• Hacking of SolarWinds Orion

    From Bob Roberts@700:100/58 to All on Thu Dec 24 10:13:30 2020
    A follow-up to my earlier posting about the hacking of FireEye, and theft of their intrusion toolkit.

    As you may have heard, the hacking of many US Government Agencies, including Treasury and Energy, was carried out via an exploit of SolarWinds' Orion. SolarWinds is a Windows-based enterprise grade network monitoring and automation suite. Basically the Enterprise version of Nagios. It has extensive scripting, dashboarding and automation abilities, and many enterprises use it not only to monitor their infrastructure, but also to provide provisioning and backup of networking appliances and the like.

    The intruders, suspected to be Russia, infiltrated SolarWinds' development pipeline, perhaps as early as mid-2019. By doing this they were able to write new code directly into SolarWinds' software, then have that code signed by SolarWinds' certificates, and pushed out thru software updates. It's quite a brilliant supply-side attack. They wrote their own backdoor into a DLL in SolarWinds, then signed it, and when SolarWinds did their next software update, companies installed it.

    The backdoor basically did a search of the local network, then contacted a Command and Control server and reported back, then it waited for instructions such as changing files, installing new files, rebooting, etc. In this way they could install more rootkits and backdoors. It appears this is how the intruders were able to (as an example) read emails, move around the network, and conduct further espionage.

    How was all this discovered? By accident of course. FireEye was investigating the hacking of their own tools, and noted unusual VPN logins, which led them down the path to the discovery that Orion was compromised.

    Interesting further reading:

    https://www.fireeye.com/current-threats/sunburst-malware.html

    Bob Roberts

    ... It's always the OVERtakers who keep the UNDERtakers busy.
    --- SBBSecho 3.11-Linux
    * Origin: Halls of Valhalla =-= Happy Holidays (700:100/58)
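The post's central point is that the backdoored DLL carried a valid vendor signature because the build pipeline itself was compromised, so a consumer's normal "is the update signed?" check passes. The following is an added example, not part of Bob's post and not SolarWinds' or FireEye's code, that simulates this with constructed data: a build step that may be tampered with, a signing step that signs whatever the pipeline produced (HMAC stands in for Authenticode here, so the verifier holds the same key; with a real public-key signature it would hold only the public key), and a consumer check that pairs signature verification with a hash allowlist obtained from an independent clean build or an out-of-band published hash. The artifact names and contents are invented.

```python
import hashlib
import hmac

# Stand-in for the vendor's code-signing key (constructed; a real pipeline
# uses Authenticode with an X.509 certificate, not HMAC).
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"

# Constructed source and implant; neither is real SolarWinds code.
CLEAN_SOURCE = b"OrionCore.dll: monitoring and automation logic (constructed)"
IMPLANT = b"\n# injected before compilation: backdoor beacons to C2 (constructed)"


def build(source: bytes, pipeline_compromised: bool = False) -> bytes:
    """Turn source into a release artifact. A compromised pipeline appends the
    implant before signing, so the vendor signs an already-backdoored build."""
    artifact = source
    if pipeline_compromised:
        artifact += IMPLANT
    return artifact


def sign(artifact: bytes) -> bytes:
    """Vendor signing step. It signs whatever the pipeline produced and has no
    way of knowing whether the build was tampered with upstream of it."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).digest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(artifact: bytes, signature: bytes, expected_hashes: set) -> dict:
    """Consumer-side check.

    signature_ok is all a standard update check proves: the bytes came from
    the vendor's signing key. hash_known adds an independent source of truth
    (a hash from a reproducible clean build or published out of band) and is
    what actually catches a signed-but-tampered artifact.
    """
    signature_ok = hmac.compare_digest(sign(artifact), signature)
    digest = sha256_hex(artifact)
    hash_known = digest in expected_hashes
    return {
        "sha256": digest,
        "signature_ok": signature_ok,
        "hash_known": hash_known,
        "install": signature_ok and hash_known,
    }


def demo() -> dict:
    """Compare a clean release with one produced by a compromised pipeline."""
    # The allowlist comes from an independent clean build of the same source.
    expected = {sha256_hex(build(CLEAN_SOURCE))}
    results = {}
    for name, compromised in (("clean", False), ("backdoored", True)):
        artifact = build(CLEAN_SOURCE, pipeline_compromised=compromised)
        results[name] = verify_update(artifact, sign(artifact), expected)
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} signature_ok={result['signature_ok']} "
              f"hash_known={result['hash_known']} install={result['install']}")
```

Running it shows the backdoored build with `signature_ok=True` and `hash_known=False`: the signature check alone would have let it through, which is exactly the gap the post describes. The practical takeaway for a defender is that a second, independent integrity source (reproducible builds, vendor hashes fetched over a separate channel, or an internal allowlist) is needed whenever the signing step sits downstream of the build the attacker can touch.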