SolarWinds Hack: Overview of the Situation
Recently there has been a lot of talk about the hack of SolarWinds. If you’ve spent any time looking into the attack, the list of those who have been struck reads very much like a who’s who of the United States Government. This probably has a lot of people worried about their own security. So, I figured that doing a bit of a rundown of what we know happened would be timely.
Back in March, the Orion network monitoring software from SolarWinds was compromised. For those not aware, the Orion software platform is a network monitoring tool aimed at enterprise-level customers. It’s designed to be modular, able to look at traffic, monitor servers, and track users, databases, software patches, and more. Pretty impressive stuff, but it’s also far from free (they’re aiming for enterprise-class customers after all, so we’re talking about organizations of at least 1000 employees, that sort of thing).
The installation was altered to include a bit of code that lay dormant for about two weeks, then went off and connected to a command & control server to receive instructions. Now then, considering the type of machine this software would be installed on, it would have a massive amount of sensitive information stored on it. So, compromising just that machine would be a great way of gaining information about the activities of anyone who had installed the compromised version of this software. The two-week delay was probably put in so that no strange behaviour would get noticed in any official testing.
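To make the dormancy-then-beacon pattern described above concrete from a defender’s side, here is an added example (not code from the original post, SolarWinds or TRINUS) that correlates a software install time with outbound connection records and flags destinations first contacted only after a quiet period, then checks whether those connections are evenly spaced. The log lines, host name, destinations and install timestamp are all constructed, and the 14-day window is an assumption taken from the “about two weeks” figure.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from the blog post): when the
# monitoring host "mon01" last had software installed, and its outbound
# connections as "timestamp host destination port".
INSTALL_EVENTS = {"mon01": datetime(2020, 3, 26, 9, 0)}
CONN_LOG = """\
2020-03-20T10:00:00 mon01 updates.vendor.example 443
2020-03-27T10:00:00 mon01 updates.vendor.example 443
2020-04-10T03:14:00 mon01 c2-placeholder.example 443
2020-04-10T03:44:00 mon01 c2-placeholder.example 443
2020-04-10T04:14:00 mon01 c2-placeholder.example 443
"""

def parse_log(text):
    """Parse the constructed log format into (timestamp, host, dst, port)."""
    rows = []
    for line in text.splitlines():
        ts, host, dst, port = line.split()
        rows.append((datetime.fromisoformat(ts), host, dst, int(port)))
    return rows

def first_contacts_after_dormancy(rows, install_events, dormancy_days=14):
    """Destinations a host contacted for the first time at least
    dormancy_days after a software install on that host. Destinations seen
    before the install (normal update traffic) are left alone."""
    first_seen = {}  # (host, dst) -> earliest timestamp
    for ts, host, dst, _ in sorted(rows):
        first_seen.setdefault((host, dst), ts)
    findings = []
    for (host, dst), first in first_seen.items():
        installed = install_events.get(host)
        if installed and first - installed >= timedelta(days=dormancy_days):
            findings.append((host, dst, (first - installed).days))
    return findings

def beacon_interval(rows, host, dst):
    """Seconds between connections if they are evenly spaced (within 10%),
    else None. Regular check-ins are a common sign of C2 polling."""
    times = sorted(ts for ts, h, d, _ in rows if h == host and d == dst)
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean > 0 and all(abs(g - mean) <= 0.1 * mean for g in gaps):
        return mean
    return None

if __name__ == "__main__":
    rows = parse_log(CONN_LOG)
    for host, dst, days in first_contacts_after_dormancy(rows, INSTALL_EVENTS):
        print(host, dst, days, "days after install,",
              "interval:", beacon_interval(rows, host, dst))
```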
TRINUS Technologies makes use of some SolarWinds tools (specifically N-Central), but as this tool was not part of the attack, there’s no cause for concern if you’re a TRINUS customer.
SolarWinds hasn’t released specific details about how the installation was compromised, but there are a couple of plausible methods I can think of. First, they could have created their own custom installation package that did all the same upgrade steps that a normal install did, but just added this new little hidden bit. This would need to work as a seamless upgrade from the previous version, otherwise the change would be detected immediately. While this is technically possible, it would require that they took the normal install apart, rebuilt it, and also compromised the SolarWinds machine to replace the download and the monitoring mechanism that verifies the download.
While that is possible, it’s a lot of work and very complicated. The more convoluted it is, the more likely something will go wrong. So realistically, there are two ways this likely happened. They might have paid off a developer to insert some code into the project (similar to what someone tried to do with Tesla earlier this year). Another option is that they managed to get one of their own hired on and got the code in that way. Regardless of how it happened, this sort of activity isn’t something your typical hacker group would bother with and is definitely on the level of being sponsored by a state. A regular hacking group would have turned this hack into money at some point.
Even though SolarWinds makes a lot of different software, compromising more than one project would likely take multiple people. To be fair, once the code was put into place, whoever was responsible for it probably left SolarWinds and possibly fled the country. Given the probable fallout when the code eventually got discovered, they likely stayed just long enough to make sure the code was in and got published, and then left shortly afterwards.
Considering the nature of the software, the purpose of this hack was likely information gathering. If you keep in mind all the various resources that Orion can be connected to and monitor, being able to compromise just this software would provide someone with a treasure trove of information about anyone that installed the compromised version. If this had been a normal hack, the purpose would have been monetary in nature and we’d have seen ransomware or something like that.
If you have any questions about SolarWinds tools used by TRINUS, please reach out to your TRINUS Account Manager for stress-free IT.
By Kind Courtesy of Your Friendly Neighbourhood Cyber-Man.