
IT company SolarWinds says it may have been hit in ‘highly sophisticated’ hack.

A statement from Kevin Thompson, SolarWinds president and CEO, says the company is “aware of a potential vulnerability which if present is currently believed to be related to updates which were released between March and June 2020 to our Orion monitoring products.”

He said: “We believe that this vulnerability is the result of a highly-sophisticated, targeted and manual supply chain attack by a nation state. We are acting in close coordination with FireEye, the Federal Bureau of Investigation, the intelligence community, and other law enforcement to investigate these matters. As such, we are limited as to what we can share at this time.”

SolarWinds Orion is a network monitoring and management platform: it discovers and configures network devices, maps sites and equipment geographically, and provides monitoring, alerting, log collection and remote modification of devices. That reach across the whole estate is what makes a tampered Orion update so dangerous.

Companies who may have been affected by this can call our FREE cyber incident response helpline on 01786 437 472.

Commenting on the breach, Cyber Incident and Response Manager, Mark Cunningham-Dickie said:

“SolarWinds have provided an update to their product that does not include the malicious file (Source: Security Advisory). However, this is an interim fix with another expected in the coming days. Not only that, but there’s so far no information about how the update chain was compromised or assurance that the compromise has now been closed.

“Just updating SolarWinds will not ensure that the issue is resolved within your environment. As with FireEye, the compromise came in via SolarWinds, but from there it exfiltrated data. You need to check for secondary compromise and data loss.

“These checks also need to include firmware integrity. Nation-state-level malware tools such as Trickbot have been seen to incorporate new modules for firmware reconnaissance and can write to the UEFI (Source: PDF).

“This means that, as the compromise is on board/on chip, even if you clean the compromise from the application/OS or reinstall from scratch, there is a level of persistence that allows them to re-infect the device. NCSC understands the risks and threats that this presents and has published advice on ensuring that your firmware is up to date (Source: NCSC).

“At the moment, the advice would be to shut down the SolarWinds server(s), check them in isolation for the Indicators of Compromise (IoCs) provided by FireEye (Source: FireEye’s GitHub), update any vulnerability scanning tools that you may have and run them across your networks. Isolate any compromised devices, collect evidence, appropriately notify the authorities (such as the ICO or any sector regulators), eradicate and recover.”
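The isolated IoC check described in the advice above, as an added Python example that is not part of the original article and not FireEye’s or SolarWinds’ code: it hashes the binaries under an Orion install directory against a CSV of SHA-256 indicators, and scans DNS resolver log lines for queries to IoC domains (including their subdomains, without matching on substrings). The IoC hashes, the domains, the DLL files and the log lines are all constructed inline so the script runs offline; on a real host you would point it at the Orion directory and load the published FireEye lists instead.

```python
import csv
import hashlib
import io
import re
import tempfile
from pathlib import Path

# Constructed for this example only: these are NOT real SolarWinds or
# FireEye indicators. A real sweep loads FireEye's published IoC files.
CONSTRUCTED_DOMAIN_IOCS = ["ioc-c2.example", "ioc-beacon.invalid"]

# Constructed DNS resolver log lines (timestamp, client, query, type).
CONSTRUCTED_DNS_LOG = [
    "2020-12-13T10:00:01Z 10.0.0.5 query updates.corp.example.com A",
    "2020-12-13T10:00:07Z 10.0.0.5 query k3x9.appsync.ioc-c2.example A",
    "2020-12-13T10:01:12Z 10.0.0.9 query mail.corp.example.com MX",
]


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def load_hash_iocs(csv_text: str) -> dict:
    """Parse 'sha256,filename' rows into {sha256: filename}; skips header and comments."""
    iocs = {}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or row[0].startswith("#") or row[0].lower() == "sha256":
            continue
        iocs[row[0].strip().lower()] = row[1].strip()
    return iocs


def sweep_files(root, hash_iocs: dict, suffixes=(".dll", ".exe")) -> list:
    """Hash every binary under root and report those on the IoC list."""
    hits = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_file() and p.suffix.lower() in suffixes:
            digest = sha256_file(p)
            if digest in hash_iocs:
                hits.append({"path": str(p), "sha256": digest, "ioc": hash_iocs[digest]})
    return hits


def sweep_dns_log(lines, domain_iocs) -> list:
    """Flag lines querying an IoC domain or any subdomain of it (not bare substrings)."""
    hits = []
    for line in lines:
        for dom in domain_iocs:
            pat = r"(?:^|[\s.])" + re.escape(dom) + r"(?:$|[\s:])"
            if re.search(pat, line, re.IGNORECASE):
                hits.append({"line": line, "domain": dom})
    return hits


def run_demo() -> dict:
    """Build a throwaway 'Orion' directory with one benign and one flagged DLL
    (constructed content, not real binaries), then run both sweeps."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Orion"
        root.mkdir()
        benign = root / "Orion.Sample.Benign.dll"
        flagged = root / "Orion.Sample.Flagged.dll"
        benign.write_bytes(b"MZ constructed benign sample")
        flagged.write_bytes(b"MZ constructed flagged sample")

        # Constructed IoC CSV in the same shape as a published hash list.
        ioc_csv = ("sha256,filename\n# constructed example data\n"
                   f"{sha256_file(flagged)},{flagged.name}\n")
        file_hits = sweep_files(root, load_hash_iocs(ioc_csv))
        dns_hits = sweep_dns_log(CONSTRUCTED_DNS_LOG, CONSTRUCTED_DOMAIN_IOCS)
        return {
            "flagged_sha256": sha256_file(flagged),
            "file_hits": file_hits,
            "dns_hits": dns_hits,
        }


if __name__ == "__main__":
    result = run_demo()
    for hit in result["file_hits"]:
        print("FILE IoC:", hit["path"], hit["sha256"], hit["ioc"])
    for hit in result["dns_hits"]:
        print("DNS IoC:", hit["domain"], "<-", hit["line"])
```

Run it on the isolated Orion host, not from the production network, and treat a clean result as necessary rather than sufficient: a hash match only identifies the known tampered file, and a domain match only shows the backdoor called home. Neither tells you what the attacker did after that, which is exactly the secondary compromise the advice says you still have to hunt for.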