Full Report
SolarWinds attack explained by Wiz CTO Ami Luttwak
Analysis Summary
# Incident Report: SolarWinds Supply Chain Attack Campaign
## Executive Summary
This comprehensive incident involved a highly sophisticated, nation-state-sponsored cyber espionage campaign, initially centered around the SolarWinds software supply chain, that rapidly expanded into hybrid attacks targeting both on-premises networks and critical cloud assets like Microsoft Office 365. The attackers leveraged compromised software updates to gain initial access, leading to widespread discovery, lateral movement, and the subsequent exfiltration of sensitive data from numerous government agencies and private organizations. Response efforts focused on rapidly developing guidance specifically for cloud security teams alongside traditional SOC/IR efforts.
## Incident Details
- **Discovery Date:** December 13, 2020 (Initial FireEye report)
- **Incident Date:** Attack campaign began months prior to discovery, with timeline stretching back to at least December 2020 reports of related activity.
- **Affected Organization:** SolarWinds (Primary initial vector), FireEye, and at least 250 US federal agencies and organizations, plus additional third-party cloud vendors.
- **Sector:** Government (Federal Agencies), Technology, Cybersecurity.
- **Geography:** Primarily United States (US Federal Agencies).
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to December 13, 2020.
- **Vector:** Compromised SolarWinds Orion software updates (SUNBURST malware injected via CI/CD pipeline). Secondary vector included using credentials of a cloud service provider to access customer tenancy.
- **Details:** The attackers successfully injected malicious code (SUNBURST) into the SolarWinds Orion software updates. Later, evidence suggested they used a vendor's secret key to infiltrate a cloud service provider, gaining immediate access via cloud APIs.
### Lateral Movement
- **Date/Time:** Beginning shortly after initial compromise (specific dates vary by victim).
- **Vector:** Leveraging initial footholds to pivot from on-premises environments to cloud service credentials, including exploiting SAML tokens ("Golden SAML" technique) to target Office 365.
- **Details:** Attackers were not solely focused on on-premise networks; they actively expanded into cloud resources, indicating strong hybrid environment exploitation capabilities. A secondary vector, SUPERNOVA zero-day exploit in SolarWinds products, was also observed.
### Data Exfiltration/Impact
- **Date/Time:** Ongoing during the campaign.
- **Vector:** Exploitation of compromised infrastructure and cloud permissions granted to the upstream vendor.
- **Details:** Attackers targeted Office 365 emails and other cloud assets. The campaign aimed at espionage, evidenced by the scope and sophistication.
### Detection & Response
- **Date/Time:** Detection began December 13, 2020 (FireEye discovery) and subsequent public escalation through January 2021.
- **Response Actions:** CISA, NSA, and FBI jointly attributed the attack to a likely Russian APT actor (January 5th). CISA issued multiple guidance updates. Security vendors (like Wiz) provided specialized tools and guidance for cloud security teams responding to identity-based attacks.
## Attack Methodology
- **Initial Access:** Supply chain compromise (SolarWinds SUNBURST malware injection) and use of vendor secret keys/cloud reseller credentials.
- **Persistence:** Likely maintained through backdoors established via the initial software update and potentially leveraging compromised cloud identity tokens.
- **Privilege Escalation:** Exploiting SAML tokens ("Golden SAML" attack) to gain elevated access within Office 365 tenants, bypassing MFA/traditional authentication checks.
- **Defense Evasion:** Using an undetectable method to inject malware via legitimate software update channels (CI/CD pipeline manipulation).
- **Credential Access:** Unspecified, but inferred through SAML token manipulation and likely internal network credential theft post-initial access.
- **Discovery:** Standard reconnaissance within internal networks and cloud tenancy.
- **Lateral Movement:** Pivoting between on-premises environments and cloud tenancy based on established trust relationships (e.g., using vendor access).
- **Collection:** Targeting Office 365 email systems and other cloud assets.
- **Exfiltration:** Via cloud APIs leveraged through compromised vendor permissions.
- **Impact:** Espionage and wide-scale compromise of US federal agencies and technology companies.
## Impact Assessment
- **Financial:** Not specified, but substantial costs associated with remediation, government investigation, and service interruption expected.
- **Data Breach:** Highly sensitive government and organizational data believed to be compromised, particularly involving email systems and cloud assets.
- **Operational:** Significant disruption across at least 250 breached organizations, requiring immediate shifts in security focus toward cloud identity protection.
- **Reputational:** Severe damage to trust in third-party software supply chain integrity and cloud security postures.
## Indicators of Compromise
Identification of specific IOCs was generally managed by vendor advisories (e.g., CrowdStrike discovering SUNSPOT) and official CISA guidance.
- **Network Indicators (Defanged):** Related infrastructure associated with the attack group (e.g., Turla/APT 29 tooling).
- **File Indicators:** The SUNBURST malware payload within SolarWinds Orion updates.
- **Behavioral Indicators:** Use of compromised vendor access; manipulation of SAML authentication tokens for cloud access.
## Response Actions
- **Containment:** Immediate steps for affected organizations included isolating compromised identity providers, revoking potentially compromised vendor access tokens, and scanning for SUNBURST and associated malware.
- **Eradication:** Identifying and removing all malicious implants related to SUNBURST and SUPERNOVA. For cloud environments, this included forced token reissuance and deep inspection of identity roles.
- **Recovery:** Rebuilding systems and ensuring that patched/clean versions of software (SolarWinds Orion) were deployed. Significant efforts dedicated to auditing and securing complex cloud identity chains, especially involving third-party access.
## Lessons Learned
- **Supply Chain Risk is Paramount:** Infiltration via legitimate software updates (CI/CD pipeline compromise) provides exceptional stealth and scale.
- **Cloud Identity is a New Front:** The attacker successfully leveraged an organization's trust in a third-party vendor to gain immediate, high-privilege access to cloud environments via APIs (a major gap in traditional perimeter defense).
- **Visibility Gaps:** Existing security tools provided only partial coverage for detecting complex, identity-focused attacks in ephemeral cloud environments.
## Recommendations
- **Focus on Cloud Access Visibility:** Implement cloud-native monitoring solutions capable of deep, full-stack visibility to track privileged identities, including third-party service accounts and their associated escalation paths.
- **Harden Identity Infrastructure:** Review and strengthen controls around SAML token issuance and validation processes to mitigate "Golden SAML" style attacks.
- **Supply Chain Due Diligence:** Increase scrutiny and monitoring of software build pipelines and vendor-supplied artifacts.
- **Implement Proactive Scanning:** Utilize tools capable of software asset management, vulnerability scanning, and identity analysis across the entire cloud stack to detect compromised software versions and associated misconfigurations rapidly.