Timeline
- Early 2019: The initial breach into SolarWinds’ network is believed to have occurred. The attackers compromised the build system for SolarWinds Orion, an IT monitoring and management software.
- March 2020: Malicious updates to the SolarWinds Orion software, containing the SUNBURST backdoor, began to be distributed to customers.
- December 2020: The breach was publicly disclosed. FireEye, a cybersecurity firm, announced it had been targeted by a sophisticated nation-state group, which led to the discovery of the SolarWinds compromise.
Attack Details
- Initial Breach:
  - The attackers infiltrated SolarWinds’ systems and inserted malicious code into the Orion software updates, a practice known as a supply chain attack.
  - The compromised updates were signed with SolarWinds’ legitimate digital certificates, making them appear trustworthy.
- Malware: SUNBURST:
  - The SUNBURST malware was embedded in the Orion software updates.
  - Once installed, SUNBURST provided remote access to the attackers and allowed them to move laterally within networks, steal data, and potentially plant additional malware.
- Distribution and Impact:
  - Approximately 18,000 SolarWinds customers, including numerous Fortune 500 companies and several U.S. federal agencies, downloaded the compromised updates.
  - High-profile victims included Microsoft, Intel, Cisco, the U.S. Department of Homeland Security (DHS), the U.S. Department of the Treasury, and the U.S. Department of Commerce.
- Detection and Disclosure:
  - FireEye was the first to detect the attack, after discovering that its own network had been breached.
  - In December 2020, FireEye publicly disclosed the breach, revealing the widespread impact and sophistication of the attack.
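The security lesson in the Initial Breach bullets, that a valid vendor signature proves who signed the artifact but not that the build it came from was untampered, as an added Python illustration that is not SolarWinds' code and not part of the original page. The build step, the HMAC-based signing stand-in, the source strings and the hashes are all constructed; the comparison against an independently rebuilt artifact shows the reproducible-build / build-provenance mitigation, which Orion customers did not have at the time.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's code-signing key. In the SolarWinds case the
# attackers did not need the key itself: the tampered build was signed by the vendor's
# own pipeline. HMAC-SHA256 stands in for an asymmetric code signature here.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

def sign(artifact: bytes) -> str:
    """The vendor's pipeline signs whatever the build step produced (stand-in)."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()

def signature_valid(artifact: bytes, signature: str) -> bool:
    """The check a customer's installer performs: is the vendor signature good?"""
    return hmac.compare_digest(sign(artifact), signature)

def build(source: bytes) -> bytes:
    """Toy deterministic 'compiler', so a third party can rebuild the same source
    and compare the resulting hash (the idea behind reproducible builds)."""
    return b"BIN:" + hashlib.sha256(source).digest()

def assess_update(artifact: bytes, signature: str, independent_hash: str) -> dict:
    """Two independent questions: does the signature verify, and does the artifact
    match a hash obtained by rebuilding the published source outside the vendor?"""
    return {
        "signature_valid": signature_valid(artifact, signature),
        "matches_independent_build": hashlib.sha256(artifact).hexdigest() == independent_hash,
    }

# Constructed scenario: published source vs. the same source with injected code.
CLEAN_SOURCE = b"orion-core sources (constructed)"
INJECTED_SOURCE = CLEAN_SOURCE + b" + injected backdoor class"
# Hash an auditor would get by rebuilding the published (clean) source independently.
INDEPENDENT_HASH = hashlib.sha256(build(CLEAN_SOURCE)).hexdigest()

def shipped_update_assessment() -> dict:
    """What the compromised pipeline shipped: built from tampered source, then signed."""
    shipped = build(INJECTED_SOURCE)
    return assess_update(shipped, sign(shipped), INDEPENDENT_HASH)

def clean_update_assessment() -> dict:
    """The same checks against an update built from the untampered source."""
    clean = build(CLEAN_SOURCE)
    return assess_update(clean, sign(clean), INDEPENDENT_HASH)

if __name__ == "__main__":
    print("shipped:", shipped_update_assessment())  # signature_valid True, matches False
    print("clean:  ", clean_update_assessment())    # both True
```

The signature check alone passes for both updates; only the independent-build comparison separates the tampered one, which is why signature verification needs to be paired with provenance or reproducibility checks.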
Threat Actors
- Attribution:
  - The attack is widely attributed to a sophisticated nation-state actor. The U.S. government has pointed to a Russian cyber espionage group, often referred to as APT29 or Cozy Bear, which is linked to the Russian Foreign Intelligence Service (SVR).
- Motivations:
  - The attackers were primarily focused on intelligence gathering, targeting sensitive information from high-profile government agencies and private sector organizations.
Summary
The SolarWinds attack was a highly sophisticated and far-reaching cyber-espionage operation that compromised a trusted software supply chain to infiltrate numerous high-profile targets. It highlighted the vulnerabilities in supply chain security and the need for robust security measures in software development and deployment processes. The attack had significant implications for cybersecurity practices globally, leading to increased scrutiny and efforts to secure supply chains and improve detection and response capabilities.