Browse Definitions :

SolarWinds hack explained: Everything you need to know

Hackers targeted SolarWinds by deploying malicious code into its Orion IT monitoring and management software used by thousands of enterprises and government agencies worldwide.

2020 was a roller coaster of major, world-shaking events. We all couldn't wait for the year to end. But just as the 2020 was about to close, it pulled another fast one on us: the SolarWinds hack, one of the biggest cybersecurity breaches of the 21st century.

SolarWinds is a major software company that provides system management tools for network and infrastructure monitoring and other technical services to hundreds of thousands of organizations around the world. Among the company's products is an IT performance monitoring system called Orion.

What is the SolarWinds hack?

With the SolarWinds hack, suspected nation-state hackers gained access to the networks, systems and data of thousands of SolarWinds customers. The breadth of the hack is unprecedented and one of the largest, if not the largest, of its kind ever recorded.  

Over 30,000 public and private organizations -- including local, state and federal agencies -- use the Orion network management system to manage their IT resources. As a result, the hack compromised the data, networks and systems of thousands when SolarWinds inadvertently delivered the backdoor malware as an update to the Orion software.

SolarWinds customers weren't the only ones affected. Because the hack exposed the inner workings of Orion users, the hackers could potentially gain access to the data and networks of their customers and partners as well -- enabling affected victims to grow exponentially from there.

Orion Platform hack compromised networks of thousands of SolarWinds customers.
Hackers compromised a digitally signed SolarWinds Orion network monitoring component, opening a backdoor into the networks of thousands of SolarWinds government and enterprise customers.

How did the SolarWinds hack happen?

The hackers used a method known as a supply chain attack to insert malicious code into the Orion system. A supply chain attack works by targeting a third party with access to an organization's systems rather than trying to hack the networks directly.

The third-party software, in this case the SolarWinds Orion Platform, creates a backdoor through which hackers can access and impersonate users and accounts of victim organizations. The malware could also access system files and blend in with legitimate SolarWinds activity without detection, even by antivirus software.

SolarWinds was a perfect target for this kind of supply chain attack. Because their Orion software is used by many multinational companies and government agencies, all the hackers had to do was install the malicious code into a new batch of software distributed by SolarWinds as an update or patch.

The SolarWinds Orion Platform creates a backdoor through which hackers can access and impersonate users and accounts of victim organizations.

SolarWinds unknowingly started sending out Orion software updates with the hacked code to customers at the beginning of March 2020. Over 18,000 SolarWinds customers installed the update, with the malware spreading undetected. Through this code, hackers accessed SolarWinds customers' information technology systems, which they could then use to install even more malware to spy on other companies and organizations.

Who was affected?

According to reports, the malware affected many companies and organizations. Even government departments such as Homeland Security, State, Commerce and Treasury were affected, as there was evidence that emails were missing from their systems. Private companies like FireEye, Microsoft, Intel, Cisco and Deloitte also suffered from this attack.

The breach was first detected by cybersecurity company FireEye. The company confirmed they had been infected with the malware when they saw the infection in customer systems. FireEye labeled the SolarWinds hack "UNC2452," and identified the backdoor used to gain access to its systems through SolarWinds, "Sunburst."

Microsoft also confirmed that it found signs of the malware in its systems, as the breach was affecting its customers as well. Reports indicated Microsoft's own systems were being used to further the hacking attack, but Microsoft denied this claim to news agencies. Later, the company worked with FireEye and GoDaddy to block and isolate versions of Orion known to contain the malware to cut off hackers from customers' systems.

They did so by turning the domain used by the backdoor malware used in Orion as part of the SolarWinds hack into a kill switch. The kill switch here served as a mechanism to prevent Sunburst from operating further.

Nonetheless, even with the kill switch in place, the hack is still ongoing. Investigators have a lot of data to look through, as many companies using the Orion software aren't yet sure if they are free from the backdoor malware. It will take a long time before the full impact of the hack is known.

What was the purpose of the hack?

The purpose of the hack remains largely unknown. Still, there are many reasons hackers would want to get into an organization's system, including having access to future product plans or employee and customer information held for ransom. It is also not yet clear what information, if any, hackers stole from government agencies. But the level of access appears to be deep and broad.

There are speculations that many enterprises might be collateral damage, as the main focus of the attack was government agencies that makes use of the SolarWinds IT management systems.

Who was responsible for the hack?

Federal investigators and cybersecurity agents believe a Russian espionage operation -- mostly likely Russia's Foreign Intelligence Service -- is behind the SolarWinds attack.

The Russian government has denied any involvement in the attack, releasing a statement that said, "Malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and understanding of interstate relations." They also added that "Russia does not conduct offensive operations in the cyber domain."

Not the first time

The SolarWinds hack is the latest in a series of recent attacks blamed on Russian operatives. It is believed a Russian group known as Cozy Bear was behind attacks targeting email systems at the White House and the State Department in 2014. The group has also been mentioned as responsible for the infiltration of the Democratic National Committee's email systems and members of Hillary Clinton's presidential campaign in 2015 in the lead-up to the 2016 election, as well as further breaches around the 2018 midterm elections.

Contrary to experts in his administration, then-President Donald Trump hinted at around the time of the discovery of the SolarWinds Hack that Chinese hackers might be behind the cybersecurity attack. He did not present any evidence to back up his claim, however.

Shortly after his inauguration last month, President Joe Biden vowed that his administrations intended to hold Russia accountable, through the launch of a full-scale intelligence assessment and review of the SolarWinds attack and those behind it. The president has also created the position of deputy national security advisor for cybersecurity as part of the National Security Council. The new role, to be held by veteran intelligence operative Anne Neuberger, is part of an overall bid by the Biden administration to refresh the federal government's approach to cybersecurity and better respond to nation-state actors.

Why is the SolarWinds hack important?

The SolarWinds supply chain hack is a global hack, as hackers turned the Orion software into a weapon gaining access to several government systems and thousands of private systems around the world. Due to the nature of the software -- and by extension the Sunburst malware -- having access to entire networks, a large number government and enterprise networks and systems face the risk of significant breaches.

The hack could also be the catalyst for rapid, broad change in the cybersecurity industry. Various companies and government agencies are now in the process of devising new methods to react to these types of attacks before they happen. Governments and organizations are learning that it is not enough to build a firewall and hope it protects you. You have to actively seek out vulnerabilities in your system, and either shore them up or turn them into traps against these types of attacks.

Since the hack was discovered, SolarWinds has recommended customers update their existing Orion platform. The company has released patches for the malware and other potential vulnerabilities discovered since the initial Orion attack. SolarWinds also recommended customers not able to update Orion isolate SolarWinds servers and/or change passwords for accounts that have access to those servers.

The greater White House cybersecurity focus will be crucial, say some industry experts. But organizations should consider adopting modern software-as-a-service tools for monitoring and collaboration. While the cybersecurity industry has significantly advanced in the last decade, these kinds of attacks show that we still have a long way to go to get really secure systems.

Podcast: SolarWinds attacks come into focus

Next Steps

6 common types of cyber attacks and how to prevent them

10 cybersecurity best practices and tips for businesses

Cybersecurity challenges in 2021 and how to address them

Dig Deeper on Security

  • compliance risk

    Compliance risk is an organization's potential exposure to legal penalties, financial forfeiture and material loss, resulting ...

  • information governance

    Information governance is a holistic approach to managing corporate information by implementing processes, roles, controls and ...

  • enterprise document management (EDM)

    Enterprise document management (EDM) is a strategy for overseeing an organization's paper and electronic documents so they can be...

  • hacker

    A hacker is an individual who uses computer, networking or other skills to overcome a technical problem.

  • Extensible Authentication Protocol (EAP)

    The Extensible Authentication Protocol (EAP) is a protocol for wireless networks that expands the authentication methods used by ...

  • session key

    A session key is an encryption and decryption key that is randomly generated to ensure the security of a communications session ...

  • risk mitigation

    Risk mitigation is a strategy to prepare for and lessen the effects of threats faced by a business.

  • call tree

    A call tree is a layered hierarchical communication model that is used to notify specific individuals of an event and coordinate ...

  • Disaster Recovery as a Service (DRaaS)

    Disaster recovery as a service (DRaaS) is the replication and hosting of physical or virtual servers by a third party to provide ...

  • cloud storage

    Cloud storage is a service model in which data is transmitted and stored on remote storage systems, where it is maintained, ...

  • cloud testing

    Cloud testing is the process of using the cloud computing resources of a third-party service provider to test software ...

  • storage virtualization

    Storage virtualization is the pooling of physical storage from multiple storage devices into what appears to be a single storage ...