SolarWinds, Government, FireEye Cyber Attack: What You Need to Know
What you need to know about the cyber attack disclosed by FireEye on December 13th
What Technology Experts Need To Know
1. The SolarWinds Orion product is the initial attack vector, so only organizations running this product appear to be affected by this attack.
2. SolarWinds has released a fixed version and has published details on which installations need to be updated.
3. FireEye has published details on how to determine whether you are affected.
4. FireEye reports that once the attackers obtained legitimate access they preferred it over their backdoor, and that they cleaned up after themselves, so if you run the Orion product you should perform a deep audit of access: review which accounts, source hosts and logon paths have been used since the malicious update was installed, not just whether the backdoored component is still present.
What You Need to Know
Details are still coming in and this article will be updated as further details manifest.
To provide some background, SolarWinds is a company known for providing remote access, monitoring and automation products for computers and network devices.
Recently FireEye, a cyber security company, raised the alarm about a cyber attack under way as early as March, in which attackers used SolarWinds Orion to gain access to sensitive systems across various businesses and government entities.
Not all SolarWinds customers were affected. The SolarWinds Orion product was the product maliciously leveraged to gain access to these systems, and that access was gained via a weaponized update: organizations installed what appeared to be a legitimate Orion update that carried attacker code. We do not yet have details regarding how the bad actors gained access to SolarWinds' infrastructure to produce that update.
SolarWinds Orion features a government version of its product, and Forbes reports "According to a review of public records, the range of U.S. government customers who’ve previously bought SolarWinds Orion is vast. The Pentagon is the biggest customer, with the Army and the Navy being big users."
This information is consistent with FireEye's statement "The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East".
Some articles have appeared claiming that Dominion Voting Systems uses SolarWinds Orion. These claims appear to be based on a circulating image showing the Dominion Voting Systems logo inside the SolarWinds Serv-U file transfer product. That image shows the Serv-U product, not Orion, so unless further details are provided it does not appear to prove much of anything.
What can we learn from the attack
This particular attack currently appears to have been highly coordinated and largely manual in nature. Unlike a typical fire-and-forget virus, someone was operating hands-on behind the backdoor, issuing coordinated commands to infected systems. FireEye has also reported that once legitimate access was gained, the attackers preferred it to their original backdoor method, and that they often cleaned up after themselves to avoid raising alarms.
This indicates purposeful and methodical effort. SolarWinds is reporting that "this attack was likely conducted by an outside nation state". There are reports that Russia is currently suspected; to understand why, you may consider reading "Why Does Russia Get Credit For A Lot of Hacks?". That said, there is currently nothing that verifies Russia is behind this one, and the NY Post reports that Kremlin spokesman Dmitry Peskov has denied that Russia was involved.
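Both the "deep audit of access" recommended above and the observation that the attackers moved to legitimate credentials and cleaned up after themselves point at the same practical problem: the backdoor may be gone, but the logon trail it created is not. The following is an added example, not code from the original post, FireEye or SolarWinds, of how such an audit can be approached. It assumes a simple export of logon events (timestamp, account, source host, target host, logon type), builds a baseline of normal behaviour from the period before the earliest suspected compromise, and flags later events whose access path, logon type or hour of day was never seen in that baseline. The sample events, host names and the hypothetical cutoff date are constructed for the demonstration.

```python
"""Access-audit helper (added example, not the original article's code).

Assumes an export of logon events, one per line, in the form
    timestamp,account,source_host,target_host,logon_type
and a cutoff date before which the environment is believed clean.
Everything seen before the cutoff becomes the baseline; later events
are reported when they use a new account/source/target path, a new
logon type for that account, or an hour of day the account never
logged on at before. All sample data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample export; hosts and accounts are hypothetical.
# "svc_orion" stands in for a monitoring-server service account,
# "orion01" for the monitoring server, "dc01" for a domain controller.
SAMPLE_EVENTS = """\
2020-02-10T08:00:00,svc_orion,orion01,dc01,3
2020-02-10T08:05:00,svc_orion,orion01,fs01,3
2020-02-11T08:00:00,svc_orion,orion01,dc01,3
2020-02-12T09:00:00,alice,ws-alice,fs01,3
2020-04-02T02:13:00,svc_orion,orion01,dc01,3
2020-04-02T02:14:00,svc_orion,orion01,dc01,10
2020-04-02T02:20:00,svc_orion,dc01,fs02,3
2020-04-03T03:00:00,alice,orion01,dc01,10
"""

# Hypothetical date: everything before it is treated as known-good.
BASELINE_END = datetime(2020, 3, 1)


@dataclass
class Event:
    ts: datetime
    account: str
    src: str
    dst: str
    logon_type: str


@dataclass
class Finding:
    event: Event
    reasons: list


def parse_events(text):
    """Parse the comma-separated export into Event objects."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, src, dst, logon_type = line.split(",")
        events.append(Event(datetime.fromisoformat(ts), account, src, dst, logon_type))
    return events


def build_baseline(events, cutoff):
    """Collect the access paths, logon types and hours seen before the cutoff."""
    paths, types, hours = set(), set(), defaultdict(set)
    for e in events:
        if e.ts < cutoff:
            paths.add((e.account, e.src, e.dst))
            types.add((e.account, e.logon_type))
            hours[e.account].add(e.ts.hour)
    return paths, types, hours


def audit(events, cutoff):
    """Return post-cutoff events that deviate from the baseline, oldest first."""
    paths, types, hours = build_baseline(events, cutoff)
    findings = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.ts < cutoff:
            continue
        reasons = []
        if e.account not in hours:
            reasons.append("account not in baseline")
        if (e.account, e.src, e.dst) not in paths:
            reasons.append(f"new access path {e.src}->{e.dst}")
        if (e.account, e.logon_type) not in types:
            reasons.append(f"new logon type {e.logon_type}")
        if e.account in hours and e.ts.hour not in hours[e.account]:
            reasons.append(f"unusual hour {e.ts.hour:02d}")
        if reasons:
            findings.append(Finding(e, reasons))
    return findings


if __name__ == "__main__":
    for f in audit(parse_events(SAMPLE_EVENTS), BASELINE_END):
        ev = f.event
        print(f"{ev.ts.isoformat()} {ev.account} {ev.src}->{ev.dst} "
              f"type={ev.logon_type}: {'; '.join(f.reasons)}")
```

On the constructed data this surfaces exactly the pattern the article describes: the service account begins logging on at 2 a.m., picks up an interactive logon type it never used, and then hops from the domain controller to a new file server, after which a human account starts logging on from the monitoring server. None of those events would fire a signature for the backdoor itself; a baseline comparison over the logon trail is what catches the use of legitimate access. A real audit would feed the same logic from the domain controllers' security logs and the Orion server's own logs rather than a hand-written export.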
As further details manifest, this article will be updated.