The FireEye SolarWinds Attack – What You Need to Know

On the 8th December, FireEye, a large player in the cybersecurity world, disclosed that they were hit by a nation state-sponsored attack that they later found was the result of a backdoor in the SolarWinds Orion management and monitoring platform.

We all too often hear during disclosures that an attack was sophisticated, but in this rare case it was indeed both highly sophisticated and evasive. Combined, this resulted in a complex supply chain attack that compromised the supplier in order to target its high-profile victims.

It was confirmed that the hacker group managed to steal the red team tools of FireEye’s professional security team, ranging from simple scripts used for automating reconnaissance to entire frameworks similar to technologies such as Cobalt Strike and Metasploit. FireEye did, however, confirm that the stolen tools did not contain any zero-day exploits.

Since FireEye’s announcement, there has been a lot of investigation & updates from cyber experts; mitigation techniques and threat advisories are now being released. The advisories from SolarWinds confirmed that the exploits only affect the Orion platform; we strongly advise any SolarWinds customers to review and update their platforms as soon as possible.

We are not going to try and cover the details of this attack here, but instead want to bring together a timeline of posts related to the disclosures, security advisories and recommendations from the multiple experts directly and indirectly associated with investigating the attack.

FireEye Red Team Tools Stolen by State Sponsored Hacker Group | 8th December

Unauthorized Access of FireEye Red Team Tools | FireEye Inc

SolarWinds Security Advisory | Released 13th December | Updated as of 17th December

Security Advisory | SolarWinds

Hacker Group Leverages SolarWinds Backdoor | 13th December

Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor | FireEye Inc

Important steps for customers to protect themselves from recent nation-state cyberattacks | 13th December

Important steps from the Microsoft Blog | Microsoft

Customer Guidance on Recent Nation-State Cyber Attacks | 13th December

Detailed Guidance and recommendations | Microsoft Security Response Center

SolarWinds Orion Mitigation | 13th December

Emergency Directive 21-01 | cyber.dhs.gov

SolarWinds Supply Chain Attack Threat Advisory | 14th December

Cisco Talos Intelligence Group – Comprehensive Threat Intelligence: Threat Advisory: SolarWinds supply chain attack

Kill Switch Forces Backdoor Termination | 16th December

FireEye, Microsoft create kill switch for SolarWinds backdoor | Bleeping Computer

Details on Advanced Persistent Threat Compromise | 17th December

Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations | CISA

What you will see throughout the FireEye posts in particular is a great and commendable approach to the disclosure of the attack. FireEye have been clear, open and concise, and have actively tried to help the public defend against the threats that may result from the theft of their offensive tools.

With approx. 18,000 potentially impacted customers, and numerous organisations already confirming they are also victims, this story may run for some time, so we will aim to keep this post updated where possible.

To close, Microsoft’s President posted an interesting article giving his account of what has been a challenging year for us all when it comes to cyber security threats.

A moment of reckoning: the need for a strong and global cybersecurity response | Brad Smith – Microsoft


Updates [21st Jan 2021]:

SuperNova Webshell Adds a Second Vector to the SolarWinds Attack | 17th December

SUPERNOVA: A Novel .NET Webshell | Palo Alto Networks

Protecting Microsoft 365 from On-premises Attacks | 18th December

Understanding the threat to prevent on-premise to cloud attacks | Microsoft AAD Identity Blog

SolarWinds Compromise May Have Begun 5 Months Earlier | 18th December

Detailed information into how SolarWinds was compromised as early as October 2019 | Security Scorecard

Identity Compromise & Incident Response | 21st December

Advice for incident responders on recovery from systemic identity compromises | Microsoft DART

SAML Identity Anomalies and IOCs | 21st December

Understanding “Solorigate”’s Identity IOCs – for Identity Vendors and their customers | Microsoft AAD Identity Blog

Microsoft Solorigate Resource Centre | 21st December

Summary, background, and guidance resource centre | MSRC

Joint Statement by the FBI, CISA, ODNI and NSA – Attribution | 5th January

Statement and engagement from the task force known as the Cyber Unified Coordination Group (UCG) attributing the attack to Russia | cisa.gov

FireEye Releases Tool for Auditing Networks for Techniques Used by SolarWinds Hackers

FireEye have released a report with detailed techniques used by the SolarWinds hackers | ZDNet.com


Updates [26th Feb 2021]:

Microsoft have released additional details and findings for the Solorigate incident | 18th February

Microsoft Internal Solorigate Investigation | MSRC