Trustaira Blog
April 21, 2024 | Trustaira Staff

SolarWinds is a major software company based in Tulsa, Okla. Among the company’s products is an IT performance monitoring system called Orion. 

As an IT monitoring system, SolarWinds Orion has privileged access to IT systems to obtain log and system performance data. It is that privileged position and its wide deployment that made SolarWinds a lucrative and attractive target.

What is the SolarWinds hack?

SolarWinds suffered an attack that began in September 2019. The SolarWinds hack is the commonly used term for the supply chain breach involving the SolarWinds Orion system. As a result of the attack, over 18,000 SolarWinds customers installed updates containing malicious code. Hackers used that code to steal customer data and spy on other organizations.

The SolarWinds attack was associated with CVE-2020-10148, a vulnerability that allows attackers to bypass API authentication by including specific parameters in a URI request.

What is a Supply Chain attack?

A supply chain attack, which is also known as a third-party attack, value-chain attack or backdoor breach, is when a cybercriminal accesses a business’s network via third-party vendors or through the supply chain.

Image: Supply Chain Attack

How did the SolarWinds supply chain attack occur?

Orion has access to customer system performance logs and data, making it a lucrative target for hackers. In the Orion hack, the attackers planted a backdoor, a remote access trojan (RAT), through which they could impersonate accounts and users of victim organizations. The backdoor allowed the hackers to access system files and hide their tracks by blending into normal Orion activity, masking the malicious code from antivirus packages. The malicious update that carried it was named the Sunburst update.

How was the SolarWinds Malware Deployed? 

The malware was deployed as part of an update from SolarWinds' own servers and was digitally signed with a valid certificate bearing the company's name, which strongly points to a supply chain attack. The certificate was issued by Symantec, with serial number 0fe973752022a606adf2a36e345dc0ed.

Image: Digital Signature
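Because the Sunburst DLL carried a genuine SolarWinds signature, a "Valid" signature status alone says nothing about whether an Orion binary is safe. The PowerShell below is an added example, not code from the original post or from SolarWinds: it walks a directory, reads each Authenticode signature with Get-AuthenticodeSignature, and flags files that are unsigned or that were signed with the compromised certificate serial quoted above. The function name and the Orion install path are assumptions.

```powershell
# Added example (not from the original post). Assumed function name and install path.
function Find-SuspectSignedBinary {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Serial numbers of certificates known to have signed malicious code.
        # The default is the Symantec-issued serial quoted in the post above.
        [string[]] $BadSerials = @('0fe973752022a606adf2a36e345dc0ed')
    )
    # Normalise serials: strip separators, use uppercase hex, which is how
    # Get-AuthenticodeSignature reports SignerCertificate.SerialNumber.
    $bad = $BadSerials | ForEach-Object {
        ($_ -replace '[^0-9a-fA-F]', '').ToUpperInvariant()
    }

    Get-ChildItem -Path $Root -Recurse -Include *.dll, *.exe -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
            $serial = $null
            if ($sig.SignerCertificate) {
                $serial = $sig.SignerCertificate.SerialNumber.ToUpperInvariant()
            }

            # A signature can be cryptographically valid and still be hostile:
            # the serial check is what catches a trusted-but-compromised certificate.
            $flag = ''
            if ($serial -and ($bad -contains $serial)) {
                $flag = 'KNOWN-BAD-CERT'
            } elseif ($sig.Status -ne 'Valid') {
                $flag = 'UNSIGNED-OR-INVALID'
            }

            [pscustomobject]@{
                Path    = $_.FullName
                Status  = $sig.Status
                Subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                Serial  = $serial
                Flag    = $flag
            }
        } |
        Where-Object { $_.Flag -ne '' }
}

# Usage: assumed default Orion location; adjust to the real install directory.
Find-SuspectSignedBinary -Root 'C:\Program Files (x86)\SolarWinds\Orion' | Format-Table -AutoSize
```

Any hit with the KNOWN-BAD-CERT flag is a file signed by the compromised certificate and should be treated as an indicator of the Sunburst update, regardless of what the signature status column reports.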

SolarWinds Attack Lifecycle:

  • In September 2019, hackers were able to access the SolarWinds network.
  • They started testing their code injection in Orion in October 2019.
  • About four months later, they injected malicious code called Sunburst into Orion.
  • On March 26, 2020, SolarWinds began distributing Orion updates that contained the hackers’ malicious code.

Image: The Anatomy of the SolarWinds Attack Chain

Impacted Companies

According to different reports, the malware affected many companies and organizations. Government departments such as Homeland Security, State, Commerce, and Treasury were affected, as there was evidence that emails were missing from their systems. Private companies such as FireEye, Microsoft, Intel, Cisco, and Deloitte also suffered from this attack.

SolarWinds Supply Chain Attack Remediation 

The SolarWinds developer team issued swift hotfixes to remove the backdoor trojan, and a slew of other businesses eventually followed with fixes of their own. IT giant Microsoft was also said to have found signs of the malware on its customers’ computers, which led to the release of security changes around the world.