SolarWinds Hack

Target Audience

Undergraduate
Graduate

Keywords

Supply chain security
APT attack
backdoors

Introduction

Overview

The SolarWinds hack, discovered in December 2020, was a sophisticated cyberattack targeting SolarWinds, a prominent IT management software company. Hackers, believed to be state-sponsored, inserted a malicious code into SolarWinds' Orion software updates, which were then distributed to thousands of SolarWinds customers, including numerous government agencies and major corporations. This backdoor allowed the attackers to infiltrate networks, steal sensitive data, and conduct espionage undetected for months. The breach raised significant concerns about the security of software supply chains and the vulnerability of critical infrastructure to cyber threats.

Vulnerability Details

Hackers infiltrated SolarWinds' software development environment and injected malicious code into the Orion software updates. This code was then unwittingly distributed to thousands of SolarWinds customers when they downloaded and installed updates for the Orion platform. The attackers meticulously crafted the malware to remain undetected, leveraging techniques such as code obfuscation and encryption, and even mimicking legitimate software behavior to evade detection by security measures. The compromised updates were signed with legitimate SolarWinds digital certificates, making it difficult to detect the malicious activity.

Learning Objectives

Describe the SolarWinds hack
Explain themes in supply chain security
Explain Advanced Persistent Threat (APT)
List common defense mechanisms against cyber attacks
Explain backdoors and how to prevent them

Download

Includes a PDF case study adapted from a real-world cyber breach
Guided questions for student engagement
Instructor materials including context and background
All content packaged in a downloadable ZIP file

Remote Terminal

Terminal Description

In this lab, we are going to recreate a simplified version of solarwinds breach and how it was performed. The attackers injected malicious code into a .DLL file called SolarWinds.Orion.Core.BusinessLayer.dll, which they used to establish their backdoor connection.
Below is an example of what the SolarWinds.Orion.Core.BusinessLayer.dll file could have looked like, written in C#. The attackers obfuscated their code to appear as if it was performing normal business operations by keeping in line with the variable syntax style and naming conventions used by the original authors.

Module Questions

How early was it believed that SolarWinds was initially compromised?September 2019June 2020December 2020March 2020

What was the impacted software, Orion, designed to do?A cloud storage solutionInfrastructure monitoring and management platformAn email service providerA social media platform

How were the attackers able to plant their malware into the Orion platform?Attackers performed a phishing attack against high-level SolarWinds employees, gaining access to the systemAttackers took advantage of a misconfigured database, allowing them to access legitimate credentials of Orion administratorsAttackers compromised the software supply chain through the Orion update mechanismAn insider SolarWinds employee was paid anonymously by the attackers to provide them with Orion administrative credentials

How were the attackers able to propagate their SUNBURST malware to SolarWinds clients?The attackers performed a denial of service attack to bring SolarWinds offline temporarily, at which time they used a backdoor to switch the legitimate Orion software with their own modified versionThe attackers did not intend for their malware to reach SolarWinds clients to avoid being detected; their main target was SolarWinds themselvesAttackers hacked each client individually to ensure that SUNBURST reached the intended targetSolarWinds unknowingly signed and pushed the malware themselves when they updated Orion

Who did the United States formally accuse as perpetrators of the attack?Russian SVRIranian MOISChinese MSSNon-state individuals

What was the American government response to the attack?The United States hacked Russia back in retaliation with a similar-style exploitAn executive order was issued by President Biden to deter and protect from future attacks of this natureThe United States pulled diplomats back from RussiaA UN Resolution was brought forth by the United States seeking to make these types of attacks illegal in international cyberspace

What is an important lesson learned from the SolarWinds attack?SolarWinds was uniquely susceptible to a supply-chain hack and it is rare that a copycat attack will take place somewhere elseMost attacks of this nature can be tied back to the Russian governmentThis one a very difficult, one-off style attack, and companies needn't worry much that an attack like this will happen to themSupply chain attacks can be extremely hard to detect if they are performed correctly