The SolarWinds attacks: What we know so far

While there are still many unanswered questions about the devastating SolarWinds backdoor attacks, the scope and impact of the attacks came further into focus over the holidays.

On Sunday, Dec. 13, it was revealed that the Austin-based IT management software company SolarWinds was hit by a supply chain attack that compromised updates for its Orion software platform. As part of this attack, threat actors inserted their own malware, now known as Sunburst or Solorigate, into the updates, which were distributed to many SolarWinds customers.

The first confirmed victim of this backdoor was FireEye, which disclosed on Dec. 8 that it had been breached by suspected nation-state hackers. But it was soon revealed that that SolarWinds attacks affected other organizations, including tech giants and U.S. government agencies. Thankfully, the immediate threat of the attack has since been mitigated by a fast response from multiple companies and agencies, as well as a kill switch created by Microsoft and FireEye.

In recent weeks, there have been additional developments that have shed light on the nature of the attacks as well as the U.S. government's response to them. Here's a look at some of those recent developments.

Editor's note: This article will be updated with future developments as they occur.

1/5/21 -- U.S. government acknowledges Russia's likely involvement

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI) and the NSA released a joint statement on Jan. 5 discussing the President Trump-backed Cyber Unified Coordination Group (UCG), a task force formed in December involving all four organizations and created to investigate and remediate the SolarWinds hack that compromised multiple government networks.

For the first time, the government publicly suggested that Russian threat actors were responsible in the statement.

"This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence gathering effort. We are taking all necessary steps to understand the full scope of this campaign and respond accordingly," the statement reads.

In addition, the statement says that, regarding those impacted by the attack, they have "so far identified fewer than ten U.S. government agencies that fall into this category."

12/31/20 -- Microsoft announces breach

The Microsoft Security Response Center released a blog post on Dec. 31 that provided an update on its investigation of Sunburst (referred to by the company as Solorigate) malware, the malware used in the SolarWinds attack that impacted victims including FireEye and the U.S. government. The post reveals that a presumably rogue internal account was used to "view source code in a number of source code repositories."

The post points out in bold text that first and foremost, Microsoft customer data is safe.

"Our investigation into our own environment has found no evidence of access to production services or customer data. The investigation, which is ongoing, has also found no indications that our systems were used to attack others," it read.

The blog goes on to say that while malicious SolarWinds applications were detected internally and subsequently removed, Microsoft's investigation revealed that there was unusual activity detected in a small number of accounts, including the aforementioned source code viewing.

"We detected unusual activity with a small number of internal accounts and upon review, we discovered one account had been used to view source code in a number of source code repositories. The account did not have permissions to modify any code or engineering systems and our investigation further confirmed no changes were made. These accounts were investigated and remediated," the post read.

According to Microsoft, there is no increase in risk associated with viewing source code because their threat models "assume that attackers have knowledge of source code." Moreover, while they don't generally share source code publicly, their "inner source" culture suggests that the source code isn't necessarily a massive secret inside of Microsoft.

12/30/20 -- CISA updates directive for federal agencies

CISA added a new supplemental guidance to its SolarWinds hack mitigation directive on Dec. 30.

Federal agencies are required to use "at least SolarWinds Orion Platform version 2020.2.1HF2" (the current version of the platform) as "The National Security Agency (NSA) has examined this version and verified that it eliminates the previously identified malicious code."

In addition, it reaffirms that machines using Orion Platform Version 2019.4 HF5, 2020.2 RC1, 2020.2 RC2, 2020.2, 2020.2 HF1 are not currently permitted to be active, and should be shut down or removed from networks.

12/29/20 -- SolarWinds statement mentions that there may be other victims

In a Dec. 29 statement by SolarWinds, the company discussed its "commitment to cooperation." Much of the statement broadly discussed the attack and a promise to continue working with enterprises and government authorities in ongoing investigations.

"In response to this attack, we are supporting our customers, hardening our products and systems, working with industry-leading third-party cybersecurity experts, and collaborating with our partners, vendors, law enforcement, and intelligence agencies around the world," the statement reads.

In addition, the first paragraph of the statement refers to other potential victims, though it does not suggest any internal knowledge (as of its publishing) that confirms such targets.

"SolarWinds customers in both the private and public sectors also were victims of this Sunburst attack, and there have been media reports that other software companies may have been targeted as well. We are currently the most visible victim of this attack, but we are likely not alone," it reads.

12/24/20 -- SolarWinds addresses 'Supernova' backdoor

On Dec. 24, SolarWinds released an updated security advisory regarding the second backdoor discovered by Palo Alto Networks researchers, dubbed Supernova. In addition to the .Net webshell, SolarWinds' investigation found the Supernova malware required the exploitation of a vulnerability in the Orion software platform, which the vendor patched in the most recent updates. In addition, SolarWinds said unlike Sunburst, Supernova was not the result of a supply chain attack.

"Supernova is not malicious code embedded within the builds of our Orion Platform as a supply chain attack," the advisory said. "It is malware that is separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."

12/17/20 -- Second backdoor discovered in SolarWinds

On Dec. 17, Palo Alto Networks published research that identified a second backdoor, dubbed "Supernova," inside SolarWinds' Orion platform. During an analysis of Orion artifacts used in the Sunburst attacks, Palo Alto Networks researchers discovered a sophisticated .NET DLL file that allowed threat actors to arbitrarily configure Orion platforms and run malicious code on vulnerable systems. Perhaps more importantly, the researchers believed the Supernova backdoor was implanted by different threat actors than the nation-state adversaries that conducted the initial supply chain attacks, which Palo Alto Networks called "SolarStorm."

"The Supernova webshell's association with the SolarStorm actors is now questionable due to the aforementioned .DLL not being digitally signed, unlike the Sunburst .DLL," the researchers wrote. This may indicate that the webshell was not implanted early in SolarWinds' software development pipeline as was Sunburst, and was instead dropped by a third party."

On Dec. 18, Microsoft posted similar findings about the second DLL file and backdoor, which "has been determined to be likely unrelated to this compromise and used by a different threat actor." It's unclear who that threat actor is and what their goals were.