A Timeline of the SolarWinds Hack: What We’ve Learned
Published January 19, 2021
WRITTEN BY THE KIUWAN TEAM
Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
The SolarWinds hack was a major security breach that affected a software company serving over 3,000 companies, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also attacked were multiple US states and government agencies including the US Department of State and the US Department of Homeland Security.
The attack, dubbed SUNBURST, involved inserting malicious code into the firm’s Orion Platform software and using it to access clients’ networks. Experts believe the attack was instigated by hackers based in Russia and may have managed to access sensitive government data. It is one of the most sophisticated cyberattacks in history, with malware capable of evading detection.
Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats.
The Attack Timeline
Threat Actor Accesses SolarWinds
- September 4, 2019: unknown attackers access SolarWinds.
- September 12, 2019: the hackers injected test code and performed a trial run. The attackers later used a sophisticated injection mechanism to insert the SUNBURST malicious code into the company’s Orion Platform software. They operated from multiple servers based in the US and mimicked legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients.
- February 20, 2020: the hackers compiled and deployed the SUNBURST attack. This was an updated variant of the malicious code, inserted into the Orion Platform builds released from February 20, 2020, onward.
- June 4, 2020: the perpetrators removed the SUNBURST malicious code from SolarWinds systems.
FireEye Discovers SolarWinds Attacks
- December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company was concerned that the hackers would use the stolen tools to target other companies.
- December 11, 2020: while conducting breach investigations, FireEye discovered that SolarWinds had been attacked. They realized that this was a supply chain hack where the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020.
- December 12, 2020: FireEye informed SolarWinds that the Orion Platform had been compromised through a cyberattack.
- The news prompted the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises.
The News Becomes Public
December 13, 2020:
- The Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they posed a substantial security threat.
- SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems.
- FireEye disclosed that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients.
- Microsoft issued guidance explaining how the attack could affect its customers.
- The attack got media coverage for the first time. Reuters reported that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies.
Public Response Begins
December 15, 2020:
- SolarWinds released a software fix.
- The media identified victims to include the Department of Homeland Security (DHS), the State Department, and the National Institutes of Health, among others.
- A bipartisan group of senators implored CISA and the FBI to investigate and submit a report to Congress detailing the impact of the cyberattack on federal agencies.
SolarWinds Releases Additional Details
December 16, 2020:
- SolarWinds clarified that its MSP software was not affected by the attack, but the MSP group was taking steps to mitigate risks. As a precautionary measure, SolarWinds MSP instructed its partners to revoke the digital certificates of the MSP tools and to digitally re-sign its applications. The company revoked all the old certificates and issued customers with new ones.
- Security experts identified the malicious domain name used in the attack and turned it into a kill switch that caused the malware to self-destruct.
- A columnist in the New York Times noted that the breach was a major threat to national security.
- The FBI started investigations to collect intelligence and identify, disrupt, and pursue the actors.
Affected Organizations Revealed
December 17, 2020:
- Microsoft confirmed that it had detected the infected SolarWinds files in its systems and neutralized them. However, there were no indications that its system had been compromised.
- US president-elect Joe Biden vowed that confronting cybersecurity threats would be one of his incoming government’s priorities.
- December 19, 2020: analysts and news outlets reported that around 198 organizations had been affected.
- December 22, 2020: The US Treasury Department revealed that dozens of email accounts had been compromised, including those of high-ranking officials.
Security Updates Are Released
- December 24, 2020: SolarWinds explained how its latest security patches and fixes had addressed the Orion Supernova attack.
- December 30, 2020: CISA released an updated guideline on the Orion platform vulnerability. It advised all the federal agencies using the SolarWinds Orion platform to update to version 2020.2.1HF2, which had been verified safe from the malicious code.
- January 5, 2021: SentinelOne released an open-source SUNBURST assessment tool to help organizations determine their attack readiness level.
US Intelligence Agencies Accuse Russia
- January 5, 2021: In a joint statement, US intelligence agencies formally accused Russia of association with the SolarWinds attack that compromised several federal departments and agencies.
- January 6, 2021: The New York Times reported that American intelligence agencies were examining the role that JetBrains TeamCity CI/CD software may have played in allowing Russian hackers to introduce a back door into client software. JetBrains responded to this report in a series of announcements on January 6 through 8.
- January 11, 2021: Kaspersky noted that the SolarWinds hack resembled malware used by the Turla hacking group affiliated with the Russian security service.
SolarWinds Upgrades Its IT Staff As More Attack Details Are Revealed
- January 6, 2021: SolarWinds rehired its former CEO as a consultant in the interim. He will assist with the investigations of the Orion breach.
- January 8, 2021: SolarWinds CEO said that the company would prioritize cybersecurity in 2021. SolarWinds hired former Facebook and CISA security experts as consultants.
- January 11, 2021: CrowdStrike published a technical analysis of a tool called SUNSPOT, which the attackers deployed in SolarWinds’ build environment in order to inject the SUNBURST backdoor into Orion builds.
Conclusion
The SolarWinds SUNBURST attack is the most high-profile cyberattack in recent years. The attackers used a compromised supply chain to target several clients, including federal government agencies and tech companies. Organizations can mitigate such attacks by sharing intelligence about threat activities and forming cybersecurity partnerships.
Organizations must become more vigilant against threats posed by third-party supply chain vendors by improving their cyber-security hygiene. One approach is to use the zero-trust model where both insiders and outsiders need verification before accessing a network. The zero-trust framework also applies the concept of least-privilege access where users and network insiders only access what they need, unlike the traditional setup where insiders have unfettered access to the network.
Although it remains unproven that JetBrains TeamCity was used by the attackers in this incident, the SUNBURST attack also highlights the need for software vendors to harden cloud-based development platforms against intrusion. We recommend considering a solution like Assembla, which supports secure source code development for Git, SVN, and Perforce.
Kiuwan offers solutions for application security testing by leveraging SAST and SCA analysis to achieve scalable and fast platforms that seamlessly integrate with any DevOps environment. Get in touch with our team and let’s talk security!