On 16 December 2020 the following joint statement was issued by the FBI, the Cybersecurity & Infrastructure Security Agency and the Office of the Director of National Intelligence: “Over the course of the past several days, the FBI, CISA, and ODNI have become aware of a significant and ongoing cybersecurity campaign.”
What’s been widely labelled as the SolarWinds attack was presumably the longest-lasting, most sophisticated and impactful penetration of the global IT infrastructure.
Others called it a digital 9/11.
What the heck happened and why should we care?
In a 14 December 2020 SEC filing, SolarWinds Corp described the features of the hack, a so-called supply-chain attack. A presumably state-sponsored cyber foe managed to compromise the software build system of its Orion platform. A build system is an automated tool that creates software (and updates) by compiling (translating) source code into machine-digestible binary code, packaging the resulting binaries and running tests.
During the course of the attack, the intruders added malicious code, a so-called backdoor, into one of the Orion platform updates released to and installed by SolarWinds Orion customers around the world between March and June 2020. This backdoor enabled third parties to siphon off data and/or insert malware into the customers’ software applications. The features of the hack (small footprint, in-country IP disguise, valid digital signatures etc.) indicate highly sophisticated actors.
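The point that makes a build-system compromise so dangerous is that the backdoored update passes every downstream check the vendor's own pipeline applies, including code signing, because the malicious code is inserted before the artifact is signed. The following is an added illustration, not code from SolarWinds or from the original article: it uses constructed stand-in build outputs, an HMAC as a simplified stand-in for a code-signing certificate, and a hypothetical "independent rebuild" of the same source to show that a signature check alone cannot detect this class of tampering, while comparing the released artifact against a reproducible rebuild can.

```python
import hashlib
import hmac

# Constructed stand-ins for build outputs; not real SolarWinds artifacts.
CLEAN_BUILD = b"orion-core.dll: compiled from audited source\n"
TAMPERED_BUILD = CLEAN_BUILD + b"/* injected by compromised build step */\n"

# Hypothetical vendor signing key. HMAC-SHA256 stands in for a real
# code-signing certificate; the logic is the same: whatever the pipeline
# hands to the signing step gets a valid signature.
VENDOR_SIGNING_KEY = b"constructed-vendor-key"


def sign(artifact: bytes) -> str:
    """Vendor's signing step: signs whatever artifact the build produced."""
    return hmac.new(VENDOR_SIGNING_KEY, artifact, hashlib.sha256).hexdigest()


def signature_valid(artifact: bytes, signature: str) -> bool:
    """What a customer's installer checks: is the signature authentic?"""
    return hmac.compare_digest(sign(artifact), signature)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_rebuild(released: bytes, rebuilt: bytes) -> bool:
    """Reproducible-build check: does the released artifact equal an
    independent rebuild of the same audited source?"""
    return hmac.compare_digest(sha256(released), sha256(rebuilt))


def first_divergence(a: bytes, b: bytes):
    """Byte offset where two artifacts first differ, or None if identical.
    Useful for pointing an analyst at the injected region."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def assess_release(released: bytes, signature: str, rebuilt: bytes) -> dict:
    """Combine the two checks; a release is trustworthy only if both pass."""
    return {
        "signature_valid": signature_valid(released, signature),
        "matches_rebuild": matches_rebuild(released, rebuilt),
        "divergence_offset": first_divergence(released, rebuilt),
    }


if __name__ == "__main__":
    # The attacker's code went through the vendor's own pipeline, so the
    # tampered artifact carries a perfectly valid vendor signature.
    tampered_sig = sign(TAMPERED_BUILD)
    print("tampered release:", assess_release(TAMPERED_BUILD, tampered_sig, CLEAN_BUILD))
    print("clean release:   ", assess_release(CLEAN_BUILD, sign(CLEAN_BUILD), CLEAN_BUILD))
```

Run stand-alone, the tampered release reports `signature_valid: True` but `matches_rebuild: False`, with the divergence offset pointing at the end of the clean content where the injected bytes begin. The design choice to highlight is that the signature is evidence of *who* signed, not of *what* the source was; only a comparison against an independently produced artifact (reproducible builds, or at minimum out-of-band hash publication from a system the build pipeline cannot write to) detects tampering inside the pipeline itself.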
What is the SolarWinds Orion platform being used for?
SolarWinds marketing folks describe it in a nutshell as follows: “One vendor. One platform. One single pane of glass.” (One is inclined to add: One single point of entry!)
Looking closer, the platform acts as a one-stop shop to monitor and manage an organisation’s entire IT environment, comprising its physical, virtualised and cloud IT components.