By now, many of you have heard that a sophisticated group of elite hackers infiltrated SolarWinds systems and injected malicious code into thousands of SolarWinds clients. The shockwaves are only now hitting the industry and we don’t yet know the full ramifications of such an attack, but whatever happens, we know it will be horrific.
Sudhakar Ramakrishna wrote in his blog on Monday: “We recognize the software development and build process used by SolarWinds is common throughout the software industry, so we believe that sharing this information openly will help the industry guard against similar attacks in the future.”
It is very clear that these hackers (whom government agencies around the world are starting to believe were state sponsored) were heavily supported in their efforts. “They ensured that their code was properly inserted and remained undetected, prioritizing operational security to avoid revealing their presence to SolarWinds developers,” CrowdStrike wrote in its own blog post on Monday. Ironically, CrowdStrike revealed Tuesday afternoon that it had also been infiltrated as a result of the SolarWinds hack, making it the fifth cybersecurity company to come forward and reveal that its networks have been compromised.
The attackers had enough time in SolarWinds (as well as 18,000 other networks) to gather information as well as execute malicious command and control operations. The earliest suspicious activity on SolarWinds’ internal systems identified by the company’s forensic teams in their current investigation dates all the way back to September 2019, Ramakrishna said.
Ramakrishna said the hackers then began inserting the malicious code into Orion Platform releases on Feb. 20, 2020. The hackers remained undetected and removed the malicious code from SolarWinds’ environment on June 4, 2020, according to Ramakrishna. The Washington Post has previously reported that the massive attack was carried out by the Russian foreign intelligence service.
From June 2020 until today, SolarWinds investigated various vulnerabilities in its Orion platform, and either remediated or initiated the process of remediating those vulnerabilities, he said. However, the company didn’t identify the vulnerability now known as SUNBURST until December, he said. SolarWinds said its then-CEO Kevin Thompson was advised by a FireEye executive of the Orion backdoor on Dec. 12.
SolarWinds has identified two previous customer support incidents that, with the benefit of hindsight, might be related to the massive hacking campaign, Ramakrishna said. The first was investigated with a customer and two third-party security companies, and SolarWinds at the time didn’t determine the root cause of the suspicious activity or identify the presence of SUNBURST malicious code, Ramakrishna said.
The second incident occurred in November, and SolarWinds similarly didn’t identify the presence of the SUNBURST malicious code, according to Ramakrishna. SolarWinds is still investigating these incidents and is sharing information related to them with law enforcement to support investigation efforts, Ramakrishna said.
“Our concern is that right now similar processes may exist in software development environments at other companies throughout the world,” Ramakrishna said. “The severity and complexity of this attack has taught us that more effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships.”
As stated earlier, we are only now beginning to see some of the effects of this massive hacking operation. Expect more large companies to come forward in the next few days and weeks revealing that their systems were compromised as well.
Security affects everyone. Be vigilant and keep your eyes open.