SolarWinds Supply Chain Breach: What You Need to Know
SolarWinds suffered a nation-state attack, discovered in December 2020, impacting an initial estimate of 18,000 organizations globally.
SolarWinds, a popular provider of IT and monitoring solutions, has disclosed a large-scale breach. FireEye has attributed attacks to a sophisticated nation-state actor group. Once SolarWinds was breached, actors modified source code updates to the Orion platform to include malware. To date, compromised update packages include 2019.4 HF5 through 2020.2.1, deployed during March 2020 to June 2020 to clients through supply chain updates to the Orion platform.
What is the scope of the attack?
Two malware components are reported for this breach to date, Teardrop and Sunburst. Teardrop is a memory-only Trojan that initiates the attack on a server and then loads Sunburst, a backdoor Trojan. SolarWinds has approximately 18,000 clients (based on initial estimates) that may have been compromised as a result of this supply chain attack. Victims disclosed include FireEye, the U.S. Treasury department and the U.S. Commerce department. SolarWinds reportedly serves more than 425 Fortune 500 companies as well as all branches of the U.S. military, NASA and other organizations.
Is World Wide Technology impacted?
World Wide Technology (WWT) uses SolarWinds Orion to monitor the availability and performance of systems within our corporate environments and lab spaces. A thorough internal investigation concluded that WWT was not impacted by the widely reported compromise of the SolarWinds Orion code base.
Our investigation leveraged threat intelligence, endpoint management systems, log analysis, incident response tooling, and automated detection and response processes to confirm that WWT SolarWinds code versions weren’t impacted and that indicators of compromise were not present. WWT continues to monitor and respond to this ongoing threat as more information is shared by public and private threat intelligence providers. For questions, please contact firstname.lastname@example.org.
What should my organization do?
If your organization uses SolarWinds products — especially that of Orion — WWT recommends due diligence in threat hunting the known indicators of compromise (IOCs) and anomalous activity during and after March 2020 related to this breach. Even if your organization does not have a direct relationship with SolarWinds, it is likely that it does have third-party relationships with other organizations that may have been compromised through this supply chain attack. Due diligence is recommended for all organizations during this unprecedented breach.
During your audit for known IOCs, possible rogue and compromised accounts and services (for persistence), and anomalous behavior, if a confirmed threat exists or a client uses the Orion product, WWT recommends comprehensive due diligence and/or rebuilding of the server(s). We recommend referencing the following resources in performing due diligence:
- U.S. DHS Emergency Directive
- FireEye IOCs and Countermeasures
- Microsoft Kerberoasting Article
- Contact WWT for additional support and post-incident strategy response support.
The WWT Virtual CISO program embeds seasoned cybersecurity consultants within the environment to help lead initiatives, like incident response and threat mitigation, and assist with program development, maturation and management.
Our Threat and Vulnerability Management Program offerings empower you to uncover and strategically address threats and vulnerabilities with a risk-based methodology, leveraging security automation to increase efficacy, with the ultimate goal of reducing risk across your organization’s environment.
WWT's cybersecurity consultants possess more than 450+ total years of security experience, with roughly 80 certifications and 100 years of government agency experience.
For any immediate needs, please reach out to your account manager or contact us for support.