
SolarWinds, Government, FireEye Cyber Attack; What You Need to Know

What you need to know about the December 13th cyber attack disclosed by FireEye
What Technology Experts Need To Know
1. The SolarWinds Orion product is the initial attack vector, so only organizations running Orion appear to be involved in this attack.
2. SolarWinds has released a fix (a clean build of Orion) and has published details regarding who needs to update.
3. FireEye has published details on how to determine whether you are affected, found here.
4. FireEye advises that once the attackers obtained legitimate credentials they preferred those over their backdoor, and they were known to clean up after themselves, so if you run the Orion product it may be best to perform a deep audit of access rather than rely on finding the backdoor alone.
What You Need to Know
Details are still coming in, and this article will be updated as further details emerge.
To provide some background, SolarWinds is a company commonly known for providing remote access, monitoring, and automation products for computers and network devices.
Recently FireEye, a cyber security company, raised the alarm about a cyber attack that began as early as March, in which attackers used SolarWinds Orion to gain access to sensitive systems across various businesses and government entities.
Not all SolarWinds customers were affected. The SolarWinds Orion product was the product maliciously leveraged to gain access to these systems. Access was gained via a weaponized update: the malicious code reached victims as part of what looked like a legitimate Orion software update, which is why whether you installed Orion and its updates is the key question. We do not yet have details regarding how the bad actors gained access to SolarWinds' own infrastructure.
SolarWinds Orion features a government version of its product, and Forbes reports: "According to a review of public records, the range of U.S. government customers who've previously bought SolarWinds Orion is vast. The Pentagon is the biggest customer, with the Army and the Navy being big users."
This matches FireEye's statement: "The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East."
Articles have popped up claiming Dominion Voting Systems uses SolarWinds Orion. These claims appear to be based on a circulating image featuring the Dominion Systems logo in a screenshot of the SolarWinds Serv-U File Transfer product. That image shows the SolarWinds Serv-U product, not the Orion product, and thus unless further details are provided it does not appear to prove much of anything.
What can we learn from the attack itself?
This particular attack currently appears to have been highly coordinated and rather manual in nature. Unlike a typical fire-and-forget virus or worm, there was an operator behind the scenes issuing coordinated commands to infected systems. FireEye has also reported that once the attackers gained legitimate access (valid credentials), they preferred it to their original backdoor, and that they often performed cleanup to reduce the chance of raising alarms.
For defenders this matters: an Orion server with no trace of the backdoor left on it is not evidence that the surrounding environment is clean, since the attackers may already have moved on to legitimate credentials and removed their initial tooling.
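As an added, illustrative example (written for this page; it is not SolarWinds' or FireEye's code, and the log format, host names, account names and dates are all constructed), here is the shape of the access audit that item 4 above recommends: take authentication records from whatever logging you have, list every account that authenticated from the Orion server to other systems after the suspect update went in, and flag the ones that did not exist in the log before that date.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    when: datetime
    account: str
    src_host: str
    dst_host: str
    success: bool


# Constructed sample authentication log (hypothetical hosts, accounts and dates).
# svc_orion is the monitoring account doing its routine job; backupadm first
# appears after the suspect update, pivots from the Orion server to a domain
# controller and a file server, and then goes quiet.
SAMPLE_LOG = """
# time,account,src_host,dst_host,result
2020-02-10T08:00:00,svc_orion,orion01,dc01,ok
2020-03-02T08:00:00,svc_orion,orion01,dc01,ok
2020-03-26T08:00:00,svc_orion,orion01,dc01,ok
2020-04-02T08:00:00,svc_orion,orion01,dc01,ok
2020-04-05T02:13:00,backupadm,orion01,dc01,ok
2020-04-05T02:21:00,backupadm,orion01,fs02,ok
2020-04-06T01:50:00,backupadm,ws-hr-07,fs02,ok
2020-04-06T02:05:00,backupadm,orion01,dc01,ok
2020-04-06T02:07:00,backupadm,orion01,dc01,fail
2020-05-01T08:00:00,svc_orion,orion01,dc01,ok
2020-05-12T09:30:00,jsmith,ws-hr-07,fs02,ok
"""


def parse_events(lines):
    """Parse 'time,account,src_host,dst_host,result' lines (constructed format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, src, dst, result = (f.strip() for f in line.split(","))
        events.append(AuthEvent(datetime.fromisoformat(ts), account.lower(),
                                src.lower(), dst.lower(), result == "ok"))
    return events


def audit_pivots(events, orion_host, update_time):
    """Summarise every account that successfully authenticated *from* the
    Orion host to another system on or after update_time (datetime or ISO string).

    For each such account the report records the systems reached, how many
    times it was used from the Orion host, when it was first and last seen
    anywhere in the log, and whether it was entirely unknown before the update.
    """
    if isinstance(update_time, str):
        update_time = datetime.fromisoformat(update_time)
    orion_host = orion_host.lower()

    first_seen, last_seen = {}, {}
    for e in sorted(events, key=lambda e: e.when):
        first_seen.setdefault(e.account, e.when)
        last_seen[e.account] = e.when

    report = {}
    for e in events:
        if e.src_host != orion_host or e.dst_host == orion_host:
            continue
        if e.when < update_time or not e.success:
            continue
        entry = report.setdefault(e.account, {"targets": set(), "from_orion": 0})
        entry["targets"].add(e.dst_host)
        entry["from_orion"] += 1

    for account, entry in report.items():
        entry["first_seen"] = first_seen[account]
        entry["last_seen"] = last_seen[account]
        entry["new_after_update"] = first_seen[account] >= update_time
    return report


def accounts_new_since_update(report):
    """Accounts used from the Orion host that did not exist in the log before
    the update: the first thing to look at, since the attackers preferred
    legitimate credentials over their backdoor."""
    return sorted(a for a, entry in report.items() if entry["new_after_update"])


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG.splitlines())
    report = audit_pivots(events, "orion01", "2020-03-26")
    for account, entry in sorted(report.items()):
        print(f"{account}: {entry['from_orion']} logons from orion01 to "
              f"{sorted(entry['targets'])}, first seen {entry['first_seen']:%Y-%m-%d}, "
              f"last seen {entry['last_seen']:%Y-%m-%d}, "
              f"new after update: {entry['new_after_update']}")
    print("review first:", accounts_new_since_update(report))
```

Run as-is it reports on the sample; in a real environment feed it exported logon events and the date the Orion update was installed, and treat accounts that appear only after that date, or that reach systems Orion has no business reaching, as the starting point of the audit. It is a starting point, not a verdict: given the cleanup behaviour FireEye describes, gaps in the records are themselves a finding.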
This indicates a purposeful and methodical effort. SolarWinds is reporting that "this attack was likely conducted by an outside nation state". There are reports that Russia is currently suspected; to understand why, you may consider reading "Why Does Russia Get Credit For A Lot of Hacks?". That said, there is currently nothing to verify that Russia is behind this one, and Kremlin spokesman Dmitry Peskov has denied that Russia was involved, the NY Post reports.
As further details manifest, this article will be updated.