- “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor”
- “Trojanized” SolarWinds software used to conduct attacks
- According to an analyst, Dominion Voting Systems used a “FILE SHARE System… hosted on A SolarWinds Orion Network”
- “This campaign may have begun as early as Spring 2020 and is currently ongoing”
Fireeye, a California-based cybersecurity firm, has produced an in depth analysis of the international hacking attacks utilizing software used by U.S. government agencies and private companies worldwide: SolarWinds.
Backdoor methods were used to enter systems remotely.
After an initial dormant period of up to two weeks, it retrieves and executes commands, called “Jobs”, that include the ability to transfer and execute files, profile the system, and disable system services. The backdoor’s behavior and network protocol blend in with legitimate SolarWinds activity, such as by masquerading as the Orion Improvement Program (OIP) protocol and storing reconnaissance results within plugin configuration files. The backdoor uses multiple blocklists to identify forensic and anti-virus tools via processes, services, and drivers…Hidden in plain sight, the class SolarWinds.Orion.Core.BusinessLayer.OrionImprovementBusinessLayer implements an HTTP-based backdoor…
Fireeye analysis
Read SolarWinds security alert
Read alert from federal Cybersecurity and Infrastructure Security Agency
According to SolarWinds, it’s customer list includes more than 300,000 customers worldwide, including military, Fortune 500 companies, government agencies, and education institutions.
According to SolarWinds, it’s customer list includes more than 300,000 customers worldwide, including military, Fortune 500 companies, government agencies, and education institutions.
“Our customer list includes:
More than 425 of the US Fortune 500
All ten of the top ten US telecommunications companies
All five branches of the US Military
The US Pentagon, State Department, NASA, NSA, Postal Service, NOAA, Department of Justice, and the Office of the President of the United States
All five of the top five US accounting firms
Hundreds of universities and colleges worldwide”
Executive Summary
- We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.
- FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
- The attacker’s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
- The campaign is widespread, affecting public and private organizations around the world.
- FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.
Summary
FireEye has uncovered a widespread campaign, that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security. (Continued…)
Fight improper government surveillance. Support Attkisson v. DOJ and FBI over the government computer intrusions of Attkisson’s work while she was a CBS News investigative correspondent. Visit the Attkisson Fourth Amendment Litigation Fund. Click here.