In this blog post, I will briefly answer the most important questions about the hijack of SolarWinds Orion. My target audience is information security noobs like me, but you can read along too if you are more advanced.
Which company develops and sells the compromised software?
SolarWinds. SolarWinds is an IT company headquartered in Austin, Texas, which had a revenue of 938.5 million US dollars in 2019.
Which software was compromised and what does this software do?
SolarWinds Orion. SolarWinds Orion is an IT performance monitoring platform. Orion does the following (I took this list from a LinkedIn post by Chris Roberts on 15.12.2020. All the credit for this list goes to him!):
- Network, server, storage, and application monitoring
- Network, IP, and virtualization management
- NetFlow analysis and web performance monitoring
- Log analysis
- User device tracking
- Server configuration monitoring
- Database performance analysis
- Patch management
What happened exactly?
Threat actors inserted malicious code into Orion updates that were released between March and June 2020. The malicious code lets the threat actors spy on their targets at will.
What is the possible impact?
SolarWinds has 275,000 customers worldwide, but according to the company only “fewer than 18,000” downloaded the compromised updates.
Which are some US institutions using Orion?
The Pentagon, the State Department, the NSA, the Department of Justice and the Office of the President.
Who are the malicious actors? What is their goal?
This information is unknown at the moment. Some people point the finger at Russia, but there has been no official confirmation yet. However, officials suggested that the attack has all the hallmarks of an espionage operation.
How did SolarWinds get breached?
This information is unknown at the moment. One possibility is that an insider helped the threat actors gain access to the source code of the software updates. Another possibility is that SolarWinds was breached with a remote attack and didn’t detect it.
How many governments and companies have been compromised?
This information is unknown at the moment. We have to assume that the original Orion customer base, together with organizations that shared data with the targets, is at risk.
I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!
I have read that the Solarwinds compromise was what caused the Gmail and YouTube outage that took place briefly yesterday. Any information or speculation on that?
According to ZDNet, the reason behind the outage was the “reduced capacity for Google’s central identity-management system, blocking any service that required users to log in.” It seems that that had nothing to do with SolarWinds.
Hi … is there insight as to how they got access to the updates? I have only been in the field a few years and this would help me understand how the threat actors got in.
The investigation is still ongoing. According to Jai Vijayan from darkreading.com, it seems that “attackers gained access to the company’s Orion software build system — or CI/CD development environment — using forged SAML authentication tokens that likely impersonated highly privileged accounts”. The original article can be found here: https://www.darkreading.com/attacks-breaches/concerns-run-high-as-more-details-of-solarwinds-hack-emerge/d/d-id/1339726
Nice and clear, thank you.