Hackers persistently accessed SolarWinds’ internal systems, Microsoft Office 365 environment and software development environment for months before carrying out their vicious cyberattack.
The IT infrastructure management vendor said hackers compromised SolarWinds’ credentials and conducted research and surveillance via persistent access for at least nine months prior to their October 2019 trial run. Hackers tested their ability to inject code into SolarWinds Orion network monitoring software in fall 2019, months before they actually started putting poisoned code into Orion.
“While unfortunate, it’s not uncommon for threat actors to be in target environments for several months to years,” SolarWinds CEO Sudhakar Ramakrishna wrote in a blog post published Friday. “[This] illustrates the lengths to which outside nation-states will go to achieve their malicious goals and the need for the industry and public sector to work together to protect critical systems and infrastructure.”
SolarWinds’ stock is up $0.58 (3.45 percent) to $17.40 per share in after-hours trading Friday, which is the highest the company’s stock has traded since April 28. Microsoft didn’t immediately respond to a CRN request for comment.
Ramakrishna said the hackers exfiltrated information from SolarWinds during their research and surveillance process. The Biden administration last month formally attributed the colossal SolarWinds campaign to the Russian Foreign Intelligence Service (SVR), with hackers compromising nine U.S. government agencies and roughly 100 private sector companies through the malicious Orion update.
For starters, Ramakrishna said the hackers accessed SolarWinds employee email accounts containing information about the company’s current or former employees and customers. SolarWinds is currently in the process of identifying all personal information contained in these emails and intends to provide notices to any impacted individuals and other parties as appropriate, according to Ramakrishna.
Hackers also created and moved files that SolarWinds believes contained source code for both Orion and non-Orion products, according to Ramakrishna. The hackers also handled a file that may have contained customer names, email addresses, billing addresses, encrypted portal login credentials, the IP addresses used to download software, and the MAC addresses of registered Orion servers.
Finally, Ramakrishna said the hackers moved files to a jump server to more easily exfiltrate the sensitive information out of SolarWinds’ environment. The investigation was executed by CrowdStrike and KPMG, with CrowdStrike’s threat-hunting tools providing ongoing monitoring for suspicious activity and KPMG’s forensics team analyzing SolarWinds’ historical firewall logs, access control logs, and SIEM events.
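The forensic work described above (analyzing historical firewall logs for files staged on a jump server and pushed out of the environment) comes down to one question per internal host: how much allowed traffic did it send to non-RFC1918 addresses, and is that volume out of line? The following is an added example, not code from SolarWinds, CrowdStrike or KPMG; the `key=value` log format, the hosts, the addresses and the 500 MiB threshold are all constructed for the demonstration.

```python
"""Flag internal hosts whose allowed outbound volume to external addresses is anomalous.

Added example; the log format, host names, addresses and threshold are assumptions
constructed for this demonstration, not SolarWinds' or its investigators' data.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed firewall log lines in an assumed "key=value" style.
# 10.20.30.5 plays the jump server: two large allowed transfers to one external host.
SAMPLE_LOG = """\
2020-02-10T01:12:04Z action=allow src=10.20.30.5 dst=10.20.30.40 dport=445 bytes_out=2048
2020-02-10T01:13:11Z action=allow src=10.20.30.5 dst=203.0.113.7 dport=443 bytes_out=734003200
2020-02-10T01:14:02Z action=allow src=10.20.30.5 dst=203.0.113.7 dport=443 bytes_out=811597824
2020-02-10T01:15:40Z action=allow src=10.20.30.77 dst=198.51.100.9 dport=443 bytes_out=51200
2020-02-10T01:16:22Z action=deny src=10.20.30.5 dst=203.0.113.8 dport=22 bytes_out=0
2020-02-10T02:01:09Z action=allow src=10.20.30.12 dst=10.20.30.40 dport=445 bytes_out=9000000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes>\d+)$"
)

# RFC 1918 ranges checked explicitly (ipaddress.is_private also treats the
# documentation ranges used in the sample as private, which would hide them).
INTERNAL_NETS = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"], "action": m["action"], "src": m["src"], "dst": m["dst"],
        "dport": int(m["dport"]), "bytes": int(m["bytes"]),
    }


def external_bytes_by_source(log_text: str) -> dict:
    """Sum allowed outbound bytes per internal source host to external destinations."""
    totals = defaultdict(int)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["action"] != "allow":
            continue  # denied flows moved no data; unparseable lines are skipped
        if is_internal(rec["dst"]):
            continue  # east-west traffic is not exfiltration out of the environment
        totals[rec["src"]] += rec["bytes"]
    return dict(totals)


def find_exfil_candidates(log_text: str, threshold_bytes: int = 500 * 1024 * 1024) -> list:
    """Return internal hosts whose external outbound volume reaches the threshold."""
    totals = external_bytes_by_source(log_text)
    return sorted(src for src, total in totals.items() if total >= threshold_bytes)


if __name__ == "__main__":
    for host in find_exfil_candidates(SAMPLE_LOG):
        print(f"{host}: {external_bytes_by_source(SAMPLE_LOG)[host]} bytes to external hosts")
```

A per-host byte threshold is deliberately simple; in practice the baseline would be learned per host role, and a jump server that normally talks only to internal targets should sit under a far lower threshold than a backup or update server.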
“At this time, we’ve substantially completed this process and believe the threat actor is no longer active in our environments,” Ramakrishna said.
SolarWinds doesn’t know precisely when or how the hackers first gained access to its environment, but Ramakrishna said the company has narrowed it down to the three most likely candidates for initial entry. Initial access most likely occurred through: a zero-day vulnerability in a third-party application or device; a brute-force attack such as a password spray attack; or social engineering, such as a targeted phishing attack.
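Of the three initial-access candidates, the password spray is the one that leaves the clearest trace in authentication logs: one source tries a small number of passwords against many accounts, so per-account lockout never fires, but the count of distinct accounts failing from one source in a short window stands out. The example below is added here and is not SolarWinds' code; the log format, the usernames, the source addresses and the thresholds are constructed for the demonstration, and it also shows the contrasting single-account brute-force pattern so the two detections can be told apart.

```python
"""Detect password-spray and single-account brute-force patterns in authentication logs.

Added example; the log format, accounts, source addresses and thresholds are
constructed assumptions, not SolarWinds' data.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed auth events. 192.0.2.10 sprays one guess across six accounts;
# 198.51.100.22 hammers a single account; 10.0.0.5 is a user who mistyped once.
SAMPLE_AUTH_LOG = """\
2019-01-14T08:00:01Z result=failure user=alice src=192.0.2.10
2019-01-14T08:00:03Z result=failure user=bob src=192.0.2.10
2019-01-14T08:00:05Z result=failure user=carol src=192.0.2.10
2019-01-14T08:00:07Z result=failure user=dave src=192.0.2.10
2019-01-14T08:00:09Z result=failure user=erin src=192.0.2.10
2019-01-14T08:00:11Z result=failure user=frank src=192.0.2.10
2019-01-14T08:05:00Z result=failure user=admin src=198.51.100.22
2019-01-14T08:05:02Z result=failure user=admin src=198.51.100.22
2019-01-14T08:05:04Z result=failure user=admin src=198.51.100.22
2019-01-14T08:05:06Z result=failure user=admin src=198.51.100.22
2019-01-14T08:05:08Z result=failure user=admin src=198.51.100.22
2019-01-14T08:10:00Z result=failure user=alice src=10.0.0.5
2019-01-14T08:10:20Z result=success user=alice src=10.0.0.5
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_events(log_text: str) -> list:
    """Return parsed failure/success events; unparseable lines are dropped."""
    events = []
    for raw in log_text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]})
    return events


def _window_key(ts: datetime, window_minutes: int) -> int:
    """Bucket a timestamp into fixed windows so counts are bounded in time."""
    return int(ts.timestamp()) // (window_minutes * 60)


def detect_password_spray(log_text: str, min_distinct_users: int = 5,
                          max_attempts_per_user: int = 2, window_minutes: int = 60) -> dict:
    """Sources that fail against many accounts with few attempts each within one window."""
    failures = defaultdict(lambda: defaultdict(int))  # (src, window) -> user -> count
    for ev in parse_events(log_text):
        if ev["result"] == "failure":
            failures[(ev["src"], _window_key(ev["ts"], window_minutes))][ev["user"]] += 1
    hits = {}
    for (src, _), per_user in failures.items():
        low_and_wide = [u for u, n in per_user.items() if n <= max_attempts_per_user]
        if len(low_and_wide) >= min_distinct_users:
            hits[src] = sorted(low_and_wide)
    return hits


def detect_single_account_bruteforce(log_text: str, min_failures: int = 5,
                                     window_minutes: int = 60) -> list:
    """(src, user, failures) tuples where one source repeatedly fails one account."""
    counts = defaultdict(int)
    for ev in parse_events(log_text):
        if ev["result"] == "failure":
            counts[(ev["src"], ev["user"], _window_key(ev["ts"], window_minutes))] += 1
    return sorted((src, user, n) for (src, user, _), n in counts.items() if n >= min_failures)


if __name__ == "__main__":
    print("spray:", detect_password_spray(SAMPLE_AUTH_LOG))
    print("brute force:", detect_single_account_bruteforce(SAMPLE_AUTH_LOG))
```

The spray detector keys on breadth (distinct accounts) and the brute-force detector on depth (repeats against one account); a source that trips neither, like the user who mistyped once, stays quiet. In a real deployment the source would usually be an ASN or a tenant-level sign-in log rather than a single IP, since sprays are commonly spread across many addresses.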
The company has excluded the possibility that initial access was through a known, unpatched vulnerability, according to Ramakrishna. SolarWinds customers who installed a poisoned version of Orion could only be targeted for further attack if Orion was installed on a server with access to the internet, Ramakrishna said.
Going forward, Ramakrishna said SolarWinds plans to conduct its software builds in three separate environments with separate user credentials, thereby forcing hackers to replicate an attack across multiple heterogeneous environments with no overlapping privileges in order to succeed. The build process now includes requirements analysis, secure development, security testing, release and respond, he said.
As part of this process, Ramakrishna said SolarWinds is now using Checkmarx for static code analysis, WhiteSource for open source discovery and analysis, and Burp Suite for internal penetration testing. In addition, Ramakrishna said business critical assets are identified, tracked, and reviewed on a regular basis, with security controls defined for each asset.
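The point of building the same release in three mutually isolated environments is that an attacker who tampers with one build has to tamper with all three identically, or the release gate catches the divergence. The check itself is a consensus comparison of artifact digests. This is an added example, not SolarWinds' pipeline code; the environment names and the artifact bytes are constructed, and the policy that a release requires every environment to agree is an assumption chosen for the demonstration.

```python
"""Compare artifacts produced by independent build environments before release.

Added example; environment names, artifact bytes and the unanimity policy are
constructed assumptions, not SolarWinds' build pipeline.
"""
import hashlib
from collections import Counter


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_build_consensus(artifacts: dict, required_environments: int = 3) -> dict:
    """Hash each environment's artifact and decide whether the release may proceed.

    artifacts maps environment name -> artifact bytes. The release is approved only
    when at least `required_environments` environments took part and every digest
    matches. Environments whose digest differs from the most common one are named
    so the divergent build host can be investigated.
    """
    digests = {env: sha256_hex(blob) for env, blob in artifacts.items()}
    if len(digests) < required_environments:
        return {"approved": False, "digests": digests, "dissenting": sorted(digests),
                "reason": f"only {len(digests)} of {required_environments} environments reported"}
    tally = Counter(digests.values())
    majority_digest, majority_count = tally.most_common(1)[0]
    if majority_count * 2 <= len(digests):
        # No digest held by more than half the environments: nothing to trust.
        return {"approved": False, "digests": digests, "dissenting": sorted(digests),
                "reason": "no majority digest"}
    dissenting = sorted(env for env, d in digests.items() if d != majority_digest)
    return {"approved": not dissenting, "digests": digests, "dissenting": dissenting,
            "reason": "all environments agree" if not dissenting else "digest mismatch"}


# Constructed artifacts: the same bytes from three environments, and a second set in
# which one environment's output carries an extra trailing byte.
CLEAN_BUILD = b"Orion-release-binary-bytes"
ARTIFACTS_OK = {"build-a": CLEAN_BUILD, "build-b": CLEAN_BUILD, "build-c": CLEAN_BUILD}
ARTIFACTS_TAMPERED = {"build-a": CLEAN_BUILD, "build-b": CLEAN_BUILD, "build-c": CLEAN_BUILD + b"\x00"}


if __name__ == "__main__":
    for label, arts in (("clean", ARTIFACTS_OK), ("tampered", ARTIFACTS_TAMPERED)):
        verdict = verify_build_consensus(arts)
        print(label, verdict["approved"], verdict["reason"], verdict["dissenting"])
```

The comparison is only as strong as the builds' reproducibility: timestamps, embedded paths or non-deterministic ordering in the toolchain will make honest environments disagree, so the digest gate has to be paired with a deterministic build configuration before it can be enforced rather than merely reported.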
“We see an opportunity to help lead an industry-wide effort we believe will position SolarWinds as a model for secure software environments, development processes, and products,” Ramakrishna said.