
Deep Dive - December 2022

Malware attack on SolarWinds compromises US government and Microsoft among 18,000 customers.


In December 2020, it emerged that third-party software provider SolarWinds had suffered a malware attack compromising its customers’ networks. Though the full impact of the cyberattack remains unclear, the incident sent shockwaves through the financial industry as it underlined the risk posed to financial institutions by supply chain vulnerabilities. Following the attack, the industry is taking action to adapt in the face of this threat.
Find out more about this major operational risk loss event by downloading the free Deep Dive from ORX News.

The Deep Dive, usually only available to ORX News subscribers, provides vital information about this information security event, including:

  • A detailed explanation of the event
  • Attack method
  • Internal risk factors, including inadequate cybersecurity 
  • External risk factors, including state-backed threat actors
  • Remedial measures taken in response to the event
  • Financial and non-financial impacts

Download the free Deep Dive for all this information and more.

Executive summary

On 13 December 2020, FireEye announced its discovery of a supply chain cyberattack in which malware had been deployed via software updates to a SolarWinds product called SolarWinds Orion. Orion is an IT network-monitoring platform that was used by around 30,000 organisations at the time of the breach, including most US Fortune 500 companies and government agencies in North America, Europe, Asia and the Middle East. On 6 January 2021 the US Department of Justice (DoJ) confirmed that it had been breached through the supply chain attack, and it was later reported that the US Treasury, the federal judiciary and the departments of commerce, defence, homeland security, energy and state had also been affected, along with Microsoft.

In an “orangematter” blog post dated 11 January 2021, SolarWinds provided an overview of the cyberattack timeline as established by its forensic teams. The threat actor was believed to have first accessed the company’s internal systems on 4 September 2019, though there has since been speculation that the network may have been infiltrated as early as January 2019. The threat actor injected test code from 12 September 2019 until 4 November 2019, as a result of which the October 2019 Orion Platform update contained modifications. The company considered this a likely test of the attackers’ ability to insert code into its software. Following the trial, the threat actor updated its malicious code and deployed Sunburst in Orion releases from 20 February 2020, distributing a backdoor to thousands of SolarWinds customers. Once the update was installed, Sunburst would remain dormant for up to two weeks before activating and sending seemingly harmless domain name system (DNS) requests, disguised as performance-data communications, to attacker-controlled infrastructure over the internet. These requests gave the attackers a foothold on systems that had installed the update and supplied information that helped them decide which networks to focus on. SolarWinds later reported that the intrusion was facilitated by multiple servers based in the USA.
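The beaconing described above is the kind of traffic a network defender can hunt for in resolver logs. The following Python script is an added example for this page, not code from the ORX report, FireEye or SolarWinds, and it uses generic heuristics rather than any real Sunburst indicator: it groups queries per client and parent domain, flags long, high-entropy leftmost labels (data encoded into the query name) and checks whether those queries arrive at a regular cadence. The log lines, client addresses and the telemetry.example.net domain are all constructed for the example.

```python
"""Flag hosts whose DNS queries look like covert beacons: long, high-entropy
subdomain labels under one parent domain, sent at a regular cadence.
Added example for this page; the heuristics are generic, not Sunburst-specific."""
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log ("timestamp client qname"). Hosts and domains are
# hypothetical; 10.1.1.55 is the simulated beaconing host.
SAMPLE_LOG = """\
2020-03-10T08:00:00 10.1.1.20 www.example.com
2020-03-10T08:00:05 10.1.1.20 updates.example.com
2020-03-10T08:00:00 10.1.1.55 7fk9dj3ls0q2x8h1vb4nmc5e.telemetry.example.net
2020-03-10T08:30:01 10.1.1.55 k2m8sd01pq7xz4ng3hb6vc9r.telemetry.example.net
2020-03-10T09:00:02 10.1.1.55 q9wd4lf8zx2nv7bk1hs3mp6t.telemetry.example.net
2020-03-10T09:30:00 10.1.1.55 x3bz8nv2kq5hs1dl7wm4fp0g.telemetry.example.net
2020-03-10T09:31:00 10.1.1.55 mail.example.com
2020-03-10T09:45:00 10.1.1.77 api.telemetry.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character of a label; a 24-char label of distinct chars scores ~4.6."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    """Yield (timestamp, client, qname) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname = m.groups()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip(".")


def detect_beacons(text, *, parent_labels=2, min_queries=3,
                   min_label_len=16, min_entropy=3.5, max_cv=0.2):
    """Return findings for (client, parent-domain) groups that look like beacons.
    The parent domain is the last `parent_labels` labels, an approximation of the
    registrable domain (a real deployment would consult the public suffix list)."""
    groups = defaultdict(list)
    for ts, client, qname in parse_log(text):
        labels = qname.split(".")
        if len(labels) <= parent_labels:
            continue
        parent = ".".join(labels[-parent_labels:])
        groups[(client, parent)].append((ts, labels[0]))

    findings = []
    for (client, parent), events in groups.items():
        events.sort()
        # Encoded-data check: leftmost label is long and high-entropy.
        encoded = [lbl for _, lbl in events
                   if len(lbl) >= min_label_len and shannon_entropy(lbl) >= min_entropy]
        if len(encoded) < max(min_queries, 3):
            continue
        # Cadence check: coefficient of variation of the gaps between encoded queries.
        times = [ts for ts, lbl in events if lbl in encoded]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        if cv > max_cv:
            continue
        findings.append({
            "client": client,
            "domain": parent,
            "queries": len(encoded),
            "mean_interval_s": round(mean_gap),
            "cv": round(cv, 3),
            "mean_entropy": round(statistics.mean(shannon_entropy(l) for l in encoded), 2),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(SAMPLE_LOG):
        print(finding)
```

On the constructed log the script reports only 10.1.1.55 against example.net, with four encoded queries roughly 1800 seconds apart. Legitimate CDN and telemetry traffic also uses hashed labels, so in practice the entropy check alone is noisy; the cadence check and an allowlist of known services are what make the heuristic usable.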

The Sunburst code went undetected and was removed from the SolarWinds environment by the threat actor on 4 June 2020. SolarWinds investigated and remediated various vulnerabilities on the Orion Platform during this period, but it was not until FireEye notified the company on 12 December 2020 that the vulnerabilities were recognised as part of a malicious code attack. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on 13 December 2020 calling for all federal civilian executive branch departments and agencies to review their networks and disconnect devices affected by the known compromise of SolarWinds Orion products. On 14 December 2020, SolarWinds informed the US Securities and Exchange Commission (SEC) that its Orion products and updates released between March 2020 and June 2020 had been subject to a cyberattack. Its report stated that the malware had been introduced through a compromise of the Orion software build system and had not been present in the source code repository of the Orion products. On 17 December 2020, CISA issued an alert stating that the compromise was the work of an advanced persistent threat (APT) actor. On the following day, the New York Department of Financial Services (DFS) published a supply chain compromise alert notifying all DFS-regulated entities of the SolarWinds attack.

In response to the cyberattack, SolarWinds launched an investigation to establish its scope and impact and to implement remedial measures. On 14 and 15 December 2020, SolarWinds released a patch designed to remove Sunburst from affected systems. However, the investigation of the initial compromise led to the discovery of Supernova, separate malware targeting Orion, and its detection prompted the company to develop three further patches, released on 23 December 2020. On 11 January 2021, SolarWinds reported that it had located the highly sophisticated and novel code injection source used by the perpetrators to insert Sunburst into builds of its Orion software. It also said it had reverse-engineered the code responsible for the intrusion to better understand the tool and the attack. SolarWinds released two additional patches addressing Sunburst and Supernova on 25 January 2021.

In the wake of the incident, several questions remain unanswered. The White House provided some clarity over the suspected identity of the perpetrators when, in a statement on 15 April 2021, it formally asserted that the Russian Foreign Intelligence Service (SVR) was responsible for the attack. It added that it had “high confidence” in its assessment and that “the scope of this compromise [was] a national security and public safety concern”. The experience of US government departments has been comparatively well documented, and it has been reported that nine government agencies were affected in total. Beyond this, however, the full impact of the hack on the financial sector has been difficult to determine, and SolarWinds has not publicly disclosed how the attackers initially gained entry to its systems.


About ORX News

ORX News is the industry’s leading source of operational risk loss events. Firms can subscribe for exclusive data and analysis tailored to the banking, insurance, and asset management sectors.

How does it work?

Our team of dedicated researchers can collectively speak over seven major languages. Accessing recent operational and non-financial risk (ONFR) loss events is made effortless through the ORX News website, where they are summarised in English, categorised, searchable, and exportable. ORX News keeps you informed and connected with the latest ONFR developments and you can use the data for modelling, benchmarking and scenarios.

Find out more about ORX News

 


Disclaimer: ORX has prepared this resource with care and attention. ORX does not accept responsibility for any errors or omissions. ORX does not warrant the accuracy of the advice, statement or recommendations in this resource. ORX shall not be liable for any loss, expense, damage or claim arising from this resource. The content of this resource does not itself constitute a contractual agreement, and ORX accepts no obligation associated with this resource except as expressly agreed in writing. ©ORX 2024


Contacts:

Lily Richardson
News Manager, ORX

Isobel Selwyn
News Senior Researcher, ORX

Helen L’Abbate
Deputy Director - Research & Information, ORX

Want to read more Deep Dives from ORX News? 

Become an ORX News subscriber to read about operational risk loss events from around the world.

 

Find out more about ORX News