SolarWinds: Anatomy of a Nation-state Hacking Campaign
January 29, 2021 | Sam Galpin
The SolarWinds cyberattack has been widely reported on. The prevailing opinion is that it was a Russian espionage campaign. What is clear is that the attackers were highly skilled and well resourced. To date, there is no evidence that ICS systems were targeted. The capability, however, is clearly there. What follows attempts to provide a clear outline of the campaign as it emerges from the published details.
SolarWinds Orion as an attack vector
Orion is a suite of tools for network management. Joe Weiss has described Orion as “SCADA for networks.” It is especially popular with IT departments at government agencies and large enterprises. As an attack vector it has an almost unique combination of three properties. First, it sits at the center of IT operations and inherently has visibility across the network. Second, its users are likely to hold high privilege levels. Third, its processes routinely perform privileged actions, and the server stores the credentials it uses to poll and manage the devices it monitors. The first objectives of an attacker inside a network are lateral movement and privilege escalation. A back door into the Orion execution environment is a very good starting point for both.
Weaponizing Orion
Orion software is built by SolarWinds. The attackers penetrated the SolarWinds software development environment and inserted their own code into the Orion build process, so that the backdoor was compiled into the product without ever appearing as a commit in the source repository. The result was that from March to June 2020 every update release of Orion shipped with their backdoor (publicly named SUNBURST). Because the implant was added as part of the normal build process, the final executables all carried a valid SolarWinds code signature, and signature verification on the customer side gave no warning. Any customer who installed one of these updates was now infected. The attackers then removed their code from the build and covered their tracks. They probably knew they had access to their primary targets and wanted to minimize their chances of detection.
Establishing Command and Control at the Target
The trojan software was designed to evade detection. After lying dormant for roughly two weeks it would begin beaconing to the attackers, using DNS queries whose subdomain encoded the victim's identity so the attackers could decide whether a given installation was worth pursuing. If it was a system the attackers were interested in, they could then deliver additional attack modules and proceed with reconnaissance, privilege escalation, and lateral movement to get themselves firmly established and well hidden. From there they could pursue their real objectives.
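The practical check that follows from the beaconing behaviour is a retrospective search of resolver logs from the infected host. The script below is an added example, not part of the original post or of any SolarWinds or FireEye tooling. The log line format and every query in it are constructed for illustration; only the watch domain, avsvmcloud.com, comes from FireEye's and CISA's public reporting on SUNBURST. The encoded subdomain labels in the sample are made up and do not reproduce a real victim encoding. Adapt parse_line() to your resolver's real format (Zeek dns.log, Windows DNS debug logs and BIND query logs all differ).

```python
"""Scan DNS query logs for SUNBURST-style beacons to a watched C2 domain.

Added example, not from the original post. Matching is on DNS label boundaries
so that look-alike names with the watched domain in the middle do not match.
"""
import re
from datetime import datetime

# avsvmcloud.com is the SUNBURST command-and-control domain published by
# FireEye and CISA (Emergency Directive 21-01). Extend with your own entries.
WATCHLIST = ("avsvmcloud.com",)

# Constructed resolver log (not real data): "<timestamp> <client> query <qname>".
SAMPLE_LOG = """\
2020-04-02T09:14:07Z 10.1.20.15 query updates.example.com
2020-04-02T09:14:09Z 10.1.20.15 query 7hv5k2ol8u8nqwm1b4z.appsync-api.eu-west-1.avsvmcloud.com
2020-04-02T09:15:12Z 10.1.20.44 query mail.example.com
2020-04-03T09:14:10Z 10.1.20.15 query k9d3hq0s2p1tz5e4.appsync-api.us-east-2.avsvmcloud.com
2020-04-03T09:20:01Z 10.1.20.99 query avsvmcloud.com.lookalike.example
2020-04-05T11:02:55Z 10.1.20.15 query m2x8c4v6b1n3.appsync-api.us-west-2.avsvmcloud.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+query\s+(\S+)\s*$")


def parse_line(line):
    """Return (timestamp, client_ip, qname) for a constructed log line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    # Normalise the name: strip a trailing dot, compare case-insensitively.
    return ts, m.group(2), m.group(3).rstrip(".").lower()


def is_watched(qname, watchlist=WATCHLIST):
    """True if qname equals a watched domain or is a subdomain of one.

    'x.avsvmcloud.com' and 'avsvmcloud.com' match; 'avsvmcloud.com.lookalike.example'
    and 'notavsvmcloud.com' do not, because the suffix test includes the dot.
    """
    q = qname.rstrip(".").lower()
    return any(q == w or q.endswith("." + w) for w in watchlist)


def scan(log_text, watchlist=WATCHLIST):
    """Group watched queries by client: count, first/last seen, distinct names."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, client, qname = rec
        if not is_watched(qname, watchlist):
            continue
        h = hits.setdefault(client, {"count": 0, "first": ts, "last": ts, "qnames": set()})
        h["count"] += 1
        h["first"] = min(h["first"], ts)
        h["last"] = max(h["last"], ts)
        h["qnames"].add(qname)
    return hits


if __name__ == "__main__":
    for client, h in scan(SAMPLE_LOG).items():
        span = h["last"] - h["first"]
        print(f"{client}: {h['count']} beacon(s) over {span.days} day(s), "
              f"{len(h['qnames'])} distinct names; first seen {h['first']:%Y-%m-%d %H:%M}")
```

Two things to keep in mind when running this against real logs. First, the Orion server is the host expected to beacon, so a hit from any other client is worth treating as a separate finding. Second, the first-seen timestamp matters: the dormant period means the earliest beacon is about two weeks after the trojanized update was installed, which narrows the window in which to look for the second-stage activity the next section describes.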
Secondary Attack Modules and Infrastructure
One of the striking characteristics of the attackers was that they were highly skilled, stealthy, patient, and well resourced. The secondary modules were almost always unique custom builds tailored to the local environment. File names were chosen to blend in and look like files expected to be there. They used a very large number of command-and-control servers spread across the Internet, so that no single address or domain tied the intrusions together. They were inside target systems for months without detection. The full extent and objectives of the SolarWinds campaign remain unknown. About 18,000 SolarWinds customers downloaded the weaponized Orion version. Only a fraction of these received known follow-up attacks. One of these was the cybersecurity firm FireEye.
FireEye
FireEye, one of the leading cybersecurity firms, announced on December 8, 2020 that it had been hacked and that its red team penetration testing tools had been stolen. This caused a major uproar in the cybersecurity world, as the theft was compared to the infamous case of the Shadow Brokers and the NSA toolset. FireEye’s stock price dropped sharply. The attackers’ rejoicing did not last long. On December 13, FireEye’s investigation of its own intrusion led it to reveal the SolarWinds campaign, and CISA issued Emergency Directive 21-01 ordering federal agencies to disconnect or power down affected SolarWinds Orion installations. While it is not hard to imagine why the attackers would be tempted to attack FireEye, doing so was probably a serious error in judgement.
Takeaways
Defense against nation-state level cyber attacks is difficult. The attackers were well entrenched inside multiple targets for months. Had they not attacked FireEye, they would probably still be there operating undetected. There is no public evidence that this campaign was targeting ICS systems, but there is no question that the attackers could have expanded their access from IT networks into control networks. Bedrock intrinsic security adds multiple layers of cyber security technology and defense within its products and its supply chain to help prevent this type of supply chain compromise.