Here is an update on the still developing story of the SolarWinds hack that was discovered in mid-December.
First, a timeline of the events, which started as early as September 2019. The activity looks a lot like the threat actor APT 29, but FireEye has named this threat group UNC2452.
Once inside the SolarWinds network, the UNC2452 threat actors started checking the network for vulnerabilities and began deploying and testing their malware to find the perfect fit for their purposes. The threat actor got the Sunburst malware installed in the build VM on the SolarWinds network, which tainted the executable that would be shipped to customers of the Orion Network Management Platform. Hence, whenever a patch of the Orion software was ready, the Sunburst malware would be deployed along with it. The patches affected were the March and June patches of 2020; the affected versions were 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. After June 2020, the threat actors decided to remove the malware from the build VM on the SolarWinds network, and all builds of the Orion Network Management Platform after these appear to be malware free. However, in early December, FireEye discovered a compromise of their own network that exposed their proprietary tools. After investigating the incident, FireEye determined that the intrusion came through SolarWinds' Orion Platform.
Then came the discovery of Sunburst, followed by an emergency directive from CISA ordering government agencies to stop using the SolarWinds Orion Platform immediately and purge it from their systems.
SolarWinds deployed a patch of the Orion Platform to remove the malware from affected systems.
Then US-CERT issued a public warning a few days later. A week or so later, Palo Alto found the SuperNova malware also deployed in the Orion Platform code, but they strongly believe this malware was created by a separate threat actor, because, unlike the Sunburst malware, this software was not signed.
Finally, on January 13, 2020, CrowdStrike found a third malware strain in the Orion Platform, called Sundrop, but CrowdStrike has not yet determined which adversary was behind this malware deployment.
Now let’s look at who is affected…
If we look at the SolarWinds 8-K filing with the SEC, SolarWinds has determined that just under 18,000 customers have been affected. If you look at the customer page on the SolarWinds website (now recently removed), you will notice that SolarWinds provides services to customers that include most of the Fortune 500, the military, many branches of the US government, the top 10 telecommunications companies, the top five accounting firms in the US, and hundreds of colleges and universities worldwide.
Organizations that have declared they were affected include Microsoft, FireEye, the US Courts, Cisco, the State Department, the Department of Commerce, and most recently Mimecast.
This is a developing story, and the full extent of the attack and the original motive are still unknown. Stay tuned for further videos on this story, and be sure to check out our notes below for more detailed and updated information. Thank you for watching our video, and if you like us, please press the like button and subscribe for further updates.