The Department of Homeland Security, itself a user of the Orion Platform, has issued an Emergency Directive in response to the attack. The directive required federal agencies to immediately disconnect all Orion Platform products until the Cybersecurity and Infrastructure Security Agency deemed any forthcoming patches or updates safe for use.
How Did the Attack Happen?
Malicious actors, thought by some to be part of the Cozy Bear hacker group run by Russia’s Federal Security Service, inserted malware into version updates of SolarWinds Orion Platform software products, which help users monitor IT network systems. When clients upgraded to the infected versions, they downloaded the malware to their own systems. Once in place, it granted hackers remote access into an organization’s networks.
In a statement, SolarWinds acknowledged that attackers had “inserted a vulnerability” into three software updates: specifically, the 2019.4 HF 5, 2020.2 with no hot fix installed, and 2020.2 HF 1 builds. It also advised that customers immediately upgrade to versions that show no evidence of tampering.
The attack was discovered by cybersecurity firm FireEye, which itself had been targeted in the days before the SolarWinds breach came to light. FireEye announced that attackers had stolen a set of elite hacking tools the company uses to test client network vulnerabilities, and that the attack was likely part of a much larger campaign to hit high-profile government and corporate targets. It also acknowledged that the sophistication and scope of the attack made it likely that the hackers were highly organized, well trained and state sponsored.
Who Was Affected?
Prior to the attack, SolarWinds had a page on its website documenting its large and influential client base. That page was subsequently taken down by the company, as was a copy in Google cache. The contents of the customer page were included in a recent Krebs on Security post. SolarWinds says its clients include 425 of the Fortune 500 companies in the U.S. In addition to the Office of the President of the United States and all five branches of the U.S. military, the client list also includes the NSA, NASA, major energy and telecoms companies, and hundreds of colleges and universities.
Reporting by the New York Times and others has included the State Department, the Department of Homeland Security, and parts of the Pentagon among those compromised by the malware infecting SolarWinds. Two other organizations, aerospace company Boeing and the Los Alamos National Laboratory, were also said to have been potentially compromised. Of the 33,000 organizations that use SolarWinds products, only about 18,000 specifically use the Orion Platform, according to the company.
Who Is Cozy Bear?
According to an explainer by Business Insider, Cozy Bear (also known as APT29) has been responsible for at least five major data breaches against the U.S. government in the last six years. The group has been blamed for the hacking of Democratic Party servers during the 2016 presidential election. More recently, the group is said to have tried to steal COVID-19 vaccine research.
U.S. government officials and cybersecurity experts believe Cozy Bear and related groups operate under the supervision of Russian state security forces. The size and sophistication of the attacks attributed to Cozy Bear suggest a level of expertise and planning that would require substantial resources and support.
Russian officials have denied any connection to the cyberattacks, and U.S. officials have been reluctant to release evidence of Russian involvement for fear of giving away details about how they investigate and identify cybercriminals.
Make Sure You Have a Data Protection and Recovery Plan
Consumers should always use antivirus software and regularly back up their computers to help in recovering from a malware infection. When that isn’t enough to remove the threat, you might need a data recovery expert to restore access to data that has been lost or compromised by malware.
Secure Data Recovery Services is SSAE 18 SOC 1, 2, and 3 audited, has the most industry-specific data recovery certifications, and operates three Class 10 ISO 4 cleanrooms to ensure a particulate-free environment. Our data recovery engineers provide free diagnostic analysis, and you pay nothing until the work is successfully completed.
If you have experienced data loss, call Secure Data Recovery Services at 1-800-388-1266 to open a case now. We have more than 250 partner locations across North America where you can drop off your media. We’ll also pay for inbound shipping direct to one of our labs if that’s more convenient. And we offer a no data, no recovery fee. You pay nothing until your data is fully restored.