The FireEye SolarWinds Attack – What You Need to Know
On 8th December, FireEye, a large player in the cybersecurity world, disclosed that it had been hit by a nation-state-sponsored attack, which it later found was the result of a backdoor in the SolarWinds Orion management and monitoring platform.
We all too often hear during disclosures that an attack was "sophisticated", but in this rare case it was indeed both highly sophisticated and evasive. Together these qualities produced a complex supply chain attack that compromised the supplier in order to reach its high-profile victims.
It was confirmed that the hacker group managed to steal the red team tools of FireEye’s professional security team, ranging from simple scripts used to automate reconnaissance to entire frameworks similar to technologies such as Cobalt Strike and Metasploit. FireEye did, however, confirm that the stolen tools did not contain any zero-day exploits.
Since FireEye’s announcement there has been a great deal of investigation and a steady flow of updates from cyber experts; mitigation techniques and threat advisories are now being released. The advisories from SolarWinds confirm that the exploits affect only the Orion platform; we strongly advise any SolarWinds customers to review and update their platforms as soon as possible.
We are not going to try to cover the details of this attack here; instead we want to bring together a timeline of posts covering the disclosures, security advisories and recommendations from the many experts directly and indirectly involved in investigating the attack.
FireEye Red Team Tools Stolen by State Sponsored Hacker Group | 8th December
SolarWinds Security Advisory | Released 13th December | Updated as of 17th December
Hacker Group Leverages SolarWinds Backdoor | 13th December
Important steps for customers to protect themselves from recent nation-state cyberattacks | 13th December
Customer Guidance on Recent Nation-State Cyber Attacks | 13th December
SolarWinds Orion Mitigation | 13th December
SolarWinds Supply Chain Attack Threat Advisory | 14th December
Kill Switch Forces Backdoor Termination | 16th December
Details on Advanced Persistent Threat Compromise | 17th December
What you will see throughout the FireEye posts in particular is a great and commendable approach to the disclosure of the attack. FireEye have been clear, open, concise and actively trying to help the public defend against the threats that may result from the theft of their offensive tools.
With the potential for approx. 18,000 impacted customers, and numerous organisations already confirming they are also victims, this story may run for some time, so we will aim to keep this post updated where possible.
To close, Microsoft’s President posted an interesting article giving his account of what has been a challenging year for us all when it comes to cyber security threats.