SolarWinds – The comprehensive review

In early 2019, hackers secretly broke into Texas-based SolarWind’s systems and added malicious code into the company’s software system. The system, called “Orion,” is widely used by companies to manage critical IT resources.

SolarWinds has 33,000 customers that use Orion, according to the SEC documentation. E2Security has investigated the cause of the cause to create a “lessons learned” for their customers and to come up with a quick checklist on “what to consider” in order to apply the findings.

 

Opps this is the first time… …that it happened again
When the SolarWinds hack went public Q03/2020 Security Experts across the globe raised their opinion in various forums stating that “a hack like this did not come as a surprise after the homeland security and NSA had suffered a data breach following a hack where hackers gained access to their own very effective hacking tools and backdoor information.
Looking at the hack, its root cause and impact there are major learning for data security and data privacy.

New investigations shows, that the attackers start the activities in April 2019 with the first injection of test codes and started the first trial runs. In February 2020 the Sunburst where compiled and deployed to the customers environments.

Ten month later (1) Solarwinds where notified of the Sunburst attack.

 

Why SolarWinds?
In early 2019, hackers secretly broke into Texas-based SolarWind’s systems and added malicious code into the company’s software system. The system, called “Orion,” is widely used by companies to manage critical IT resources. SolarWinds has 33,000 customers that use Orion, according to the SEC documentation. The hack done enabled the hacker’s access to all SolarWinds Customers internal data – PII, IP the crown jewels of any company.

And not just companies where impacted. Attacked where also US agencies — including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury.

Aiming at targets like SolarWinds was a very clever approach leading to believe that it was strategically so well planned that only a government related group using time, money, and resources in such a way. Once the homeland security got hacked it did not result in any immediate monetary gain but lead to provide access to information about the core of the IT infrastructure within larger organizations – as for example other government departments. Why would any hacker attack such a target instead of going after Banking, Credit Card or Password -Data?

The installed malware code established a backdoor to customer’s information technology systems, which hackers could use to install additional malware on the impacted system to help them spy on companies and organizations. As SolarWinds had a major position in network management market the hack worked like a “super spreader”.

According to FireEye, this attack was the work of sophisticated attackers. This more specifically includes the sophistication of both development and operational teams. The development teams deployed anti-analysis countermeasures. The malware was developed to check file system timestamps to ensure the product has been deployed for 12 to 14 days before it phones home. This effectively prevents the use of malware sandboxes or other instrumented environments to detect it.

As a result of that distributed “cover-up” and “countermeasures” the SolarWinds hack remained undetected for a very long time. The threat actors began distributing the backdoor in March 2020, which sat silently in some of the compromised networks for months while harvesting information or performing other malicious activity.

 

Why did the hack happen without being noticed?

To read the full article, please download the corresponding whitepaper. Enjoy reading!
DOWNLOAD

The missing link in the chain: Cybersecurity in the value chain