SolarWinds suffers severe supply chain attack.
Network monitoring and management platform provider SolarWinds disclosed over the weekend that it had become apprised of "a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020." The hack was discovered by FireEye as the source of the security firm's own breach. SolarWinds said in an SEC filing on Monday that 33,000 of its 300,000 customers were using its Orion product, and around 18,000 are believed to have installed the Trojanized update.
The Washington Post, citing anonymous sources, says APT29 (Cozy Bear), a threat actor associated with Russia's SVR, is believed to be responsible for the hack. The US government targets known to be affected so far include the Department of Defense, the Department of Homeland Security, the State Department, the Department of Energy, the Treasury Department, the Commerce Department, and the National Institutes of Health. FireEye says additional victims include "government, consulting, technology, telecom, and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals."
An op-ed by former US Homeland Security adviser Thomas Bossert probably has it right in saying that the gravity of the breach is "hard to overestimate":
"The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian SVR will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks and gained what experts call persistent access, meaning the ability to infiltrate and control networks in a way that is hard to detect or remove. While the Russians did not have the time to gain complete control over every network they hacked, they most certainly did gain it over hundreds of them. It will take years to know for certain which networks the Russians control and which ones they just occupy. The logical conclusion is that we must act as if the Russian government has control of all the networks it has penetrated, but it is unclear what the Russians intend to do next. The access the Russians now enjoy could be used for far more than simply spying."
Microsoft was also affected by the incident, stating, "Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others."
It's worth noting that the incident, while devastating, so far appears to be a case of traditional espionage rather than an act of war (as some have suggested). It's also worth emphasizing, as Bossert did, that just because an organization installed the malicious update doesn't mean it was actively prospected by the threat actor; the hackers presumably focused their efforts on the most valuable targets (of which there were many).