
How to Make Sense of the SolarWinds Hack

The SolarWinds cyber attack that took place in 2020 via the SolarWinds Orion platform is a prime example of a supply chain attack. The attack had ramifications far beyond SolarWinds itself, affecting both private companies and federal agencies. Although the intrusion took place in 2020, its after-effects were still being felt in 2024, when the SEC fined several companies for misleading disclosures about their exposure to the SolarWinds attack.

So, how did the SolarWinds hackers gain access to so many other companies? Below, we’ll break down:

  1. What is SolarWinds?
  2. What was the SolarWinds Attack / Hack?
  3. How was the SolarWinds attack discovered and what was its impact?
  4. What was the response and mitigation to the SolarWinds attack?
  5. What were the implications and lessons learned?

What is SolarWinds?

SolarWinds, headquartered in Austin, Texas, is a provider of network monitoring software that enables organizations to quickly detect, diagnose, and resolve network performance problems and outages. Its software is widely used across industries, including government agencies, educational institutions, and private enterprises. With over 300,000 customers, SolarWinds has positioned itself as a critical player in IT infrastructure management.

At the heart of SolarWinds' product line is the Orion Platform, which the company describes as “a powerful, scalable infrastructure monitoring and management platform designed to simplify IT administration.” Because Orion exists to monitor and manage an organization's infrastructure, it typically runs with broad network visibility and stored privileged credentials, which is exactly what made it such a valuable foothold for an attacker.

What was the SolarWinds hack?


Nature of the attack

The SolarWinds hack was a sophisticated cyberattack delivered through the Orion Platform. The attackers did not exploit a bug in Orion that customers could have patched; instead, they compromised SolarWinds' own software build process and inserted malicious code into an Orion component, so that it was compiled into official builds and signed with SolarWinds' legitimate code-signing certificate. FireEye named this backdoor SUNBURST. It gave the attackers unauthorized access to the networks of every SolarWinds customer that installed a trojanized update.

Delivery and distribution

The trojanized builds were distributed through SolarWinds' legitimate software update mechanism, beginning in March 2020. Unsuspecting customers downloaded and installed the updates, unwittingly introducing the backdoor into their environments. SolarWinds estimated that up to 18,000 organizations installed a compromised version of the software.

Methodology

The attackers employed advanced tactics to evade detection. Because the malicious code shipped inside a legitimate, signed software update, it appeared to originate from a trusted source. Once installed, the backdoor stayed dormant for roughly two weeks and then used DNS lookups to an attacker-controlled domain as its initial command-and-control channel, so its traffic blended in with normal network activity. The attackers then selected a small subset of the infected organizations for hands-on follow-up, moving laterally within those networks and exfiltrating sensitive data.

How was it discovered and what was its impact?

Discovery

The SolarWinds hack came to light in December 2020, when cybersecurity firm FireEye, while investigating a breach of its own systems, traced the intrusion to the compromised Orion software update. Its public disclosure prompted a broader inquiry into the scope of the attack.

Scope of the attack

The attack targeted a wide range of organizations, including U.S. government agencies such as the Treasury and Commerce Departments, as well as private sector companies. While the exact number of affected entities remains unclear, the SolarWinds breach is considered one of the largest and most impactful cyberattacks in recent history.

Depth of compromise

The attackers maintained access to compromised networks for several months before discovery, leveraging their foothold to gather sensitive information. The full extent of the data accessed remains unknown, but the breach exposed significant weaknesses in software supply chain security.

Attribution

The attack has been attributed to a sophisticated nation-state actor; in April 2021 the U.S. government formally attributed it to the Russian Foreign Intelligence Service (SVR). This attribution underscores the increasing complexity and geopolitical implications of modern cyberattacks.

Response and mitigation


Immediate actions

Organizations affected by the breach took swift action to identify and isolate compromised systems. SolarWinds released hotfixes for the Orion Platform, and the cybersecurity community (FireEye, CISA and others) published indicators of compromise (IOCs) to help organizations detect and respond to the threat.

The attackers' ultimate targets were government agencies and other organizations holding highly sensitive information, but the backdoor itself went to every SolarWinds customer who updated Orion from March 2020 onward, whether or not they were of interest to the attackers. Review the FireEye indicators and implement them in your detective controls. The right approach depends on how closely you are tied to SolarWinds; follow the short-term measures below that best fit your organization:

  • If you are a current SolarWinds user:
    • Apply the SolarWinds hotfixes and hunt for the published indicators on the servers that run Orion.
  • If you are a former user of SolarWinds:
    • Do a sweep of your environment to ensure there are no remnants of the software left on any devices.
  • If you are a private company doing business with the federal government:
    • Review your systems immediately; you may have been a target.
  • If you do not fall into one of the categories above, this attack could still affect you. You should still:
    • Review the indicators and ensure you have the proper defenses to detect elements of this malware.
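As an added example (not code from this article, from SolarWinds or from FireEye), the following Python sweep runs two of the checks above over constructed sample data: a DNS-log match for the SUNBURST command-and-control domain, and a file-inventory check for the trojanized Orion DLL that former customers should no longer have anywhere. The parent domain avsvmcloud.com and the DLL name come from FireEye's public SUNBURST reporting; the log formats, the sample lines, the subdomain label and the placeholder hash are assumptions made for this example and must be replaced with the published indicator lists before real use.

```python
"""Sweep constructed DNS and file-inventory logs for SUNBURST-style indicators.

Added example for this article; it is not code from the original page, from
SolarWinds or from FireEye. The log formats and sample lines are constructed.
"""
import re
from dataclasses import dataclass

# Indicators. The C2 parent domain and the trojanised DLL name are taken from
# FireEye's public SUNBURST reporting. The SHA-256 entry is a PLACEHOLDER (an
# assumption for this example); replace it with the published hashes before use.
C2_DOMAINS = {"avsvmcloud.com"}
BACKDOOR_DLL = "solarwinds.orion.core.businesslayer.dll"
KNOWN_BAD_SHA256 = {"00" * 32}  # placeholder, not a real SUNBURST hash


@dataclass(frozen=True)
class Hit:
    source: str   # "dns" or "file"
    host: str     # querying client or inventoried host
    detail: str   # what matched


def is_c2_lookup(qname: str) -> bool:
    """True if qname is a C2 domain or any subdomain of one.

    SUNBURST encoded victim data into generated subdomains, so matching only
    the exact parent name would miss every real beacon; suffix matching is
    needed, while a lookalike such as avsvmcloud.com.example.org must not match.
    """
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in C2_DOMAINS)


# Assumed DNS log format: "<timestamp> <client-ip> query <qname>"
DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")


def scan_dns(lines):
    """Return a Hit for every DNS query line that resolves a C2 domain."""
    hits = []
    for line in lines:
        m = DNS_LINE.match(line.strip())
        if m and is_c2_lookup(m["qname"]):
            hits.append(Hit("dns", m["client"], m["qname"]))
    return hits


# Assumed inventory format: "<hostname> <file path, may contain spaces> <sha256>"
INV_LINE = re.compile(r"^(?P<host>\S+)\s+(?P<path>.+?)\s+(?P<sha256>[0-9a-fA-F]{64})$")


def scan_inventory(lines):
    """Flag every host still carrying the Orion business-layer DLL.

    For a former customer any copy is a remnant to remove; for a current
    customer the hash decides whether the copy is a known-bad build or a
    build that still has to be checked against the vendor's list.
    """
    hits = []
    for line in lines:
        m = INV_LINE.match(line.strip())
        if not m or not m["path"].lower().endswith(BACKDOOR_DLL):
            continue
        verdict = "KNOWN-BAD" if m["sha256"].lower() in KNOWN_BAD_SHA256 else "present, verify hash"
        hits.append(Hit("file", m["host"], f"{m['path']} ({verdict})"))
    return hits


# Constructed sample data (not real logs). The subdomain label is made up; only
# the parent domain is a real indicator. The third DNS line is a lookalike that
# must not match.
SAMPLE_DNS = [
    "2020-06-01T03:14:07Z 10.0.5.21 query 6a57jk2ba1d9keg15cbg.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-06-01T03:14:09Z 10.0.5.22 query updates.solarwinds.com",
    "2020-06-01T03:14:11Z 10.0.7.8 query avsvmcloud.com.example.org",
]
SAMPLE_INVENTORY = [
    "orion-01 C:\\Program Files (x86)\\SolarWinds\\Orion\\SolarWinds.Orion.Core.BusinessLayer.dll " + "00" * 32,
    "orion-02 C:\\Program Files (x86)\\SolarWinds\\Orion\\SolarWinds.Orion.Core.BusinessLayer.dll " + "ab" * 32,
    "fileserver-03 C:\\Windows\\System32\\kernel32.dll " + "cd" * 32,
]


def sweep(dns_lines, inventory_lines):
    """Combine both scans; the result is the list an analyst would triage."""
    return scan_dns(dns_lines) + scan_inventory(inventory_lines)


if __name__ == "__main__":
    for hit in sweep(SAMPLE_DNS, SAMPLE_INVENTORY):
        print(f"[{hit.source}] {hit.host}: {hit.detail}")
```

The DNS check deliberately matches any subdomain of the indicator rather than the exact name, because the real beacons carried generated labels in front of the parent domain; the inventory check reports a legitimate-looking copy as well as a known-bad one, since a current customer has to confirm the build they are running and a former customer should have none at all.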

Government and industry response

The U.S. government launched a coordinated effort to investigate the breach and enhance cybersecurity measures in federal systems. Industry stakeholders collaborated to share intelligence and develop strategies to mitigate the attack’s impact.

Long-term measures

In the wake of the SolarWinds hack, organizations have prioritized supply chain security and implemented measures to strengthen their cybersecurity posture. These efforts include enhanced vetting of third-party vendors, improved monitoring and detection capabilities, and increased investment in threat intelligence.

Implications and lessons learned


Supply chain vulnerabilities

The SolarWinds hack underscored the critical importance of securing the software supply chain. Note that the trojanized update was signed with SolarWinds' own valid code-signing certificate, so checking an update's signature would not have caught it; the integrity of an update is only as good as the integrity of the vendor's build pipeline. Vendors must therefore harden and monitor their build environments, and customers must treat signed third-party software as a privileged component that still needs monitoring after it is installed.

Importance of detection and response

The breach highlighted the need for robust detection and response capabilities. Advanced threat actors can operate undetected for extended periods, emphasizing the importance of continuous monitoring and incident response planning.

Policy and regulatory changes

In response to the SolarWinds hack, governments and regulatory bodies have introduced new policies and standards aimed at improving supply chain security. In the United States, for example, Executive Order 14028 of May 2021 directed federal agencies to tighten the requirements on the software they buy, including software bills of materials and stronger controls on how that software is built. These measures are designed to enhance transparency, accountability, and resilience across the cybersecurity landscape.

The SolarWinds hack serves as a stark reminder of the evolving threat landscape and the need for vigilance in safeguarding critical systems. By learning from this incident and implementing proactive measures, organizations can better protect themselves against future attacks.

Next steps

Whether it is the SolarWinds hack or the threat of a cyber attack in general, the team at Cyber Defense Group is available to assist with both a compromise assessment and a cyber risk assessment. Our service doesn’t stop at detection; we provide clear, actionable recommendations for immediate risk mitigation and long-term defense enhancement. This strategic assessment is more than a security check – it’s a crucial step towards fortifying your organization against current and future cyber threats, ensuring robust protection of your sensitive data and key assets. With Cyber Defense Group, you gain insights and a path to a stronger, more resilient cybersecurity posture.

Contact us today!