SolarWinds disclosed over the weekend that it had become apprised of “a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.” This would appear to be the source of the FireEye breach, which is now known to have not been confined to FireEye: the Washington Post says the US Departments of Commerce and the Treasury were also hit. The attack involved the introduction of a backdoor into the Orion Platform. That backdoor was subsequently propagated in the form of a software update that contained the malware.
FireEye calls the backdoor “Sunburst.” Microsoft’s Security Response Center has a detailed account of how the malware functions. Both FireEye and Microsoft have upgraded their security products to include measures for detecting and protecting against the attack. SolarWinds urges its customers to “upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.”
Late yesterday evening the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, outlining immediate steps Federal agencies should take to protect themselves from attacks exploiting the SolarWinds backdoor. Agencies have until noon today to apply the measures required by the Emergency Directive.
Cozy Bear (also called APT29, a known unit of Russia’s SVR foreign intelligence service) appears to have been behind the attack, the Wall Street Journal reports. Moscow denies any involvement in the incident. Reuters adds that the Kremlin says the Americans should have been more reciprocal and more cooperative.