US-based SolarWinds suffered one of the most disastrous cyberattacks of the year, one that has potentially compromised up to 200 organisations and agencies, including prominent names such as Intel, Microsoft, NVIDIA, and Cisco. The incident is now referred to as Solorigate, a name first coined by Microsoft.
This attack comes on the heels of a major breach at FireEye, one of the world's most sought-after cybersecurity firms. The FireEye hack was termed the biggest known cyberattack since the 2016 incident in which the US National Security Agency was compromised by a little-known group called the ShadowBrokers.
In both the SolarWinds and FireEye cases, it is speculated that the hackers operated on behalf of a foreign government. FireEye, which is also investigating the cause of the SolarWinds hack, said that a malware-laced update for the latter's Orion software infected the networks of multiple US companies and government agencies.
Reportedly, 18,000 SolarWinds customers received a malicious update that included a backdoor. However, the number of cases in which the attackers actually infiltrated a network through the backdoor is much smaller, currently pegged at close to 200.
Experts believe this is a case of a supply chain attack, in which attackers seek to damage an organisation by targeting the weaker, less secure elements of its supply chain. One of the most prominent examples of a supply chain attack is the Target security breach of 2013.
The Target breach is considered one of the largest data breaches in the history of the retail industry. The attack, which took place between November 27 and December 15, 2013, introduced malware into the POS (point of sale) systems of 1,800 stores, leaving 40 million credit and debit cards susceptible to fraud. The breach eventually cut the company's Q4 2013 profit by about 46%, on top of the additional expense of the 90 lawsuits filed against the company.
What Went Wrong With SolarWinds
The attackers compromised the SolarWinds Orion Platform DLL (Dynamic Link Library) by adding 4,000 lines of discrete malicious code. Inserting this code into SolarWinds.Orion.Core.BusinessLayer.dll allowed the attackers to operate unfettered in the compromised networks.
What made the attack even more effective is that the compromised file was digitally signed, which suggests the attackers had access to SolarWinds' software development or distribution pipeline.
According to a Microsoft review of the SolarWinds hack, there is evidence that the attackers began testing their ability to insert code by adding empty classes as early as October 2019. This suggests the malicious code was inserted at a very early stage, possibly before the software build step in which the compiled code is digitally signed.
The malware stays dormant on an affected system for up to two weeks. After that, it retrieves and executes commands called Jobs, which include transferring and executing files, profiling the system, rebooting the machine, and eventually disabling system services. The backdoor also uses multiple obfuscated blocklists to identify antivirus tools that may be running on the system, checking processes, services, and drivers.
Interestingly, FireEye discovered SolarWinds’ backdoor while investigating its own breach that was identified on December 8.
Supply chain attacks are a growing concern. The Solorigate incident is a reminder that these attacks are so damaging because they combine widespread impact with deep consequences for each compromised network.
As suggested by, companies can guard themselves against these attacks by isolating and investigating affected devices; by identifying the accounts used on those devices; and by determining the timeline of each device's compromise for indications of lateral movement.
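The three response steps above, worked through against logon records as an added example (not code from the article, SolarWinds, Microsoft or FireEye); the hostnames, account names and timestamps are constructed, and the starting set of affected devices is assumed to come from an inventory of hosts running the backdoored DLL:

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon records: (timestamp, target host, account, source host).
# Only orion-srv01 is known up front to run the backdoored Orion component.
SAMPLE_EVENTS = [
    ("2020-12-01T09:12:00", "orion-srv01", "svc_orion", "orion-srv01"),
    ("2020-12-03T02:41:00", "orion-srv01", "jdoe", "orion-srv01"),
    ("2020-12-03T02:55:00", "file-srv07", "jdoe", "orion-srv01"),
    ("2020-12-04T11:10:00", "dc01", "jdoe", "file-srv07"),
    ("2020-12-04T11:30:00", "dc01", "backup_admin", "dc01"),
    ("2020-12-05T08:00:00", "ws-finance12", "alice", "ws-finance12"),
]

def parse_events(rows):
    """Turn the raw tuples into (datetime, host, account, source) records."""
    return [(datetime.fromisoformat(ts), host, acct, src) for ts, host, acct, src in rows]

def expand_compromise(events, initially_affected):
    """Walk the logon records in time order, starting from the devices known
    to carry the backdoor. Returns:
      affected - host -> estimated compromise time (first activity seen),
      accounts - host -> set of accounts used on that host after compromise,
      hops     - (account, source, target, time) logons from an affected device
                 to another host: the lateral-movement leads to investigate.
    Every host in `affected` is a candidate for isolation and forensic review."""
    affected = {host: None for host in initially_affected}
    accounts = defaultdict(set)
    hops = []
    for ts, host, acct, src in sorted(events):
        if host not in affected:
            if src not in affected or src == host:
                continue              # activity unrelated to the affected set
            affected[host] = ts       # reached from an affected device: now affected
        elif affected[host] is None:
            affected[host] = ts       # first observed activity on a known-bad device
        accounts[host].add(acct)
        if src in affected and src != host:
            hops.append((acct, src, host, ts))
    return affected, dict(accounts), hops

if __name__ == "__main__":
    affected, accounts, hops = expand_compromise(parse_events(SAMPLE_EVENTS), {"orion-srv01"})
    for host, when in affected.items():
        print(f"{host}: compromised by {when}, accounts used: {sorted(accounts[host])}")
    for acct, src, dst, when in hops:
        print(f"lateral movement lead: {acct} {src} -> {dst} at {when}")
```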