Towards the end of 2020, there was one name dominating the security landscape: SolarWinds.

Attackers used SolarWinds software as a jumping point to other targets in a process known as a supply-chain attack.

The result was tens of thousands of victims, data breaches at multiple government agencies, and a Congressional hearing featuring some of the top names in tech and security, including Microsoft, FireEye, and CrowdStrike.

So what is SolarWinds? What happened during one of the biggest cyberattacks in recent times?

What Is SolarWinds?

SolarWinds is a well-known company that develops and delivers system management tools. Among its clientele are hundreds of Fortune 500 companies, as well as numerous US and foreign government agencies.

SolarWinds develops and distributes a management system called Orion. Companies can use Orion to manage IT resources, perform administrative duties, carry out on- and off-site monitoring, and more.

SolarWinds Orion software is at the center of the SolarWinds attack.

What Happened to SolarWinds Orion Software?

SolarWinds Orion has over 33,000 customers. Each of these customers receives software updates directly from SolarWinds, which pushes updates live to customers. The Orion customer installs the update when it arrives, and everything continues working as normal.

In early 2020, a group of hackers silently breached SolarWinds infrastructure and added malicious code to a SolarWinds Orion update package. When the update was pushed out to the thousands of SolarWinds Orion customers, the malicious files went with it.


Once the update hit customer networks, it was just a matter of waiting for the customer to install the malicious files, creating a backdoor into their network in the process.

The Trojanized version of the Orion software was installed on thousands of computers across multiple high-profile networks. This is a core part of the supply-chain attack. A vendor with access to other networks is identified and attacked but isn't the sole target. The attackers are using the vendor as a launchpad into the networks of other targets.

Microsoft Products Also Hit in Supply Chain Attacks

SolarWinds wasn't the only tech company whose products featured in a supply chain attack. Microsoft was a victim of the overall attack, but Microsoft product resellers and distributors were also targeted to compromise other linked networks.

The attackers first attempted to gain access to Microsoft's Office 365 infrastructure directly. But when they failed, attention turned to Microsoft resellers. At least one Microsoft cloud service provider was targeted and used as a springboard into other networks.

Another Microsoft product vulnerability, this time in the Outlook web app, allowed the attackers to bypass two-factor authentication checks, accessing private email accounts that were then used for data harvesting.

Furthermore, Microsoft confirmed that the attacker accessed source code for Windows 10 and other products, although the code wasn't important enough to be deemed a risk.

Who Was Hit by the SolarWinds Attack?

The attackers didn't strike immediately. Having gained access to a series of high-profile networks, the hacking group waited for months to begin the second phase of the attack.

The hacking group breached SolarWinds back in March 2020, but the first inkling of the scale of the breach didn't arrive until December 2020, some nine months later.

Leading security firm FireEye announced they were the victims of the hack and that the attackers had stolen some of their offensive hacking tools in the process. At this time, the FireEye breach wasn't linked to SolarWinds.

A steady flow of reports emerged from multiple US government agencies around a week later regarding a backdoor attack. The US Treasury and the National Nuclear Security Administration were breached, along with the Departments of Homeland Security, State, Defence, Commerce, and Energy, and parts of the Pentagon.

At the time, speaking to the BBC, cybersecurity researcher Prof Alan Woodward said:

Post Cold War, this is one of the potentially largest penetrations of Western governments that I'm aware of.

The list of victims is extensive, covering multiple countries, numerous tech companies, and thousands of networks. Names such as Cisco, Intel, Nvidia, Microsoft, MediaTek, Malwarebytes, and Mimecast all suffered breaches.


How Did the SolarWinds Attack End?

As you might expect from an attack of this size, it wasn't as simple as flicking a switch and shutting the SolarWinds breach down.

First of all, SolarWinds wasn't a one-size-fits-all attack. Although SolarWinds Orion was the primary launchpad into the target networks, the attackers used their time to craft a series of unique malware types, paired together with other previously unseen exploits after gaining access.

The Microsoft Security Blog provides a detailed explanation of how some of these malware types work, but you can read a short overview below:

  • GoldMax: GoldMax is written in Go and acts as a command and control backdoor that hides malicious activities on the target computer. As found with the SolarWinds attack, GoldMax can generate decoy network traffic to disguise its malicious network traffic, giving it the appearance of regular traffic.
  • Sibot: Sibot is a VBScript-based dual-purpose malware that maintains a persistent presence on the target network and downloads and executes a malicious payload. Microsoft notes that there are three variants of the Sibot malware, all of which have slightly different functionality.
  • GoldFinder: This malware is also written in Go. Microsoft believes it was "used as a custom HTTP tracer tool" for logging server addresses and other infrastructure involved in the cyberattack.

Once Microsoft and other security companies learn enough about the malware types in play, they can attempt to block their use. Only then can the complete clean-up begin.

The Microsoft Security Blog also provides another important snippet regarding the "end" of the SolarWinds attack:

With this actor's established pattern of using unique infrastructure and tooling for each target, and the operational value of maintaining their persistence on compromised networks, it is likely that additional components will be discovered as our investigation into the actions of this threat actor continues.

Who Was Behind the SolarWinds Attack?

The big question: who was it? Which hacking group has the skills to perpetrate one of the biggest and most advanced hacks in history?

The tech companies and US government are pointing the finger squarely at a Russian government-backed hacking group, though a specifically named group is still hard to come by.

This might mean the infamous Cozy Bear (APT29) hacking group. Security firm Kaspersky said some malware samples resemble malware used by a hacking group known as Turla, which has links to the Russian federal security service, the FSB. Multiple US officials have gone on the record accusing Russia or a Russian-influenced hacking group too.

Speaking at a US Senate hearing into the cyberattack, Microsoft President Brad Smith also asserted that Russia was behind the attack. He also reiterated that Microsoft was "Continuing to investigate as we do not believe all supply chain vectors have yet been discovered or made public."

The other tech companies' leaders speaking at the hearing, CrowdStrike, FireEye, and SolarWinds, issued similar statements.

However, without confirmation or a piece of killer evidence that the US government can reveal, it remains a strong allegation. As the above tweet indicates, CISA is still holding a piece of evidence but cannot reveal it, lest it burn contacts, sources, and perhaps ongoing investigations into the attack.

Is SolarWinds Over?

According to Microsoft, it might not be. But the truth is that, with an attack of this nature, one that has breached so many different networks to varying degrees, we'll probably never know the true extent of SolarWinds.

There are likely companies that were breached, but their network was deemed insufficient in value to continue exploiting, and such is the skill of the hacking group, they may have left no trace of entry.

In that sense, SolarWinds wasn't about causing a scene and shaking things up. It was the polar opposite: carefully orchestrated, requiring a great many precise moves to work in step to avoid detection.

It certainly opens up the conversation regarding responsible vulnerability disclosure, bug reporting, and other ways to strengthen security protocols against such attacks.

Should I Worry About SolarWinds?

As far as regular consumers like you and me go, this is way, way above our pay grade.

Attacks of this nature typically don't impact regular consumers, at least not directly like a phishing attack or someone installing malware on your computer.