FireEye, a cybersecurity company that works with US law enforcement agencies, published a blog post on its website on 13th December 2020 highlighting an issue with SolarWinds' Orion IT monitoring and management solution. According to the post, the issue has affected people and businesses globally and may have begun as early as spring 2020. This blog will take you through the issue and present views from people around the world regarding this hack.
What exactly is this hack?
This global campaign, uncovered by FireEye and tracked as UNC2452, has targeted businesses worldwide that use SolarWinds' Orion software, and the actors behind it have gained access to public and private organisations all around the world. An update for the software, released on SolarWinds' official website, included a file named “SolarWinds.Orion.Core.BusinessLayer.dll”, a SolarWinds digitally-signed component of the Orion software framework that contains a backdoor communicating via HTTP to third-party servers. The perpetrators trojanised this component and bundled it into the update patch released by SolarWinds. The malware gave them the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. It is considered highly sophisticated because it disguises its traffic as the Orion Improvement Program (OIP) protocol and stores the logs of the data it collects alongside the plugin information files, allowing it to blend in with the software's legitimate activity.
Who are the victims of this attack, and what has been done to amend the situation?
The victims of this attack are not limited to one country, continent or type of organisation; they are spread across the world and across various sectors. The list of victims includes governments, consulting firms, technology companies, telecoms and extractive entities in North America, Europe, the Middle East and Asia. FireEye and SolarWinds have informed the affected parties as well as other potentially affected or at-risk entities. All those affected were customers of SolarWinds, and around 30 of those customers were in the United States. The same breach has also affected various US government departments and federal agencies, such as the Department of Energy and the Department of Homeland Security.
It was also reported that the hackers behind this incident broke into Microsoft's servers and were able to access some of the company's well-guarded source code. A Microsoft spokesman said security employees had been working “around the clock” and that “when there is actionable information to share, they have published and shared it.”
This hack has allowed the perpetrators not only to alter data but to track and steal it as well, so making amends or mitigating the issue has not been easy. SolarWinds has recommended that all its customers update their software to Orion Platform release 2020.2.1 HF 1, which is currently available via the SolarWinds Customer Portal. FireEye, however, has recommended isolating the affected systems and building separate systems with the latest software and platforms, so that an update to the previous platforms does not overwrite forensic evidence and traces, or leave additional backdoors in place. SolarWinds has also issued detailed recommendations on the same, which can be accessed by following this link.
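As an added example, not from the original post or from SolarWinds or FireEye: a PowerShell script an administrator could run on an Orion server before applying the 2020.2.1 HF 1 update, to preserve the DLL named above together with its hash, version and signature details, so that patching in place does not destroy the evidence. The install path and the evidence folder are assumptions, and the hash list holds placeholders to be filled in from the vendor or FireEye advisory, not real indicators.

```powershell
# Added example (not the post's or the vendor's code). Preserve evidence about the Orion DLL
# before it is overwritten by a patch. Assumed default Orion install path and an offline
# evidence folder; $KnownBad contains placeholders, not actual indicator hashes.
$DllPath  = 'C:\Program Files (x86)\SolarWinds\Orion\SolarWinds.Orion.Core.BusinessLayer.dll'
$KnownBad = @('<SHA256-FROM-ADVISORY-1>', '<SHA256-FROM-ADVISORY-2>')  # placeholders
$OutDir   = 'D:\IR\solarwinds-evidence'                                # assumed location

function Save-OrionDllEvidence {
    param([string]$Path, [string[]]$BadHashes, [string]$Destination)

    if (-not (Test-Path $Path)) { throw "DLL not found at $Path" }
    New-Item -ItemType Directory -Force -Path $Destination | Out-Null

    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $info = (Get-Item $Path).VersionInfo

    # Keep a copy of the binary itself so later analysis does not depend on the live host.
    Copy-Item -Path $Path -Destination (Join-Path $Destination 'BusinessLayer.dll.evidence') -Force

    $record = [pscustomobject]@{
        CollectedUtc    = (Get-Date).ToUniversalTime().ToString('o')
        Host            = $env:COMPUTERNAME
        Path            = $Path
        Sha256          = $hash
        FileVersion     = $info.FileVersion
        # 'Valid' is expected even for the trojanised build: the backdoored DLL was signed
        # with SolarWinds' own certificate, so the signature alone cannot clear the file.
        SignatureState  = $sig.Status.ToString()
        Signer          = $sig.SignerCertificate.Subject
        MatchesKnownBad = ($BadHashes -contains $hash)
    }
    $record | ConvertTo-Json |
        Out-File -FilePath (Join-Path $Destination 'orion-dll-evidence.json') -Encoding utf8
    return $record
}

$result = Save-OrionDllEvidence -Path $DllPath -BadHashes $KnownBad -Destination $OutDir
if ($result.MatchesKnownBad) {
    Write-Warning 'Hash matches the advisory list: isolate this host and do not patch in place.'
} elseif ($result.SignatureState -eq 'Valid') {
    Write-Output 'Signature is valid, but that proves nothing here; compare the hash against the advisory.'
}
```

Run it from an elevated session on the Orion host and store the evidence folder off-box before any update is applied.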
The aftermath of the incident
The US Cybersecurity and Infrastructure Security Agency (CISA) also issued Emergency Directive 21-01, asking all “federal civilian agencies to review their networks” for indicators of compromise and to “disconnect or power down SolarWinds Orion products immediately”. The FBI, CISA and the Office of the Director of National Intelligence also issued a joint statement announcing a task force known as the “Cyber Unified Coordination Group (UCG)” to coordinate the government's response to the crisis. While the White House has been mostly silent on the issue, President-elect Joe Biden has issued a statement: “A good defence isn't enough; we need to disrupt and deter our adversaries from undertaking significant cyber attacks in the first place.”