State-sponsored hackers have compromised the network of US software maker SolarWinds and pushed a malicious update to its Orion platform, infecting the government and commercial organizations that installed it. This was announced on Sunday, December 13, by the security company FireEye.
FireEye Attack
The FireEye report follows media reports of a cyberattack on the US Treasury Department and on the National Telecommunications and Information Administration (NTIA) of the US Department of Commerce, which resulted in the theft of sensitive data. Notably, the same supply-chain compromise of SolarWinds, delivered through the trojanized Orion update, was used to breach FireEye's own network, which the company disclosed last week.
Group Behind the Attack on SolarWinds and FireEye
According to Washington Post sources, the APT29 group, commonly associated with Russian intelligence services, is responsible for the attacks. FireEye's researchers, however, did not name APT29 and instead tracked the attackers under the neutral designation UNC2452. Nevertheless, several sources in the information security community told ZDNet that, judging by the available evidence, APT29 is indeed behind the attacks.
Microsoft also reported the SolarWinds compromise on Sunday and privately sent guidance to its potentially affected customers.
SolarWinds Orion Compromise
On Sunday evening, SolarWinds issued a press release confirming the attack on Orion, its platform for centralized monitoring and management of IT resources in large networks (servers, workstations, mobile and IoT devices, and so on). The attackers inserted the malicious code into Orion update versions 2019.4 through 2020.2.1, released between March and June 2020.
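The practical first question for an Orion operator is which installs fall inside that trojanized update window. The following is an added triage example, written for this page and not code from the article, FireEye or SolarWinds. It assumes the article's range (2019.4 through 2020.2.1) applied inclusively as a conservative "needs review" filter, that version strings use the vendor's "2020.2 HF 1" form, and that the hostnames and versions in the sample inventory are constructed; a build-by-build list of affected releases should be taken from the vendor advisory, and a "review" verdict is not evidence that the backdoor ran.

```python
import re
from typing import Dict, Iterable, Optional, Tuple

# Added example, not from the article or from FireEye/SolarWinds. It flags
# Orion installs whose version falls in the trojanized update window the
# article names (2019.4 through 2020.2.1, shipped March-June 2020). The
# window is applied inclusively as a conservative "needs review" filter; it
# does not prove a host ran the backdoor.

FIRST_TROJANIZED = "2019.4"    # assumption: window lower bound, from the article
LAST_TROJANIZED = "2020.2.1"   # assumption: window upper bound, from the article

# Accepts vendor-style strings such as "2019.4", "2019.4 HF 5", "2020.2.1 HF 1".
# The "HF n" hotfix suffix is optional; missing patch/hotfix parts count as 0.
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)

Version = Tuple[int, int, int, int]  # (year, major, patch, hotfix)


def parse_orion_version(text: str) -> Optional[Version]:
    """Turn an Orion version string into a comparable tuple, or None if malformed."""
    m = _VERSION_RE.match(text)
    if m is None:
        return None
    year, major, patch, hotfix = m.groups()
    return (int(year), int(major), int(patch or 0), int(hotfix or 0))


def is_in_trojanized_window(text: str) -> Optional[bool]:
    """True if the version lies in [FIRST_TROJANIZED, LAST_TROJANIZED] inclusive,
    False if outside, None if the string could not be parsed."""
    v = parse_orion_version(text)
    if v is None:
        return None
    lo = parse_orion_version(FIRST_TROJANIZED)
    hi = parse_orion_version(LAST_TROJANIZED)
    assert lo is not None and hi is not None
    # Tuple comparison orders year, then major, then patch, then hotfix, so
    # 2020.2.1 HF 1 (the first build above the window) sorts past the bound.
    return lo <= v <= hi


def triage_inventory(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each host to 'review' (in window), 'outside_window', or 'unknown_version'."""
    verdicts: Dict[str, str] = {}
    for host, version in inventory:
        hit = is_in_trojanized_window(version)
        if hit is None:
            verdicts[host] = "unknown_version"
        elif hit:
            verdicts[host] = "review"
        else:
            verdicts[host] = "outside_window"
    return verdicts


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("orion-prod-01", "2020.2 HF 1"),
    ("orion-prod-02", "2020.2.1 HF 1"),
    ("orion-lab", "2019.4 HF 5"),
    ("orion-legacy", "2019.2 HF 3"),
    ("orion-unknown", "n/a"),
]

if __name__ == "__main__":
    for host, verdict in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:15} {verdict}")
```

Hosts marked "review" should be handled as potentially compromised until the installed binaries are compared against the published indicators, since the trojanized update carried a valid vendor signature and an inventory check alone cannot distinguish a clean build from a backdoored one within the window.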
In their report, FireEye's researchers call the malware SUNBURST and have published detection rules for it. Microsoft calls it Solorigate and has added detection rules to Windows Defender.
According to the FireEye report, the campaign is not limited to the US and affects "public and private organizations around the world."
"The victims include government, consulting, technology, telecommunications and mining companies in North America, Europe, Asia and the Middle East. We expect additional victims in other countries and areas," the researchers said.