- Variation and/or disabling of audit logs, timestamps, and other security measures;
- Manipulation of software builds through reusable automated processes and deployment of novel, sophisticated malware to effect exploitation and malicious goals;
- Modification through laundering of legitimate code from malicious code injection (SUNSPOT) and monitoring of disk space and activities before executing or creating files;
- Deletion of files and programs following use to avoid forensic discovery and masquerading of file names and activity to mimic legitimate applications and files;
- Variation of file names and other indicators across victims and within environments and active reconnaissance of victim environments and users for indicia of detection; and
- Automated dormancy periods of two weeks or more prior to activation, utilization of servers outside the monitoring authority of U.S. intelligence.
Findings From Our Ongoing Investigations
February 3, 2021
SolarFocus
SolarWinds was one of a growing number of targets of a highly sophisticated, broad, and coordinated nation-state cyber operation that compromised multiple software and hardware companies. Along with our partners in industry and government, we believe other additional attack vectors unrelated to SolarWinds will continue to come to light over the coming weeks.
This nation-state operation was a broad-based attack on the IT infrastructure on which we all rely. According to the Cybersecurity and Infrastructure Security Agency (CISA), other companies were compromised before the impacted versions of the Orion Platform were deployed to customers last year. Given its breadth, CISA’s acting director, Brandon Wales, told the Wall Street Journal recently that “this campaign should not be thought of as the SolarWinds campaign.”
We’ve committed to sharing what we learn from this experience and continuing to fortify our systems as we work closely with our customers to protect their systems. This operation, however, highlights the need for enhanced collaboration within the industry to collectively improve how we prevent, manage, and remediate these kinds of threats and operations in the future. It also underscores the need for deeper public and private partnerships to create a more secure environment for everyone.
As SolarWinds continues collaborating with private experts, law enforcement, and government agencies to investigate the attacks, we’re exploring several potential theories about how the threat actors were able to enter and access our environment, and what actions the threat actors took once inside.
Together with our third-party forensic investigators, we’re pursuing numerous theories but currently believe the most likely attack vectors came through a compromise of credentials and/or access through a third-party application via an at the time zero-day vulnerability. Investigations are still ongoing and given the sophistication of these attacks and the actions taken by the threat actors to manipulate our environment and remove evidence of their activities, combined with the large volumes of log and other data to analyze, our investigations will be ongoing for at least several more weeks, and possibly months.
As we previously shared, FireEye contacted us December 12, 2020 regarding malicious code that was identified in the SolarWinds Orion Platform. Additionally, Microsoft notified us December 13, 2020 about a compromise related to our Office 365 environment.
We’ve analyzed data from multiple systems and logs, including from our Office 365 and Azure tenants, along with logs from SolarWinds Security Event Manager, and our build environment platforms. As previously reported, this analysis has determined threat actors gained unauthorized access to our environment and conducted reconnaissance prior to the trial conducted on our Orion Platform software build in October 2019. We have not yet determined the exact date that the threat actors first gained unauthorized access to our environments.
While we’ve confirmed suspicious activity related to our Office 365 environment, our investigation has not identified a specific vulnerability in Office 365 that would have allowed the threat actor to enter our environment through Office 365.
We’ve confirmed that a SolarWinds email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles. By compromising credentials of SolarWinds employees, the threat actors were able to gain access to and exploit our Orion development environment.
Research community investigations have highlighted these nation-state operators displayed determination, patience, extremely high operational security (OpSec), and advanced tactics, techniques, and procedures (TTPs). As part of our commitment to ensuring the industry has a more complete understanding of the increasingly sophisticated and organized threats, we’re sharing these examples that come from the cybersecurity research community and our investigations: