On December 13, FireEye discovered that SolarWinds Orion products (versions 2019.4 HF 5, 2020.2 with no hotfix, and 2020.2 HF 1) were being exploited by malicious actors. The supply chain attack trojanized SolarWinds Orion business software updates to distribute malware, which affected a range of government agencies and private corporations.
Victims of the breach
The victims’ list includes government, telecom, technology, consulting, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye, a cyber firm that itself was breached. As a precaution, Microsoft said in a post that it had not identified any Microsoft product or cloud service vulnerabilities in its investigation of the matter.
Several reports have said that the breach affected the Department of Homeland Security, but the department has not made any official statement.
FireEye and Microsoft, studying the breach, discovered that since spring 2020 the hackers had been gaining access to victims through updates to SolarWinds’ Orion network monitoring software; Microsoft named the campaign “Solorigate”. Microsoft has since removed the certificate from its trusted list, and Defender will automatically flag it as malicious.
What happened?
Attackers were able to quietly add malicious code to SolarWinds’ software updates for Orion users. These updates were trojanized to contain a backdoor that reaches out to third-party servers, enabling the attacker to gain a foothold in the network through routine or automatic updates.
Once the trojanized DLL is successfully loaded, the cybercriminals have access to the environment and can scan the system, exfiltrate data, and/or steal credentials. The update appeared to be legitimate and trusted because it was signed with an official SolarWinds certificate. Additional research by Microsoft indicates that in some instances attackers were able to gain administrative access.
Even the Cybersecurity and Infrastructure Security Agency (CISA) issued a statement saying “CISA is aware of active exploitation of SolarWinds Orion Platform software versions 2019.4 HF 5 through 2020.2.1 HF 1, released between March 2020 and June 2020” and encouraged users to read the SolarWinds and FireEye advisories.
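Two practical checks follow from the description above: whether an installed Orion build falls in the version range CISA names, and whether the Orion host process is beaconing to servers it has no business talking to. The script below is an added example written for this article, not code from SolarWinds, FireEye, Microsoft or CISA. The version range is taken from the CISA statement quoted above; the process name `orion_host.exe`, the log line format, the allowlist of expected destinations and the sample log lines are all constructed placeholders, not identifiers from the advisories.

```python
import re

# Affected range exactly as stated in the CISA statement quoted in the article:
# "2019.4 HF 5 through 2020.2.1 HF 1".
AFFECTED_LOW = "2019.4 HF 5"
AFFECTED_HIGH = "2020.2.1 HF 1"

# Matches "YYYY.N", "YYYY.N.P", optionally followed by "HF K".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Turn an Orion version string into a comparable (major, minor, patch, hotfix) tuple.

    A missing patch level or hotfix number is treated as 0, so "2020.2" sorts
    below "2020.2 HF 1", which sorts below "2020.2.1 HF 1".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside the range CISA reported as actively exploited."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH)


# --- outbound connection review ------------------------------------------------
# Hypothetical log format, constructed for this example:
#   <timestamp> process=<image name> dest=<host>:<port>
_LOG_RE = re.compile(r"^(\S+)\s+process=(\S+)\s+dest=([^:\s]+):(\d+)$")

# Placeholder image name for the Orion host process (assumption, not from the article).
ORION_PROCESSES = {"orion_host.exe"}

# Constructed allowlist: the only destinations the Orion host is expected to contact.
EXPECTED_DESTS = {"orion-updates.internal.example", "ntp.internal.example"}

# Constructed sample log lines; the second line is the kind of unexplained
# third-party callback the article describes.
SAMPLE_LOG = """\
2020-06-01T10:00:01Z process=orion_host.exe dest=orion-updates.internal.example:443
2020-06-01T10:12:44Z process=orion_host.exe dest=cdn.unrelated-third-party.example:443
2020-06-01T10:13:02Z process=browser.exe dest=www.example.org:443
2020-06-01T11:00:00Z process=orion_host.exe dest=ntp.internal.example:123
"""


def find_unexpected_beacons(log_text: str, processes=ORION_PROCESSES, allowlist=EXPECTED_DESTS):
    """Return connections made by the Orion process to hosts outside the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        ts, proc, host, port = m.groups()
        if proc in processes and host not in allowlist:
            hits.append({"time": ts, "process": proc, "dest": f"{host}:{port}"})
    return hits


if __name__ == "__main__":
    for v in ("2019.4 HF 4", "2019.4 HF 5", "2020.2", "2020.2 HF 1", "2020.2.1 HF 2"):
        print(f"{v:16s} affected={is_affected(v)}")
    for hit in find_unexpected_beacons(SAMPLE_LOG):
        print("review:", hit)
```

A version match alone does not prove compromise, and a clean version does not rule it out, so the two checks are meant to be used together: confirm exposure from the installed build, then look for the host process contacting anything outside the small set of servers it legitimately needs.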
Who’s behind the attack?
At the moment, it is unclear what the attacker’s motivation or end goal is. Most evidence suggests this is an extremely narrow and targeted nation-state activity as opposed to a widespread attack.
The FBI is investigating the campaign, and so far many suspect the Russian government is responsible for the attack, but Moscow has denied the claims as “baseless”. If the Russia connection is confirmed, it will be the most sophisticated known theft of American government data by Moscow since a two-year spree in 2014 and 2015, in which Russian intelligence agencies gained access to the unclassified email systems at the White House, the State Department and the Joint Chiefs of Staff.
SolarWinds filed a document Monday with the Securities and Exchange Commission saying that “fewer than 18,000” of its more than 300,000 customers may have installed a software patch enabling the Russian attack. It was not clear, the filing said, how many systems were actually hacked.
Read more about it: The Washington Post