It was quickly suspected that the computers were infected via SolarWinds Orion, a network monitoring tool for Microsoft Windows. It appears someone – again, Moscow is in the firing line – altered downloads from the SolarWinds website so that the code contained a remote-controlled backdoor. Once on a box, the backdoor could be used by miscreants from afar to run commands, hijack the computer, steal data, and so on. That's likely how the US government networks were compromised: by installing tainted downloads – which are, we're told, still available from the SolarWinds website at the time of writing, though they are no longer linked to.

America's Cybersecurity and Infrastructure Security Agency (CISA) put out an emergency directive on Sunday night calling on all federal civilian agencies to review their networks immediately and pull the plug if they are running the Orion software. The dodgy updates were said to have been slipped onto the site between March and June this year.

FireEye, meanwhile, probed the backdoor smuggled into the SolarWinds code, and documented its findings in detail, here. Everyone using the product is urged to upgrade to a fixed version, assume compromise, and work from there.

It's not clear whether the FireEye intrusion and exfiltration stemmed directly from a bad installation of Orion. Cryptically, FireEye has glued together its early-December public statements that it was hacked, and its investigation into what it says is "a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain."

"This compromise is delivered through updates to a widely used IT infrastructure management software - the Orion network monitoring product from SolarWinds," added FireEye CEO Kevin Mandia. "The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.

"Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the spring of 2020, and we are in the process of notifying those organizations.

"Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."

Who are the hackers and how did they get in?

We asked FireEye straight up if it was hacked via a SolarWinds update, and a spokesperson told us simply: "Our investigation is still ongoing."

Orion is a network monitoring platform that is particularly popular with the US and UK public sector as well as the world's largest corporations. It has a long history and pedigree, it was established and remains based in the US, and it has slowly grown through careful acquisition and a gradual build-out of its platforms, continually adding to and updating its system. It boasts of more than 300,000 customers.

In hindsight, it was the perfect target for spies: it provides just the right spot to insert a backdoor into trusted, confidential systems, with high visibility of network traffic, and the plot to do so appears to have been extremely well organized and sophisticated, and to have gone undetected for months.

The hackers crafted their malicious code specifically for SolarWinds' platform, and created a. As customers downloaded the update, they unwittingly pulled down and installed the backdoor at the same time.

The malicious code was itself cleverly designed: it would execute commands and provided remote admin access. The hackers then used that foothold to create and cryptographically sign the security tokens needed to hoodwink systems into believing subsequent access to other accounts and resources was legitimate.