Published January 19, 2021
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
The SolarWinds hack was a major security breach that affected thousands of SolarWinds customers (SolarWinds estimated that up to 18,000 had installed the trojanized update), including major corporations such as Cisco, Intel, Cox Communications, and Belkin. Also affected were several US states and federal agencies, including the US Department of State and the US Department of Homeland Security.
The attack, dubbed SUNBURST, involved inserting malicious code into SolarWinds’s Orion Platform software. The code created a backdoor that was later used to reach customers’ networks, delivered through signed, legitimately distributed Orion updates. Experts believe the operation was conducted by hackers based in Russia who may have gained access to sensitive government data. SUNBURST is among the most sophisticated cyberattacks on record: the malware stayed dormant for roughly two weeks after installation, checked for analysis tools and security products before activating, and disguised its command-and-control traffic as ordinary Orion telemetry.
Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats.
The Attack Timeline
Threat Actor Accesses SolarWinds
- September 4, 2019: unknown attackers access SolarWinds.
- September 12, 2019: the attackers inject test code into an Orion build and perform a trial run. This first modification carried no backdoor; its purpose was to confirm that code could be slipped into the build pipeline and shipped to customers unnoticed. Throughout the operation the attackers use multiple servers based in the US and mimic legitimate network traffic to evade the threat detection used by SolarWinds, its partners, and its clients.
- February 20, 2020: the attackers compile SUNBURST into the Orion build. The backdoored code ships to customers in the signed Orion releases published from March 2020 onward.
- June 4, 2020: the perpetrators remove the malicious code from SolarWinds’ build environment. Customers who have already installed the affected releases remain backdoored.
FireEye Discovers SolarWinds Attacks
- December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and stole its Red Team penetration testing and assessment tools. The company warns that the attackers could use the stolen tools against other organizations.
- December 11, 2020: while investigating its own breach, FireEye discovers that SolarWinds had been compromised and that the intrusion was a supply chain attack: the attackers had weaponized SolarWinds’ Orion Platform updates, and the SUNBURST code was present in the Orion releases made between March and June 2020.
- December 12, 2020: FireEye informs SolarWinds that the Orion Platform has been compromised.
- The same day, the news prompts the National Security Council (NSC) to convene a White House meeting to discuss the breach of several government agencies and enterprises.
The News Becomes Public
December 13, 2020:
- The Cybersecurity and Infrastructure Security Agency (CISA) issues Emergency Directive 21-01, requiring federal agencies to disconnect or power down SolarWinds Orion products because they pose an unacceptable risk.
- SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems.
- FireEye discloses that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients.
- Microsoft issues guidance explaining how the attack could affect its customers.
- The attack receives media coverage for the first time. Reuters reports that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies.
Public Response Begins
December 15, 2020:
- SolarWinds releases a software fix.
- The media identifies victims that include the Department of Homeland Security (DHS), the State Department, and the National Institutes of Health, among others.
- A bipartisan group of senators implores CISA and the FBI to investigate and submit a report to Congress detailing the impact of the cyberattack on federal agencies.
SolarWinds Releases Additional Details
December 16, 2020:
- SolarWinds clarifies that its MSP software was not affected by the attack but that the MSP group is taking precautionary steps: SolarWinds MSP announces that it will revoke the code-signing certificate used for its MSP tools, re-sign its applications with a new certificate, and distribute the re-signed binaries to partners, who must then update.
- Security researchers identify the malicious domain name used for SUNBURST command and control and describe a killswitch: the domain is sinkholed so that it resolves to an address in a range that causes the backdoor to stop executing, which neutralizes the malware on hosts the attackers have not already moved beyond.
- A columnist in the New York Times notes that the breach represents a major threat to national security.
- The FBI begins investigations to collect intelligence and identify, disrupt, and pursue the actors.
Affected Organizations Are Revealed
December 17, 2020
- Microsoft confirms that it has detected the trojanized SolarWinds binaries in its own environment and has isolated and removed them, but finds no indication that its production services or customer data have been accessed.
- US president-elect Joe Biden vows that confronting cybersecurity threats would be one of his incoming government’s priorities.
- December 19, 2020: analysts and news outlets report that around 198 organizations have been affected.
- December 22, 2020: The US Treasury Department reveals that dozens of email accounts have been compromised, including those of high-ranking officials.
Security Updates Are Released
- December 24, 2020: SolarWinds explains how its latest patches and hotfixes address SUPERNOVA, a separate web shell found on some Orion servers that is not part of the SUNBURST supply chain compromise and is believed to be the work of a different actor.
- December 30, 2020: CISA releases updated guidance on the Orion Platform compromise. It advises all federal agencies running SolarWinds Orion to update to version 2020.2.1 HF2, which has been verified free of the malicious code.
- January 5, 2021: SentinelOne releases a free, open-source SUNBURST identification tool that helps organizations determine whether the backdoor would have activated on a given host.
US Intelligence Agencies Accuse Russia
- January 5, 2021: in a joint statement, the FBI, CISA, ODNI, and NSA say the SolarWinds compromise is likely Russian in origin and describe it as an intelligence-gathering effort that affected several federal departments and agencies.
- January 6, 2021: The New York Times reports that American intelligence agencies are examining the role that JetBrains TeamCity CI/CD software may have played in allowing Russian hackers to introduce a backdoor into client software. JetBrains responds to this report in a series of announcements from January 6 through 8.
- January 11, 2021: Kaspersky reports code overlaps between SUNBURST and Kazuar, a backdoor previously linked to the Turla group, which is believed to be affiliated with Russia’s security services. Kaspersky notes that the overlap is suggestive but not conclusive.
SolarWinds Upgrades Its IT Staff As More Attack Details are Revealed
- January 6, 2021: SolarWinds retains its former CEO as an interim consultant to assist with the investigation of the Orion breach.
- January 8, 2021: SolarWinds’ CEO states that the company will make cybersecurity a priority in 2021. SolarWinds hires former Facebook and CISA security experts as consultants.
- January 11, 2021: CrowdStrike publishes a technical analysis of SUNSPOT, a tool the attackers deployed in SolarWinds’ build environment to inject the SUNBURST backdoor. SUNSPOT watched the build server for MSBuild processes compiling Orion, swapped a source file for a backdoored copy for the duration of the compile, and then restored the original so that the source repository never showed the change.
The SolarWinds SUNBURST attack is the most high-profile cyberattack in recent years. The attackers used a compromised supply chain to reach many downstream targets, including federal government agencies and technology companies. Organizations can blunt such attacks by sharing intelligence about threat activity and forming cybersecurity partnerships.
Organizations must also become more vigilant about the risk posed by third-party software vendors by improving their own security hygiene. One approach is the zero-trust model, in which both insiders and outsiders must be verified before accessing a resource. Zero trust also applies least-privilege access: users and internal systems can reach only what they need, unlike the traditional setup in which anything inside the network perimeter has broad access. Under that model a compromised monitoring server, even one holding valid credentials, cannot freely pivot to the rest of the estate.
Although it remains unproven that JetBrains TeamCity was abused in this incident, the SUNBURST attack highlights the need for software vendors to harden their development and build environments against intrusion, and in particular to detect any change made to source between checkout and compilation. For organizations doing cloud-based development, we recommend using a secure platform such as those available from our sister company Assembla for Git, SVN, and Perforce.
Finally, we recommend that software vendors deploy a SAST solution to detect vulnerabilities introduced into source code during development, combined with an SCA solution to manage the risk from open-source components.
Kiuwan offers SAST and SCA solutions for scalable, fast application security testing that integrates with any DevOps environment. Get in touch with our team and let’s talk security!
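The build-environment hardening recommended above, and the SUNSPOT technique described in the January 11 entry (a source file swapped for a backdoored copy only while the compiler runs, then restored), can both be countered by the same control: record a digest of every file in the checkout before the build starts, and re-verify the tree immediately before the compiler is invoked, failing the build on any difference. The script below is an added example written for this article; it is not code from SolarWinds, CrowdStrike, or Kiuwan. The directory layout, file names (`Collector.cs`, `Program.cs`, `Dropped.cs`) and file contents are constructed for the demonstration, and the tampering is simulated in the same process.

```python
"""Added example (not from the original article or any vendor): a source-tree
integrity check that records SHA-256 digests at checkout and re-verifies them
right before compilation, so a file replaced in the window between the two
(the substitution SUNSPOT performed) fails the build instead of shipping.
All paths and file contents below are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large sources do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file's POSIX-style path relative to root to its SHA-256."""
    manifest = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file():
            manifest[entry.relative_to(root).as_posix()] = sha256_file(entry)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify changes: modified (same path, new digest), added, removed."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def verify_before_build(root: Path, baseline: dict):
    """Return (ok, diff); a build step would abort when ok is False."""
    diff = diff_manifests(baseline, build_manifest(root))
    return not any(diff.values()), diff


def demo():
    """Constructed scenario: clean checkout passes, a mid-build swap is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        src.mkdir()
        (src / "Collector.cs").write_text("// constructed sample\nclass Collector {}\n")
        (src / "Program.cs").write_text("// constructed sample\nclass Program {}\n")

        baseline = build_manifest(root)          # recorded at checkout
        ok_clean, _ = verify_before_build(root, baseline)

        # Simulate the attacker swapping one source file and dropping another
        # after checkout but before the compiler is invoked.
        (src / "Collector.cs").write_text(
            "// constructed sample\nclass Collector { /* injected backdoor */ }\n")
        (src / "Dropped.cs").write_text("class Dropped {}\n")
        ok_tampered, diff = verify_before_build(root, baseline)
        return ok_clean, ok_tampered, diff


if __name__ == "__main__":
    clean, tampered, changes = demo()
    print("clean tree passes:", clean)
    print("tampered tree passes:", tampered)
    print("changes detected:", changes)
```

In a real pipeline the baseline manifest must not live on the build host that an attacker with SUNSPOT-level access controls: write it from the checkout step on a separate, trusted system (or sign it there) and have the pre-compile step fetch and verify it, otherwise the attacker simply updates the manifest along with the source. The check also only covers files on disk; compiler plugins, build tasks and the compiler binary itself need the same treatment.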