Full Report
In a blog post released 13 Dec 2020, FireEye disclosed that threat actors compromised SolarWinds’s Orion IT monitoring and management... The post How A Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise appeared first on McAfee Blog.
Analysis Summary
# Incident Report: SolarWinds Supply Chain Compromise via SUNBURST Backdoor
## Executive Summary
This major security incident involved the compromise of SolarWinds’ IT monitoring software (Orion) ecosystem through a trojanized update, resulting in the deployment of the SUNBURST backdoor across numerous organizations. The attack leveraged a sophisticated software supply chain vector, enabling attackers (likely an APT group tracked as UNC2452) to establish a foothold with elevated privileges, bypassing standard defenses. The full scope of subsequent lateral movement and data exfiltration is still under discovery, prompting widespread industry response and enhanced security scrutiny of trusted software updates.
## Incident Details
- Discovery Date: December 13, 2020 (Date of FireEye disclosure)
- Incident Date: The attack began well before disclosure and involved deliberate preparation (exact start date not given in the source).
- Affected Organization: SolarWinds (Source of compromise); numerous downstream customers.
- Sector: IT Monitoring/Management Software (Supply Chain compromise affecting various sectors)
- Geography: Global (Implied by the scale of SolarWinds user base)
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-December 2020 (Specific start date not detailed, but preceded detection by a significant dwell time).
- **Vector:** Software Supply Chain Compromise (T1195.002) - Attackers injected malware into a digitally-signed Windows Installer Patch for SolarWinds Orion software.
- **Details:** The trojanized file, `SolarWinds.Orion.Core.BusinessLayer.dll`, delivered the SUNBURST backdoor, which remained dormant for a calculated wait period before initiating external communication.
### Lateral Movement
- **Details:** Actions following the initial foothold included **Discovery** and **Lateral Movement** in pursuit of objectives such as data exfiltration or intellectual property theft, as the FireEye compromise suggests. Attackers may have leveraged compromised valid accounts and Active Directory access.
### Data Exfiltration/Impact
- **Details:** FireEye specifically reported intellectual property theft following its compromise. The full scope across all victims is still under investigation, but the capability for data exfiltration was present.
### Detection & Response
- **Details:** Detected after FireEye investigated its own environment following suspicious activity. Subsequent industry analysis by McAfee and alerts by CISA confirmed the scope.
- **Response Actions:** FireEye released countermeasures to identify the initial SUNBURST backdoor. Organizations were advised to check for vulnerable SolarWinds versions, patch, and immediately investigate endpoints and proxy logs.
## Attack Methodology
- **Initial Access:** Supply Chain Compromise (Trojanized digitally-signed SolarWinds Orion Update Package).
- **Persistence:** Established via the SUNBURST backdoor, communicating via command and control servers.
- **Privilege Escalation:** Attained a foothold with elevated privileges post-backdoor activation.
- **Defense Evasion:** Used trusted software distribution paths, signed code, and stealthy communication masquerading as legitimate update traffic (T1001.003).
- **Credential Access:** Implied (Necessary for deep lateral movement and data theft), though not explicitly detailed for the initial entry phase.
- **Discovery:** Performed system and network discovery post-infection.
- **Lateral Movement:** Implied through the use of mechanisms to move across the corporate network.
- **Collection:** Gathering of data, including intellectual property (as seen in the FireEye case).
- **Exfiltration:** Capability exists following C2 communication and payload transfer (T1105).
- **Impact:** Compromise of sensitive infrastructure and potential theft of proprietary information.
## Impact Assessment
- **Financial:** Not explicitly quantified in the context provided, but implied to be significant due to remediation and business disruption costs.
- **Data Breach:** Intellectual property theft confirmed at FireEye; potential for broader sensitive data theft across compromised organizations.
- **Operational:** Potential business disruption while identifying and isolating compromised systems. The adversary was observed wiping log files to erase traces, complicating response.
- **Reputational:** Significant damage to the reputation of SolarWinds, and heightened anxiety for IT/security leaders industry-wide regarding software integrity assurance.
## Indicators of Compromise
*Note: specific indicators are not listed here, because the source material reports on them rather than providing a live IoC list.*
- **Network indicators:** Communication to third-party C2 servers, potentially using custom Domain Generation Algorithms (DGA). Communication masqueraded as normal update traffic.
- **File indicators:** Presence of the trojanized DLL (`SolarWinds.Orion.Core.BusinessLayer.dll`) within the update package.
- **Behavioral indicators:** Detection of malicious named-pipe presence associated with the SUNBURST backdoor execution. Calculated wait time before external communication.
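The network indicators above (first contact with a previously unseen, DGA-looking destination from an Orion host after a dormant period) lend themselves to a simple hunt over proxy logs. The following is an added example written for this page, not code from McAfee or FireEye; the log lines, the `KNOWN_UPDATE_HOSTS` allow-list and the entropy/length thresholds are constructed assumptions to be tuned per environment.

```python
import math

# Constructed proxy log (not from the original report): timestamp, source host, destination FQDN, bytes out.
SAMPLE_PROXY_LOG = """\
2020-12-01T09:00:01Z orion-01 downloads.solarwinds.com 512
2020-12-01T09:05:10Z orion-01 downloads.solarwinds.com 640
2020-12-14T03:12:44Z orion-01 7s3kq9zb2x4f1pqr.api-updates.example.net 1024
2020-12-14T03:13:02Z orion-01 7s3kq9zb2x4f1pqr.api-updates.example.net 2048
2020-12-01T10:00:00Z ws-07 www.example.com 300
"""

# Assumed allow-list of legitimate vendor update hosts; replace with your own baseline.
KNOWN_UPDATE_HOSTS = {"downloads.solarwinds.com"}


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label; random-looking labels score high."""
    if not label:
        return 0.0
    counts = {c: label.count(c) for c in set(label)}
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())


def looks_dga(fqdn: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic: a long, high-entropy leftmost label suggests an algorithmically generated hostname."""
    label = fqdn.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_suspect_beacons(log_text: str) -> list:
    """Return one alert per (host, destination) pair on its first appearance
    when the destination is not a known update host and looks DGA-generated.
    The first-seen condition models the backdoor's dormant period ending."""
    first_seen = {}
    alerts = []
    for line in log_text.splitlines():
        ts, host, fqdn, _nbytes = line.split()
        if fqdn in KNOWN_UPDATE_HOSTS:
            continue                      # expected vendor traffic, not interesting here
        key = (host, fqdn)
        if key in first_seen:
            continue                      # already evaluated this pair
        first_seen[key] = ts
        if looks_dga(fqdn):
            alerts.append({"host": host, "fqdn": fqdn, "first_seen": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_beacons(SAMPLE_PROXY_LOG):
        print(f"[hunt] {alert['host']} first contacted {alert['fqdn']} at {alert['first_seen']}")
```

On the constructed log this yields a single alert for `orion-01`; in a real hunt the allow-list comes from a baseline of the host's historical destinations rather than a hard-coded set.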
## Response Actions
- **Containment:** Immediate cessation of the communication channels used by SUNBURST (blocking identified C2 infrastructure at the network edge). Identifying and isolating systems that executed the vulnerable SolarWinds Orion software.
- **Eradication:** Removal/replacement of trojanized software components. Comprehensive forensic investigation to determine the extent of access, including checking for compromised user accounts or Active Directory access.
- **Recovery:** Patching to non-vulnerable versions of SolarWinds software. Strengthening monitoring, especially around privileged accounts and sensitive infrastructure.
## Lessons Learned
- The software supply chain presents a critical, low-signal vector that can grant attackers trusted positions within victim networks.
- Sophisticated actors possess significant patience, using deliberate wait times to evade detection.
- Security defenses must look beyond perimeter and common access vectors (like phishing/RDP) to validate the integrity of trusted third-party software updates.
- Adversaries actively erase logs to hinder incident response, highlighting the need for robust, immutable log aggregation.
## Recommendations
- **Supply Chain Validation:** Work closely with key technology suppliers (IT, Cloud, Hardware) to validate software/firmware integrity, especially updates.
- **Enhanced Monitoring:** Increase monitoring and investigation activities around privileged accounts and access to sensitive infrastructure (e.g., Active Directory).
- **Detection Maturity:** Review and update SOC detection use cases to specifically hunt for advanced persistent threat techniques, including subtle command-and-control patterns.
- **Resilience Planning:** Conduct tabletop exercises specifically focused on complex, deep-seated compromises like supply chain attacks and associated breach notification procedures.