This post will summarize news on the SolarWinds hack from CISA’s (Cybersecurity and Infrastructure Security Agency) perspective.

CISA updates posts in place but documents the change dates and the nature of changes in their posts’ body.

Dec 13, 2020 1

  • Determined that SUNBURST posed an unacceptable risk to Federal Civilian Executive Branch agencies and required emergency action
  • Required federal agencies (with the requisite expertise) to conduct forensic analysis of the systems hosting Solarwinds Orion and analyze historical network traffic for communication with the attackers’ command-and-control system
  • Required federal agencies with infected Orion software to disconnect (from the network) or power down their systems with Orion
  • Required federal agencies to take several additional steps to understand the scope of the attacker’s efforts and limit damage

Dec 17, 2020 2

  • Issued an alert on “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations”
  • Documented (in the alert) IOCs relevant to the attack and remediation mechanisms

Dec 18, 2020 3

  • Issued supplemental guidance identifying affected versions of Orion
  • Listed requirements for federal agencies using hosting (cloud) services
  • Listed conditions under which unaffected version of Orion could be connected back to the network

Dec 30, 2020 3

  • Required all federal agencies operating versions of Orion other than those identified as “affected versions” to use Orion version 2020.2.1HF2 or later

Jan 6, 2021 4

  • Provided additional clarity on required actions
  • Superceeded previously issued supplemental guidance

Jan 8, 2021 5

  • Documented UNC2452’s use of compromised applications in a victim’s Microsoft 365 (M365)/Azure environment
  • Noted UNC2452’s use of additional credentials and Application Programming Interfaces (APIs) to access cloud resources of private and public sector organizations
  • Released a tool called Sparrow to help network defenders detect possible compromised accounts and applications in the Azure/M365 environment

Jan 29, 2021 6

  • Indicated that approximately 30% of both the private-sector and government victims linked to the UNC2452 campaign had no direct connection to SolarWinds

Apr 15, 2021 7

  • Published a noticed with FBI and NSA outlining several vulnerabilities that were used by UNC2452 (in addition to compromising Orion)

References

  1. https://cyber.dhs.gov/ed/21-01/ 

  2. https://us-cert.cisa.gov/ncas/alerts/aa20-352a 

  3. https://cyber.dhs.gov/ed/21-01/older-supplemental-guidance/  2

  4. https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3 

  5. https://us-cert.cisa.gov/ncas/alerts/aa21-008a 

  6. https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601 

  7. https://r-dube.github.io/solarwinds/2021/05/03/us-attribution.html