The SolarWinds Hack

Along with the rest of the cyber security world, I’ve been thinking a lot about the compromise of the SolarWinds network. The implications of this attack are endless, and it is unlikely that we will ever know the full details. Some sources have said that up to 18,000 SolarWinds customers have been compromised in this supply-chain attack, including some of the most important United States government organizations.

SolarWinds provides IT tooling that grants system administrators the ability to manage their environment under a single pane of glass. Oftentimes administrators will give this RMM tool full administrator access (domain admin in an AD domain), allowing it to run commands, install software, manage patches, and read logs remotely. Essentially, these are the keys to the castle. Any hacker who can compromise a system like this is going to be pleased – they’ve got control of the entire environment and can do whatever they want. They can implant droppers to communicate with C2 servers, and then they can delete the logs and obscure their movements easily. Now, imagine having this kind of access in the Department of the Treasury or the Department of Commerce, or any of the other 18,000 customers that are stated to be compromised. You’ve not only hit a goldmine, you’ve discovered the secret behind alchemy.

Reputable researchers have credited this attack to Fancy Bear, the Russian advanced persistent threat organization managed under the GRU. This is the organization that was behind the 2016 DNC hack and the John Podesta compromise. This is the organization that partners with the other GRU hacker group, Sandworm – a group of Dune enthusiasts that cost the world over 10 billion dollars in damage via the NotPetya attack.

This is a fresh attack and the details are just trickling out now. We may never know the full extent of what the Russian operatives were able to steal from the United States government. We may never know if they implanted malware to be set off at a future date. What we do know is that SolarWinds may have been compromised since March of 2020, and that is more than enough time for the GRU to gather information and stage future attacks. We should be grateful they didn’t drop a NotPetya variant on the servers of those 18,000 customers.
