SolarWinds Hack – One of the Biggest Attacks of the Century - DefenseLead

One of the biggest cyberattacks of the 21st century, only recently discovered, targeted US government organizations and companies; it has been declared a global cybersecurity breach. The attackers used the SolarWinds Orion platform, a popular network monitoring and analysis product, as the vehicle for the attack by distributing trojanized updates to the software's users.

It was named a supply chain attack because the hackers targeted a third-party vendor that supplies the federal government and private organizations, instead of attacking those organizations directly.

Discovery of Sunburst Malware in SolarWinds Orion Platform:

On December 13, 2020, the US cybersecurity company FireEye disclosed the attack in a blog post after detecting an intrusion on its own systems. According to FireEye, a software update for the Orion platform had been exploited to embed the 'Sunburst' malware, and that update was then installed by more than 17,000 customers.

Once installed, the compromised but still digitally signed SolarWinds Orion network monitoring component gave the hackers a backdoor into the networks and systems of SolarWinds customers. The attack is exceptionally complex and continues to evolve; even security tools such as anti-virus were unable to detect it.

Attackers of SolarWinds Hack:

The attack is believed to have been carried out by Cozy Bear, also known as APT29, a hacker group associated with Russian intelligence (Source: Here). The hackers gained access to email accounts at the US Department of Homeland Security; the Departments of Energy, Commerce, and Treasury; parts of the Pentagon; the Centers for Disease Control and Prevention; the Justice Department; and the State Department, all of which were compromised.

Beyond these, some 30,000 public and private organizations, including FireEye, Microsoft, Intel, Cisco, Deloitte, the California Department of State Hospitals, and Kent State University, also suffered from this attack.

The same Russian hacker group was previously accused of breaching State Department and White House email servers during the Obama administration.

Reason for the Attack in SolarWinds Orion Platform:

The motive for the hack remains unknown, though there are many reasons an attacker might want access to an organization's systems, such as obtaining future product plans or holding customer or employee information for ransom. It is still not clear exactly what information was compromised and stolen from government agencies, but the level of access was both deep and broad.

Although many private companies and enterprises were affected, the hackers' main focus was the government agencies that were using SolarWinds IT management systems.

SolarWinds Orion Platform Attack Timeline (image; source: https://www.solarwinds.com/)

Analysis of SolarWinds Hack:

According to SolarWinds, the incident began in September 2019; suspicious activity from that time was found in the software during the current investigation. In October 2019 the company released an Orion platform 2019 version that appears to contain modifications coded to test the perpetrators' ability to insert code into SolarWinds builds. The perpetrators remained undetected, and the company failed to identify the vulnerabilities. In February 2020, Sunburst, the malicious code, was injected into the Orion platform, and the hackers began shipping software updates containing the malicious code; according to SolarWinds' statement, these updates were installed by 18,000 customers.

Mitigations for the SolarWinds Hack:

SolarWinds subsequently recommended that customers upgrade their existing Orion platform to the patched version as soon as possible. The company also planned to release a hotfix that replaces the breached component and adds further security enhancements.

A few reports also suggested that Microsoft's own products and systems were being used to expand the attack, but Microsoft denied these allegations.

In an official statement, US federal investigators accused Russia's Foreign Intelligence Service, known as the SVR, of being behind the attack. The malware penetrated multiple US government agency networks; securing those systems again will be expensive, very difficult, and could take years. Having gained access to these networks, the hackers could destroy or alter confidential data.

The Russian government, on the other hand, denied the allegations, releasing a statement calling the accusations baseless and saying that it does not conduct offensive operations in the cyber domain. According to the statement, malicious activities in the information space conflict with the principles of Russian foreign policy and national interests (Source: Here).
