attackers replaced legitimate Orion network monitoring platform updates with malicious packages containing a backdoor, which gave the attackers access to victim networks. By targeting the supply chain of a widely used information technology product, the attackers turned a compromise at one company into an ocean of opportunity. SolarWinds Orion network monitoring tools are used by over 300,000 customers worldwide, including the compromised organizations listed above, all five branches of the U.S. military, and more than 425 of the Fortune 500 companies.

On Monday, December 14, CISA issued an emergency directive to U.S. government organizations requiring them to isolate affected SolarWinds systems by the end of the day, and to assume any vulnerable system was compromised. The CISA directive also suggests any systems monitored by the affected SolarWinds device or accounts used by it should be treated as if they are compromised.

In addition to the many known federal government victims of the attack, security firm FireEye announced that its internal systems had been compromised, with the attackers stealing proprietary offensive cyber tools the company uses for penetration testing engagements. Because these tools could be used by adversaries to compromise vulnerable targets, FireEye immediately released countermeasures that network defenders can use to identify attacks.

Although thousands of organizations were made vulnerable by this attack, experts think it likely that only several dozen organizations were compromised in follow-on attacks. The attack was carried out by a very sophisticated adversary and targeted high-profile American organizations of geopolitical importance, indicating a high likelihood that it was carried out by an advanced persistent threat (APT) acting on behalf of a national government. More information about the entities compromised and the extent to which their networks were compromised is sure to emerge in the coming weeks.

References


Krebs on Security: U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise
https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

NPR: U.S. Cyber Agency: Computer Hack Poses ‘Grave Risk’
https://www.npr.org/2020/12/15/946776718/u-s-scrambles-to-understand-major-computer-hack-but-says-little

FireEye: Unauthorized Access of FireEye Red Team Tools
https://www.fireeye.com/blog/threat-research/2020/12/unauthorized-access-of-fireeye-red-team-tools.html

DHS: Emergency Directive 21-01
https://cyber.dhs.gov/ed/21-01/

Reuters: Suspected Russian hackers spied on U.S. Treasury emails – sources
https://www.reuters.com/article/BigStory12/idUSKBN28N0PG
