Global powers are competing for control of a new battlefield—software and infrastructure that is built, and increasingly managed, by private industry.
An advanced threat actor has compromised the SolarWinds Orion Platform, a unified IT monitoring solution that will often have access to an organization’s most sensitive secrets. While this is still a developing situation that requires further assessment, the scope of this attack has global ramifications and the need for affected organizations to act is immediate.
Disclaimer: This is a developing situation and as such some information within this post may be updated to reflect new and developing understanding of the threat actor’s campaign.
Supply chain attack against multiple high-profile victims
Public reporting has revealed details of a global campaign by a highly capable threat actor—currently tracked as “UNC2452”—compromising widely used network management software as part of a supply chain attack against multiple high-profile victims. The software in question is the SolarWinds Orion Platform, and the compromise inserted a malicious “backdoor,” known as “SUNBURST,” into one of the libraries of this application, giving the threat actor a foothold on the affected system.
SolarWinds’ 8-K SEC filing indicates that it believes the malicious code was inserted as part of the build process, and the source code was not directly affected. The update would appear to be legitimate to the victims, as it was installed as part of an official update and signed by a legitimate SolarWinds certificate.
Current reporting indicates that the malicious updates started being delivered to SolarWinds customers in March 2020 and continued until June 2020. Microsoft analysis indicates there are non-malicious anomalies in some historic updates that may be evidence of the threat actor having had access to the build process dating back to at least October 2019.
The presence of the malicious update does not indicate active exploitation
In the SEC filing, SolarWinds indicates that more than 17,000 organizations may have received an update containing the malicious code. However, the presence of the malicious update by itself does not indicate active exploitation of an organization by the threat actor. The nature of the supply chain compromise means that the threat actor would have had no control over which SolarWinds customers downloaded the update; therefore, the number of actively exploited organizations is likely to be less than the total who received the malicious update.
The first round of actively exploited victims was reported to notably include several US government organizations as well as the US cybersecurity company FireEye. Microsoft has since reported that they have seen active exploitation of more than 40 organizations related to this campaign across 8 countries. This includes the United States, Canada, Mexico, Israel, United Arab Emirates, Belgium, Spain and the United Kingdom.
To date, the organizations who have been reported as actively compromised as a result of this supply chain compromise appear to be focused on organizations with governmental operations or collaborations. These types of organizations would expect to attract attention from threat actors such as UNC2452, which exhibit a high degree of sophistication and resources in their operations. There will be wider targets of opportunity