A trojanised software update to the SolarWinds Orion platform was downloaded by about 18,000 private and government organisations, giving Russian hackers the opportunity to infiltrate IT systems and exfiltrate vast amounts of data.
Earlier this week, security firm FireEye said it had discovered a new campaign by nation-state actors in which the hackers trojanised software updates of the SolarWinds Orion platform with a backdoor it named Sunburst, in order to infect organisations worldwide.
The hackers trojanised versions 2019.4 HF 5 through 2020.2.1 of the SolarWinds Orion platform that were released between March and June 2020 and infiltrated organisations worldwide that downloaded the trojanised software updates. According to FireEye, victims of the campaign include government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia, and the Middle East.
The Orion Platform is marketed by SolarWinds as an advanced and seamless software solution that helps large-scale enterprises monitor and manage their IT infrastructures that are complex and geographically dispersed. The software can be deployed on-premises, in virtualized environments, and in Microsoft Azure.
The software unifies data from multiple IT layers into an application-centric view, designed to enable end-to-end hybrid IT management and deliver multi-cloud visibility along with deep on-premises monitoring. SolarWinds also sells an Orion Suite for Federal Government to enable governments worldwide to manage and monitor their IT infrastructure.
After FireEye discovered the hacking operation and made the information public, the US Cybersecurity and Infrastructure Security Agency (CISA) also issued an Emergency Directive, advising all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.
SolarWinds also released an urgent software update to the Orion Platform, stating that it had just been made aware of a highly sophisticated, manual supply chain attack on the Orion platform that was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.
"Security and trust in our software is the foundation of our commitment to our customers. We strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers. We are working to investigate the impacts of this incident and will continue to update you as we are made aware of any interruptions or impact to your business specifically," the company said.
According to The New York Times, the trojanised software update was downloaded by as many as 18,000 private and public organisations, a little more than half of the 33,000 organisations that use the Orion platform to monitor and manage their IT infrastructure. However, the Russian hackers behind the operation reportedly used that access only against the specific government agencies and private organisations they had originally intended to target.
Trump administration officials told The New York Times that the hacking operation breached the Department of Homeland Security, the State Department, and parts of the Pentagon, in addition to the U.S. Treasury and U.S. Commerce Departments, which The Washington Post had reported were affected.
The Orion platform is also used by the US Justice Department and the National Security Agency, but it is not clear whether the two institutions also downloaded the trojanised software updates and were infiltrated as a result. As of now, it is also not clear how many private organisations, based in the US or in other countries, have been targeted by the hackers behind the operation.
In advice to businesses that have deployed the SolarWinds Orion platform, Sam Curry, chief security officer at Cybereason, says that they must strengthen their security posture at the earliest by taking the following steps:
● Isolate machines running SolarWinds until further information is available as the investigation unfolds
● Reimage impacted machines
● Reset credentials for accounts that have access to SolarWinds machines
● Upgrade to Orion Platform version 2020.2.1 HF1 as soon as possible. SolarWinds has also provided further mitigation steps
"In addition, set up a task force to look through all data logs, check the hygiene of systems and make sure everyone is generally on high alert for future attacks. Ensure your company is always on the hunt for adversaries. The sooner you do these things the sooner you can assume no one is lurking in your network in silent mode," he added.
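The first practical question a team following the steps above has to answer is which of its Orion hosts are running a build from the trojanised range. The Python script below is an added example, not code from the article, from Cybereason or from SolarWinds: it normalises Orion version strings (which appear as "2019.4 HF 5", "2020.2.1 HF1" and similar) and sorts a host inventory into hosts to isolate and reimage (in the range 2019.4 HF 5 through 2020.2.1, treated as inclusive exactly as the article states it), hosts below 2020.2.1 HF1 that still need the upgrade, hosts already on the fixed build, and hosts whose version could not be read. The host inventory is constructed sample data, the `OrionVersion` name and the ordering assumption that a point release outranks a hotfix are mine, and the authoritative list of affected builds is SolarWinds' own advisory, which should take precedence over a range check.

```python
import re
from typing import Dict, List, NamedTuple

# Version endpoints as quoted in the article (inclusive range is an assumption).
AFFECTED_LOW = "2019.4 HF 5"
AFFECTED_HIGH = "2020.2.1"
FIXED = "2020.2.1 HF1"

# Constructed sample inventory: hostname -> Orion version string as reported by the host.
SAMPLE_INVENTORY = {
    "orion-01": "2019.4 HF 5",    # first build in the trojanised range
    "orion-02": "2020.2",         # inside the range, no hotfix suffix
    "orion-03": "2020.2.1 HF1",   # the fixed release
    "orion-04": "2018.4",         # older than the range, still unpatched
    "orion-05": "not installed",  # unparseable: needs manual follow-up
}


class OrionVersion(NamedTuple):
    """Hypothetical comparable form of an Orion version; tuple order drives comparisons."""
    year: int
    minor: int
    patch: int
    hotfix: int


# Accepts "2019.4", "2020.2.1", "2019.4 HF 5", "2020.2.1 HF1" (case-insensitive "HF").
_VERSION_RE = re.compile(r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text: str) -> OrionVersion:
    """Normalise a vendor-style version string; raises ValueError on anything unrecognised."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return OrionVersion(int(year), int(minor), int(patch or 0), int(hotfix or 0))


def is_in_affected_range(version: str, low: str = AFFECTED_LOW, high: str = AFFECTED_HIGH) -> bool:
    """True when the build falls inside the trojanised range (inclusive at both ends)."""
    return parse_orion_version(low) <= parse_orion_version(version) <= parse_orion_version(high)


def is_patched(version: str, fixed: str = FIXED) -> bool:
    """True when the build is at or above the release SolarWinds shipped as the fix."""
    return parse_orion_version(version) >= parse_orion_version(fixed)


def triage(inventory: Dict[str, str] = SAMPLE_INVENTORY) -> Dict[str, List[str]]:
    """Bucket hosts by the action the remediation steps call for."""
    buckets: Dict[str, List[str]] = {"isolate": [], "upgrade": [], "ok": [], "unknown": []}
    for host, version in inventory.items():
        try:
            if is_in_affected_range(version):
                buckets["isolate"].append(host)   # isolate, reimage, reset credentials
            elif is_patched(version):
                buckets["ok"].append(host)        # already on the fixed build
            else:
                buckets["upgrade"].append(host)   # outside the range but still below the fix
        except ValueError:
            buckets["unknown"].append(host)       # version unreadable: check the host by hand
    return buckets


if __name__ == "__main__":
    for action, hosts in triage().items():
        print(f"{action:8s}: {', '.join(hosts) or '-'}")
```

The "isolate" bucket is a prioritisation aid, not a substitute for the first step above: until the investigation is complete, every Orion host is a candidate for isolation, and hosts in the "unknown" bucket deserve a manual look before anything else.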