AS6 - SolarWinds
The SolarWinds incident, one of the most significant cyberattacks in recent history, began when hackers gained unauthorized access to the internal network of SolarWinds, a prominent IT management software provider. In 2019, they injected malicious code into SolarWinds' widely used Orion software, which was unknowingly distributed to around 18,000 customers in a software update released in March 2020. Using this foothold, the hackers conducted targeted cyber-espionage campaigns against various organizations. The breach, attributed to a state-sponsored hacking group believed to be linked to the Russian government, gave the attackers unauthorized access to victims' systems. In response, directives were issued advising affected organizations to disconnect or power down SolarWinds Orion products. The breach also affected Microsoft, which revealed that the attackers had accessed some of its source code repositories. Investigations, forensic analyses, and mitigation efforts were undertaken to assess the breach's extent, remove the malicious code, and bolster security measures. The incident exposed the attackers' sophistication and highlighted the vulnerability of trusted software supply chains, underscoring the importance of robust cybersecurity measures.
Techniques:
Reconnaissance
T0142 - Accidental public disclosure of internal resources
The password “solarwinds123” was discovered in 2019 on the public internet by an independent security researcher, who warned the company that the leak had exposed a SolarWinds file server. According to the researcher, he was able to use this password to access SolarWinds' FTP server.
T0142 page
T0105 - Active Scanning
SolarWinds' investigations uncovered evidence that the threat actor compromised credentials and conducted research and surveillance in furtherance of its objectives through persistent access to the company's software development environment and internal systems, including its Microsoft Office 365 environment.
T0105 page
Initial Access
T0153 - Compromised developer workstation
The exact infection point at SolarWinds is still unknown, but there are a few theories. One theory is that the attackers compromised a developer workstation and used it to upload the malicious code to the SolarWinds Orion software. Another theory is that the attackers exploited a vulnerability in SolarWinds' build process to inject the malicious code. It is also possible that the attackers used a combination of these methods to gain access to SolarWinds' systems.
T0153 page
T0135 - Vulnerable CICD System
The exact infection point at SolarWinds is still unknown, but there are a few theories. One theory is that the attackers compromised a developer workstation and used it to upload the malicious code to the SolarWinds Orion software. Another theory is that the attackers exploited a vulnerability in SolarWinds' build process to inject the malicious code. It is also possible that the attackers used a combination of these methods to gain access to SolarWinds' systems.
T0135 page
T0113 - Compromised user account
It is speculated that the attackers employed multiple techniques to compromise user accounts. These methods might have involved brute-force attacks or phishing to gain unauthorized access.
T0113 page
Impact
T0191 - Malicious code in artifacts
SolarWinds reported that the attacker introduced a backdoor named Sunburst, attributed to UNC2452, into the SolarWinds Orion software. Rather than altering the source code itself, the attacker injected the malware into the software during the build process, as disclosed by SolarWinds.
T0191 page
Execution
T0172 - Runtime Backdoor
The SolarWinds breach had a potentially significant impact due to the widespread use of the compromised Orion software in numerous high-profile organizations. These included prominent US agencies, as well as technology giants like Microsoft, Intel, and Cisco. While the specific extent of the damage caused by the breach has not been publicly disclosed, the potential for harm was substantial, considering the stature of these companies as significant suppliers of software in the industry.
T0172 page