
    Monitoring the SolarStorm: Understanding SolarWinds Orion Hack

    By Derrick Rice and Eric Geving

    What do we know?

    The recent news of the SolarWinds Orion hack and its ever-growing list of impacted clients is unlike any hack within recent history. SolarWinds reports more than 300,000 customers, and fewer than 18,000 of them are believed to have installed the trojanized Orion update. Combined with the deep level of permissions a network monitoring platform is granted, that means the scope of the SolarWinds Orion Platform hack will take years to be fully quantified.

    Unlike other high-profile attacks, including most recently Equifax and Marriott International, this one did not target social security numbers or credit card numbers. The intent of the attack on SolarWinds wasn't to exfiltrate sensitive information from SolarWinds itself but to infiltrate the organizations that use the platform. This breach was made possible through a "supply chain attack."

    What is a supply chain attack?

    In this supply chain attack the attackers compromised SolarWinds' build process so that a backdoor (known as SUNBURST) was compiled into a digitally signed Orion component, which the normal Orion update mechanism then distributed to customers. Once an affected update was installed within a client's infrastructure, the backdoor gave the attackers a foothold inside the network with the elevated permissions granted to the monitoring software. Because the component was signed by SolarWinds and delivered through the legitimate update channel, ordinary signature and hash checks did not flag it. Any organization that installed an affected Orion version should be treated as compromised until a forensic review shows otherwise.

    Who is behind the attack?

    The SolarWinds hack was a global intrusion campaign reported to have been carried out by the Foreign Intelligence Service of the Russian Federation (SVR RF). Trojanized Orion updates are reported to have been distributed from spring 2020 onward, and the campaign is considered ongoing as of this writing. Post-compromise activity following the supply chain attack has included lateral movement throughout infrastructure and systems and theft of sensitive data.

    What is being done?

    SolarWinds has released Orion Platform 2020.2.1 HF 1, followed by HF 2, which replaces the backdoored component in the affected versions. Strictly, this is the removal of a backdoor rather than the patching of a vulnerability, and the distinction matters: the hotfix removes SUNBURST itself, but it cannot remove anything the attackers set up after using it, such as additional accounts, stolen credentials or other persistence mechanisms. For that reason, even with the hotfix installed, organizations should consider rebuilding their SolarWinds Orion environment from scratch rather than patching in place.

    What should my organization do?

    If your organization is still running an affected version (Orion Platform 2019.4 HF 5, 2020.2 with no hotfix installed, or 2020.2 HF 1), the SolarWinds servers should be isolated from the rest of your infrastructure immediately. A comprehensive forensic investigation should follow, and passwords for elevated accounts, especially those with access to SolarWinds Orion servers and infrastructure, should be changed. The credentials Orion stores for the devices and systems it monitors should be rotated as well, since the backdoor ran with access to them. It is important to note that, through lateral movement, other systems and accounts may have been compromised, so the forensic investigation should not focus solely on SolarWinds Orion systems and accounts.

    What can we do to be prepared for other attacks?

    Even though some of the most diligent organizations have fallen victim to this supply chain attack, it is important that we continue to mitigate the most common risks and focus on good cyber hygiene, including:

    • Default Accounts – Identifying and changing default passwords for pre-installed accounts should be one of the first steps taken when implementing new software or a new service. These passwords are often simple, publicly documented and easy to guess, and should be replaced to meet existing organizational password standards. Any pre-installed accounts that are not necessary for ongoing application or service maintenance should be disabled.
    • Password Strength & Security – Passwords should be required to meet strong organizational standards to limit the probability of a bad actor obtaining access via common password-guessing methods. Standards should favor length and screening against lists of known-breached passwords over complexity rules alone, and privileged accounts should additionally be protected with multi-factor authentication. Password rotation is most valuable when there is evidence or suspicion of compromise, as in this incident; forced periodic expiration on its own tends to produce predictable variations of the same password.
    • Access Reviews – Account access should be regularly reviewed to confirm that access to sensitive areas remains appropriate. Granting privileges only on an as-needed basis reduces the opportunities for a bad actor to gain privileged access. Access controls should include review of user provisioning and termination, so that accounts are removed or disabled promptly when their owners leave or change roles.
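The default-account and access-review points above can be turned into a repeatable check. The following is an added example written for this article, not code from the original page or from any directory product; the record layout, group names, approved-membership matrix, default-account list and 90-day staleness threshold are all assumptions, and the directory export and HR feed are constructed sample data.

```python
"""Periodic access review over constructed directory and HR data.

Added example for this article, not code from the original page or from
any directory product. The record layout, group names, approved-access
matrix, default-account list and staleness threshold are assumptions.
"""
from datetime import date, timedelta

# Constructed directory export (not real data): one record per account.
ACCOUNTS = [
    {"name": "jsmith",       "enabled": True,  "groups": {"Domain Users"},                  "last_logon": "2020-12-10"},
    {"name": "admin-jsmith", "enabled": True,  "groups": {"Domain Users", "Domain Admins"}, "last_logon": "2020-12-12"},
    {"name": "svc_orion",    "enabled": True,  "groups": {"Domain Users", "Domain Admins"}, "last_logon": "2020-12-14"},
    {"name": "bwong",        "enabled": True,  "groups": {"Domain Users"},                  "last_logon": "2020-07-01"},
    {"name": "admin",        "enabled": True,  "groups": {"Orion Admins"},                  "last_logon": "2019-01-05"},
    {"name": "tlee",         "enabled": True,  "groups": {"Domain Users"},                  "last_logon": "2020-11-30"},
    {"name": "guest",        "enabled": False, "groups": set(),                             "last_logon": None},
]
# Constructed HR feed: accounts whose owners have left, with separation date.
TERMINATED = {"tlee": "2020-11-15"}
# Approved membership for each privileged group; anyone else is unapproved.
APPROVED = {"Domain Admins": {"admin-jsmith"}, "Orion Admins": {"svc_orion"}}
# Vendor/OS default accounts that should stay disabled unless explicitly needed.
DEFAULT_ACCOUNTS = {"admin", "administrator", "guest"}
STALE_AFTER = timedelta(days=90)  # assumed inactivity threshold


def review(accounts, terminated, approved, as_of):
    """Return (kind, account, detail) tuples for everything needing a decision."""
    findings = []
    for a in accounts:
        name = a["name"]
        # 1. Membership in a privileged group that the access matrix does not approve.
        for group, members in approved.items():
            if group in a["groups"] and name not in members:
                findings.append(("unapproved_privilege", name, group))
        if not a["enabled"]:
            continue  # a disabled account needs no further review
        last = a["last_logon"]
        # 2. Separated employee whose account is still enabled; note any
        #    activity after the separation date, which is itself suspicious.
        if name in terminated:
            sep = terminated[name]
            after = last is not None and last > sep  # ISO dates compare as strings
            detail = f"separated {sep}" + ("; logon seen after separation" if after else "")
            findings.append(("terminated_enabled", name, detail))
        # 3. Pre-installed account left enabled.
        if name in DEFAULT_ACCOUNTS:
            findings.append(("default_enabled", name, "pre-installed account"))
        # 4. No logon within STALE_AFTER: candidate for disablement.
        if last is None or as_of - date.fromisoformat(last) > STALE_AFTER:
            findings.append(("stale", name, f"last logon {last}"))
    return findings


def run_review(as_of=date(2020, 12, 15)):
    """Run the review over the constructed data as of the given date."""
    return review(ACCOUNTS, TERMINATED, APPROVED, as_of)


if __name__ == "__main__":
    for kind, account, detail in run_review():
        print(f"{kind:22} {account:14} {detail}")
```

On the constructed data the review surfaces a service account that has acquired Domain Admins membership nobody approved, a vendor default account that is both unapproved and untouched for two years, a separated employee whose account was used after the separation date, and an idle account; each is a decision for an owner, not an automatic action.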

    If your organization is hacked or infiltrated, being able to identify and act on indicators of compromise is key to keeping it from becoming the next headline. As an attack progresses, these indicators can tip off security personnel to behavior that is out of the ordinary and warrants investigation. Capabilities that help include:

    • Monitoring Account Behavior – Be on the lookout for anomalous account activity. Should accounts be connecting to systems outside of normal business hours? Are accounts connecting to many systems in a short period, or to systems that aren't normally part of the account's purpose? A monitoring platform's service account, for instance, has a very regular pattern of activity, so a departure from it is easy to spot if anyone is looking. These situations could be cause for further investigation.
    • Baselining traffic – Knowing what types of network traffic are "normal" helps your organization identify situations that are suspicious. If you understand which ports and protocols, which external IP addresses, what volumes of data, and what connection types and durations are seen day-to-day, conditions outside that norm can be investigated.

    Ensure your systems are logging activity and access with the right amount of verbosity, including the time of the event (in a consistent time zone), source and destination IP address, the account used and the action performed. Feeding these audit logs into a Security Information and Event Management (SIEM) tool lets it alert your personnel and aid them in investigating activity and eradicating threats in a timely manner.
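The account-behavior, traffic-baselining and logging points above come down to a few explicit rules evaluated against a known baseline. The following is an added example written for this article, not code from the original page or from SolarWinds or any SIEM vendor; the log format, business hours, thresholds, per-account destination baselines and network ranges are all assumptions chosen for illustration, and the log lines are constructed.

```python
"""Baseline-and-deviation checks over constructed connection logs.

Added example for this article, not code from the original page or from
SolarWinds or any SIEM product. Log format, baselines, thresholds and
network ranges are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta
import ipaddress

# Constructed sample log (not real data). One connection per line:
# timestamp account src_host dst_host dst_ip dst_port bytes_out
SAMPLE_LOG = """\
2020-12-14T09:12:03 svc_orion orion01 db01 10.0.1.20 1433 20480
2020-12-14T09:15:41 jsmith ws-jsmith fileshare 10.0.2.5 445 102400
2020-12-14T10:02:10 svc_orion orion01 sw-core01 10.0.0.1 161 2048
2020-12-14T23:47:55 svc_orion orion01 dc01 10.0.1.10 445 512000
2020-12-14T23:48:12 svc_orion orion01 dc02 10.0.1.11 445 512000
2020-12-14T23:49:30 svc_orion orion01 hr-db 10.0.3.9 1433 2048000
2020-12-14T23:50:02 svc_orion orion01 cdn-node 203.0.113.77 443 8192000
2020-12-15T08:30:00 jsmith ws-jsmith fileshare 10.0.2.5 445 51200
"""

# Assumed baseline learned from a quiet period: hosts each account normally
# reaches, which ranges count as internal, and which external networks are
# expected (e.g. a vendor's update service).
BASELINE_DESTS = {
    "svc_orion": {"db01", "sw-core01", "sw-core02"},
    "jsmith": {"fileshare", "mail01"},
}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = [ipaddress.ip_network("198.51.100.0/24")]
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
FANOUT_HOSTS, FANOUT_WINDOW = 3, timedelta(minutes=10)
BYTES_OUT_LIMIT = 1_000_000


@dataclass
class Event:
    ts: datetime
    account: str
    src: str
    dst: str
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    port: int
    bytes_out: int


@dataclass
class Finding:
    kind: str
    account: str
    ts: datetime
    detail: str


def parse_log(text):
    """Parse the whitespace-separated format above into time-ordered events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, ip, port, nbytes = line.split()
        events.append(Event(datetime.fromisoformat(ts), account, src, dst,
                            ipaddress.ip_address(ip), int(port), int(nbytes)))
    return sorted(events, key=lambda e: e.ts)


def off_hours(events):
    """Activity outside the assumed business window."""
    return [Finding("off_hours", e.account, e.ts, f"{e.src} -> {e.dst}")
            for e in events if not (BUSINESS_START <= e.ts.time() <= BUSINESS_END)]


def fan_out(events):
    """One account reaching FANOUT_HOSTS distinct hosts within FANOUT_WINDOW."""
    findings, by_account = [], defaultdict(list)
    for e in events:
        by_account[e.account].append(e)
    for account, evs in by_account.items():
        for i, e in enumerate(evs):
            recent = {x.dst for x in evs[:i + 1] if e.ts - x.ts <= FANOUT_WINDOW}
            if len(recent) >= FANOUT_HOSTS:
                findings.append(Finding("fan_out", account, e.ts, ", ".join(sorted(recent))))
                break  # one alert per account is enough to open an investigation
    return findings


def new_destinations(events):
    """Destinations absent from the account's learned baseline."""
    return [Finding("new_destination", e.account, e.ts, e.dst)
            for e in events if e.dst not in BASELINE_DESTS.get(e.account, set())]


def unexpected_external(events):
    """Connections leaving the internal ranges to a network not on the allow list."""
    def internal(ip):
        return any(ip in n for n in INTERNAL_NETS)

    def allowed(ip):
        return any(ip in n for n in ALLOWED_EXTERNAL)

    return [Finding("external", e.account, e.ts, f"{e.ip}:{e.port}")
            for e in events if not internal(e.ip) and not allowed(e.ip)]


def large_transfer(events):
    """Outbound volume above the assumed per-connection limit."""
    return [Finding("volume", e.account, e.ts, f"{e.bytes_out} bytes to {e.dst}")
            for e in events if e.bytes_out > BYTES_OUT_LIMIT]


def analyze(text):
    """Run every rule over a log and return findings in time order."""
    events = parse_log(text)
    findings = (off_hours(events) + fan_out(events) + new_destinations(events)
                + unexpected_external(events) + large_transfer(events))
    return sorted(findings, key=lambda f: (f.ts, f.kind))


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts.isoformat()} {f.kind:16} {f.account:10} {f.detail}")
```

No single rule here is conclusive, and every one of them fires on the constructed log for the same account: a monitoring service account that normally polls a database and a core switch during the day suddenly reaches two domain controllers and an HR database within minutes late at night, then pushes megabytes to an unknown external host. That convergence of several weak signals on one account is what a SIEM correlation rule should surface, and it is the pattern to look for in an Orion service account after this incident.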

    This historic hack will continue to be investigated. In an article on January 7th, the Wall Street Journal reported that the Department of Homeland Security's cybersecurity group was continuing to examine the situation to understand other methods of intrusion that may also have been used. As the investigation continues, we will gain a better understanding of the attack's far-reaching impact.


    Derrick Rice CISSP, CISA, QSA is a Director in Frazier & Deeter’s Process, Risk & Governance Practice, where he focuses on information and technology systems management, design, security and support. Derrick provides subject matter expertise and manages the delivery of various security assessments, including PCI, HITRUST and HIPAA.

    Eric Geving is an Associate in the Process, Risk & Governance practice at Frazier & Deeter.
