The past week was way too hectic for both journalists and the cybersecurity community as the SolarWinds cyber attack caused a stir. As different reports poured in, it became difficult to keep a track of what actually has happened. So, here we present a quick overview of the incident whilst referring to the information available until the time of writing.
What is SolarWinds?
SolarWinds is an American software company. It basically develops software for businesses to facilitate them in managing their systems, network, and IT infrastructure. The firm started off in 1999 and presently has around 3200 employees. Whereas, as of December 2020, it holds 300,000 customers That includes numerous federal agencies and many Fortune 500 firms.
About the SolarWinds Cyber Attack
About a week ago, multiple reports surfaced online about security breaches hitting numerous huge targets. It turned out that all of the attacks had one thing in common – the Orion Platform products.
Subsequent investigations confirmed that the attack had actually aimed at SolarWinds.
Disclosing the cyber attack, SolarWinds stated in the notice that they were alerted of the incident from FireEye. Right before the SolarWinds cyber attack reports, FireEye disclosed an orchestrated cyber-attack on its infrastructure.
Briefly, SolarWinds confirmed that the incident impacted their “Orion Platform products and internal systems”. Specifically, the incident happened due to a vulnerability in its product updates delivered between March and June 2020. The exploit received the name SUNBURST as the attackers hacked the codebase and injected a backdoor into it.
Upon detecting the vulnerability, SolarWinds deployed hotfixes for it with the release of Orion 2020.2.1 HF 2.
They also shared a detailed advisory on the SUNBURST vulnerability and the subsequent fix.
It initially remained unclear who the attackers were, despite FireEye’s clear statement about a state-sponsored attack.
Nonetheless, subsequent alerts and advisories by Microsoft, FireEye, and media reports eventually confirmed the link to Russian state actors Cozy Bear or APT29. Though, the Russian Embassy in the US explicitly denied this allegation via a Facebook post.
The US Dept. of Homeland Security CISA also issued a detailed advisory about the affected Orion products, the subsequent patches, and mitigation strategies. Specifically, the affected versions include the following.
- Orion Platform 2019.4 HF5, version 2019.4.5200.9083
- Orion Platform 2020.2 RC1, version 2020.2.100.12219
- Orion Platform 2020.2 RC2, version 2020.2.5200.12394
- Orion Platform 2020.2, 2020.2 HF1, version 2020.2.5300.12432
Who Were The Victims?
SolarWinds cyber-attack has turned out to be a devastating one that affected multiple firms from the public and the private sector.
According to the details available yet, the victims include,
- US Department of the Treasury
- The US Department of State
- US National Nuclear Security Administration
- The US National Telecommunications and Information Administration
- US Department of Energy
- The National Institutes of Health
- US Department of Homeland Security
- Certain US states
- Deloitte LLP
- VMware Inc.
- Belkin International Inc.
- California Department of State Hospitals
- Kent State University
(This isn’t the final list though.)
Microsoft and SolarWinds have shared details in their advisories regarding the indicators of compromise and subsequent remediation strategies.
So, you can go through these advisories to know if you’ve been a victim of the SUNBURST attack.
Also, a “KillSwitch” is now available to deactivate SUNBURST deployments on affected systems.
We shall update our readers as new details follow.