We discovered that it stemmed from a massive supply chain attack originating in the Orion network management software from SolarWinds, which affects many other organizations including several large U.S. federal agencies.
Affected organizations currently include the Treasury Department, the Commerce Department, the Pentagon and many other agencies and companies that use the software. The details of the hack are technical, complicated and still being investigated, but here is what we know so far and some answers to common questions:
How Did the SolarWinds Breach Happen?
Hackers who appear to be associated with nation-state hacking group Cozy Bear, aka Advanced Persistent Threat (APT) group 29, part of the SVR arm of Russian intelligence services, got inside the development operations of SolarWinds and managed to insert malware inside a software update that was distributed by the company in March. Once installed, the malware “phoned home” to a command-and-control network run by the hacking group, which enabled them to enter the network and take further action. Since the patch came from the company and was digitally signed by SolarWinds, few companies would have known their software was compromised until now.
How Bad Is It?
Pretty bad. SolarWinds makes network management system (NMS) software that monitors all the operations of a network and can intercept and examine network traffic and the systems on it. The malware that was delivered with the code was custom-designed for this hack and quite sophisticated. This means any hacker who has control of that software could use it to potentially sniff passwords, find vulnerable machines and attack them to spread throughout a network.
Is My Organization at Risk?
First of all, not all customers of SolarWinds are vulnerable to this hack. Only users of the Orion software platform are affected, and only those who loaded the March update. SolarWinds has communicated that the number of customers that have this update is about 18,000. However, even if your organization has the affected software installed, it may not have been hacked yet; 18,000 is a lot of targets to hack even for a big nation-state group.
What Should I Do?
If your organization meets those criteria, it definitely is at risk and should activate its incident response plan (you do have one of those, right?), decommission the software and begin to look for any Indicators of Compromise (IoCs). For more help, Talos has published this useful list. You will probably also want to hire a threat hunting company to get the real pros who have knowledge and experience to assist you.
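As a first triage step for the "Is My Organization at Risk?" and decommissioning questions above, here is an added PowerShell script (not from the original article or from SolarWinds) that inventories Orion components installed on a Windows host and lists any SolarWinds services still running. It assumes the product names contain "SolarWinds" and "Orion" and that the March update the article refers to is March 2020; the date flag is a heuristic, not a confirmation of compromise.

```powershell
# Added triage script (not the article's own): inventory SolarWinds Orion installs on
# the local Windows host and flag those installed or upgraded on/after the assumed
# cutoff. Assumption: the article says "the March update" without a year; 2020 is used.
$Cutoff = [datetime]'2020-03-01'

# Both native and 32-bit-on-64-bit Uninstall keys are checked.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$orion = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'SolarWinds' -and $_.DisplayName -match 'Orion' } |
    ForEach-Object {
        # InstallDate is stored as a yyyyMMdd string; it may be missing or malformed,
        # so parse it defensively rather than assuming it is present.
        $installed = $null
        if ($_.InstallDate -match '^\d{8}$') {
            $installed = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
        }
        [pscustomobject]@{
            Product     = $_.DisplayName
            Version     = $_.DisplayVersion
            InstallDate = $installed
            # Heuristic: an install/upgrade on or after the cutoff means the host may
            # have taken the affected update; confirm against the vendor advisory.
            Flagged     = ($null -ne $installed -and $installed -ge $Cutoff)
        }
    }

if (-not $orion) {
    Write-Output 'No SolarWinds Orion components found in the Uninstall registry keys.'
} else {
    $orion | Sort-Object InstallDate -Descending | Format-Table -AutoSize

    # Orion runs as Windows services; any still running mean the "decommission the
    # software" step is not yet complete on this host.
    Get-Service | Where-Object { $_.DisplayName -like 'SolarWinds*' } |
        Select-Object Name, DisplayName, Status | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session on each host, or wrap it in Invoke-Command to collect the same inventory across the fleet.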
Even if your organization isn’t running SolarWinds, it still might not be out of the woods. If a third party or vendor your organization uses runs this software, they might be infected. And if they have access to your network or systems, your organization could be attacked through that connection. If you haven’t already, you should implement a third-party risk management program that covers vendor access of any kind. Even if your organization has a program, it is a good time for an overhaul and improvement.
The Takeaway From the SolarWinds Breach
The bottom line is that if your organization is vetting, monitoring and auditing its vendors properly, it will have a much better chance of stopping or catching attacks coming through third parties, whether it’s from this hack or the next one.
Organizations should hire an IT company to create a cyber-security incident response plan and an evaluation of the software being used.