Orion is a network monitoring platform that is particularly popular with the US and UK public sector as well as the world’s largest corporations. We asked FireEye straight up if it was hacked via a SolarWinds update, and a spokesperson told us simply: "Our investigation is still ongoing." Who are the hackers and how did they get in?
It's not clear whether the FireEye intrusion and exfiltration stemmed directly from a bad installation of Orion. Cryptically, FireEye has glued together its early-December public statements that it was hacked, and its investigation into what it says is "a global campaign that introduces a compromise into the networks of public and private organizations through the software supply chain."

"This compromise is delivered through updates to a widely used IT infrastructure management software - the Orion network monitoring product from SolarWinds," added FireEye CEO Kevin Mandia. "The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors.

"Based on our analysis, we have now identified multiple organizations where we see indications of compromise dating back to the spring of 2020, and we are in the process of notifying those organizations.

"Our analysis indicates that these compromises are not self-propagating; each of the attacks requires meticulous planning and manual interaction."
It was quickly suspected that the computers were infected via SolarWinds Orion, a network monitoring tool for Microsoft Windows. It appears someone – again, Moscow is in the firing line – altered downloads from the SolarWinds website so that the code contained a remote-controlled backdoor. Once on a box, the backdoor could be used by miscreants from afar to run commands, hijack the computer, steal data, and so on.

That's likely how the US government networks were compromised: by installing tainted downloads – which are, we're told, still available from the SolarWinds website at time of writing though it is no longer linked to.

America's Cybersecurity and Infrastructure Security Agency (CISA) put out an emergency directive on Sunday night calling on all federal civilian agencies to review their networks immediately and pull the plug if they are running the Orion software. The dodgy updates were said to have been slipped onto the site between March and June this year.

FireEye, meanwhile, probed the backdoor smuggled into the SolarWinds code, and documented its findings in detail, here. Everyone using the product is urged to upgrade to a fixed version, assume compromise, and work from there.