SolarWinds (2020)

From International cyber law: interactive toolkit
Date: The discovery of an ongoing attack was announced by FireEye on 13 December 2020.[1] The malware was supposedly distributed from March to June 2020,[2] and the first infiltrations into the SolarWinds systems were traced back to 2019.[3]
Suspected actor: The U.S. government has attributed the attack to an “Advanced Persistent Threat Actor, likely Russian in origin”, without naming any particular actor.[4] According to The Washington Post, the hack could be traced to a unit of Russia’s Foreign Intelligence Service (SVR), also known as “Cozy Bear” or APT29,[5] whereas the Russian cybersecurity firm Kaspersky reported similarities in the code that might point to the APT group Turla, while not ruling out a possible involvement of APT29 as well.[6] Russia has denied all allegations, claiming that it “does not conduct offensive operations in the cyber domain”.[5]
Target: Clients of SolarWinds, including U.S. government entities as well as private sector organisations. Amongst them were global companies such as Microsoft, Cisco, Intel and Deloitte, and U.S. governmental agencies such as the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the Department of Agriculture, the National Nuclear Security Administration and the Treasury.[7][8] The first to notice the breach was the private cybersecurity firm FireEye, itself a victim of the hack.[1]
Target systems: SolarWinds Orion Platform software.[1]
Method: Supply chain attack. The hackers managed to trojanize the Orion software with the backdoor malware SUNBURST.[1] SolarWinds itself unknowingly shipped the infected software to its customers as an update from March to June 2020. The malware was instructed to wait up to two weeks before executing commands that enabled transferring files, executing files, profiling the system, rebooting the machines, and disabling system services.[1] Via SUNBURST, the hackers were able to install further malware into the accessed systems, such as the SUPERNOVA malware.[9] To avoid detection, the perpetrators routinely removed their tools once their goal was achieved.[1]
Purpose: The campaign possibly aimed at data theft[1] and cyber espionage[7] – against both governmental and non-governmental actors.
Result: About 18,000 customers of SolarWinds installed the infected updates.[4] This resulted in compromised systems, lost integrity and confidentiality of data, and data theft. With access to the networks, the hackers may even have destroyed data or stolen identities.[7] Overall, the full scope and impact of the campaign remain unknown.
Aftermath: According to several analysts, trust in the supply chain was shaken by the revealed lack of security.[10][11] The experience may also lead consumers to distrust updates, according to Trey Herr, director of the Atlantic Council’s Cyber Statecraft Initiative.[12] Furthermore, the U.S. government is most likely to impose sanctions on the Russian Federation.[12] Also, the recovery process will reportedly take up to 18 months and involve substantial effort and investment.[3]
Analysed in:
Scenario 02: Cyber espionage against government departments
Scenario 09: Economic cyber espionage

Collected by: Michaela Prucková

  1. FireEye, “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”, 13 December 2020.
  2. SolarWinds, “Security Advisory FAQ”, 18 December 2020.
  3. P H O'Neill, “Recovering from the SolarWinds hack could take 18 months”, 2 March 2021, MIT Technology Review.
  4. Cybersecurity and Infrastructure Security Agency, “Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA)”, 5 January 2021.
  5. E Nakashima and C Timberg, “Russian government hackers are behind a broad espionage campaign that has compromised U.S. agencies, including Treasury and Commerce”, 14 December 2020, The Washington Post.
  6. G Kucherin, I Kuznetsov and C Raiu, “Sunburst backdoor – code overlaps with Kazuar”, 11 January 2021, Securelist.com.
  7. I Jibilian and K Canales, “Here's a simple explanation of how the massive SolarWinds hack happened and why it's such a big deal”, 25 February 2021, Business Insider.
  8. B Fung, “Biden administration says investigation into SolarWinds hack is likely to take "several months"”, 17 February 2021, CNN.com.
  9. SolarWinds, “SolarWinds Security Advisory”, 29 January 2021.
  10. B Buchanan, “The Russian hack shows that our problem isn’t technology. It’s whom we trust”, 16 December 2020, The Washington Post.
  11. The Linux Foundation, “Preventing Supply Chain Attacks like SolarWinds”, 13 January 2021.
  12. E Nakashima, “Biden administration preparing to sanction Russia for SolarWinds hacks and the poisoning of an opposition leader”, 23 February 2021, The Washington Post.