Article

Solarwinds Attack

Published: Jun. 21, 2021

A review of our current cyber incident response

Summary of the incident

In early 2020, hackers infiltrated SolarWinds, a Texas-based software company, and slipped malicious code into its network management software, Orion. This allowed the hackers to turn a routine software update into a vehicle for a massive cyber attack. When the 18,000 SolarWinds customers that utilized Orion updated their systems in March 2020, they unknowingly created a backdoor. Hackers used this opening to install malware that enabled them to spy on users' networks. Fortune 500 companies, as well as numerous government agencies, were among the organizations breached through SolarWinds. FireEye, a cybersecurity firm, was the first to notice the hack when it realized its systems had been breached.

Investigations

On April 15, 2021, the Biden administration officially attributed the attack to Russia’s Foreign Intelligence Service (SVR) and issued sanctions against Russian technology companies and government officials. The repercussions of the attack and its implications for the cybersecurity of American federal agencies are still being examined.

On April 27, 2021, the New York Department of Financial Services released its report into the SolarWinds attack. It found that the attack's first phase took place around September 2019, when hackers first accessed Orion and tested their ability to insert malicious code into the software. After this initial test run, the hackers inserted the Sunburst malware into Orion on February 20, 2020. Between March and June of that year, SolarWinds disseminated corrupted updates for Orion to its 18,000 Orion customers.

On December 12, 2020, FireEye notified SolarWinds about the existence of Sunburst. SolarWinds responded by issuing patches that removed Sunburst on December 14 and 15. On December 24, SolarWinds announced another vulnerability, Supernova, that was found in version of Orion that had Sunburst and in those that did not.On January 25, 2021, SolarWinds released two more patches that addressed both Sunburst and Supernova.

The New York Department of Financial Services concluded that both vulnerabilities allowed hackers to access an Orion customer's internal network and its non-pubic information. The Department alerted companies about the SolarWinds hack on December 18, 2020, and advised companies to assess the risk to their systems from the SolarWinds attack and instructed its regulated companies to notify DFS, pursuant to its Cybersecurity Regulation, if they were using, or had used, any of the corrupted Orion products.

SentinelOne's Threat Intelligence and Malware Analysis Division, SentinelLabs, published an analysis of Sunburst, the trojanized version of the SolarWinds Orion plug-in that was used as a backdoor in the SolarWinds hack. They discovered that Sunburst waits 12 days before it executes. After the 12-day period, Sunburst looks for a list of processes, services, and drivers before taking action. If the code identifies any of the process on the list, namely monitoring and research tools, Sunburst exists and does not run. If Sunburst identifies any services on the list, it goes into the registry and tries to disable them. The third list contains drivers that, if identified, tell Sunburst to exit before initiating any C2 communication or enabling additional payloads.

On February 23, 2021, the House Committees on Oversight and Reform and Homeland Security held a hearing that included Sudhakar Ramakrishna, CEO of SolarWinds,Kevin Mandia,CEO of FireEye, and Brad Smith, President of Microsoft. That same day, the Senate Intelligence Committee held a hearing on the SolarWinds hack.

Recommendations and Policy Changes

In response to the SolarWinds attack, the Biden administration launched a course for policymakers worldwide on the policy and technical aspects of publicly attributing cyber incidents, which will be inaugurated in 2021 at the George C. Marshall Center in Garmisch, Germany. The administration also instructed the Department of Defense to incorporate additional allies, including the UK, France, Denmark, and Estonia, into the planning for CYBER FLAG 21-1, which is an exercise designed to improve the U.S.' defensive capabilities and resiliency in cyberspace.

The New York Department of Financial Services implored companies to fully access and address third party risk; adopt a "zero trust" approach and implement multiple layers of security; implement a vulnerability management program that prioritizes the organization’s patch testing, validation processes, and deployment – including which systems to patch and in what order they should be patched; and address supply chain compromises in incident response plans.

Government Reports

The New York State Department of Financial Services (DFS) called the SolarWinds attack the most "visible, widespread, and intrusive information technology software supply chain attack" to date. Some key findings from the report are
To date, no DFS-regulated company has reported that the hackers behind the SolarWinds Attack actively exploited their company’s network. This is consistent with other reporting that financial services companies were not actively targeted for exploitation. Overall, DFS-regulated companies responded to the SolarWinds Attack swiftly and appropriately. For example, 94% of impacted companies removed the vulnerability announced by SolarWinds on December 13 from their networks within 3 days by disconnecting vulnerable systems from their networks and/or patching them. Several DFS regulated companies’ patch management programs are immature and lack the proper “patching cadence”5 needed to ensure timely remediation of high-risk cyber vulnerabilities. Link to report
On February 23, 2021, the Senate Intelligence Committee held a hearing on the SolarWinds hack. Those invited to testify before the Committee included:
Kevin Mandia,CEO of FireEye Opening Statement Sudhakar Ramakrishna, CEO of SolarWinds Opening Statement Brad Smith, President of Microsoft Opening Statement George Kurtz, President and CEO of CrowdStrike Opening Statement Link to hearing
On February 19, 2021, Oregon Senator Ron Wyden wrote Brandon Wales, Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), to inquire about EINSTEIN's role in the SolarWinds attack. "I am particularly concerned," Wyden wrote, "that the government's $6 billion EINSTEIN cybersecurity system failed to promptly detect the hacks even years after warnings about EINSTEIN's vulnerability to such a campaign."
Link to Wyden's Letter
On June 3, 2021, Brandon Wales, Acting Director of the Cybersecurity and Infrastructure Security Agency (CISA), wrote to Senator Ron Wyden in response to the Senator's questions around the EINSTEIN program and its role in the SolarWinds attack. Wales explains that EINSTEIN is a part of CISA's broader strategy to protect federal civilian agencies. To that end, Wales explains, EINSTEIN is an "intrusion detection system, looking at the perimeter of a network and examining traffic that is coming from outside the network to inside the network and not designed to detect an unknown threat like the SolarWinds attack." Wales goes on to say that SolarWinds showed that EINSTEIN "must be supplemented with capabilities that enable us to look inside the network to better detect in-network intrusions."
Link to Wales' Letter
On May 25, 2021, the House Committee on Science, Space, and Technology held a hearing on the SolarWinds hack. The witnesses included Mr. Matthew Scholl, Chief, Computer Security Division of the Information Technology Laboratory, National Institute of Standards and Technology (NIST); Dr. Trey Herr, Director, Cyber Statecraft Initiative, Atlantic Council; Ms. Katie Moussouris, Founder and CEO, Luta Security; and Mr. Vijay D’Souza, Director, Information Technology and Cybersecurity, Government Accountability Office (GAO).
Link to transcripts of hearing

Private Sector Reports

The Atlantic Council's Scowcroft Center for Strategy and Security and its Cyber Statecraft Initiative published a report that identified three overarching lessons from the SolarWinds hack:
First, states have compromised sensitive software supply chains before. The role of cloud computing as a target is what takes SolarWinds from another in a string of supply-chain compromises to a significant intelligence-gathering coup. Second, the United States could have done more to limit the harm of this event, especially by better prioritizing risk in federal technology systems, by making the targeted cloud services more easily defensible and capable by default, and by giving federal cybersecurity leaders better tools to adapt and govern their shared enterprise. Third, SolarWinds was a failure of strategy much more than it was just an IT risk-management foul-up or the success of a clever adversary. Link to report
SentinelOne's Threat Intelligence and Malware Analysis Division, SentinelLabs, published an analysis of SUNBURST, the trojanized version of the SolarWinds Orion plug-in that was used as a backdoor in the SolarWinds hack. Their analysis describe how SUNBURST's malicious code looks for processes, services, and drivers to create an effective backdoor into the infected networks. Link to report
After FireEye published its blog on the SolarWinds hack in December 2020, Volexity was able to tie these attacks to multiple incidents it worked in late 2019 and 2020 at a US-based think tank. Volexity tracks this threat actor under the name Dark Halo. At this US-based think tank, which remains anonymous, Volexity worked three separate incidents involving Dark Halo. In the initial incident, Volexity found multiple tools, backdoors, and malware implants that had allowed the attacker to remain undetected for several years. After being extricated from the network, Dark Halo then returned a second time, exploiting a vulnerability in the organization's Microsoft Exchange Control Panel. Near the end of this incident, Volexity observed the threat actor using a novel technique to bypass Duo multi-factor authentication (MFA) to access the mailbox of a user via the organization's Outlook Web App (OWA) service. Finally, in a third incident, Dark Halo breached the organization by way of its SolarWinds Orion software in June and July 2020. The primary goal of the threat actor was to obtain the e-mails of specific individuals at the think tank. This included a handful of select executives, policy experts, and the IT staff at the organization. Volexity notes its investigations are directly related to the FireEye report based on overlap between command-and-control (C2) domains and other related indicators such as a backdoored server running SolarWinds Orion. Link to report

Recommended citation

Bueno, Felipe. “Solarwinds Attack.” June 21, 2021

Author

A review of our current cyber incident response

New York State Department of Financial Services Report

The Biden Administration's Response

United States Senate Select Committee on Intelligence, Hearing on SolarWinds

United States House Committees on Oversight and Reform and Homeland Security, Hearing on SolarWinds

Letter from Senator Ron Wyden (D-OR) to Brandon Wales, Acting Director of the Cybersecurity and Infrastructure Security Agency

Brandon Wales' response to Senator Ron Wyden's inquiry

U.S. House of Representatives Committee on Science, Space, and Technology, Subcommittee on Investigations and Oversight and Subcommittee on Research and Technology

Broken Trust: Lessons from Sunburst, The Atlantic Council report

SentinelOne Analysis of SUNBURST backdoor

Palo Alto Networks’ Unit 42 Timeline of SolarWinds Hack

Volexity Analysis of Threat Actor "Dark Halo"

Felipe Bueno