15 December 2020
Posted by: Michele Pariani
Summary of SolarWinds breach for InfoSec noobs

In this blog post, I will briefly answer the most important questions about the hijack of SolarWinds Orion. My target audience is information security noobs like me, but you can read along too if you are more advanced.

Which company develops and sells the compromised software?

SolarWinds. SolarWinds is an IT company headquartered in Austin, Texas, which had a revenue of 938.5 million US dollars in 2019.

Which software was compromised and what does this software do?

SolarWinds Orion. SolarWinds Orion is an IT performance monitoring platform. Orion does the following (I took this list from a LinkedIn post by Chris Roberts on 15.12.2020. All the credits for this list go to him!):

  • Network, server, storage, and application monitoring
  • Network, IP, and virtualization management
  • NetFlow analysis and web performance monitoring
  • Log analysis
  • User device tracking
  • Server configuration monitoring
  • Database performance analysis
  • Patch management

What happened exactly?

Threat actors inserted malicious code into Orion updates that were released between March and June 2020. The malicious code lets the threat actors spy on their targets at will.

What is the possible impact?

SolarWinds has 275,000 customers worldwide, but according to the company only “fewer than 18,000” downloaded the compromised updates.

Which US institutions use Orion?

The Pentagon, the State Department, the NSA, the Department of Justice and the Office of the President.

Who are the malicious actors? What is their goal?

This information is unknown at the moment. Some people point the finger at Russia, but there has been no official confirmation yet. However, officials suggested that the attack has all the hallmarks of an espionage operation.

How did SolarWinds get breached?

This information is unknown at the moment. One possibility is that an insider helped the threat actors gain access to the source code of the software updates. Another possibility is that SolarWinds was breached with a remote attack and didn’t detect it.

How many governments and companies have been compromised?

This information is unknown at the moment. We have to assume that the original Orion customer base, together with organizations which shared data with the targets, are at risk.

I hope you liked this post. If you have any questions, feel free to leave a comment in the comment section. Never stop learning!
