Hackers Weaponize SolarWinds Orion for Worldwide Cyberattacks; SolarWinds, FireEye Release Counter Measures
Russian hackers allegedly weaponized SolarWinds Orion business software updates in order to distribute malware called SUNBURST. From there, the Russian hackers allegedly attacked multiple government, consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, FireEye said in a blog post and The Washington Post further reported.
Related: Timeline of SolarWinds Orion cyber attack.
The victims include the U.S. Commerce and Treasury Departments; the Department of Homeland Security (DHS), the National Institutes of Health and the State Department, The Wall Street Journal reports. The U.S. National Security Council held an emergency meeting on Saturday, December 12, to discuss the situation, Reuters added.
Roughly 18,000 SolarWinds customers had downloaded the malware-infected software, though the number of fully compromised victims will perhaps be in the hundreds, the Journal estimated.
SolarWinds Orion Attacked: Corrective Measures
SolarWinds issued an Orion security advisory here, explaining that attack involved Orion builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. The signatures are found on FireEye’s public GitHub page.
SolarWinds Orion is used mainly by IT professionals to monitor corporate and government networks. It is not part of the SolarWinds MSP toolset — which is typically used by managed IT services providers (MSPs) to monitor SMB networks. But some MSPs are known to leverage Orion for various monitoring purposes.
The potential Orion vulnerability surfaces less than one week after FireEye disclosed that hackers stole FireEye’s Red Team penetration testing software. At the time of that disclosure, FireEye expressed concern that the hackers will potentially use the stolen Red Team penetration testing tools to attack additional companies.
SolarWinds Orion Vulnerability: CEO Kevin Thompson’s Statement
SolarWinds stopped short of saying its Orion software was involved in the Treasury Department hack, but Thompson issued this statement to the news agency:
“We are aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products. We believe that this vulnerability is the result of a highly sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordinate with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.”
In a tweet about the alleged Orion issue, former CISA Director Christopher Krebs said:
“If you’re a SolarWinds customer & use [Orion], assume compromise and immediately activate your incident response team. Odds are you’re not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this.”
SolarWinds: Wall Street and $SWI Shareholders React
Amid the hacking reports, SolarWinds stock ($SWI) fell about 19 percent in pre-market trading on December 14, SeekingAlpha reports. Shares rallied a bit after the market opened, and the decline was reduced to about 13 percent to 16 percent, depending on market timing.
The Orion attack emerges just as SolarWinds prepares to finalize a CEO transition. Former Pulse Secure CEO Sudhakar Ramakrishna is scheduled to succeed Thompson in January 2021. Also, SolarWinds MSP is likely to spin off from SolarWinds in 2021.
Note: Story originally posted December 13, 2020. Updated December 14, 2020, to reflect statements and guidance from FireEye and SolarWinds.
What kind of fallout or repercussions do you think will come from this? Besides the stock dipping, do you think the government will go after the perpetrators?
Chad: Thanks for your note. It’s too early to say for sure. It’s also unclear what, if anything, the Trump administration will do during its final weeks in office. After the U.S. presidential inauguration, we’ll be watching to see if/how the Biden administration works with European Union members and allies to hammer out new/more cyber policies to address nation state attacks.
In the meantime, MSSP Alert heard new cybersecurity legislation rumors even before the Orion attacks surfaced.
Anyone know if this impacts other Solarwinds products…SEM, Dameware, ARM, etc…?
Steve: The SolarWinds advisory only mentions Orion. Track the official SolarWinds statement here.
JP: Thanks for the response. That’s pretty much what I was getting to the wait and see approach. It’s crazy how little coverage this incident got initially, but it’s been gaining traction and getting a bit more attention in the past week.