On Dec 8 2020, FireEye announced that it had been breached and a subset of their tools had been taken. FireEye's response was quick and to the point: they immediately disclosed the tools that had been taken, and they were able to run forensics on their systems to identify the origin of the breach.
Once the source of the breach was identified as an update package for the "Orion" software distributed by SolarWinds, disclosure was immediate, and all 33,000 or more companies that used the software were swiftly made aware of the potential breach. The software was deployed in both government and corporations, including the Departments of Commerce, Energy, Homeland Security, State and Treasury.
How was this possible?
The attackers were able to conduct a supply chain attack on SolarWinds, a large IT firm based in the US that supplied monitoring tools to a wide range of corporations and government offices.
It is believed that the attackers breached the systems of Texas-based SolarWinds between September 2019 and March 2020, and during this period added a malicious package to one of its updaters, named "Orion". It was later learned that in October 2019 the attackers had stealthily inserted malicious code into the supply chain update. SolarWinds unwittingly shipped the update package together with the malicious code as early as March 2020. The malicious code deployed here was a Stage 1 dropper: malware that gave the attackers backdoor access to SolarWinds customers' IT systems. This allowed the attackers to pivot within customer systems and install further malware for multi-staged attacks, which in one example culminated in the exfiltration of FireEye's tools.
Who could have done this?
Only a nation-state-backed group would have the capabilities, discipline, and patience to deploy such an attack.
First, the group had to be both patient and disciplined while breaching the SolarWinds supply chain code infrastructure. They also needed to hide their tracks to stay as silent as possible while dropping further malware through the initial backdoor. The people responsible showed all of these traits, and such a well-orchestrated attack can only be carried out by a nation-state actor.
Second, this attacker was extremely professional. The attackers did their best to stay as hidden as possible. Very similar techniques have been employed by groups dedicated to clandestine spying with the singular goal of accomplishing their mission's objective. Their techniques were efficient, effective and planned. This is another clear marker of a nation-state actor.
Third, the attacker used previously unknown infrastructure to attack SolarWinds. Everything from IP addresses to servers was new and had not been used in other incidents. This means the attackers set up infrastructure specifically for this attack. That takes a lot of time, money, people, and coordination, not to mention the ability to maintain these servers. Most malicious groups employ shared infrastructure to conduct attacks. The very fact that this was not the case in the SolarWinds attack points to a nation-state actor.
What was the damage?
We really don't know the extent and reach of the SolarWinds attack.
However, we do know that over 18,000 copies of the software package with the embedded malicious code were installed as updates on systems between March 2020 and October 2020. It will be months before anyone truly understands the extent of the damage that was caused.
It is very expensive and difficult to secure systems that have been breached. It requires time, resources, and manpower. Understanding the extent of the different breaches may take months, but fully securing the systems may take years.