The SolarWinds Attack: Discovery and Impact

Discovery of the Attack

The discovery of the SolarWinds attack began with an unusual incident at FireEye, a leading cybersecurity firm known for its expertise in threat detection and response. In early December 2020, FireEye detected a breach of its own network, which prompted an internal investigation. FireEye’s security team noticed unusual authentication requests and anomalous behavior on the network, indicating a potential compromise. The investigation traced the intrusion to malicious code, known as SUNBURST, that the attackers had inserted into the Orion software update process and that was then distributed to SolarWinds customers as a legitimate update. FireEye coordinated with SolarWinds and the relevant government agencies to disclose the breach, triggering a wider investigation into the scope and impact of the attack.


Widespread Impact

This supply chain attack was the first of its kind and unprecedented in its scale, affecting a wide range of organizations across various sectors. The impact was felt globally, highlighting the extensive reach of the compromised software. Critical U.S. government departments, including the Department of Homeland Security, the Treasury, Commerce, and State, were among the victims. These breaches posed significant national security risks, as sensitive information and communications were potentially exposed. Numerous major corporations across industries such as technology, telecommunications, and finance were impacted. This included companies like Microsoft, Cisco, and Intel, which faced the threat of intellectual property theft and operational disruption. The attack extended beyond the United States, affecting entities in Europe, Asia, and other regions. This global reach underscored the interconnected nature of modern supply chains and the widespread reliance on SolarWinds’ software.


Social Engineering Tactics

A key component of the attack involved the use of social engineering tactics to gain initial access. The attackers managed to obtain a password for SolarWinds’ build system by exploiting weak security practices. It was later revealed that a key password (“solarwinds123”) was publicly accessible on a misconfigured server. This lapse in basic security hygiene provided the attackers with a foothold into SolarWinds’ network, from where they could infiltrate the software development environment and insert the SUNBURST malware. This aspect of the attack underscores the importance of strong password policies and vigilant security practices to protect against social engineering threats.


Mechanism of the Attack

The SolarWinds attack was executed through a highly sophisticated supply chain compromise, leveraging the trust in SolarWinds’ widely used Orion platform. The attackers infiltrated SolarWinds’ software development environment, inserting the SUNBURST malware into the Orion update process. This malware was designed to blend in with legitimate software traffic, making it difficult to detect. Once the compromised update was installed by customers, SUNBURST remained dormant for up to two weeks, minimising suspicion. Upon activation, it communicated with remote command-and-control servers using stealthy techniques, allowing the attackers to issue commands and exfiltrate data. The malware used sophisticated methods to avoid detection, including obfuscating its network traffic and mimicking legitimate Orion processes.
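The paragraph above describes two behaviours a defender can look for even when the malicious update itself is signed and looks legitimate: a long quiet period after installation, followed by regular contact with a previously unseen external host. The script below is an added example, not code from the original article or from SolarWinds or FireEye. It runs simple beaconing heuristics over a constructed outbound-connection log; the log format, the process name `OrionSvc.exe`, the host names, the install time and the thresholds (`MIN_EVENTS`, `MAX_JITTER`, `DORMANCY_DAYS`) are all assumptions made for illustration.

```python
"""Flag dormant-then-beaconing processes in a constructed connection log.

Added example for illustration; process names, hosts, timestamps and
thresholds are assumptions, not values from any real incident.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, one event per line:
#   "<ISO timestamp> <process image> <destination host>"
# OrionSvc.exe talks to its vendor host normally, then two weeks after install
# starts contacting an unknown host every 30 minutes. browser.exe is noise.
SAMPLE_LOG = """\
2020-03-01T09:00:00 OrionSvc.exe updates.vendor.example
2020-03-02T09:00:00 OrionSvc.exe updates.vendor.example
2020-03-15T02:00:00 OrionSvc.exe cdn.unknown-host.example
2020-03-15T02:30:00 OrionSvc.exe cdn.unknown-host.example
2020-03-15T03:00:00 OrionSvc.exe cdn.unknown-host.example
2020-03-15T03:30:00 OrionSvc.exe cdn.unknown-host.example
2020-03-15T04:00:00 OrionSvc.exe cdn.unknown-host.example
2020-03-15T04:30:00 OrionSvc.exe cdn.unknown-host.example
2020-03-01T10:00:00 browser.exe news.example
2020-03-01T10:07:00 browser.exe news.example
2020-03-01T11:41:00 browser.exe news.example
2020-03-02T08:03:00 browser.exe news.example
2020-03-03T17:20:00 browser.exe news.example
"""

# Assumed install time of the monitored software (from asset inventory).
INSTALL_TIME = {"OrionSvc.exe": datetime(2020, 3, 1, 8, 0, 0)}

KNOWN_HOSTS = {"updates.vendor.example"}  # assumed vendor allowlist
MIN_EVENTS = 5       # enough samples to judge regularity
MAX_JITTER = 0.20    # max coefficient of variation of the gaps between contacts
DORMANCY_DAYS = 7    # first contact this long after install is suspicious


def parse_log(text):
    """Parse the constructed log into sorted (timestamp, process, host) tuples."""
    events = []
    for line in text.splitlines():
        ts, proc, host = line.split()
        events.append((datetime.fromisoformat(ts), proc, host))
    events.sort()
    return events


def regularity(timestamps):
    """Coefficient of variation of the inter-contact gaps; 0.0 means perfectly periodic."""
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(events, install_time=INSTALL_TIME, known_hosts=KNOWN_HOSTS):
    """Return one finding per (process, host) pair that beacons to an unknown host."""
    by_pair = defaultdict(list)
    for ts, proc, host in events:
        by_pair[(proc, host)].append(ts)

    findings = []
    for (proc, host), stamps in by_pair.items():
        if host in known_hosts or len(stamps) < MIN_EVENTS:
            continue
        cv = regularity(stamps)
        if cv is None or cv > MAX_JITTER:
            continue  # irregular traffic, e.g. interactive browsing
        installed = install_time.get(proc)
        dormant_days = (stamps[0] - installed).days if installed else None
        findings.append({
            "process": proc,
            "host": host,
            "events": len(stamps),
            "jitter": round(cv, 3),
            "dormant_days": dormant_days,
            "delayed_start": dormant_days is not None and dormant_days >= DORMANCY_DAYS,
        })
    return findings


if __name__ == "__main__":
    for finding in find_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this reports only `OrionSvc.exe` contacting `cdn.unknown-host.example`: six evenly spaced contacts (jitter 0.0) starting 13 days after the assumed install time. Real beacons usually add randomised jitter, which is why the check tolerates some variation in the gaps rather than demanding exact periodicity; the allowlist keeps the vendor's own update host from being flagged.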

Effects of the SUNBURST Malware

The specific effects of the SUNBURST malware were extensive. The attackers used the backdoor access provided by SUNBURST to steal sensitive data, including confidential communications, internal documents, and proprietary information. Once inside a network, the attackers moved laterally to access additional systems and data, further entrenching their presence and expanding the scope of the compromise. The breach necessitated extensive mitigation efforts, including disconnecting affected systems, applying security patches, and conducting comprehensive security audits. This caused operational disruptions and financial costs for the affected organisations.

Conclusion

The SolarWinds attack highlighted several critical vulnerabilities in modern cybersecurity practices. First and foremost, it underscored the dangers of supply chain vulnerabilities. By compromising SolarWinds, a trusted vendor, the attackers gained access to a vast array of organisations.

Additionally, the attack revealed weaknesses in detection and response capabilities. The SUNBURST malware was able to evade traditional security measures by mimicking legitimate software processes and using sophisticated obfuscation techniques. This allowed the attackers to operate undetected for an extended period, further amplifying the damage.