SolarWinds develops software that helps businesses to manage their networks, systems, and information technology infrastructure. Its customers include Fortune 500 companies and US government agencies. With 33,000 users, the company’s powerful Orion Platform has been designed to make it easy to monitor, analyze, and manage the complete IT stack in one place.
In December 2020, Microsoft investigations found evidence of an attempted supply chain attack at SolarWinds. This was different from an attack earlier in the year in which ‘Sunburst’ malware had been inserted into Orion binaries, costing cyber insurance firms an estimated US$90 million.
In the new attack, named Supernova, malware was implemented stealthily to make a very small number of changes to the Orion source code, providing remote access to hackers by enabling them to bypass authentication and execute API commands, all while leaving a minimal forensic footprint. In short, Supernova enabled hackers to impersonate any of the organization’s existing users and accounts, including those that were highly privileged, and to spy on private companies and high-level US Government Departments.
As with an astronomical supernova, the build up to this attack took place over an extended period of time. Like most software providers, SolarWinds sends our regular updates to its systems, to fix bugs or add new features. As early as February 2020, malware was planted in legitimate updates to the Orion software that were sent to 18,000 public and private sector SolarWinds customers. The code, which remained undetected by SolarWinds developers thanks to sophisticated tracking and camouflaging, created a backdoor to the customers’ IT systems, which the hackers were able to use to install even more malware.
At least 250 private and public organizations are believed to have been targeted and compromised, including parts of the Pentagon, the Department of Homeland Security and Treasury Department, private companies like Microsoft, Cisco, Intel and Deloitte, and other organizations like the California Department of State Hospitals, and Kent State University.
Experts say that the SolarWinds attack is just one of likely many similar supply chain compromises by stealthy and sophisticated groups, possibly nation-state hackers. They also agree that the key to any organization protecting themselves from such attacks is awareness – something that we at CYBERGYM have been talking about, and dedicating our lives to, for years.
It is hoped that this hack will accelerate broad changes in the cybersecurity industry. Meanwhile, at CYBERGYM, we are already investigating and analyzing the malware that hit SolarWinds and its customers, so that we can implement it as a learning exercise in the attack scenarios used in our training facilities.
In short, it’s time to take matters into your own hands – and we’re here to help! CYBERGYM