    Monitoring the SolarStorm: Understanding SolarWinds Orion Hack

    By Derrick Rice and Eric Geving

    What do we know?

    The recent news of the SolarWinds Orion hack and its ever-growing list of impacted clients is unlike any hack in recent history. The SolarWinds Orion client base of 300,000+ users, combined with the deep level of permissions given to its network monitoring platform, means the scope of the SolarWinds Orion Platform hack will take years to be fully quantified.

    Unlike in other high-profile attacks, including most recently Equifax and Marriott International, social security numbers or credit card numbers were not the target. The intent of the attack on SolarWinds wasn’t to exfiltrate sensitive information but to infiltrate organizations that use the platform. This breach was made possible through the use of a “supply chain attack.”

    What is a supply chain attack?

    This supply chain attack leveraged the SolarWinds Orion update tool to push compromised software packages out to clients. Once a compromised update package was installed within a client’s infrastructure, the attackers could use it as a backdoor into the network and leverage the elevated permissions granted to the software. Clients who used SolarWinds Orion and updated their product to an affected version are susceptible to this attack (known as SUNBURST), and it should be assumed these organizations were compromised.

    Who is behind the attack?

    The SolarWinds hack was a global intrusion campaign reported to be carried out by hackers from the Foreign Intelligence Service of the Russian Federation (or SVR RF). This campaign may have begun as early as Spring 2020 and is currently ongoing. Post-compromise activity following this supply chain attack has included lateral movement throughout infrastructure and systems and theft of sensitive data.

    What is being done?

    SolarWinds has released version 2020.2.1 HF 1, which includes security enhancements to fix the vulnerability in the affected versions. Even with the enhancements, organizations should consider rebuilding their SolarWinds Orion environment from scratch. Patching affected systems may leave behind backdoors, which could still be utilized by attackers via alternate means.

    What should my organization do?

    If your organization is still running a compromised version found here, you should ensure that SolarWinds servers are immediately isolated from the rest of your infrastructure. In addition, a comprehensive forensic investigation should occur and passwords for elevated accounts, especially those having access to SolarWinds Orion servers and infrastructure, should be changed. It is important to note that, through lateral movement, other systems and accounts may have been compromised, and forensic investigations should not solely be focused on SolarWinds Orion systems and accounts.

    What can we do to be prepared for other attacks?

    Even though some of the most diligent organizations have fallen victim to this supply chain attack, it is important that we continue to mitigate some of the most common risks and focus on good cyber hygiene, including:

    • Default Accounts – Identifying and changing default passwords for pre-installed accounts should be one of the first steps taken when implementing a new software or service. These passwords are often simple and easy to guess and should be replaced to meet existing organizational password standards. Any pre-installed accounts that are not necessary for ongoing application or service maintenance should be disabled.
    • Password Strength & Security – Passwords should be required to fit strong organizational standards to limit the probability of a bad actor obtaining access via common password-guessing methods. Standards should require usage of letters and numbers, as well as special characters. Password expiration and rotation practices can serve to limit risk associated with passwords being compromised.
    • Access Reviews – Account access should be regularly reviewed to confirm that access to sensitive areas remains appropriate. Limiting account privileges on an as-needed basis can reduce the opportunities for a bad actor to gain privileged access. Access controls should be built to include review of user provisioning instances and termination protocols.

    If your organization is hacked or infiltrated, being able to identify and respond to indicators of compromise is key to protecting your organization from being the next headline. As attacks progress, these indicators can provide information that tips off security personnel to behaviors that are out of the ordinary and cause for investigation. Some of these capabilities include:

    • Monitoring Account Behavior – Be on the lookout for anomalous account activity. Should accounts be connecting to systems outside of normal business hours? Are accounts connecting to multiple systems at a time or systems that aren’t typically a part of the account’s purpose? These situations could be cause for further investigation.
    • Baselining traffic – Knowing what types of network traffic are “normal” could help your organization identify situations that are suspicious. For example, if you understand what ports or protocols, connections to external IP addresses, amounts of data exchange, and connection types and durations are seen day-to-day, conditions outside the norm could be investigated.

    Ensure your systems are logging activity and access with the right amount of verbosity, which includes information such as time of day, source and destination IP address, account used and action performed. Feeding these audit logs into a Security Information and Event Management (SIEM) tool can alert your personnel and aid them in investigating activity and eradicating threats in a timely manner.
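    The following is an added example, not code from the article or its authors, showing how the two detection capabilities above (anomalous account behavior and traffic baselining) and the logging advice fit together. It parses constructed audit log lines carrying exactly the fields the paragraph above calls for (time, source IP, destination host, account, action, plus a bytes-out column), learns a per-account baseline of usual hosts and transfer sizes from the first day, and then flags after-hours activity, connections to hosts outside the baseline, unusually large transfers, and one account fanning out to many systems at once. The business-hours window, the baseline cut-off date, and the thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from the article). Fields, space-separated:
# timestamp  account  source_ip  destination_host  action  bytes_out
SAMPLE_LOG = """\
2020-12-10T09:12:04 svc_orion 10.0.5.20 orion-db01 logon 512
2020-12-10T09:15:31 svc_orion 10.0.5.20 orion-db01 query 4096
2020-12-10T14:02:10 jdoe 10.0.8.14 fileshare01 logon 1024
2020-12-10T15:40:55 svc_orion 10.0.5.20 orion-db01 query 2048
2020-12-11T02:47:12 svc_orion 10.0.5.20 dc01 logon 512
2020-12-11T02:47:13 svc_orion 10.0.5.20 dc02 logon 512
2020-12-11T02:47:14 svc_orion 10.0.5.20 fileshare01 logon 52428800
2020-12-11T10:05:00 jdoe 10.0.8.14 fileshare01 logon 1024
"""

BUSINESS_HOURS = range(8, 19)          # assumed: 08:00-18:59 local time
BASELINE_END = datetime(2020, 12, 11)  # assumed: events before this day train the baseline


def parse_log(text):
    """Turn raw log lines into event dicts; malformed or blank lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, account, src, dst, action, nbytes = parts
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "src": src, "dst": dst, "action": action, "bytes": int(nbytes)})
    return events


def build_baseline(events, baseline_end=BASELINE_END):
    """Per account: the set of hosts normally reached and the largest transfer seen."""
    baseline = defaultdict(lambda: {"hosts": set(), "max_bytes": 0})
    for e in events:
        if e["ts"] < baseline_end:
            b = baseline[e["account"]]
            b["hosts"].add(e["dst"])
            b["max_bytes"] = max(b["max_bytes"], e["bytes"])
    return dict(baseline)


def detect_anomalies(events, baseline, baseline_end=BASELINE_END,
                     window=timedelta(seconds=60), max_hosts=2, volume_factor=10):
    """Return (kind, account, detail, timestamp) tuples for events after the baseline period."""
    findings = []
    recent = [e for e in events if e["ts"] >= baseline_end]
    for e in recent:
        b = baseline.get(e["account"], {"hosts": set(), "max_bytes": 0})
        when = e["ts"].isoformat()
        if e["ts"].hour not in BUSINESS_HOURS:          # activity outside business hours
            findings.append(("after_hours", e["account"], e["dst"], when))
        if e["dst"] not in b["hosts"]:                  # host this account never used before
            findings.append(("new_host", e["account"], e["dst"], when))
        if b["max_bytes"] > 0 and e["bytes"] > volume_factor * b["max_bytes"]:
            findings.append(("volume", e["account"], e["bytes"], when))  # far above usual transfer size
    # Fan-out: one account logging on to more than max_hosts distinct systems within the window.
    logons = defaultdict(list)
    for e in recent:
        if e["action"] == "logon":
            logons[e["account"]].append(e)
    for account, evs in logons.items():
        evs.sort(key=lambda x: x["ts"])
        for i, start in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                findings.append(("fan_out", account, sorted(hosts), start["ts"].isoformat()))
                break  # one finding per account is enough to trigger investigation
    return findings


def summarize(findings):
    """Count findings by kind, the shape a SIEM dashboard or alert rule would consume."""
    counts = defaultdict(int)
    for kind, *_ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    results = detect_anomalies(evs, build_baseline(evs))
    for f in results:
        print(f)
    print(summarize(results))
```

    On the constructed sample the service account behaves normally on the first day and then, at 02:47 the next morning, reaches three systems it had never touched within two seconds and pushes a large transfer to a file server, so every finding lands on that one account while the ordinary user produces none. In production the baseline would be learned over weeks rather than a day, and the thresholds tuned to each environment, but the structure (learn what is normal per account, then alert on time, destination, volume and fan-out deviations) is the same.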

    This historic hack will continue to be investigated. In an article on January 7th, the Wall Street Journal reported that the Department of Homeland Security cybersecurity group was continuing to explore the situation to understand other methods of intrusion that may also have been utilized. As the investigation into this attack continues, we will gain a better understanding of its far-reaching impact.

    Derrick Rice CISSP, CISA, QSA is a Director in Frazier & Deeter’s Process, Risk & Governance Practice, where he focuses on information and technology systems management, design, security and support. Derrick provides subject matter expertise and manages the delivery of various security assessments, including PCI, HITRUST and HIPAA.

    Eric Geving is an Associate in the Process, Risk & Governance practice at Frazier & Deeter.
