SolarWinds Orion: What We Know
by Robin Simmons
December 17, 2020
According to several reports, sophisticated Russian hackers have infiltrated several U.S. federal departments and agencies, including Defense, Homeland Security, State, Treasury, Commerce, and NIH, as well as several cybersecurity companies. According to Krebs on Security, the hackers were able to “surreptitiously tamper with updates released by SolarWinds for its Orion platform, a suite of network management tools.” Although reports are not conclusive, the goals appear to include monitoring sensitive internal activity and exfiltrating data. Russia denies being behind these attacks.
Initial Government Response
On Sunday, the DHS Cybersecurity and Infrastructure Security Agency (CISA) published Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise”. The directive instructs agencies to treat “all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.” It directs all affected federal departments and agencies to immediately disconnect or power down SolarWinds Orion products, to block all traffic to and from external hosts where any version of Orion has been installed, and to identify and remove any attacker-controlled accounts and persistence mechanisms they find. Agencies “that have the expertise” are directed first to forensically image system memory and the host operating systems of all Orion instances, to analyze them for new user or service accounts, and to analyze stored network traffic for indications of compromise; the imaging matters because powering a host down destroys the memory evidence that would show what the attacker was doing.
Hacking the SolarWinds Orion Product
SolarWinds, Microsoft, and CISA report that the attack did not exploit a vulnerability in the usual sense. Instead, the attackers tampered with SolarWinds’ own build and update process, so that malicious code was shipped inside legitimate, digitally signed Orion updates. That is why it is described as a “supply chain” attack: SolarWinds is a supplier to its customers, and every customer that installed a tampered update received the attackers’ code along with it. (The 2013 Target breach is the same pattern seen from the victim’s side: Target was entered through a third-party vendor’s compromised credentials, just as Orion customers were entered through their vendor’s compromised software.) Once inside a victim network, the attackers moved beyond Orion; Microsoft reports that in some cases they stole the keys used to sign single sign-on (SAML) tokens and forged tokens of their own, allowing them to impersonate any authorized user, including highly privileged accounts, without needing that user’s password. To make matters worse, security and monitoring products such as Orion can cause false positives in virus scanning software, so SolarWinds advises customers to exclude the folders that contain Orion products from virus scanning. On a host configured that way, the tampered Orion component was never scanned at all.
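The following host-side triage script is an added example written for this page; it is not code from SolarWinds, CISA, or the original post. It walks one Windows server through the sequence the two paragraphs above describe: find out whether Orion is installed and which build, record the version and signature of the Orion component that carried the tampered updates, list the antivirus exclusions that would have hidden it, and, only when asked, stop the SolarWinds services and block their executables from the network. The default install path, the business-layer DLL name, and the use of Windows Defender are assumptions about a typical deployment, not facts stated on the page, and the per-program firewall rules are a host-level stopgap, not the enterprise-edge block that ED 21-01 calls for.

```powershell
# Added example, not SolarWinds', CISA's, or the post's own code.
# Host-side ED 21-01 triage for a single Windows server. Run elevated.
# Assumptions (not from the page): default Orion install path, the core
# business-layer DLL as the component to record, Windows Defender as the AV.
param(
    [string]$OrionRoot = 'C:\Program Files (x86)\SolarWinds\Orion',
    [switch]$Isolate   # without -Isolate the script only reports
)

$report = [ordered]@{}

# 1. Is Orion installed? Check the uninstall registry keys (both 32- and
#    64-bit views) rather than trusting the folder alone, so a relocated
#    install is still found.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$orionProducts = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'SolarWinds Orion*' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation
$report['OrionProducts'] = @($orionProducts)
if (-not $orionProducts) {
    Write-Output 'No SolarWinds Orion product found on this host.'
    $report
    return
}

# 2. Record version, hash, signature and timestamp of the component that
#    shipped inside the tampered updates. A valid SolarWinds signature does
#    NOT mean the file is clean: the backdoored builds were signed, so the
#    version and hash are what you compare against vendor/CISA indicators.
$dll = Join-Path $OrionRoot 'SolarWinds.Orion.Core.BusinessLayer.dll'  # assumed name/path
if (Test-Path $dll) {
    $item = Get-Item $dll
    $sig  = Get-AuthenticodeSignature -FilePath $dll
    $report['BusinessLayerDll'] = [pscustomobject]@{
        Path         = $dll
        FileVersion  = $item.VersionInfo.FileVersion
        SHA256       = (Get-FileHash -Path $dll -Algorithm SHA256).Hash
        Signer       = $sig.SignerCertificate.Subject
        SigStatus    = $sig.Status
        LastWriteUtc = $item.LastWriteTimeUtc
    }
}

# 3. Which AV exclusions would have kept that DLL out of scanning?
$exclusions = (Get-MpPreference -ErrorAction SilentlyContinue).ExclusionPath
$report['DefenderExclusionsCoveringOrion'] = @($exclusions | Where-Object { $_ -like '*SolarWinds*' })

# 4. Isolation (destructive to memory evidence; image the host first if you can):
#    stop and disable every SolarWinds service, then block each Orion
#    executable from making outbound connections.
if ($Isolate) {
    Get-Service -DisplayName 'SolarWinds*' -ErrorAction SilentlyContinue | ForEach-Object {
        Stop-Service -Name $_.Name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $_.Name -StartupType Disabled
    }
    Get-ChildItem -Path $OrionRoot -Recurse -Filter '*.exe' | ForEach-Object {
        New-NetFirewallRule -DisplayName "ED21-01 block $($_.Name)" `
            -Direction Outbound -Action Block -Program $_.FullName | Out-Null
    }
    $report['Isolated'] = $true
}

$report
```

Run it without `-Isolate` first and keep the report: the DLL version, hash and last-write time are what you will compare against the vendor and CISA indicators, and the exclusion list tells you whether the file was ever scanned. Take the memory and disk image before re-running with `-Isolate`, because stopping the services discards the running process state the directive asks you to preserve.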
How Big Could this Be?
The SolarWinds customer list includes 425 of the U.S. Fortune 500 companies, the top ten U.S. telecommunication companies, all five branches of the U.S. military, all five of the top U.S. accounting firms, hundreds of colleges and universities, and several federal departments and agencies (including NASA, NSA, U.S. Postal Service, NOAA, Justice, and the Executive Office of the President). Bloomberg reports that SolarWinds said its Orion monitoring product could have been used to compromise the servers of as many as 18,000 of its customers.
How Long and What Next?
Bruce Schneier and today’s Washington Post report that the Russian operation dates back to March. Cleanup will take weeks at the very least, depending on the skills of the IT and security staff of each organization that uses the SolarWinds Orion product. SolarWinds advises customers to upgrade to Orion Platform version 2020.2.1 HF 1 or later as soon as possible.
Organizations that use SolarWinds Orion products are advised to follow the guidance provided by CISA in Emergency Directive 21-01. Shutting down SolarWinds Orion products and upgrading to the current version of Orion are just a start: the upgrade removes the tampered component, but it does nothing about an attacker who has already used Orion to obtain accounts, signing keys, or footholds elsewhere in the network. Skilled analysis is needed to determine whether an attacker gained access to your network, what the attacker was doing, and what unauthorized code or accounts might have been left behind. Organizations that lack the skills and expertise to perform these actions are urged to consult with cyber security professionals. Please contact us if you have any questions.
About the Author
Rob Simmons is Unissant’s Cybersecurity Practice Lead, a cybersecurity engineer and leader with technical expertise and operational experience. Before joining Unissant, Rob worked at the Mitre Corporation, most recently as a Senior Principal Cybersecurity Engineer. A former Air Force officer, Rob earned his Bachelor of Science (BS) in Electrical Engineering at the University of Michigan and his Master of Science (MS) in Electrical Engineering from the Air Force Institute of Technology. He is also a public speaker and teaches courses on English as a Second Language.
About Unissant, Inc.
Unissant is a data-driven & cyber security services provider with expertise in healthcare and health IT, national security, finance, and energy. Founded in 2006, Unissant is a prime contractor on various government vehicles such as CIO-SP3, GSA PSS, GSA HealthIT SIN, and GSA 8(a) STARS II and is a CMMI Level 3, ISO 9001 & 27001 certified company headquartered in Herndon, Virginia with a satellite office in San Antonio, Texas. Unissant is the recipient of various industry awards such as “Government Project of the Year,” “Health IT Innovation Award” and most recently the “Disruptive Technology in Government” award.