The attackers compromised the SolarWinds Orion software platform by inserting malicious code into multiple valid software patches released by SolarWinds. It's believed the SolarWinds software was hacked with a 'dry run' going back to October 2019, but the actual compromised patches started to roll out with the malicious code in the spring of 2020.
The SolarWinds Orion products are network monitoring products that require unfettered access to everything on a network, which makes them a perfect conduit for the hackers and extremely dangerous once compromised.
The attack is far reaching, covering potentially 18,000 SolarWinds clients including just about every major department of government and many Fortune 500 companies. Government entities suspected of being compromised include: Homeland Security, State Department, US Treasury (including the IRS), Department of Energy, and the National Nuclear Security Administration.
Some of the private companies that are suspected of being compromised include: Microsoft, Cisco Systems, Nvidia Corp, VMware, The New York Times and Belkin, which makes Linksys WiFi routers.
One concern is that the clients of the compromised companies are vulnerable. For example, there is some concern that after Microsoft was compromised, users of Microsoft products may also have been compromised. Similarly, it's easy to see that if Belkin's Linksys routers were compromised, then millions of consumers of their WiFi routers may also be vulnerable.
The compromise would still be going undetected if not for a FireEye employee who initially suspected something was off when he received a routine email alert. FireEye was first to discover the breach and reported many of its tools stolen by the hackers on December 8th. It was not until later that it was discovered that the breach was actually in SolarWinds and was much more widespread than just FireEye. If not for FireEye, we all likely would still be in the dark on this one.
It is widely suspected, although not confirmed, that the sophisticated attack was the work of a group called "Cozy Bear" within the SVR - the Russian spy agency that succeeded the KGB.
Outgoing President Donald Trump didn’t comment on the attacks for several days, and when he finally tweeted about it, he said the attacks were overblown by “fake news”, and then contradicted his own intelligence agencies and his Secretary of State - Mike Pompeo - by proclaiming that the attacks likely were not Russia but maybe China.
FireEye's stock initially plummeted 13% on the news of its breach and stolen tools. It has since recovered and is up over 30% above where it was prior to the news of the hack. SolarWinds stock is down 30% since the news came out.
It's been reported that a couple of Silicon Valley investors (Silver Lake and Thoma Bravo) apparently sold hundreds of millions of dollars in SolarWinds shares about a week before the news of the hack became public. If true, the SEC is likely to be knocking on their doors soon to investigate insider trading.
It's interesting and ironic that the Equifax hack was the result of ignoring a software patch, while this SolarWinds hack was delivered via software patches. Patching is the number one way software companies encourage their clients to keep up with the latest security bug fixes, but will companies think twice about patching going forward?
Image courtesy of Financial Times