Full Report
What seemed at first to be a targeted attack against FireEye turned out to be a much worse espionage campaign, associated with APT29, that the United States has suffered from. The SolarWinds attackers, linked to a Mimecast attack on Jan 13th, executed a sophisticated supply chain...
Analysis Summary
# Incident Report: The SolarWinds Supply Chain Espionage Campaign
## Executive Summary
A sophisticated state-sponsored espionage campaign, attributed to the Russian-linked group APT29 (Cozy Bear), targeted the SolarWinds Orion platform via a supply chain compromise. By injecting a backdoor (Sunburst) into legitimate software updates, the attackers gained access to thousands of public and private sector organizations worldwide, including US government agencies. The campaign focused on long-term intelligence gathering through privileged access to email systems and cloud environments.
## Incident Details
- **Discovery Date:** December 8, 2020 (FireEye detection)
- **Incident Date:** September 2019 (Initial infrastructure testing) – December 2020
- **Affected Organization:** SolarWinds (Primary), FireEye, Mimecast, Microsoft, US Treasury, DHS, and others.
- **Sector:** Technology, Government, Critical Infrastructure
- **Geography:** Global (Primary focus on United States)
## Timeline of Events
### Initial Access
- **Date/Time:** September 2019
- **Vector:** Supply Chain Compromise
- **Details:** Attackers gained access to SolarWinds' internal build environment and injected malicious code into the `SolarWinds.Orion.Core.BusinessLayer.dll` as part of a software update.
### Lateral Movement
- Attackers utilized the "Sunburst" backdoor to establish a footprint.
- They moved from on-premises servers to the cloud (Azure/Office 365) by forging SAML (Security Assertion Markup Language) tokens using stolen administrative credentials.
### Data Exfiltration/Impact
- Theft of internal documents, emails from high-ranking government officials, and proprietary source code.
- Specific compromise of FireEye’s "Red Team" security tools.
### Detection & Response
- **Discovery:** FireEye detected an unauthorized login using a secondary device for Multi-Factor Authentication (MFA) and subsequently identified the SolarWinds backdoor.
- **Response:** Global notification to customers, decommissioning of compromised Orion servers, and revocation of compromised SAML signing certificates.
## Attack Methodology
- **Initial Access:** Supply chain injection of malicious code into legitimate software updates.
- **Persistence:** Sunburst backdoor; replacement of legitimate system files; creation of new administrative accounts in Azure AD.
- **Privilege Escalation:** Compromise of SAML signing certificates to grant unauthorized access to cloud resources.
- **Defense Evasion:** Use of steganography, masquerading as legitimate Orion protocols, and a 2-week dormant period before executing commands.
- **Credential Access:** Dumping of the AD FS (Active Directory Federation Services) container to steal token-signing certificates.
- **Discovery:** Scanning for security software and identifying high-value targets via internal network reconnaissance.
- **Lateral Movement:** Golden SAML attacks; pivoting from on-premises to cloud environments.
- **Collection:** Targeting of O365 email accounts and SharePoint/OneDrive files.
- **Exfiltration:** Data sent via HTTPS to C2 servers disguised as legitimate API traffic.
- **Impact:** Strategic espionage and theft of intellectual property.
## Impact Assessment
- **Financial:** Massive remediation costs; SolarWinds shares dropped significantly; Mimecast reported high incident costs.
- **Data Breach:** Exposure of sensitive government communications and cybersecurity toolsets.
- **Operational:** Disruption of IT services for 18,000+ customers who had to disconnect SolarWinds software.
- **Reputational:** Massive loss of trust in the software supply chain model.
## Indicators of Compromise
- **Network:** `avsvmcloud[.]com` (C2 domain), `deftsecurity[.]com`
- **File:** `SolarWinds.Orion.Core.BusinessLayer.dll` (SHA256: `ce77d116a074dab7a22434454ad5535a90c4e509c2539dea0c4307cf64b971a0`)
- **Behavioral:** Unexpected outbound traffic from SolarWinds Orion servers to external domains; unauthorized creation of SAML tokens.
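The indicators above are only useful once they are matched against telemetry. The following script is an added example, not code from the original report or from any of the organisations it names: it refangs the two C2 domains listed above, matches them (and any subdomain) against proxy log lines, flags outbound connections from hosts tagged as Orion servers to destinations outside an allowlist (the behavioral indicator above), and checks a file's SHA256 against the listed DLL hash. The log format, the host name `orion01`, the allowlisted destination `updates.vendor.example`, and the log lines themselves are constructed for the example.

```python
"""IoC sweep: domain/subdomain matching, Orion outbound allowlisting, hash check.

Added example, not part of the original report. The domains and SHA256 are the
IoCs listed in the report; everything else (log format, host names, allowlist)
is constructed for illustration.
"""
import hashlib

# IoCs exactly as the report lists them (defanged).
IOC_DOMAINS_DEFANGED = ("avsvmcloud[.]com", "deftsecurity[.]com")
IOC_SHA256 = {"ce77d116a074dab7a22434454ad5535a90c4e509c2539dea0c4307cf64b971a0"}

# Constructed: which hosts are Orion servers and where they are allowed to talk.
ORION_SERVERS = {"orion01"}
ALLOWED_ORION_DESTS = {"updates.vendor.example"}

# Constructed sample log: "<timestamp> <source_host> <destination_host> <bytes>"
SAMPLE_PROXY_LOG = """\
2020-12-08T10:01:02Z orion01 abc123.avsvmcloud.com 1532
2020-12-08T10:03:11Z ws-1042 login.example.com 20411
2020-12-08T10:04:40Z orion01 updates.vendor.example 88213
2020-12-08T10:05:05Z orion01 cdn.example.net 912
2020-12-08T11:15:00Z orion01 deftsecurity.com 4096
"""


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'evil[.]com' back into 'evil.com'."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def is_ioc_domain(host: str) -> bool:
    """True if host equals an IoC domain or is a subdomain of one.

    The suffix check requires the leading dot so that a look-alike such as
    'notavsvmcloud.com' is not matched.
    """
    h = host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in IOC_DOMAINS)


def is_ioc_hash(hexdigest: str) -> bool:
    """Case-insensitive lookup of a SHA256 hex digest in the IoC set."""
    return hexdigest.lower() in IOC_SHA256


def check_file_bytes(data: bytes) -> tuple:
    """Return (sha256_hex, flagged) for an in-memory file image."""
    digest = hashlib.sha256(data).hexdigest()
    return digest, is_ioc_hash(digest)


def sweep_proxy_log(text: str) -> list:
    """Return (ts, src, dst, reason) for every suspicious log line.

    'ioc_domain' takes priority; 'unexpected_outbound' covers the report's
    behavioral indicator: an Orion server talking to a non-allowlisted host.
    """
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, _nbytes = line.split()
        if is_ioc_domain(dst):
            findings.append((ts, src, dst, "ioc_domain"))
        elif src in ORION_SERVERS and dst.lower() not in ALLOWED_ORION_DESTS:
            findings.append((ts, src, dst, "unexpected_outbound"))
    return findings


if __name__ == "__main__":
    for finding in sweep_proxy_log(SAMPLE_PROXY_LOG):
        print(*finding)
```

Running it on the constructed log yields three findings: two hits on the listed C2 domains and one non-allowlisted outbound connection from the Orion host. In practice the allowlist is the harder part to maintain, which is why the report's last recommendation (restrict outbound access for management servers at the network layer) is the more robust control.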
## Response Actions
- **Containment:** FireEye released over 300 countermeasures to detect their stolen tools. CISA issued Emergency Directive 21-01.
- **Eradication:** SolarWinds released patched versions (2020.2.1 HF 1) to remove the backdoor.
- **Recovery:** Massive rotation of global credentials and certificates across impacted federal agencies and private firms.
## Lessons Learned
- **Supply Chain Fragility:** Deeply trusted software updates can be the ultimate Trojan horse.
- **Cloud Trust Models:** The "Golden SAML" attack highlighted that if the identity provider is compromised, MFA can be bypassed.
- **Visibility Gaps:** Many organizations lacked visibility into lateral movement between on-premises and cloud environments.
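The "Golden SAML" lesson and the visibility gap above come down to one detection question: was every SAML token the cloud accepted actually issued by the identity provider? A token forged with a stolen signing certificate passes signature validation, so a certificate check alone is not enough; what gives it away is that the cloud side sees an assertion for which the AD FS side has no issuance record. The following is an added example, not code from the report or from Microsoft, that correlates the two sides. The record shapes (`IdpIssuance`, `CloudSignIn`), the field names, the thumbprint value and the sample records are all constructed and deliberately simplified; real AD FS and cloud sign-in logs have their own schemas that this does not reproduce.

```python
"""Correlate cloud-side SAML sign-ins with IdP-side token issuance records.

Added example, not part of the original report. Record shapes, field names,
the trusted thumbprint and all sample records are constructed.
"""
from dataclasses import dataclass

# Constructed placeholder: thumbprint of the legitimate AD FS token-signing cert.
TRUSTED_SIGNING_THUMBPRINTS = {"AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"}


@dataclass(frozen=True)
class IdpIssuance:
    """IdP-side record: the identity provider issued this assertion."""
    assertion_id: str
    user: str
    issued_at: str


@dataclass(frozen=True)
class CloudSignIn:
    """Cloud-side record: a SAML assertion was accepted for a sign-in."""
    assertion_id: str
    user: str
    ts: str
    signing_thumbprint: str


def find_suspicious_saml_signins(issuances, signins) -> list:
    """Return (assertion_id, user, reasons) for sign-ins that do not line up.

    Checks, in order:
      untrusted_signing_cert - signed by a cert that is not the known IdP cert
      no_idp_issuance        - the IdP never recorded issuing this assertion
                               (the Golden SAML case: valid signature, no origin)
      subject_mismatch       - IdP issued it to a different user than the
                               cloud accepted it for
    """
    issued = {i.assertion_id: i for i in issuances}
    findings = []
    for s in signins:
        reasons = []
        if s.signing_thumbprint.upper() not in TRUSTED_SIGNING_THUMBPRINTS:
            reasons.append("untrusted_signing_cert")
        origin = issued.get(s.assertion_id)
        if origin is None:
            reasons.append("no_idp_issuance")
        elif origin.user != s.user:
            reasons.append("subject_mismatch")
        if reasons:
            findings.append((s.assertion_id, s.user, tuple(reasons)))
    return findings


# Constructed sample data.
SAMPLE_ISSUANCES = [
    IdpIssuance("_a1", "alice", "2020-12-08T09:00:00Z"),
    IdpIssuance("_a2", "bob", "2020-12-08T09:05:00Z"),
]
SAMPLE_SIGNINS = [
    # Legitimate: issued by the IdP, signed with the trusted cert.
    CloudSignIn("_a1", "alice", "2020-12-08T09:00:03Z",
                "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"),
    CloudSignIn("_a2", "bob", "2020-12-08T09:05:02Z",
                "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"),
    # Forged with the stolen signing cert: signature is fine, no issuance record.
    CloudSignIn("_f9", "svc-admin", "2020-12-08T23:41:10Z",
                "AAAA1111BBBB2222CCCC3333DDDD4444EEEE5555"),
    # Signed with an unknown cert and never issued by the IdP.
    CloudSignIn("_f10", "carol", "2020-12-09T01:02:03Z",
                "9999FFFF9999FFFF9999FFFF9999FFFF9999FFFF"),
]


if __name__ == "__main__":
    for finding in find_suspicious_saml_signins(SAMPLE_ISSUANCES, SAMPLE_SIGNINS):
        print(*finding)
```

The `_f9` record is the instructive one: it carries the trusted thumbprint and would be accepted by the service provider, and only the absence of a matching IdP issuance exposes it. That is the visibility gap the report describes, and closing it requires shipping the identity provider's issuance logs to the same place as the cloud sign-in logs so the join can be made.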
## Recommendations
- **Software Bill of Materials (SBOM):** Implement strict verification of all third-party components.
- **Zero Trust Architecture:** Assume initial access has occurred and limit lateral movement via micro-segmentation.
- **Hardened Identity Management:** Secure AD FS and signing certificates with Hardware Security Modules (HSMs).
- **Outbound Filtering:** Heavily restrict outbound internet access for internal management servers (like SolarWinds).