The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that sophisticated hackers are actively exploiting a Trojanized build of SolarWinds Orion, the IT monitoring and management platform.
The cyberattack, which is ongoing, is believed to be the work of a highly sophisticated and evasive nation-state hacking group that created the Trojanized version of the Orion software and used it to deploy a backdoor, dubbed SUNBURST, into customers' systems.
The supply chain attack has impacted around 18,000 customers, who are understood to have downloaded the Trojanized version of SolarWinds Orion and with it the SUNBURST backdoor. Having installed the backdoor does not by itself mean a network was actively worked by the attackers, who pursued follow-on activity against only a subset of those customers. SolarWinds Orion is used by large public and private organizations and government agencies.
SolarWinds customers include all five branches of the U.S. military, the Pentagon, State Department, NASA and National Security Agency. Its solutions are also used by 425 of the 500 largest publicly traded U.S. companies. The US Treasury, US National Telecommunications and Information Administration (NTIA), and Department of Homeland Security are known to have been attacked. The campaign was first detected by the cybersecurity company FireEye, which was also attacked as part of this campaign.
The attacks started in spring 2020 when the first malicious versions of the Orion software were introduced. The hackers are believed to have been present in compromised networks since then. The malware is evasive, which is why it has taken so long to detect the threat. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” according to FireEye. Once the backdoor has been installed, the attackers move laterally and steal data.
“We believe that this vulnerability is the result of a highly-sophisticated, targeted, and manual supply chain attack by a nation-state,” said Kevin Thompson, SolarWinds President and CEO.
The hackers gained access to SolarWinds' software development environment and inserted the backdoor into a legitimate, digitally signed Orion component (the SolarWinds.Orion.Core.BusinessLayer.dll library) shipped in Orion Platform versions 2019.4 HF 5 through 2020.2.1, which were released between March 2020 and June 2020. Because the component carries a valid SolarWinds signature and arrives through the normal update channel, code signing alone does not flag it.
CISA issued an Emergency Directive (ED 21-01) ordering all federal civilian agencies to take immediate action to block any attack in progress by disconnecting or powering down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, and removing them from their networks. Hosts that ran the affected software are to be treated as compromised: until CISA directs agencies to rebuild the Windows operating system and reinstall the SolarWinds package, agencies are prohibited from "(re)joining the Windows host OS to the enterprise domain."
All customers have been advised to immediately upgrade their SolarWinds Orion software to Orion Platform version 2020.2.1 HF 1. A second hotfix – 2020.2.1 HF 2 – is due to be released on Tuesday and will replace the compromised component and implement other additional security enhancements.
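The article quotes two version ranges that do not quite line up: SolarWinds' list of Trojanized builds (2019.4 HF 5 through 2020.2.1, with 2020.2.1 HF 1 as the first clean build) and CISA's broader disconnect range (2019.4 through 2020.2.1 HF1). The triage script below is an added example, not SolarWinds or CISA code; it parses Orion version strings in the "2020.2 HF 1" form the vendor uses, orders them, and sorts a constructed host inventory into the four buckets that fall out of those two ranges. The `known_clean` allowlist is an assumption of this example, there to hold any later vendor-published clean hotfix on an older branch that a plain range comparison would otherwise misclassify as Trojanized.

```python
import re

# Orion version strings as SolarWinds prints them: "2019.4 HF 5", "2020.2", "2020.2.1 HF 1".
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+){1,2})\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_version(text):
    """Turn an Orion version string into a comparable (year, release, patch, hotfix) tuple.

    A missing third component or a missing hotfix counts as 0, so "2020.2" sorts
    before "2020.2 HF 1", which sorts before "2020.2.1".
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], hotfix)


# The two ranges in the article. SolarWinds: builds 2019.4 HF 5 through 2020.2.1 carry the
# backdoor and 2020.2.1 HF 1 is the first clean build. CISA ED 21-01 goes wider and orders
# 2019.4 through 2020.2.1 HF1 off the network.
FIRST_TROJANIZED = parse_version("2019.4 HF 5")
FIRST_CLEAN = parse_version("2020.2.1 HF 1")
ED_FLOOR = parse_version("2019.4")


def classify(version_text, known_clean=()):
    """Bucket one version: "clean", "trojanized", "ed-range" or "old".

    known_clean (assumption of this example) lists vendor-confirmed clean builds that sit
    numerically inside the Trojanized range, e.g. a later hotfix issued for an older branch;
    a pure range comparison cannot know about those.
    """
    v = parse_version(version_text)
    if v in {parse_version(x) for x in known_clean}:
        return "clean"
    if v >= FIRST_CLEAN:
        return "clean"
    if v >= FIRST_TROJANIZED:
        return "trojanized"
    if v >= ED_FLOOR:
        return "ed-range"  # not on SolarWinds' list, but inside the CISA directive's range
    return "old"


ACTIONS = {
    "trojanized": "disconnect or power down; treat host as compromised; do not rejoin domain; rebuild, then upgrade",
    "ed-range": "disconnect per ED 21-01; confirm exact build; upgrade to 2020.2.1 HF 1",
    "old": "below the Trojanized range; upgrade to 2020.2.1 HF 1",
    "clean": "no action beyond applying HF 2 when released",
}


def triage(inventory, known_clean=()):
    """Map {hostname: version string} to {hostname: (bucket, action)}; unparseable versions are flagged."""
    result = {}
    for host, version in inventory.items():
        try:
            bucket = classify(version, known_clean)
        except ValueError:
            result[host] = ("unknown", "version string unrecognised; inspect host manually")
            continue
        result[host] = (bucket, ACTIONS[bucket])
    return result


# Constructed sample inventory (hostnames and versions made up for this example).
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2 HF 1",
    "orion-prod-02": "2019.4 HF 5",
    "orion-lab-01": "2020.2.1 HF 1",
    "orion-legacy": "2018.4 HF 3",
    "orion-stage": "2019.4 HF 4",
    "orion-odd": "build 9083",
}

if __name__ == "__main__":
    for host, (bucket, action) in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {bucket:11} {action}")
```

The "ed-range" bucket is the one worth a second look: a 2019.4 install without HF 5 is not on SolarWinds' Trojanized list, but it is inside the range CISA ordered off federal networks, and the version string alone cannot tell you whether HF 5 was applied later without being recorded. Confirm the build on the host before deciding it is out of scope.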
For organizations that cannot upgrade immediately, SolarWinds has released guidelines for securing the Orion Platform. Organizations should also scan for signs of compromise. Signatures for the backdoor are being added to antivirus engines, and Microsoft has confirmed that all its antivirus products now detect it; users have been advised to run a full scan. Removing the backdoor binary does not undo any lateral movement or credential theft that followed its installation, so a positive detection should be handled as an incident rather than a cleanup.
SolarWinds is working closely with FireEye, the Federal Bureau of Investigation, and the intelligence community to investigate the attacks. SolarWinds is also working with Microsoft to remove an attack vector that leads to the compromise of targets’ Microsoft Office 365 productivity tools.
It is currently unclear which group is responsible for the attack, although the Washington Post claims to have spoken to sources who confirmed the attack was the work of the Russian nation-state hacking group APT29 (Cozy Bear). A spokesperson for the Kremlin said Russia had nothing to do with the attacks, stating "Russia does not conduct offensive operations in the cyber domain."