Threat Assessors Scrambling to Clean up the Mess After SolarWinds Orion Hack
- By Dawna M. Roberts
- Published: Dec 21, 2020
- Last Updated: Mar 18, 2022
After last week's report of the SolarWinds Orion attack, threat assessors are scrambling to determine who was affected and how to clean up the enormous post-hacking mess.
Who Was Affected?
Data Breach Today reported late last week that organizations downstream in SolarWinds' supply chain were affected by the hack. Companies and agencies on the list include Cisco, Intel, FireEye, and five U.S. government agencies: the State and Treasury departments, the National Institutes of Health, the Department of Homeland Security, and the Commerce Department.
How Have Threat Assessors Responded?
According to Data Breach Today, FireEye, in conjunction with GoDaddy and Microsoft, has "identified a kill switch that would prevent SUNBURST from continuing to operate. This kill switch will affect new and previous SUNBURST infections by disabling SUNBURST deployments that are still beaconing to avsvmcloud[.]com." The kill switch only stops the SUNBURST stage itself from running; it does not remove the backdoor from the host or undo any access the attackers established after the initial beacon.
Other researchers are working on stopgap measures. The RedDrip Team, a Chinese threat-research group, released a decoder on GitHub that turns the DGA-style subdomains SUNBURST sent to avsvmcloud[.]com back into the victims' internal domain names, yielding a partial list of who was infected.
The FBI, CISA, and ODNI are running their own investigations into the coordinated intrusions. Threat researchers theorize that the attackers may have had access to SolarWinds' systems and data for more than ten months. Early attribution points to a Russian state-backed group, APT29, also known as Cozy Bear.
Unfortunately, along with working out what happened, investigators have uncovered further vulnerabilities in SolarWinds' systems. They have also determined that as many as 18,000 organizations downloaded the malicious update to their SolarWinds products. That level of exposure is staggering.
SolarWinds Response
In an emergency directive issued Sunday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies, and urged other customers, to "disconnect or power down all SolarWinds Orion products immediately." SolarWinds issued its own notice describing "a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020." The company recommends that customers upgrade immediately and promised the security patches for Tuesday.
SolarWinds reported to the SEC that about 33,000 customers use Orion, and that fewer than 18,000 of them installed the malicious update. As a side note, two major investors (together holding more than 70% of SolarWinds) sold shares in the company shortly before the disclosure, and SolarWinds stock plummeted 23%. Both firms denied any wrongdoing and said the sales were already in the works.
However, the SEC is taking a hard look at the suspicious trades, and a spokesperson said, "Large trades in advance of a major announcement, then an announcement: That is a formula for an insider trading investigation."
What Now?
FireEye, SolarWinds, Microsoft, and CISA are working closely together and sharing their findings. Their aim is to provide mitigation for affected vendors, customers, and agencies while also reconstructing the chain of events to understand how it happened and how to prevent similar attacks.
A spokesperson for Microsoft said that this "massive software supply chain intrusion" was "the most carefully planned, complex espionage I've ever helped uncover."
Because this attack covered so many different victims, it is still unclear what the ultimate goal was and how much damage is already in the works. Data Breach Today warns that "the victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia, and the Middle East, and it also expects that more victims will be uncovered and says it has been directly notifying all suspected victims it finds."
Some threat assessors believe that the attackers' decision to go after FireEye was a mistake: it led to early detection and an enormous coordinated response. They may not have finished their mission, and that one false move may have cut it short.
How Should Customers Respond?
Disconnect affected Orion servers and apply SolarWinds' hotfix as soon as it is available. Patching alone does not evict an attacker who has already used the backdoor: treat the Orion host as compromised, rebuild it, and rotate every credential it held, such as the service accounts, SNMP community strings, and API keys Orion uses to monitor other systems. Keep checking SolarWinds' website for further security patches and make that check part of your regular maintenance routine.
- Run full scans with your antivirus and anti-malware software to make sure no other traces of the intrusion remain on your network, computers, or other devices.
- Make sure you have monitoring and threat-detection tooling in place, and review it for signs of activity during the exposure window. You cannot be too careful.
- If your Orion instance was compromised, tell the vendors and third-party services that connect to your network, since the attackers may have used it as a foothold to reach them.
Everyone is in this together and needs to work as a unified front to keep the entire supply chain safe. Finally, keep abreast of what is going on with this situation and watch for any updates so you can take quick action.