What We Know So Far About the SolarWinds Hacking Scandal

A Homeland Security cybersecurity analyst circa Sept. 2010.
Photo: Jim Watson (Getty Images)

After infiltrating a Texas-based software company, an elite group of hackers turned its most widely used product into a Trojan horse. Their plan couldn’t have worked better. At least a half dozen government agencies (so far) and an untold number of America’s wealthiest corporations led them heedlessly right through the gates.

Virtually no one outside of the IT world had heard of SolarWinds before Monday, but it’s said to count among its corporate clientele hundreds of the country’s top revenue earners from nearly every facet of industry. The National Security Agency and many of the government’s other most well-guarded members have used its network management platform, including, in at least the Army’s case, on communication networks handling classified information. That same software, known as Orion Platform, began quietly dispensing malware created to spy on its users and pilfer their most sensitive files, likely in March of this year.

According to SolarWinds, upwards of half of its 33,000 Orion customers may have been infected. For nine months, apparently, nobody noticed.

The Departments of State, Commerce, Treasury, and Homeland Security, as well as the National Institutes of Health, which conducts biomedical research on the government’s behalf, are among the list of federal agencies currently said to be victims of the attack, according to Washington Post reporting earlier this week. Politico reported Thursday that the Energy Department and its National Nuclear Security Administration, chiefly responsible for safeguarding the nation’s nuclear weapons, had also been compromised. (In a statement Thursday, an Energy spokesperson claimed the malware was “isolated to business networks only.”)

What was stolen and where and how many victims there are remain a mystery.

The intrusion at SolarWinds, which unnamed U.S. officials attributed in the Post to the SVR, Russia’s foreign intelligence service, was the first step in what experts describe as a “highly sophisticated” supply-chain attack. It began with the hackers inserting malicious code, known as Sunburst, into the Orion Platform. In a filing Thursday, SolarWinds said that while Orion’s source code is clean, Sunburst “appears to have been inserted during the Orion software build process.”

The hackers baked Sunburst into several versions of Orion posted by SolarWinds to its website. When its corporate and government customers went to update their existing copies of the platform, Sunburst hitched a ride and then embedded itself in their network. It would then go dark for a period of days or weeks. When it did spring to life, it began by doing reconnaissance on its new environment and sending those details back to its handlers. Cleverly, the hackers disguised their communication with Sunburst as typical Orion traffic—the everyday work of actual IT employees—a sign of the sophistication involved.
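The build-process insertion described above means the binaries SolarWinds shipped differed from what its clean source would produce, which is exactly what a reproducible-build comparison surfaces. As an added example (not SolarWinds’ code or tooling), this Python check hashes every file in a vendor-shipped package and an independent rebuild from the same source and flags any file whose SHA-256 differs or that exists on only one side; the file names and byte contents are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ArtifactCheck:
    name: str
    shipped_sha256: Optional[str]  # None if the file exists only in the rebuild
    rebuilt_sha256: Optional[str]  # None if the file exists only in the shipped package

    @property
    def tampered(self) -> bool:
        # Any difference between the shipped bytes and what the audited source
        # reproduces points at the build pipeline, not the source tree.
        return self.shipped_sha256 != self.rebuilt_sha256


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare_builds(shipped: Dict[str, bytes], rebuilt: Dict[str, bytes]) -> List[ArtifactCheck]:
    """One ArtifactCheck per file name seen on either side, sorted by name,
    so files injected into the shipped package are flagged as well."""
    results = []
    for name in sorted(set(shipped) | set(rebuilt)):
        results.append(ArtifactCheck(
            name=name,
            shipped_sha256=sha256_hex(shipped[name]) if name in shipped else None,
            rebuilt_sha256=sha256_hex(rebuilt[name]) if name in rebuilt else None,
        ))
    return results


def tampered_files(shipped: Dict[str, bytes], rebuilt: Dict[str, bytes]) -> List[str]:
    return [c.name for c in compare_builds(shipped, rebuilt) if c.tampered]


# Constructed sample package contents (placeholder bytes, not real Orion files).
REBUILT = {
    "Core.dll": b"clean core component built from audited source",
    "Updater.dll": b"clean updater built from audited source",
}
SHIPPED = {
    "Core.dll": REBUILT["Core.dll"],
    # Same source, but the shipped binary carries bytes the rebuild never produces.
    "Updater.dll": REBUILT["Updater.dll"] + b"\x00<constructed build-time insertion>",
}

if __name__ == "__main__":
    for check in compare_builds(SHIPPED, REBUILT):
        print(f"{check.name}: {'MISMATCH' if check.tampered else 'ok'}")
```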

It could also download, transfer, and execute files on its own. If the hackers decided they’d found a prime target, they could order Sunburst to deploy further payloads. One, called Teardrop, has been observed deploying a custom version of the network penetration software Cobalt Strike. These additional capabilities allow Sunburst to, for instance, harvest user credentials, monitor keystrokes, and hunt for ways to elevate its power in the network.

Countless businesses and government offices are left scrambling to grasp the scope of this elaborate data-theft scheme perpetrated, reportedly, by a rival nation’s spies. Citing experts, Bloomberg reported Friday that the complexity of the attack, compounded by the hackers’ unusual drive to pass as real IT workers, may cut short even the most earnest effort to determine the score.

Officials said Wednesday that a joint task force comprising the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence had been established to coordinate a “whole-of-government” response to the incident. CISA, where several top officials were recently forced out by the White House, including former director Chris Krebs, warned separately that the attack still poses a “grave risk” to the country. It also acknowledged the hackers for their “patience, operational security, and complex trade-craft.”

Russia has denied involvement in cyberattacks of any kind.

The House Homeland Security and Oversight Committees said in a joint statement Thursday that an investigation had been launched into the attacks on federal government systems. Senior intelligence officials were asked to conduct a classified meeting on the Hill on Friday. Senate Intelligence Committee Vice-Chair Mark Warner, meanwhile, sharply criticized the White House for not, as he put it, “taking this issue seriously enough.” He went on to accuse President Trump of apparently not “acknowledging, much less acting upon, the gravity of this situation.”

At time of writing, Trump has not issued a statement concerning the attack.

This post will be updated as new information becomes available.

Senior Reporter, Privacy & Security

DISCUSSION

It's bad. I updated my server early Monday. Made sure there weren't any new/unusual admin accounts. Made sure no known c&c traffic was sent. But that doesn't leave me sleeping easy either.