On Thursday, December 18, the Cybersecurity and Infrastructure Security Agency (CISA) notified the public of a widespread hack that is believed to have compromised government agencies, critical infrastructure, and private sector organizations across the United States.
Stemming from a prior attack that took place on December 13, a breach of SolarWinds has proven to be the primary vector that gave the currently unidentified hacking group direct access to the sensitive data of major U.S. agencies and businesses.
What is SolarWinds?
Since 1999, SolarWinds has provided network monitoring services to organizations around the world. While the company offers a range of management tools, it is its Orion product for on-premise and hosted infrastructures that has placed clients at risk.
Using SolarWinds’ update service as the delivery channel, the attackers distributed malware to an estimated 18,000 customers.
Who Was Hit by the SolarWinds Breach?
Although many victims have yet to determine if their specific networks were infiltrated, the U.S. Treasury, Department of Commerce, and Department of Energy have confirmed that the recent breach resulted in attackers reading private emails. Unfortunately, information beyond that aspect is limited, with representatives from these agencies stating that logs of accessed files were deleted by the malware. In turn, the House Homeland Security Committee and Oversight Committee are launching an investigation to ensure the tax information of all U.S. citizens is secure.
On the private sector side, Microsoft has also come forward to inform customers that its network was similarly breached. “Like other SolarWinds customers, we have been actively looking for indicators of this actor and can confirm that we detected malicious SolarWinds binaries in our environment, which we isolated and removed,” a Microsoft spokesperson said.
While Microsoft operates multiple cloud services capable of pushing updates to millions of individuals, the company has found no indication that its systems were used to attack others.
Alongside Microsoft, internet service provider Cox Communications also fell victim to the attack. Although Cox Communications is currently unaware of the extent of the damage, a spokesman for the company assures customers that it is working “around the clock” to investigate the attack. Like Microsoft, Cox Communications has taken all SolarWinds platforms offline.
Did SolarWinds Compromise My Network?
Although the malware was delivered via an Orion update, CISA warns that even organizations that did not receive the update may still be at risk, noting that not every network the attackers could reach was actually exploited. As the investigation continues, cybersecurity firm Kaspersky is using proprietary code to decrypt the online web records left by the malicious activity and is alerting organizations that may have been breached.
Since the exploit’s discovery, software companies have followed Microsoft’s lead, sealing off the backdoors that gave the hackers such wide-scale reach. Until the investigation is completed, many large agencies and businesses have halted email communications and moved to more secure networks.
While completely removing the threat from compromised environments will be a difficult task, CISA offers a few recommendations for mitigating the fallout of the attack:
First and foremost, a full evaluation of the environment is needed to seek out any indication of compromise.
Should any signs of an attack be found, all instances of SolarWinds Orion must be disconnected from the network immediately. Additionally, all traffic to and from SolarWinds Orion needs to be blocked, and compromised accounts must be identified and removed.
Entities running outdated versions of SolarWinds products should update to the newest version available; check with SolarWinds for the most current product version.
After all compromised accounts and affected instances of SolarWinds have been updated or removed, all credentials used by or stored in SolarWinds Orion must be reset. Furthermore, multifactor authentication should be set up for all accounts that access a SolarWinds product.
For organizations that believe administrator-level credentials were accessed, backups will be needed to launch a full rebuild of the entire network. Should your organization need assistance with this step or any of the other steps listed above, please feel free to reach out to Rocket IT for further assistance.
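The containment steps above (find Orion instances, block their traffic, reset the credentials they used) start with a scoping question: which hosts run Orion, what did they talk to, and which accounts did they use? The script below is an added example written for this article, not code from CISA, SolarWinds or Rocket IT. The asset inventory, flow records and service-account mapping are constructed sample data, and the patched-version threshold is an explicit placeholder that must be replaced with the build named in the vendor advisory.

```python
"""Triage helper for the CISA containment steps: locate Orion hosts, scope the
peers they exchanged traffic with (the flows to block and systems to examine),
flag outdated builds, and list the accounts whose credentials must be reset.

All data below is constructed for illustration only.
"""
from collections import defaultdict

# PLACEHOLDER threshold: substitute the patched build named in the SolarWinds/CISA
# advisory. The value here is deliberately impossible so nothing passes by accident.
PATCHED_MIN_VERSION = (9999, 0, 0)

# Constructed asset inventory: host -> list of (product name, version string)
INVENTORY = {
    "orion01.corp.example": [("SolarWinds Orion Platform", "2020.2.0")],
    "orion02.corp.example": [("SolarWinds Orion Platform", "2020.2.1")],
    "web01.corp.example": [("nginx", "1.18.0")],
    "db01.corp.example": [("PostgreSQL", "12.4")],
}

# Constructed flow records exported from a firewall: (source, destination, dst_port)
FLOWS = [
    ("orion01.corp.example", "db01.corp.example", 1433),
    ("web01.corp.example", "orion01.corp.example", 17778),
    ("orion02.corp.example", "203.0.113.10", 443),
    ("web01.corp.example", "db01.corp.example", 5432),
]

# Constructed mapping: Orion host -> service accounts configured on it
ORION_ACCOUNTS = {
    "orion01.corp.example": ["CORP\\svc_orion", "CORP\\svc_orion_sql"],
    "orion02.corp.example": ["CORP\\svc_orion"],
}


def parse_version(text):
    """Turn '2020.2.1' into (2020, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def find_orion_hosts(inventory):
    """Return {host: version} for every host with an Orion product installed."""
    found = {}
    for host, products in inventory.items():
        for name, version in products:
            if name.lower().startswith("solarwinds orion"):
                found[host] = version
    return found


def outdated_hosts(orion_hosts, minimum=PATCHED_MIN_VERSION):
    """Orion hosts whose build is below the required patched version."""
    return sorted(h for h, v in orion_hosts.items() if parse_version(v) < minimum)


def orion_peers(flows, orion_hosts):
    """Map each Orion host to every peer it exchanged traffic with, in either direction.
    These peers define the traffic to block and the systems to pull into the investigation."""
    peers = defaultdict(set)
    for src, dst, _port in flows:
        if src in orion_hosts:
            peers[src].add(dst)
        if dst in orion_hosts:
            peers[dst].add(src)
    return {h: sorted(p) for h, p in peers.items()}


def accounts_to_reset(orion_hosts, accounts):
    """Deduplicated list of accounts used by Orion on affected hosts; all must be reset."""
    return sorted({acct for h in orion_hosts for acct in accounts.get(h, [])})


def containment_plan(inventory=INVENTORY, flows=FLOWS, accounts=ORION_ACCOUNTS):
    """Assemble the scoping output for the disconnect / block / update / reset steps."""
    orion = find_orion_hosts(inventory)
    return {
        "disconnect": sorted(orion),
        "outdated": outdated_hosts(orion),
        "block_flows": orion_peers(flows, orion),
        "reset_credentials": accounts_to_reset(orion, accounts),
    }


if __name__ == "__main__":
    for step, items in containment_plan().items():
        print(step, items)
```

Version strings are compared as integer tuples rather than as text so that a build such as 2020.2.10 sorts after 2020.2.1; peers are collected from both directions of each flow because the Orion server both polls managed devices and receives connections from consoles.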