Essential Guide

Editor's note

The pervasiveness of the SolarWinds backdoor attack, the sophistication of the hackers behind it and the number of high-profile victims make it the biggest cyber attack of 2020 -- and possibly the past decade.

The ongoing SolarWinds breach also shines a light on how dangerous a supply chain attack can be and gives infosec pros yet another reason to evaluate their security systems and processes.

FireEye Inc. disclosed in December 2020 that suspected nation-state hackers had successfully carried out a vast supply chain attack on SolarWinds Orion, a popular IT performance monitoring platform. The attack allowed threat actors to access government and enterprise networks worldwide.

The Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence said in a joint statement with the FBI in December 2020 that the attacks are ongoing and widespread.

Major tech companies, including Cisco, Intel, Microsoft and Nvidia, reported malicious SolarWinds updates, though the companies say there is no evidence that threat actors breached their networks.

In January 2021, the U.S. Department of Justice published a statement saying the global SolarWinds incident affected multiple federal agencies -- including the Justice Department's Microsoft Office 365 email system. The breach appears to have affected 3% of the Office 365 mailboxes, and the Department said there's no indication that classified information was affected.

Investigations into the SolarWinds backdoor cyber attack so far point to Russian espionage.

Here, we provide everything you need to know about the SolarWinds breach, how it infiltrates systems, and the ongoing response from infosec industry experts and vendors.

1. The latest SolarWinds breach news

Victims of the SolarWinds backdoor attack continue to be revealed as big tech companies and organizations discover malware infections and act to mitigate risks.

The SolarWinds backdoor malware hit Orion Platform versions 2019.4 HF5 through 2020.2.1, which were released between March 2020 and June 2020.

In Dec. 2020, SolarWinds disclosed a second backdoor, discovered by Palo Alto Networks researchers, dubbed Supernova. The Supernova malware required the exploitation of a vulnerability in the Orion software platform, which SolarWinds had patched in a recent update. Unlike Sunburst, Supernova was not a supply chain attack.

Here's the latest news on the ongoing SolarWinds backdoor breach.

2. How the SolarWinds breach happened

Threat actors reportedly began reconnaissance efforts in March 2020 and planted a backdoor in SolarWinds' Orion platform. It was activated when customers updated the software.

FireEye's threat research on the breach shows that a digitally signed SolarWinds component of the Orion software framework contains a backdoor that uses HTTP to communicate with third-party servers. FireEye dubbed the trojanized version of the SolarWinds Orion plugin Sunburst.

"After an initial dormant period of up to two weeks, it retrieves and executes commands, called 'Jobs,' that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services," FireEye reported.

The malware "masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers."

3. IT industry, vendors respond

Once the SolarWinds backdoor was identified, software vendors and IT security experts worked to identify network impacts, issue updates and apply fixes, while marveling at the sophistication and long-term implications of this massive cyber attack.