Editor's note
The pervasiveness of the SolarWinds backdoor attack, the sophistication of the hackers behind it and the number of high-profile victims make it the biggest cyber attack of 2020 -- and possibly the past decade.
The ongoing SolarWinds breach also shines a light on how dangerous a supply chain attack can be and gives infosec pros yet another reason to evaluate their security systems and processes.
FireEye Inc. disclosed on December 13, 2020 that suspected nation-state hackers had successfully carried out a vast supply chain attack on SolarWinds Orion, a popular IT performance monitoring platform. The attack allowed threat actors to access government and enterprise networks worldwide.
The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence said in a joint statement with the FBI on December 17 that the attacks are ongoing and widespread.
Major tech companies, including Cisco, Intel, Microsoft and Nvidia, reported malicious SolarWinds updates, though the companies say there is no evidence that threat actors breached their networks.
On January 6, the U.S. Department of Justice published a statement saying the global SolarWinds incident affected multiple federal agencies -- including the Justice Department's Microsoft Office 365 email system. The breach appears to have affected 3% of the Office 365 mailboxes, and the Department said there's no indication that classified information was affected.
Investigations into the SolarWinds backdoor cyber attack so far point to Russian espionage.
Here, we provide everything you need to know about the SolarWinds breach, how it infiltrates systems, and the ongoing response from infosec industry experts and vendors.
1. The latest SolarWinds breach news
Victims of the SolarWinds backdoor attack continue to be revealed as big tech companies and organizations discover malware infections and act to mitigate risks.
The SolarWinds backdoor malware hit Orion Platform versions 2019.4 HF5 through 2020.2.1, which were released between March 2020 and June 2020.
On Dec. 24, SolarWinds disclosed a second backdoor, discovered by Palo Alto Networks researchers, dubbed Supernova. The Supernova malware required the exploitation of a vulnerability in the Orion software platform, which SolarWinds had patched in a recent update. Unlike Sunburst, Supernova was not a supply chain attack.
Here's the latest news on the ongoing SolarWinds backdoor breach.
- Article: SolarWinds chases multiple leads in breach investigation
  Investigators at SolarWinds are exploring multiple theories as to how the company's systems were compromised.
- Article: SolarWinds Office 365 environment compromised
  SolarWinds CEO Sudhakar Ramakrishna said nation-state threat actors first compromised a single email account and later gained access to the company's Orion platform environment.
- Article: Mimecast certificate compromised by SolarWinds hackers
  Mimecast conducted an investigation after being alerted by Microsoft that a certificate for Microsoft 365 Exchange Web Services authentication was stolen by a sophisticated actor.
- Article: Malwarebytes breached by SolarWinds hackers
  Malwarebytes, which is not a SolarWinds customer, confirmed that nation-state actors used an entirely different vector to breach the antimalware vendor and access internal emails.
- Article: SolarWinds backdoor infected tech giants, impact unclear
  Fallout from the SolarWinds backdoor cyber attack continues as several major tech companies report they were infected by malicious software updates.
- Podcast: SolarWinds attacks come into focus
  Several major organizations, including Microsoft and the U.S. Department of Justice, have disclosed breaches due to SolarWinds. TechTarget news editors discuss the scope of the backdoor attacks.
- Article: 10 of the biggest cyber attacks of 2020
  Here is a list of 10 of the largest cyber attacks of a pandemic-dominated 2020, including several devastating ransomware incidents and a massive supply chain attack.
2. How the SolarWinds breach happened
Threat actors had access to SolarWinds' environment from 2019, according to the company's later findings, and beginning in March 2020 trojanized builds of the Orion platform reached customers. The backdoor ran once customers installed the tampered update.
FireEye's threat research on the breach shows that a digitally signed SolarWinds component of the Orion software framework contains a backdoor that communicates over HTTP with third-party servers. FireEye dubbed the trojanized version of the SolarWinds Orion plugin Sunburst.
"After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs,' that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services," FireEye reported.
The malware "masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers."
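The page describes the beacon behaviour but not how a defender would look for it. The following is an added example, not code from FireEye, SolarWinds or this article: it scans DNS resolver logs for lookups under avsvmcloud[.]com, the beacon domain the kill-switch item in section 3 names, and reports which internal hosts resolved it and when. The log line format, client addresses and the subdomain labels in the sample are constructed for the example.

```python
"""Hunt for Sunburst-style beacon lookups in DNS resolver logs.

Added example for this page; not code from FireEye, SolarWinds or
TechTarget. The log format, client addresses and subdomain labels are
constructed for the example.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Beacon apex domain reported by FireEye and named on this page.
BEACON_APEX = "avsvmcloud.com"

# Constructed resolver log format: "<ISO-8601 timestamp> <client-ip> <qname> <qtype>"
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(A|AAAA|CNAME|TXT)$")


@dataclass
class Hit:
    client: str
    first_seen: datetime
    last_seen: datetime
    qnames: set = field(default_factory=set)


def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing dot that resolvers often log."""
    return qname.lower().rstrip(".")


def is_beacon_qname(qname: str) -> bool:
    """True for avsvmcloud.com itself or any subdomain of it.

    The check is anchored on a label boundary so that a lookalike such as
    notavsvmcloud.com does not match."""
    name = normalize_qname(qname)
    return name == BEACON_APEX or name.endswith("." + BEACON_APEX)


def scan_dns_log(lines):
    """Return {client_ip: Hit} for every client that resolved a beacon name."""
    hits = {}
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip malformed lines instead of aborting the hunt
        ts_text, client, qname, _qtype = match.groups()
        if not is_beacon_qname(qname):
            continue
        ts = datetime.fromisoformat(ts_text)
        hit = hits.get(client)
        if hit is None:
            hits[client] = Hit(client, ts, ts, {normalize_qname(qname)})
        else:
            hit.first_seen = min(hit.first_seen, ts)
            hit.last_seen = max(hit.last_seen, ts)
            hit.qnames.add(normalize_qname(qname))
    return hits


def summarize(hits):
    """One report line per client, ordered by first sighting."""
    return [
        f"{h.client}: {len(h.qnames)} beacon name(s), "
        f"first {h.first_seen.isoformat()} last {h.last_seen.isoformat()}"
        for h in sorted(hits.values(), key=lambda h: h.first_seen)
    ]


# Constructed sample log. The subdomain labels are placeholders; the real
# beacons carried an encoded victim identifier in that position.
SAMPLE_LOG = [
    "2020-03-30T02:15:07 10.20.30.40 notavsvmcloud.com A",
    "2020-04-02T03:11:45 10.20.30.40 placeholderlabel1.appsync-api.us-west-2.avsvmcloud.com. A",
    "2020-04-02T03:12:01 10.20.30.40 swupdate.corp.example A",
    "this line is not in the expected format",
    "2020-04-05T18:40:12 10.20.30.41 PLACEHOLDERLABEL2.appsync-api.eu-west-1.AVSVMCLOUD.COM A",
    "2020-04-09T07:02:33 10.20.30.40 placeholderlabel1.appsync-api.us-west-2.avsvmcloud.com A",
]

if __name__ == "__main__":
    for line in summarize(scan_dns_log(SAMPLE_LOG)):
        print(line)
```

Because the backdoor stays dormant for up to two weeks after installation, the look-back window for this hunt should extend well past the date an affected Orion update was applied. A resolution of the beacon domain is evidence that the trojanized DLL ran on that host even after the domain was sinkholed, so a hit still warrants a host investigation rather than being dismissed as neutralized.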
- Article: SolarWinds backdoor used in nation-state cyber attacks
  U.S. government agencies and security experts urged IT pros to immediately review their networks after a backdoor was discovered in the popular SolarWinds IT monitoring software.
- Article: FireEye red team tools stolen in cyber attack
  FireEye's testing tools were compromised by SolarWinds attackers who appeared to target information related to certain government customers.
- Podcast: SolarWinds backdoor shakes infosec industry
  TechTarget's security news editors discuss the massive SolarWinds backdoor supply chain attacks.
- Article: SolarWinds breach highlights dangers of supply chain attacks
  A sophisticated supply chain cyber attack targets one link in a software chain, leading to far-reaching and devastating consequences for victims.
- Article: SolarWinds attack almost certainly work of Russian spooks
  Investigations into the far-reaching SolarWinds Solorigate attack did not let up during the holidays.
- Article: SolarWinds confirms supply chain attack began in 2019
  SolarWinds and CrowdStrike published updates Monday that added new information for the timeline of the supply chain attack and how threat actors first gained access.
3. IT industry, vendors respond
Once the SolarWinds backdoor was identified, software vendors and IT security experts worked to identify network impacts, issue updates and apply fixes, while marveling at the sophistication and long-term implications of this massive cyber attack.
- Article: Microsoft, SolarWinds in dispute over nation-state attacks
  The latest investigation updates from SolarWinds and Microsoft offer differing views on how nation-state threat actors compromised SolarWinds' environment.
- Article: FireEye releases new tool to fight SolarWinds hackers
  The new tool, dubbed Azure AD Investigator, will help audit Microsoft 365 environments for techniques used by the nation-state actors behind the SolarWinds supply chain attack.
- Article: Microsoft, FireEye deliver kill switch for SolarWinds backdoor
  The kill switch affects new and previous Sunburst infections by disabling Sunburst deployments that beacon to avsvmcloud[.]com.
- Article: SolarWinds struggles with response to supply chain attack
  SolarWinds took immediate steps to address the breach and issued a cybersecurity advisory, but issues remained in the vendor's response.
- Article: Biden picks cyber veteran to reinvigorate security response
  The Biden administration is poised to take a hard-line approach to nation-state attackers like Russia, which is suspected to be behind the SolarWinds attack.
- Article: SolarWinds attack stumps SecOps pros
  SecOps experts are reeling from the sophistication of the attack and its implications for enterprise security.
- Article: SolarWinds CEO sets out rescue plan
  SolarWinds has called in help, including former U.S. government security lead Chris Krebs and cybersecurity experts with forensics expertise.