Attacks on the SolarWinds Orion Software by Sophisticated Hackers

The Cybersecurity and Infrastructure Security Agency (CISA) gave a warning regarding the active exploitation of the SolarWinds Orion IT monitoring and management software by sophisticated hackers.

The ongoing cyberattack is believed to be the work of a highly sophisticated nation-state hacking group. It is the same group that created a Trojanized version of the Orion software, which was used to download a backdoor known as SUNBURST into customers’ systems.

About 18,000 customers were affected by the supply chain attack because they downloaded the Trojanized version of the Orion software, and with it the SUNBURST backdoor. Large public and private companies and government institutions use SolarWinds Orion.

The U.S. military, the State Department, the Pentagon, the National Security Agency and NASA are SolarWinds customers. 425 of the 500 biggest publicly traded U.S. companies use SolarWinds products. There have been attacks on the US Treasury, the Department of Homeland Security, and the US National Telecommunications and Information Administration (NTIA).

The cybersecurity firm FireEye first detected the attacks. The attacks began in spring 2020 with the release of the malicious versions of the Orion software. The malware is evasive, which is why it went undetected for so long. According to FireEye, the malware hides its network traffic in the Orion Improvement Program (OIP) protocol and stores reconnaissance results in legitimate plugin configuration files so that it blends in with valid SolarWinds activity. After the backdoor was installed, the attackers could move laterally and steal data.

President and CEO of SolarWinds Kevin Thompson said the compromise is thought to be the work of a nation-state group carrying out a very sophisticated, targeted, and manual supply chain attack.

The hackers gained access to SolarWinds’ software development environment and inserted the backdoor code into a library of the SolarWinds Orion Platform software, versions 2019.4 HF 5 up to 2020.2.1 HF 1, which were released between March 2020 and June 2020.

CISA’s Emergency Directive ordered all federal civilian agencies to act quickly to stop any ongoing attack by removing or disconnecting SolarWinds Orion products, versions 2019.4 up to 2020.2.1 HF1, from their systems. The agencies likewise blocked the Windows host OS from connecting to the enterprise domain.

All SolarWinds customers were instructed to upgrade their Orion software to Orion Platform version 2020.2.1 HF 1, and then to apply the second hotfix, 2020.2.1 HF 2, which replaces the compromised component and adds further security improvements.
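The first task for a defender is to find every Orion install and decide, per host, whether it falls inside the affected version range or is already on the hotfix release. The following Python is an added example, not code from SolarWinds, CISA or the article: it parses Orion version strings of the form `YYYY.m[.p] [HF n]` (the format used in the article; treated here as an assumption), compares them against the affected range the article states (2019.4 HF 5 through 2020.2.1 HF 1) and the fixed release it names (2020.2.1 HF 2), and triages a constructed host inventory. Host names and version values in `SAMPLE_INVENTORY` are made up for the demonstration.

```python
import re
from typing import Dict, Tuple

# Version boundaries as stated in the article (assumption: inclusive on both ends).
AFFECTED_LOW = "2019.4 HF 5"
AFFECTED_HIGH = "2020.2.1 HF 1"
FIXED = "2020.2.1 HF 2"

# Accepts "2019.4", "2020.2.1 HF 1", "2020.2.1HF2" and similar (assumed format).
_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> Tuple[int, int, int, int]:
    """Turn an Orion version string into a comparable (major, minor, patch, hotfix) tuple.

    A release with no HF suffix sorts as hotfix 0, so 2020.2.1 < 2020.2.1 HF 1,
    and a missing patch component sorts as 0, so 2020.2 HF 1 < 2020.2.1.
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]          # pad (or trim) to major.minor.patch
    hotfix = int(match.group(2) or 0)
    return (parts[0], parts[1], parts[2], hotfix)


def is_affected(version: str) -> bool:
    """True if the version lies within the affected range named in the article."""
    v = parse_orion_version(version)
    return parse_orion_version(AFFECTED_LOW) <= v <= parse_orion_version(AFFECTED_HIGH)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host: affected, patched (HF 2 or later), outside-range, or unknown.

    'outside-range' hosts are older than the affected range and still need review
    against vendor guidance; 'unknown' hosts have a version string the parser
    does not recognise and need manual inspection.
    """
    fixed = parse_orion_version(FIXED)
    result: Dict[str, str] = {}
    for host, version in inventory.items():
        try:
            v = parse_orion_version(version)
        except ValueError:
            result[host] = "unknown"
            continue
        if is_affected(version):
            result[host] = "affected"
        elif v >= fixed:
            result[host] = "patched"
        else:
            result[host] = "outside-range"
    return result


# Constructed inventory for the demonstration; not real hosts.
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1 HF 1",
    "orion-prod-02": "2020.2.1 HF 2",
    "orion-lab-01": "2019.4 HF 4",
    "orion-lab-02": "2020.2",
    "orion-old-01": "2018.4 HF 3",
    "orion-dev-01": "unknown build",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {SAMPLE_INVENTORY[host]:16} -> {status}")
```

Hosts reported as `affected` are the ones the CISA directive tells agencies to disconnect or remove; a version check alone does not prove a host is clean, so even `patched` and `outside-range` hosts should still be scanned with updated antivirus signatures as the article goes on to describe.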

If an immediate upgrade is impossible, SolarWinds provided guidelines for keeping the Orion Platform secure. Organizations must also check for any indication of compromise using antivirus engines to which the backdoor’s signatures have been added. Microsoft has stated that all of its antivirus products can now detect the backdoor, so users should run a full scan.

SolarWinds, FireEye, the FBI, and the intelligence community are working together to monitor the attacks. SolarWinds and Microsoft are also working to remove an attack vector that leads to the compromise of Microsoft Office 365 productivity solutions.

It is still uncertain which group is behind the attack, but according to the Washington Post, the Russian nation-state hacking group APT29 (Cozy Bear) is responsible. A Kremlin spokesperson said Russia is not involved in the attacks.