Federal agencies and private industry are unpacking the fallout of the SolarWinds Orion hack.
Thus far, the Department of Commerce, Treasury, Homeland Security, Energy and the National Nuclear Security Administration are among the agencies impacted by the cyberattack, which some experts are attributing to Russia.
SolarWinds is a primary provider of network management system (NMS) platforms with a loyal customer following. Since the incident, the company contacted 33,000 customers with the Orion platform but believes 18,000 customers could be vulnerable to the compromised software update.
Nov. 17, the Cybersecurity and Infrastructure Security Agency (CISA) disclosed the attackers have additional backdoors outside of Orion. For some organizations, the Orion backdoors were not further exploited, complicating the discovery of who dropped an initial payload and why.
Cybersecurity Dive is tracking the ongoing SolarWinds cyberattack and possible subsequent, related cybersecurity compromises. The most recent entries are listed first.
Updated Jan. 4, 2021 10:18 am
Microsoft last week disclosed malicious actors viewed some of its source code, creating a vulnerability for the widely used technology company. The discovery came as more organizations are working to determine the impact of the SolarWinds hack.
Thus far, at least 250 organizations, including government agencies and businesses, are impacted, according to a New York Times report.
Read more on Microsoft's discovery here.
— Naomi Eide
Dec. 23, 2020 10:49 am
As the fallout from the SolarWinds cyberattack continues, companies and federal agencies are assessing the impact the attack is having on their operations.
Major technology firms from Microsoft to Cisco have begun the process of investigating the full impact of the backdoor vulnerability found on the SolarWinds Orion platform.
Meanwhile, a growing number of federal agencies are fighting an ongoing battle to contain the damage, as agencies like the Department of Treasury have discovered compromises of email and other non-classified material.
Read more of Cybersecurity Dive's coverage about tech sector impact here.
— David Jones
Dec. 21, 2020 10:38 am
The actors behind the SolarWinds Orion compromise likely accessed the company's software development or distribution as early as October 2019, Microsoft said in a blog Dec. 18. The "insertion of malicious code into the SolarWinds.Orion.Core.BusinessLayer.dll likely occurred at an early stage, before the final stages of the software build."
Last week security researchers found an additional webshell, dubbed Supernova, embedded in Orion's code. However, during its research, Microsoft said the other malware impacting the SolarWinds Orion DLL was "likely unrelated" to the previously discovered backdoor and was created by a different threat actor.
The news came as industry is researching the scope of the compromise to determine what the attackers were targeting. Secretary of State Mike Pompeo is attributing the attack to Russia, though private industry has yet to attribute the attack to a single advanced persistent threat (APT) group.
As of Dec. 17, Microsoft found 44% of the attack's targets are in information technology and 18% are in government. The company doesn't consider the hack "espionage as usual," said President Brad Smith.
Solorigate, or SUNBURST, had 4,000 lines of code granting the perpetrators the ability to act unrestricted in their targets' networks. The malware's code, called "OrionImprovementBusinessLayer," is "lightweight, allowing it to operate alongside the platform's operations without disrupting them," according to Microsoft.
After this step, the backdoor must complete a checklist before further infecting a target. The checklist includes requirements such as whether drivers from security software are loaded and whether the host 'api.solarwinds.com' resolves to an expected IP address. If any requirement is not met, the backdoor terminates.
— Samantha Ann Schwartz
Dec. 18, 2020
Microsoft is among the SolarWinds customers impacted by the Orion compromise. While it found evidence of the malware, the company said it did not find a second payload was deployed.
Microsoft found "malicious SolarWinds binaries in our environment, which we isolated and removed," Microsoft said in a blog post by President Brad Smith Dec. 17. The company has not yet found evidence suggesting its products or customer data was breached, nor "that our systems were used to attack others."
On Dec. 17, the National Security Agency (NSA) provided mitigation guidance identifying two different tactics, techniques, and procedures (TTPs) used to gain access to a network's cloud resources, namely email.
Microsoft Azure administrators were provided evidence of a TTP involving on-premises components of federated SSO infrastructure and the use of stolen credentials for signing Security Assertion Markup Language (SAML) tokens, according to the NSA. The second TTP uses an administrator's credentials to "assign credentials to cloud application service principals."
As Microsoft continues its internal investigation, the company so far has notified more than 40 customers who were targeted "more precisely."
Microsoft began using its Defender Antivirus to block the malicious binaries related to the Orion vulnerability Dec. 16. At the time, the company suggested customers treat any device with the binary as hazardous, including the accounts attached to those devices.
Microsoft's products don't have vulnerabilities the threat actors are exploiting, according to the NSA. Instead, because they are abusing federated authentication, they are exploiting "trust established across the integrated components." Microsoft Active Directory Federation Services (AD FS) and other identity provider solutions are widely used, so abusing that trust gives intruders access to data stored in cloud services like Microsoft 365.
— Samantha Ann Schwartz
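The two NSA-described TTPs in the Dec. 18 entry (forged SAML tokens signed with stolen on-premises credentials, and credentials added to cloud application service principals) both leave a correlation gap a defender can look for: a forged token never passes through the organization's own AD FS server, so a federated cloud sign-in with no matching on-premises token issuance is suspicious, and a credential added to a service principal by an unexpected account is an audit-log event worth alerting on. The script below is an added illustration of that correlation, not code from Cybersecurity Dive, the NSA or Microsoft; the log records are constructed, and the field names, the audit operation string and the ten-minute matching window are assumptions chosen for the example rather than any product's actual schema.

```python
"""Added detection example (not from the original article).

Correlates constructed cloud sign-in records against constructed on-premises
AD FS token-issuance records, and scans constructed cloud audit events for
credentials being added to service principals. All record shapes, field names
and the operation string below are assumptions for the example.
"""
from datetime import datetime

# Constructed on-premises AD FS token issuance records (assumed shape).
ADFS_ISSUANCES = [
    {"user": "alice@corp.example", "issued_at": "2020-12-14T09:00:10Z"},
    {"user": "bob@corp.example", "issued_at": "2020-12-14T09:05:00Z"},
]

# Constructed cloud sign-in records (assumed shape). "auth" says whether the
# sign-in presented a SAML token from the federated IdP.
CLOUD_SIGNINS = [
    {"id": "s1", "user": "alice@corp.example", "time": "2020-12-14T09:00:15Z", "auth": "SAML"},
    {"id": "s2", "user": "bob@corp.example", "time": "2020-12-14T09:05:30Z", "auth": "SAML"},
    # carol never obtained a token from AD FS, yet a SAML sign-in appears.
    {"id": "s3", "user": "carol@corp.example", "time": "2020-12-14T11:42:00Z", "auth": "SAML"},
    # Non-federated sign-in: out of scope for this check.
    {"id": "s4", "user": "dave@corp.example", "time": "2020-12-14T12:00:00Z", "auth": "password"},
    # alice's second SAML sign-in is an hour after her only AD FS issuance.
    {"id": "s5", "user": "alice@corp.example", "time": "2020-12-14T10:00:00Z", "auth": "SAML"},
]

# Constructed cloud directory audit events (assumed shape and operation name).
AUDIT_EVENTS = [
    {"id": "a1", "operation": "Add service principal credentials",
     "actor": "admin@corp.example", "target": "MailSync"},
    {"id": "a2", "operation": "Update application",
     "actor": "admin@corp.example", "target": "MailSync"},
    {"id": "a3", "operation": "Add service principal credentials",
     "actor": "svc-backup@corp.example", "target": "GraphReader"},
]

# Accounts that are expected to manage service principal credentials (assumed).
APPROVED_ACTORS = {"admin@corp.example"}


def _ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unmatched_saml_signins(cloud_signins, adfs_issuances, window_minutes=10):
    """Return ids of SAML sign-ins with no AD FS issuance for the same user
    within window_minutes before the sign-in.

    A token signed with a stolen key is minted off-box, so the AD FS server
    records nothing; the cloud side still sees a valid-looking SAML sign-in.
    """
    issued = {}
    for event in adfs_issuances:
        issued.setdefault(event["user"], []).append(_ts(event["issued_at"]))

    flagged = []
    for signin in cloud_signins:
        if signin["auth"] != "SAML":
            continue  # only federated sign-ins can be correlated with AD FS
        when = _ts(signin["time"])
        candidates = issued.get(signin["user"], [])
        matched = any(
            0 <= (when - issued_at).total_seconds() <= window_minutes * 60
            for issued_at in candidates
        )
        if not matched:
            flagged.append(signin["id"])
    return flagged


def find_unexpected_sp_credentials(audit_events, approved_actors,
                                   operation="Add service principal credentials"):
    """Return ids of audit events where someone outside approved_actors
    added credentials to a cloud application service principal."""
    return [
        event["id"]
        for event in audit_events
        if event["operation"] == operation and event["actor"] not in approved_actors
    ]


if __name__ == "__main__":
    print("SAML sign-ins with no AD FS issuance:",
          find_unmatched_saml_signins(CLOUD_SIGNINS, ADFS_ISSUANCES))
    print("Service principal credential additions by unapproved actors:",
          find_unexpected_sp_credentials(AUDIT_EVENTS, APPROVED_ACTORS))
```

The matching window is the tunable part: token lifetimes and clock skew between the AD FS server and the cloud tenant determine how wide it must be, and a window that is too generous lets a forged token hide behind an unrelated legitimate issuance for the same user. In a real deployment the on-premises events would come from the AD FS audit log and the cloud events from the tenant's sign-in and directory audit logs, with the correlation keyed on the token identifier where both sides record it.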