The SolarWinds Orion Hack
Multiple US businesses and government networks, including the US Treasury and the US NTIA, have been compromised through a trojanized update of SolarWinds' Orion software.
This was confirmed in a report by the security company FireEye, itself one of the victims of the malicious update.
According to FireEye, SolarWinds, the vendor of Orion, suffered a breach that allowed the attackers to insert malware into a legitimate, digitally signed Orion update, which SolarWinds then distributed to its customers through its normal update channel.
Intrusions at the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA) were reported on Sunday, 13 December 2020, by Reuters, the Wall Street Journal, and other leading media.
FireEye's own network was also compromised as a result of the SolarWinds supply chain attack. A Washington Post report stated that other government departments had also been affected.
Reuters reported that the incident was considered serious enough to prompt a rare meeting of the US National Security Council at the White House on Saturday.
Washington Post sources attributed the attack to APT29 (also known as Cozy Bear), a hacking group believed to be affiliated with Russia's Foreign Intelligence Service (SVR).
FireEye has not confirmed the APT29 attribution for the malicious code deployed through Orion and instead tracks the group behind the attack under the neutral designation UNC2452.
Based on the evidence available so far, however, many professionals in the cybersecurity community consider APT29 the most likely culprit.
Microsoft has also confirmed the compromise of SolarWinds' software and on Sunday sent private security alerts containing countermeasures to customers that might have been affected.
Orion is a network management and monitoring platform used in large networks to monitor IT infrastructure, including servers, workstations, mobile devices, and IoT devices. Because such tooling typically holds privileged credentials for the systems it monitors and has network reach to all of them, a compromised Orion server gives an attacker a foothold across the whole environment rather than on a single host.
A statement issued by SolarWinds late on Sunday confirmed the compromise of the Orion platform. In it, the company states that Orion Platform builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020, contained the malicious code.
FireEye named the malware SUNBURST and published a technical analysis today, together with detection signatures (including YARA and Snort rules) on GitHub.
Microsoft tracks the malware as Solorigate and has added detections for it to Microsoft Defender Antivirus (Windows Defender).
The number of victims has not been revealed, but it appears that the United States was not the only target. According to FireEye's reports, the campaign is widespread and affects public and private organizations globally.
Victims of the attack on the Orion platform include entities in government, consulting, technology, telecom, and other sectors, located in North America, Europe, Asia, and the Middle East. There are likely victims in other countries as well.
In response to the incident, SolarWinds said that a further update, 2020.2.1 HF 2, will be available on Tuesday, 15 December. This update replaces the compromised component and adds several security hardening measures. Note that applying the update only removes the backdoor itself: an organization that ran an affected build should treat the Orion server, and the credentials it held, as potentially compromised and investigate whether the backdoor was actually used, since the attacker may already have moved elsewhere in the network.
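As an added illustration of the triage a defender would do with the version information above (this is example code, not code from SolarWinds, FireEye or Microsoft), the following script parses Orion Platform version strings in the "YYYY.N[.M][ HF K]" form used in the advisory, classifies them against the published affected range (2019.4 HF 5 through 2020.2.1) and the announced fixed release (2020.2.1 HF 2), and tags each host in a constructed inventory. The hostnames and versions in the sample inventory are made up for the example.

```python
"""Triage helper for the Orion advisory described above.

Example code added for illustration; it is not vendor code.  The version
boundaries are the ones quoted in the article; everything else is assumed.
"""
import re
from typing import Dict, Iterable, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, hotfix)

# Accepts e.g. "2019.4 HF 5", "2020.2", "2020.2.1", "2020.2.1 HF 2".
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Version:
    """Turn an Orion version string into a comparable tuple.

    A missing patch or hotfix component counts as 0, so "2020.2" sorts before
    "2020.2.1", and "2020.2.1" before "2020.2.1 HF 2".
    """
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch or 0), int(hotfix or 0))


# Boundaries taken from the SolarWinds statement as quoted in the article.
AFFECTED_FIRST = parse_version("2019.4 HF 5")
AFFECTED_LAST = parse_version("2020.2.1")
FIXED_RELEASE = parse_version("2020.2.1 HF 2")


def classify(text: str, known_fixed: Iterable[str] = ()) -> str:
    """Return one of: "affected", "fixed", "below-fix", "pre-range".

    known_fixed lists extra builds the vendor has declared clean (for example a
    later hotfix shipped for an older release train).  Hotfix numbers only order
    builds within their own train, so such builds cannot be inferred from the
    range comparison and must be supplied explicitly.
    """
    version = parse_version(text)
    if version >= FIXED_RELEASE or version in {parse_version(v) for v in known_fixed}:
        return "fixed"
    if AFFECTED_FIRST <= version <= AFFECTED_LAST:
        return "affected"
    if version > AFFECTED_LAST:
        # Newer than the last listed affected build but older than HF 2 (an
        # intermediate hotfix): not in the published range, so confirm against
        # the vendor's current guidance rather than assume it is clean.
        return "below-fix"
    return "pre-range"  # older than 2019.4 HF 5; outside the published range


def triage(inventory: Dict[str, str], known_fixed: Iterable[str] = ()) -> Dict[str, str]:
    """Map each host to its classification; unparsable versions are flagged."""
    known_fixed = tuple(known_fixed)  # may be iterated once per host
    result = {}
    for host, version_text in inventory.items():
        try:
            result[host] = classify(version_text, known_fixed)
        except ValueError:
            result[host] = "unparsed"
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "orion-prod-01": "2020.2.1",
    "orion-prod-02": "2020.2",
    "orion-lab-01": "2019.4 HF 5",
    "orion-lab-02": "2019.4 HF 4",
    "orion-new-01": "2020.2.1 HF 2",
    "orion-odd-01": "build 42",
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:14} {verdict}")
```

The output is a triage hint, not a verdict: a host tagged "affected" ran a build that shipped with the backdoor and needs an investigation, not just the update, and a "pre-range" or "unparsed" host still needs its version confirmed by hand. Because hotfix numbers are ordered only within a release train, any clean build the vendor later publishes for an older train has to be passed in through known_fixed rather than inferred.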