On 13 December 2020, FireEye announced its discovery of a supply chain cyberattack involving the deployment of malware via software updates on a SolarWinds product called SolarWinds Orion. Orion is an IT network-monitoring service that was used by 30,000 organisations at the time of the breach, including most US Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East. The US Department of Justice (DoJ) confirmed that it was breached by the supply chain cyberattack on 6 January 2021 and it was later reported that the US Treasury, the federal judiciary and departments of commerce, defence, homeland security, energy and state had also been affected, along with Microsoft.
In an “orangematter” blog post, dated 11 January 2021, SolarWinds provided an overview of the timeline of the cyberattack as established by its forensic teams. A threat actor was believed to have first accessed the company’s internal systems on 4 September 2019, though there has since been speculation that the network may have been infiltrated as early as January 2019. The threat actor injected test code from 12 September 2019 until 4 November 2019, as a result of which the October 2019 Orion Platform update contained modifications. The company claimed that this was likely a means of testing the hackers’ ability to insert code into the company’s software. Following the trial, the threat actor updated its malicious code and deployed Sunburst on to Orion releases from 20 February 2020, distributing backdoor entryways to thousands of SolarWinds customers. Once the software had been updated, Sunburst would remain dormant for up to two weeks before trojanising the host system and sending ostensibly harmless domain name system (DNS) requests, disguised as performance-data communications, to hackers via the internet. The requests permitted hackers to access systems that had downloaded the software update and provided information to assist them in determining which networks to focus on. SolarWinds later reported that the system intrusion was facilitated by multiple servers based in the USA.
The Sunburst code went undetected and was removed from the SolarWinds environment by the threat actor on 4 June 2020. Deep Dive SolarWinds investigated and remediated various vulnerabilities on the Orion Platform over the given period but it was not until FireEye notified the company on 12 December 2020 that the vulnerabilities were recognised to be part of a malicious code attack. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on 13 December 2020, which called for all federal civilian executive branch departments and agencies to review their computer networks and disconnect devices affected by the known compromise involving SolarWinds Orion products. On 14 December 2020, SolarWinds informed the US Securities and Exchange Commission (SEC) that its Orion products and updates released between March 2020 and June 2020 had been subject to a cyberattack. Its report detailed that the malware had been introduced due to a compromise of the Orion software build system and had not been present in the source code repository of the Orion products. On 17 December 2020, the CISA issued an alert stating that the compromise was caused by an advanced persistent threat actor (APT). On the following day, the New York Department of Financial Services (DFS) published a supply chain compromise alert notifying all DFS-regulated entities of the SolarWinds attack.
In response to the cyberattack, SolarWinds launched an investigation to reveal its scope and impact and implement remedial measures to curb its effects. On 14 and 15 December 2020, SolarWinds released a patch designed to remove Sunburst from affected systems. However, the investigation of the initial compromise led to the discovery of Supernova. This was a separate malware that targeted Orion and its detection forced the company to develop a further three patches to address the malware, which were released on 23 December 2020. On 11 January 2021, SolarWinds reported it had located the highly sophisticated and novel malicious code injection source used by the perpetrators to insert Sunburst into builds of its Orion software. It also claimed to have reverse-engineered the code responsible for the intrusion to better understand the malware tool and attack. SolarWinds released an additional two patches to address Sunburst and Supernova on 25 January 2021.
In the wake of the incident, several unanswered questions remain. The White House was able to provide some clarity over the suspected identity of the perpetrators when, in a statement on 15 April 2021, it formally asserted that the Russian Foreign Intelligence Service (SVR) was responsible for the attack. It added that it had “high confidence” in its assessment and that “the scope of this compromise [was] a national security and public safety concern”. The tribulations of US government departments has been comparatively well documented and it has been reported that nine government agencies were affected in total. Aside from this, however, the full impact of the hack on the financial sector has been difficult to determine and SolarWinds has not publicly disclosed how hackers were able to initially gain entry into its systems.
