What a nightmare the year 2020 has been for the humanity. At the time when everyone was breathing a sigh of relief with COVID-19 vaccine distribution, there comes another terror but this time in the form of cyberattack. The cyberattack named Sunburst supposedly from Russian state actors that became public earlier this month, has infiltrated close to 18,000 entities from top technology companies to government agencies mostly in US. While the extent of damage in terms of data and intellectual property theft and monetary loss is still being investigated by the entities, the scale of the attack is massive that was executed with utmost sophistication. As first few to go public, several email accounts of high ranking government officials from the US treasury department (responsible for advising the President on economic and financial issues) have been stolen. List of govt agencies who have confirmed this breach can be found here. There could be many more incidents of data theft and cyberespionage but most of them may not come out in the public.
At the jist of this cyberattack, the attackers figured out a way to install a backdoor software into the Solarwinds (Orion platform) monitoring software which could then send traffic payload (stolen data) from the customer’s environment to something called C2 system (Command and Control) owned by the attackers. This kind of attack is called supply chain attack because the hackers attack the weakest link in the chain of IT systems by installing undetectable malware, In this case it was Orion monitoring platform (3rd party supplier). So Installing a backdoor into Orion means that hackers could gain access to all the IT assets managed by this platform and may be able to laterally move between various IT systems sucking up whatever data they deem important. Solarwinds Orion platform can manage and monitor pretty much all IT assets and not limited to routers, switches, firewalls, servers and databases.
The data theft and other unscrupulous activities could have been happening for several months until one of the Solarwinds customer Fireeye (security threat intelligence company) spotted this early December because their red team tools (scripts, tools, scanners..) used for security posture assessments were stolen through this backdoor. As a side note Fireeye stock price has risen 58% during this time (12/17 – 12/22) . Its probably because they were the first to detect this malware and alert the US government and the Industry as a whole.
Above you will see a simple depiction of the attack surface. As the first step, the hackers injects a malware (backdoor) to a legitimate DLL file onto the Orion update server. Then this legitimate update file (.exe) is then downloaded by the Orion monitoring platform and executed which also happens to install the backdoor software. This backdoor is then used by the C2 server to execute jobs or tasks and steal the data from different IT assets. In-depth technical information can be found on the Microsoft’s website.
While the cybersecurity experts suggest that the breach is very well underway, I am sure IT security experts are working hard to detect and eliminate this malware from their environments. Here is an helpful resource Security Advisory FAQ | SolarWinds
Sunburst may have been aptly titled as the Sun has really burst in the cyberspace causing damage and leaving many in the darkness.