The SolarWinds supply chain attack was officially identified on December 13, but its impact was revealed earlier on December 8, when cybersecurity company FireEye announced it had been hacked by a state-backed APT group.
During the attack, hackers acquired probing tools used by FireEye to test its customers' security. How the threat actors managed to gain access to the cybersecurity firm's network was not known until December 13, however, when a joint report was issued by the US Government, FireEye, Microsoft and SolarWinds stating that SolarWinds had been successfully hacked by threat actors believed to be linked with the Russian Foreign Intelligence Service.
The attack saw hackers obtain access to the SolarWinds Orion build system, which allowed them to insert a backdoor into an authentic SolarWinds DLL file. The backdoored DLL was then rolled out to SolarWinds customers through a supply chain attack: the platform designed to keep the software current deployed the malicious update automatically.
Once loaded, the DLL backdoor connected to a command and control server at a hacker-run subdomain, from which it could receive and accept tasks to execute on any infected device. Precisely which tasks were successfully executed is unknown, but they could potentially have included granting remote access to the hackers, stealing private data, or downloading and installing further malware on compromised systems.
Threat actors behind the cyberattack
Specialists at FireEye are presently tracking the hacker responsible under the name UNC245, while cybersecurity company Volexity, operating out of Washington, has connected the activity to a malicious actor they refer to as “Dark Halo”. Volexity believes Dark Halo hackers have successfully targeted and compromised the same US think tank multiple times since late 2019.
In the first recorded attack, the cybersecurity firm identified multiple tools, malware implants and backdoors that enabled Dark Halo to stay undetected. In the second attack, it uncovered that after being ejected from the target’s network, the hacker group used a freshly disclosed bug in Microsoft Exchange that allowed it to evade multi-factor authentication security protocols.
The third attack saw the threat operator use the SolarWinds supply chain attack to deploy an identical backdoor to the one employed to breach the networks of FireEye and the government bodies in the US.
Although still unconfirmed, some media reports have surfaced citing that these attacks are connected to the nefarious hacking group APT29, linked to the Russian Foreign Intelligence Service. Cybersecurity researchers at Volexity and FireEye have not verified any such claims to date.
Victims of the cyberattack
Security experts believe around 18,000 customers received the malicious DLL as part of the attack. Out of these, however, the attackers focused on "high value" organisations on this extensive list as targets.
Along with FireEye, Microsoft and Cisco, many US government entities were hit by the SolarWinds cyberattack, including the Department of State, the National Telecommunications and Information Administration (NTIA), the Department of the Treasury, Department of Homeland Security (DHS), the National Institutes of Health (NIH), the National Nuclear Security Administration (NNSA) and the Department of Energy (DOE), among others.