Microsoft, FireEye confirm SolarWinds supply chain attack

Known victims so far include the US Treasury, the US NTIA, and FireEye itself.
Written by Catalin Cimpanu, Contributor

Hackers believed to be operating on behalf of a foreign government have breached software provider SolarWinds and then deployed a malware-laced update for its Orion software to infect the networks of multiple US companies and government networks, US security firm FireEye said today.

FireEye's report comes after Reuters, the Washington Post, and Wall Street Journal reported on Sunday intrusions at the US Treasury Department and the US Department of Commerce's National Telecommunications and Information Administration (NTIA).

The SolarWinds supply chain attack is also how hackers gained access to FireEye's own network, which the company disclosed earlier this week.

The Washington Post cited sources claiming that multiple other government agencies were also impacted.

Reuters reported that the incident was considered so serious that it led to a rare meeting of the US National Security Council at the White House, a day earlier, on Saturday.

Sources speaking with the Washington Post linked the intrusion to APT29, a codename used by the cyber-security industry to describe hackers associated with the Russian Foreign Intelligence Service (SVR).

FireEye wouldn't confirm the APT29 attribution and gave the group a neutral codename of UNC2452, although several sources in the cyber-security community told ZDNet the APT29 attribution, done by the US government, is most likely correct, based on current evidence.

In security alerts sent to its customers in private on Sunday, Microsoft also confirmed the SolarWinds compromise and provided countermeasures to customers that may have been affected.

Hackers deployed SUNBURST malware via Orion update

SolarWinds published a press release late on Sunday admitting to the breach of Orion, a software platform for centralized monitoring and management, usually employed in large networks to keep track of all IT resources, such as servers, workstations, mobiles, and IoT devices.

The software firm said that Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, have been tainted with malware.

FireEye named this malware SUNBURST and published a technical report earlier today, along with detection rules on GitHub.

Microsoft named the malware Solorigate and added detection rules to its Defender antivirus.

Image: Microsoft

The number of victims was not disclosed.

Despite initial reports on Sunday and the hacking campaign doesn't appear to have been targeted at the US, specifically.

"The campaign is widespread, affecting public and private organizations around the world," FireEye said.

"The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals," FireEye added.

SolarWinds said it plans to release a new update (2020.2.1 HF 2) on Tuesday, December 15, that "replaces the compromised component and provides several additional security enhancements."

The US Cybersecurity and Infrastructure Agency (CISA) has also issued an emergency directive with instructions on how government agencies can detect and analyze systems compromised with the SUNBURST malware.

Update 23:45 ET to add the information about the Microsoft and CISA security alerts.

Editorial standards