The SolarWinds attack highlights how difficult it can be to target high-profile organizations directly: it requires significant time and effort and often yields few results. Large-scale organizations, such as governments, are well-funded, well-protected, and have entire teams dedicated to maintaining the latest security software to safeguard their networks.
To compensate, attackers shift upstream to the software supply chain, pursuing vendors that their targets rely on to gain access. This is precisely what happened in the case of the SolarWinds attack, where attackers infiltrated through a trusted vendor to reach their targets.
What were SUNBURST’s exact capabilities?
The attackers successfully infiltrated software vendor SolarWinds by focusing on its Orion network monitoring and management tool. They breached one of Orion's build servers and implanted a backdoor into one of the update modules. This compromised update, digitally signed, was distributed to approximately 18,000 SolarWinds customers, including Fortune 500 companies, and made available through their website. Cybersecurity firm FireEye discovered the backdoor, named SUNBURST, and notified SolarWinds. Just a few days after FireEye’s report, the backdoor was removed.
Since the backdoor was delivered to such a large number of Orion’s customers, it raised the risk bar for the attacker and forced them to make it as unnoticeable as possible. The change to Orion’s update module was very lightweight and could easily go unnoticed. Also, for defense evasion, the backdoor was inactive at first. After a couple of weeks it would make DNS requests and upload data that helped identify the victims and machines of high interest to target, giving the attackers hands-on-keyboard access to the compromised machines. Once the connection to the command-and-control servers was established, it would download second-stage malware. This was delivered to a small number of Orion customers that were of interest for cyber-espionage purposes.
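The dormant-then-beacon behaviour described above is a pattern defenders can hunt for in DNS telemetry: a single host that starts asking for many distinct, long, random-looking subdomains under one parent domain. The following Python is an added example (not code from the page or from SolarWinds or FireEye) that scores the leftmost DNS label by Shannon entropy and flags hosts that query several such labels under the same parent. The log lines, host names and domains are constructed for the example and are not SUNBURST indicators; the thresholds are assumptions to tune against your own baseline.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log: (source host, queried name).
# These names are made up for the example; they are not SUNBURST indicators.
SAMPLE_DNS_LOG = [
    ("srv-orion-01", "k3v8q1zx0pm7tb2ca9ne.updates-cdn.test"),
    ("srv-orion-01", "w5h2mj9r1a0bc7yx3tqz.updates-cdn.test"),
    ("srv-orion-01", "p9r2t6y1m3k0n8q5z7bx.updates-cdn.test"),
    ("srv-orion-01", "f4c1g8h0j3k9l2m6n5pq.updates-cdn.test"),
    ("srv-orion-01", "downloads.vendor.test"),
    ("ws-alice", "www.vendor.test"),
    ("ws-alice", "mail.vendor.test"),
    ("ws-alice", "static.updates-cdn.test"),
]


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0 for a single repeated character)."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_name(name: str):
    """Return (leftmost label, parent domain).

    Assumption for the example: the parent domain is the last two labels.
    Names with fewer than three labels have no subdomain worth scoring.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def find_beaconing(log, min_entropy=3.5, min_unique=3, min_len=16):
    """Group queries by (host, parent domain) and flag groups where one host asked
    for at least `min_unique` distinct, long, high-entropy leftmost labels under
    the same parent. Returns {(host, parent): sorted labels}."""
    suspects = defaultdict(set)
    for host, name in log:
        label, parent = split_name(name)
        if label is None or len(label) < min_len:
            continue
        if shannon_entropy(label) >= min_entropy:
            suspects[(host, parent)].add(label)
    return {key: sorted(v) for key, v in suspects.items() if len(v) >= min_unique}


if __name__ == "__main__":
    for (host, parent), labels in find_beaconing(SAMPLE_DNS_LOG).items():
        print(f"{host}: {len(labels)} random-looking subdomains under {parent}")
```

Entropy alone produces false positives (CDN cache-busting names, some anti-virus cloud lookups), so the check groups by host and parent domain and only alerts when the same host repeats the pattern; in production you would also compare against the host's own history, since a monitoring server that suddenly starts this behaviour weeks after an update is the more telling signal.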
Who were the SUNBURST victims, and how were they compromised?
The SolarWinds attack had highly selective and strategic targets. Among the 18,000 customers that installed the compromised update were critical U.S. agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the National Treasury. Private companies like FireEye, Microsoft, Cisco, Intel, and Deloitte, as well as organizations like the California Department of State Hospitals and Kent State University, were also targeted.
The attackers were able to infiltrate these high-profile entities because the update was digitally signed and came from a trusted source, allowing them to blend in undetected. This shows why supply chain attacks are so difficult to identify—they exploit the trust we place in software vendors, which is essential for secure online operations.
Unfortunately, the supply chain attack extended beyond SolarWinds' direct customers.
Microsoft revealed that the attackers leveraged vendor access to breach 40 additional organizations, even those without a direct relationship with SolarWinds. Among these were companies like Malwarebytes, Palo Alto Networks, Mimecast, and CrowdStrike. In Mimecast's case, a certificate issued by the company to authenticate certain products with Microsoft 365 Exchange Web Services was compromised. This allowed the attackers to intercept traffic or potentially access customers’ Microsoft 365 Exchange Web Services, putting sensitive data at risk of theft and further exploitation.
Machine identities were the main cause behind the SUNBURST attack
Machine identities played a key role in the success of the SolarWinds attack. The attackers exploited weaknesses in SolarWinds' supply chain, largely due to insufficient policies and enforcement around code-signing and signature verification in the build process. What allowed the attackers to reach their targets was the use of a trusted machine identity—the SolarWinds code-signing certificate—paired with digitally signed software, enabling them to infiltrate systems under the guise of legitimate updates.
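The point that a valid signature proves who signed a build, not that the build server produced what the source says it should, is easiest to see in code. The following Python is an added example, not SolarWinds' build tooling or anything from the page: it models a release gate that verifies the package signature and, separately, compares the shipped build's per-module digests against an independent rebuild from the same source. An HMAC stands in for asymmetric code signing so that the example runs on the standard library alone; the module names, contents and key are constructed placeholders.

```python
import hashlib
import hmac

# Stand-in for the vendor's code-signing key. Real code signing uses an
# asymmetric key held in an HSM; an HMAC is used only so this runs with the stdlib.
SIGNING_KEY = b"constructed-example-key-not-real"

# Constructed "modules" of an update package. Names and contents are placeholders.
CLEAN_MODULES = {
    "update-core.dll": b"clean core code",
    "update-ui.dll": b"clean ui code",
}

# Scenario: one module on the build server is altered before the package is signed.
TAMPERED_MODULES = dict(CLEAN_MODULES, **{"update-core.dll": b"clean core code + implant"})


def build_manifest(modules):
    """Per-module SHA-256 digests for one build output."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(modules.items())}


def package_digest(manifest):
    """Digest over the whole manifest; this is what the release signature covers."""
    h = hashlib.sha256()
    for name, digest in sorted(manifest.items()):
        h.update(f"{name}:{digest}\n".encode())
    return h.hexdigest()


def sign_package(manifest, key=SIGNING_KEY):
    """Sign the package digest (HMAC stand-in for a code-signing certificate)."""
    return hmac.new(key, package_digest(manifest).encode(), hashlib.sha256).hexdigest()


def signature_is_valid(manifest, signature, key=SIGNING_KEY):
    """True when the signature matches the manifest; says nothing about tampering
    that happened before signing."""
    return hmac.compare_digest(sign_package(manifest, key), signature)


def compare_builds(shipped_manifest, reference_manifest):
    """Modules whose digest in the shipped build differs from an independent rebuild
    of the same source on a separate builder."""
    names = set(shipped_manifest) | set(reference_manifest)
    return sorted(n for n in names if shipped_manifest.get(n) != reference_manifest.get(n))


def release_gate(shipped_modules, reference_modules, signature):
    """Return (signature_ok, tampered_modules). Release only when the signature
    verifies AND the tampered list is empty; a good signature alone is not enough."""
    shipped = build_manifest(shipped_modules)
    reference = build_manifest(reference_modules)
    return signature_is_valid(shipped, signature), compare_builds(shipped, reference)


if __name__ == "__main__":
    sig = sign_package(build_manifest(TAMPERED_MODULES))
    ok, tampered = release_gate(TAMPERED_MODULES, CLEAN_MODULES, sig)
    print(f"signature valid: {ok}; modules differing from reference build: {tampered}")
```

In the tampered scenario the signature verifies (the compromised build server fed the altered package to a legitimate signing step), and only the cross-build comparison catches the changed module. That is the policy gap the paragraph above describes: signing must be gated on verification of what is being signed, and the signing key must not be reachable from the build host that produces the artifact.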
Plus, after the initial access, the attackers went after the cryptographic keys that would give them access to systems across the whole organization. Using the elevated privileges gained through the initial Orion compromise, they were able to steal a SAML token-signing certificate, forge SAML tokens for any existing user or account, and authenticate against any on-premises or cloud resource in that environment.
By using authorized and legitimate machine identities they were able to blend in with normal traffic without raising any red flags. They hid in plain sight for months.
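Because a forged SAML token is signed with the real token-signing certificate, the relying service cannot tell it from a genuine one; what it cannot fake is the federation server's own record of having issued it. The following Python is an added example, not from the page or any vendor: it audits the assertions a cloud service accepted against the identity provider's issuance log and flags assertions the IdP never issued, assertions whose subject does not match what the IdP issued, and assertions whose validity window exceeds the IdP's configured maximum. All log entries, user names and the one-hour lifetime policy are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed IdP policy for this example: no assertion is valid for more than one hour.
MAX_LIFETIME = timedelta(hours=1)


def ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed federation-server issuance log, keyed by assertion id.
IDP_ISSUED = {
    "_a1": {"user": "alice@corp.test", "issued": ts("2020-12-01T09:00:00"), "expires": ts("2020-12-01T10:00:00")},
    "_a2": {"user": "bob@corp.test", "issued": ts("2020-12-01T09:05:00"), "expires": ts("2020-12-01T10:05:00")},
}

# Constructed log of assertions a cloud service provider accepted.
SP_ACCEPTED = [
    # Genuine: matches the IdP record exactly.
    {"id": "_a1", "user": "alice@corp.test", "issued": ts("2020-12-01T09:00:00"), "expires": ts("2020-12-01T10:00:00")},
    # Same id as an IdP record, but presented for a different subject.
    {"id": "_a2", "user": "carol@corp.test", "issued": ts("2020-12-01T09:05:00"), "expires": ts("2020-12-01T10:05:00")},
    # Never issued by the IdP and valid for 24 hours.
    {"id": "_zz9", "user": "svc-admin@corp.test", "issued": ts("2020-12-01T09:30:00"), "expires": ts("2020-12-02T09:30:00")},
]


def audit_assertions(sp_log, idp_log, max_lifetime=MAX_LIFETIME):
    """Return {assertion_id: [reasons]} for accepted assertions that deserve investigation.

    The IdP log is the ground truth: a token signed with a stolen certificate can be
    cryptographically perfect and still have no issuance event behind it.
    """
    findings = {}
    for a in sp_log:
        reasons = []
        issued = idp_log.get(a["id"])
        if issued is None:
            reasons.append("no matching issuance event on the IdP")
        elif issued["user"] != a["user"]:
            reasons.append(f"subject mismatch: IdP issued to {issued['user']}")
        if a["expires"] - a["issued"] > max_lifetime:
            reasons.append("validity window exceeds IdP policy")
        if reasons:
            findings[a["id"]] = reasons
    return findings


if __name__ == "__main__":
    for assertion_id, reasons in audit_assertions(SP_ACCEPTED, IDP_ISSUED).items():
        print(assertion_id, "->", "; ".join(reasons))
```

The correlation only works if the service-provider side logs the assertion id, subject and validity window and the IdP's issuance log is shipped somewhere the attacker cannot edit from the federation server itself; once the token-signing certificate is suspected stolen, the remediation is to rotate it (twice, so cached copies of the old one are also invalidated) rather than to rely on detection alone.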
What is so unique about the SolarWinds SUNBURST attack?
This was far from the first supply chain attack, and it certainly won’t be the last. What sets this incident apart is the attackers' stealth and patience, as well as their strategic focus on operational security rather than rushing their actions. While the full scope and impact are still being discovered, it's evident that this event will have lasting effects on both the software development and cybersecurity industries. This should serve as a wake-up call for all companies, as no industry is exempt. Every aspect of the software development pipeline—from source code to content distribution—must be secured.
If your organization is lagging behind, you can start your digital transformation right now. Venafi CodeSign Protect secures your code signing private keys, automates approval workflows, and maintains an irrefutable record of all code-signing activities.