A Timeline of the Solarwinds Hack: What We’ve Learned
Published January 19, 2021 WRITTEN BY THE KIUWAN TEAMExperienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species. The SolarWinds hack was a major security breach that affected a software company serving over 3,000 companies, including major corporations like Cisco, Intel, Cox Communications, and Belkin. Also attacked were multiple US states and government agencies including the US Department of State and the US Department of Homeland Security. The attack, dubbed SUNBURST, involved inserting malicious code into the firm’s Orion Platform software and using it to access clients’ networks. Experts believe the attack was instigated by hackers based in Russia and may have managed to access sensitive government data. It is one of the most sophisticated cyberattacks in history, with malware capable of evading detection. Here’s a timeline of the major events in the SUNBURST attack, followed by recommendations for organizations to protect against supply-chain threats. The Attack Timeline Threat Actor Accesses SolarWinds September 4, 2019: unknown attackers access SolarWinds. September 12, 2019: the hackers inject the test code and perform a trial run. The attackers used a sophisticated injection source to insert the SUNBURST malicious code into the company’s Orion Platform software. The attacker used multiple servers based in the US and mimicked legitimate network traffic to circumvent the threat detection used by SolarWinds, its partners, and clients. February 20, 2020: Hackers compile and deploy the SUNBURST attack. This was an updated variant of the malicious code inserted into the Orion Platform released from February 20, 2020, and beyond. June 4, 2020: the perpetrators removed the SUNBURST malicious code from SolarWinds systems. FireEye Discovers SolarWinds Attacks December 8, 2020: FireEye, a cybersecurity threat and intelligence provider, reports that state-sponsored hackers broke into its network and made away with its Red Team penetration testing and assessment tools. The company was concerned that the hackers would use the stolen tools to target other companies. December 11, 2020: while conducting breach investigations, FireEye discovered that SolarWinds had been attacked. They realized that this was a supply chain hack where the attackers had corrupted and weaponized SolarWinds’ Orion Platform updates. The malicious SUNBURST code had corrupted all the Orion releases made between March and June 2020. December 12, 2020: FireEye informs SolarWinds that the Orion Platform had been compromised through a cyberattack. The news prompted the National Security Council (NSC) to convene a White House meeting to discuss the security breach of several government agencies and enterprises. The News Becomes Public December 13, 2020: The Cybersecurity and Infrastructure Security Agency (CISA) issues an emergency directive requiring federal agencies to disable SolarWinds Orion connections because they posed a substantial security threat. SolarWinds issues a security advisory explaining the Orion Platform hack and the defensive measures clients could use to protect their systems. FireEye disclosed that a hacker had used SolarWinds’ supply chain to compromise the networks of several global clients. Microsoft issued guidance explaining how the attack could affect its customers. The attack got media coverage for the first time. Reuters reported that the hack on SolarWinds Orion may have originated in Russia and could have compromised the systems of several federal agencies. Public Response Begins December 15, 2020: SolarWinds released a software fix. The media identified victims to include the Department of Homeland Security (DHS), the State Department, and the National […]
