The software company SolarWinds has been compromised and used to execute a supply-chain attack on the company’s customers, with suspected impacts on at least two US Government bodies. There are likely more Government and private company victims, yet to be named publicly. A technical analysis of the campaign was released by US cybersecurity company FireEye who have strongly implied they were themselves a victim of this same campaign.
SolarWinds provide IT infrastructure management software to help businesses look after their networks. In a press release issued on Sunday, the firm said it had experienced a “highly sophisticated, manual supply chain attack on SolarWinds Orion Platform”. Software updates released between March and June 2020 were tampered with and malware inserted.
The scale of the attacks was not known at the time of writing, but the firm has over 300,000 customers, including the US military, intelligence, and justice departments, as well as the Office of the President of the United States, meaning the number of potential victims and the sensitivity of the data they hold is extremely high. They also serve 425 of the Fortune 500. Even if only a small fraction of these organisations have been affected, this campaign could have very far-reaching consequences.
Who were the attackers?
The Washington Post have said the attacks were the work of the Russian Government linked threat actor APT29 (AKA Cozy Bear). The group are widely linked to the Foreign Intelligence Service of the Russian Federation (known as the “SVR”) and also thought to be responsible for the FireEye attacks last week, an attack on the Democratic National Committee in 2016, and recent attempts to steal COVID-19 vaccine information.
However, this attribution had not been acknowledged by any official published sources at the time of writing, including the US CERT, FireEye, or SolarWinds. FireEye gave the attackers the codename “UNC2452”, a neutral naming convention that did not imply any specific connection to a known group. They did note that the attackers demonstrated “top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors”.
What did the attackers do?
Reporting published by FireEye indicates that the attackers compromised assets and infrastructure used by SolarWinds to deploy updates for the Orion product suite. They then trojanised a component of the Orion software, inserting malicious code which functioned as a remote access tool. The malicious component was then pushed to users via standard update channels. This modification did not impact the functionality of Orion.
FireEye report that the malware was configured to sit dormant for 12-14 days following deployment, after which point it would attempt to connect to a command and control (C2) server. The malware was able to perform several functions on a compromised host, including collecting system information, downloading and running files and commands, and automatically disabling security tools.
In some cases, the malware was reportedly used to download and run a previously undocumented tool, named TEARDROP by FireEye, which was used to deploy a Cobalt Strike BEACON payload. BEACON is the implant component of Cobalt Strike, a commercial penetration testing tool which has been used by a range of malicious actors, including APT29. The means by which compromised hosts were selected for further tool deployment is not known.
FireEye also stated that following the deployment of a BEACON payload, the attackers sought to move laterally through compromised networks using compromised credentials. A notification issued by the US Cybersecurity and Infrastructure Security Agency (CISA) indicated that Kerberoasting was likely used to obtain credentials in some instances.
What were their aims?
Media reports have described the campaign as cyberespionage, meaning that the likely aims were to collect information useful to a nation-state adversary for political, diplomatic, economic, or military advantage. The FireEye report notes that the ultimate actions included data theft, although the details of what has been taken were not made public.
Who is at risk?
Currently, only SolarWinds Orion customers are thought to be potentially at risk, specifically those that downloaded the affected software updates for Orion - versions 2019.4 through to 2020.2.1 released between March and June 2020. FireEye have said that victims included Government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East and have indicated they think there will be more.
Several US Government entities have reportedly been impacted so far, including the US Treasury and the Department of Commerce, but it is possible that others will detect the activity on their networks in the coming days and weeks.
What is the impact?
US institutions and private companies are frequently attacked by cyberespionage actors, but this activity is on a scale not seen for some time, and what and how much data has been taken was not made public. It was not known if any of the data stolen included classified information, although systems holding this kind of intelligence are usually on separate networks.
The political impact of these attacks is still to play out, as the US Government has not yet accused Russia of the attacks. The Russian Embassy in the USA released a statement on Facebook to deny involvement in the attacks and call for bilateral cooperation between the two countries, blaming the US media for the accusations. Some may see this as a continuation of business-as-usual for nation-states targeting the US, but if the US Government makes formal attribution to Russia, the episode will not do anything to repair already fractious US-Russia relationships and may lead to further action, such as criminal indictments or further sanctions.
Impacts on businesses will likely mean costly investigations for those affected and possible insurance claims. Businesses using the Orion software platform will now be doing extensive cleanups and threat hunting to ensure they understand the impact of any compromise, remediate, and satisfy any regulatory obligations they may have to report the loss of data or otherwise.
What is the mitigation?
CISA advises that organisations which have run SolarWinds Orion versions from 2019.4 through 2020.2.1 HF1 since 24 March 2020 should treat hosts running this software as compromised and immediately isolate them from their networks until further investigation can be completed. If deployment of the malicious Orion component is confirmed, these hosts should be wiped and rebuilt using the latest version of Orion (2020.2.1 HF2). Credentials used with or stored on SolarWinds systems and on this host during this timeframe should also be assumed to have been compromised, so they should be revoked and reissued.
The following actions are then advised to investigate further:
- Examine hosts running SolarWinds Orion and check for the presence of the file “SolarWinds.Orion.Core.BusinessLayer.dll” with the MD5 hash “b91ce2fa41029f6955bff20079468448”. If present, this confirms that the trojanised Orion component was deployed on that host. FireEye published hashes for more than one trojanised build of this DLL, so a non-matching hash on its own does not clear the host; check the file against FireEye's full indicator list.
- Alternatively, run the YARA rules developed by FireEye on hosts running SolarWinds Orion to detect the presence of the malicious component.
- Deploy the Snort rules developed by FireEye to detect C2 traffic patterns for the malicious SolarWinds Orion component.
- Check across the entire network for DNS look-ups and outbound traffic to malicious domains identified by FireEye.
- Deploy the Snort rules developed by FireEye to detect BEACON C2 traffic.
- Review activity logs for accounts associated with administration of hosts running SolarWinds Orion for evidence of malicious or anomalous usage.
- Review Windows Event logs on Domain Controllers for evidence of Kerberoasting attempts: Event ID 4769 (Kerberos service ticket requested) entries where the ticket encryption type is RC4 (0x17) and the service name is a user account rather than a machine account, particularly many such requests from a single account in a short period. This requires the “Audit Kerberos Service Ticket Operations” audit policy to be enabled on the Domain Controllers.
Until the wider impacts of the compromise of SolarWinds are known, consider pausing updates to SolarWinds products and investigating other hosts running SolarWinds products as potentially also compromised.
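The following is an added example of how an analyst might script three of the checks listed above (the DLL hash comparison, the DNS review for lookups to FireEye's C2 domain, and the Kerberoasting review of Event ID 4769 records) against exported artefacts. It is not FireEye, CISA or SolarWinds tooling. The hash is the one quoted in the text; the `avsvmcloud.com` domain is the SUNBURST command-and-control domain from FireEye's published indicators; the DNS line format, the encoded subdomain label and the 4769 event records are constructed samples, and the field names follow the 4769 event's own XML fields.

```python
"""Offline triage helpers for the SolarWinds Orion checks above.

Added example, not FireEye/CISA/SolarWinds tooling. Works on exported
artefacts (a hex digest, DNS query log lines, Security log 4769 events).
Sample inputs below are constructed.
"""
import hashlib
import re

# MD5 of the trojanised SolarWinds.Orion.Core.BusinessLayer.dll quoted in
# the text above. Tools differ in digest case (Get-FileHash is uppercase,
# md5sum is lowercase), so comparisons are normalised.
KNOWN_BAD_MD5 = {"b91ce2fa41029f6955bff20079468448"}

# SUNBURST C2 domain from FireEye's published indicators. The malware
# beaconed to generated subdomains of it, so we match on the suffix.
C2_DOMAINS = ("avsvmcloud.com",)


def md5_is_known_bad(digest_hex: str) -> bool:
    """True if a hex MD5 (any case, stray whitespace ignored) is on the list."""
    return digest_hex.strip().lower() in KNOWN_BAD_MD5


def md5_of_bytes(data: bytes) -> str:
    """Digest file contents; callers pass open(path, 'rb').read()."""
    return hashlib.md5(data).hexdigest()


# Constructed export format: "<timestamp> <client-ipv4> <qname>", one query
# per line. Adapt the regex to your resolver's log layout.
_DNS_LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$")


def find_c2_lookups(lines):
    """Return (timestamp, client, qname) for every lookup under a C2 domain.

    Suffix matching is anchored on a dot so that a lookalike such as
    'avsvmcloud.com.other.internal' is not reported.
    """
    hits = []
    for line in lines:
        m = _DNS_LINE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        name = qname.rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in C2_DOMAINS):
            hits.append((ts, client, name))
    return hits


def kerberoast_candidates(events, min_services=2):
    """Group Event ID 4769 records that fit the Kerberoasting pattern.

    A TGS request for a service run under a user account (SPN owner not a
    machine account ending in '$' and not krbtgt) with RC4 ticket encryption
    (0x17) is the classic fingerprint. Tools request many such tickets from
    one account in a burst, so results are keyed by (requester, source IP)
    and only requesters touching at least min_services SPNs are returned;
    raise min_services if legacy applications legitimately use RC4.
    """
    per_requester = {}
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        spn = ev.get("ServiceName", "")
        enc = ev.get("TicketEncryptionType", "").lower()
        if enc != "0x17" or spn.endswith("$") or spn.lower() == "krbtgt":
            continue
        key = (ev.get("TargetUserName", "?"), ev.get("IpAddress", "?"))
        per_requester.setdefault(key, set()).add(spn)
    return {k: sorted(v) for k, v in per_requester.items() if len(v) >= min_services}


# Constructed sample DNS lines: one beacon to an encoded subdomain of the C2
# domain, one lookalike that must not match, two benign lookups.
SAMPLE_DNS = [
    "2020-06-02T10:14:03Z 10.20.5.17 solarwinds.com",
    "2020-06-02T10:14:09Z 10.20.5.17 exampleencodedhostname.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-06-02T10:14:10Z 10.20.5.17 avsvmcloud.com.other.internal",
    "2020-06-02T10:15:00Z 10.20.5.22 update.microsoft.com.",
]

# Constructed sample 4769/4768 records using the events' XML field names.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "svc_backup@CORP.LOCAL", "ServiceName": "WEBSRV01$",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.20.5.40"},  # machine SPN, AES: normal
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.20.5.17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.20.5.17"},
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.20.5.17"},  # TGT renewal, excluded
    {"EventID": 4768, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.20.5.17"},  # not a 4769
]

if __name__ == "__main__":
    print("hash match:", md5_is_known_bad("B91CE2FA41029F6955BFF20079468448"))
    print("C2 lookups:", find_c2_lookups(SAMPLE_DNS))
    print("Kerberoast candidates:", kerberoast_candidates(SAMPLE_EVENTS))
```

Run against real data by feeding `md5_of_bytes` the DLL from the Orion install directory, the resolver's query log lines to `find_c2_lookups` (after adjusting the regex to the export format), and 4769 records parsed from the Domain Controllers' Security log to `kerberoast_candidates`. A hit from the first two checks is strong evidence that the trojanised component ran; the Kerberoasting check is a heuristic and the threshold should be tuned to the environment.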