The ongoing investigation into the SolarWinds breach continues to reveal the intricate tactics employed by the attackers who infiltrated the company’s internal systems and manipulated its software update processes. This meticulous and well-coordinated supply chain attack appears to have been in the making since at least October 2019, when the adversaries reportedly compromised the software build and signing mechanisms of the SolarWinds Orion platform.

A recent report from ReversingLabs, disclosed to The Hacker News, indicates that the attackers directly modified the source code of a critical library to introduce a backdoor, allowing them to distribute malicious updates seamlessly via the company’s existing update infrastructure. Tomislav Pericin from ReversingLabs emphasized that these modifications were both subtle and calculated, allowing the adversaries to infiltrate the software lifecycle without raising suspicion.

Between March and June 2020, multiple updates containing the backdoored code, identified as “SolarWinds.Orion.Core.BusinessLayer.dll” or SUNBURST, were stealthily deployed. Although FireEye, a notable cybersecurity firm, has so far refrained from attributing the attack to a specific nation-state actor, numerous media outlets have linked the operation to APT29, a threat group associated with Russian intelligence.

The first compromised Orion build was identified as version 2019.4.5200.9083, but further analysis revealed that an earlier build, 2019.4.5200.8890, already contained modifications that laid the groundwork for the eventual deployment of the backdoor. This adds a layer of complexity to the intrusion, illustrating a protracted effort to compromise the build system and integrate malicious code into the legitimate software pipeline.

The tactics observed during this attack suggest a sophisticated understanding of the SolarWinds internal processes. The adversaries not only embedded their backdoor code within the existing functionality of the software but also employed techniques such as obfuscation using compression and Base64 encoding to evade detection by security tools and code reviews. Such strategic choices highlight their intent to remain covert while executing their malicious objectives.
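One defensive check that follows from the compress-then-Base64 pattern described above is to scan a binary or source file for long Base64 runs that inflate to a valid compressed stream. The following is an added example written for this article, not code from SolarWinds, ReversingLabs or any SUNBURST analysis; the sample input is constructed inline to mimic the pattern.

```python
import base64
import re
import zlib

# Constructed sample "file contents": ordinary source text plus one Base64 run
# that decodes to a zlib/DEFLATE stream. Built here for the example only.
_HIDDEN = zlib.compress(b"example hidden configuration string " * 4)
SAMPLE = (
    b'public static string Version = "2019.4";\n'
    b'string blob = "' + base64.b64encode(_HIDDEN) + b'";\n'
    b'string note = "SGVsbG8=";\n'   # short Base64 of plain text, not compressed
)

# Runs of 40+ Base64 alphabet characters with optional padding.
_B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")


def _try_inflate(data):
    """Return inflated bytes if data is a zlib, raw DEFLATE or gzip stream, else None."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS, 16 + zlib.MAX_WBITS):
        try:
            # For untrusted input in production, cap output with
            # zlib.decompressobj(...).decompress(data, max_length=...).
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def find_compressed_b64(blob):
    """Scan bytes for Base64 runs that decode to a compressed stream.
    Returns a list of (offset, base64_length, inflated_length) per hit."""
    hits = []
    for m in _B64_RUN.finditer(blob):
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:
            continue  # wrong length or padding: not a complete Base64 unit
        inflated = _try_inflate(raw)
        if inflated is not None:
            hits.append((m.start(), len(token), len(inflated)))
    return hits


if __name__ == "__main__":
    for off, blen, ilen in find_compressed_b64(SAMPLE):
        print(f"offset {off}: {blen}-byte Base64 run inflates to {ilen} bytes")
```

Each hit is a candidate for manual review; ordinary Base64 (certificates, images) will not inflate, which keeps the heuristic's noise low.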

The breach raises critical questions about how such significant changes could be made without detection. It implies that the attackers compromised either the version control system or the build environment itself, where updates were created. Recent disclosures of weak security practices around SolarWinds’ update server, such as a publicly accessible GitHub repository that contained sensitive credentials, point to possible pathways by which the attackers gained entry.

As a consequence of this breach, SolarWinds has warned that up to 18,000 customers may have been affected, urging them to update to a more secure software version. Among the compromised entities are numerous reputable organizations across various sectors, showcasing the extensive implications this attack has for cybersecurity across the board. Security expert R. Bansal notes that over 4,000 subdomains from well-known companies and educational institutions, including Intel and NVIDIA, were reportedly infected with the SUNBURST backdoor.

This event underscores the evolving threat landscape where sophisticated attacks leverage supply chain vulnerabilities to achieve far-reaching impacts. In the wake of SUNBURST, organizations need to reassess their cybersecurity strategies, with a keen focus on monitoring software integrity and ensuring that all updates are thoroughly vetted for potential malign modifications. The SolarWinds incident serves as a cautionary tale regarding the critical importance of cybersecurity hygiene, especially within complex software ecosystems.

Ultimately, the attack’s execution points to various tactics identified in the MITRE ATT&CK framework, including initial access through compromised credentials, persistence via the injected backdoor, and potential privilege escalation to further manipulate target environments. As threat actors become increasingly skilled in exploiting systemic weaknesses, businesses must remain vigilant and proactive in defending their digital infrastructure against similar sophisticated exploits.