Nation State Actors Compromised SolarWinds IT Update Infrastructure

cybersecurity leadership series Dec 14, 2020
The Cyberattack by a Sophisticated Nation State Actor

On December 13, 2020, DHS CISA and media outlets reported a highly sophisticated nation state cyber threat actor had conducted a supply chain attack which compromised the SolarWinds Orion Platform software versions released between March 2020 and June 2020. 

This cyberattack reportedly trojanized SolarWinds Orion business software updates in order to distribute malware which FireEye has called “SUNBURST.” FireEye currently assesses this cyberattack campaign may have begun as early as Spring 2020.

According to FireEye, the malware allows this nation state actor to stay dormant for up to two weeks after compromise.  After the dormant period, the malware executes commands which include the “ability to transfer files, execute files, profile the system, reboot the machine, and disable system services.”  In addition, the malware backdoor uses multiple blocklists to identify forensic and anti-virus tools running in the organization’s IT enterprise.  Once this nation state actor obtains initial access, it moves laterally and acquires legitimate credentials and remote access to the victim environment which allows the cyber threat actor to blend in as an authorized network user.

FireEye has provided signatures and other threat intelligence to assist possible victim organizations.  This information is posted on the FireEye public GitHub page located at https://github.com/fireeye/sunburst_countermeasures. CISA has also issued an emergency directive to federal agencies.

Impact of This Nation State Cyberattack

According to the SolarWinds website, SolarWinds identifies the following organizations as some of its customers:

  • Over 425 of the U.S. Fortune 500 organizations
  • All 10 of the top 10 U.S. telecommunications companies
  • All five branches of the U.S. Military
  • The Office of the President of the U.S., the Pentagon, the U.S. State Department, NASA, NSA, U.S. Postal Service, U.S. Department of Justice
  • All five of the top 5 Accounting firms
  • Hundreds of universities and colleges around the world

This sophisticated nation state cyberattack has probably impacted (at a minimum) the following U.S. critical infrastructures:

  1. Communications Sector
  2. Defense Industrial Base Sector
  3. Emergency Services Sector
  4. Government Facilities Sector
  5. Information Technology Sector

The remaining critical sectors may be impacted because they may rely on 3rd party services provided by SolarWinds customers.  These critical infrastructure sectors include:

  1. Chemical Sector
  2. Commercial Facilities Sector
  3. Critical Manufacturing Sector
  4. Dams Sector
  5. Energy Sector
  6. Financial Services Sector
  7. Food and Agriculture Sector
  8. Healthcare and Public Health Sector
  9. Nuclear Reactors, Materials, and Waste Sector
  10. Transportation Systems Sector
  11. Water and Wastewater Systems Sector

An Executive’s Cyber Leadership Perspective

This sophisticated nation state cyberattack is a useful example of the multiple and potential impacts of a supply chain cyberattack to both private and public sector organizations across U.S. critical infrastructure sectors.

Executives or corporate directors should consider the following questions to guide them regarding enterprise wide cybersecurity for their organization:

  1. Does the organization use the SolarWinds Orion Platform?
  2. If the response is yes, has the organization’s cybersecurity team obtained all cyber threat intelligence (including signatures, etc.) and reviewed the entire IT infrastructure for potential compromise by this cyberattack?
  3. If there are indicators of compromise found in the organization’s IT infrastructure:
    • What is the cybersecurity team’s response to this cyberattack; how has this cyberattack been mitigated, and what organizational data and services have been compromised by this cyber threat actor?
    • Has a 3rd party incident responder been engaged and if so, what is the status of this 3rd party incident responder’s response, mitigation, recovery, and reporting?
    • Has the cybersecurity team engaged CISA to assist in the mitigation of this cyberattack?
  4. If no indicators of potential compromise have been found in the organization’s IT infrastructure but the organization has engaged the services of the top 10 telecommunication providers and/or the top 5 accounting providers, consider the following questions:
    • What has the telecommunications provider/accounting firm done to determine if their organization has been compromised by this cyber threat actor?
    • If the telecommunications provider/accounting firm has been compromised by this cyber threat actor, was any of the organization’s data accessed by the cyber threat actor?
    • What has been done to respond, mitigate, recover, and ensure full visibility to any telecommunication provider/accounting firm client organization whose data may have been compromised by this cyber threat actor?
  5. Lessons learned. The organization’s senior executive team and board of directors should request an after-action report regarding the impact of this cyberattack on the organization to identify any gaps, weaknesses, and lessons learned due to this cyberattack. In addition, these identified gaps, weaknesses, and lessons learned may require strategic resources to be authorized by the senior executive team and board of directors to provide the CIO/CISO/CSO and their cybersecurity team with the appropriate resources to continuously mature the organization’s cybersecurity risk management program and overall cybersecurity posture.

Today’s cybersecurity leadership responsibilities for executives and corporate directors are challenging.  This supply chain attack is an example of how these enterprise risk responsibilities can change overnight with significant consequences to the organization and the business community.  Executives and corporate directors need to stay cyber savvy and continuously engaged with their executive team responsible for enterprise wide cybersecurity.

The following are links to the above referenced reports:

  1. FireEye Threat Research on supply chain attack trojanizing SolarWinds Orion business software updates (December 13, 2020) https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
  2. SolarWinds Security Advisory link https://www.solarwinds.com/securityadvisory
  3. CISA Advisory “Active Exploitation of SolarWinds Software” (December 13, 2020) https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software