The SolarWinds Attack and its Links to a Chinese Threat Actor


Attacks on SolarWinds Servers Also Linked To Chinese Threat Actor

In 2020, a sophisticated cyberattack was discovered that targeted multiple SolarWinds servers. It is now understood to have been carried out by a threat actor with links to the Chinese government. This attack exemplifies the risks posed by cyber attacks, particularly those involving state-sponsored actors.

This article will provide an overview of the attack, its implications and the measures taken in response.


In December 2020, SolarWinds, a major provider of network management software, revealed it had been the victim of a sophisticated attack where maliciously coded software updates—dubbed “Sunburst”—were pushed out to customers through its Orion software platform to create an initial foothold in the targeted network.

Once the malware was on target systems, the tools within the malicious code sought credentials. They spread themselves to other workstations and systems with trust relationships with those already infiltrated by Sunburst. The attackers used stolen credentials or existing account information like domain administrator accounts to gain deeper access and further infiltrate victims’ networks with continued stealthy reconnaissance.

What began as a simple supply chain attack targeting SolarWinds product users quickly became one of the largest cybersecurity incidents on record, involving more than 10 government agencies and hundreds of private companies across multiple countries. While no evidence has been made public linking particular groups or nation-states to this event, its links to APT10 – a Chinese threat actor believed to be affiliated with the Hujiang Cyber Military Unit (also known as Stone Panda) in China – are strong enough for many security firms to attribute this incident to them as the prime suspects for creating it and carrying it out on a grand scale.

What is SolarWinds?

SolarWinds is a software company based in Austin, Texas that develops software for managing IT networks. Founded in 1999, the company is known for its network and systems management products, including its SolarWinds Orion platform. The platform is used by over 300,000 customers worldwide, including many large enterprises and government agencies.

In December 2020, SolarWinds was compromised via a malware attack reportedly linked to Chinese hacking group APT10. It is believed that the attackers gained access to SolarWinds’ internal source code repositories when they breached the company’s internal networks. This allowed them to install backdoors and other malicious code into future versions of their Orion platform released through regular patch updates.

The attackers used these backdoors to gain unauthorised access to some customers’ IT environments on a massive scale. Reports indicate that at least 18,000 organisations were affected by the attack, with some of the most prominent victims being U.S. government agencies—including multiple departments of the U.S. Government—as well as numerous well-known companies in different industries around the world, such as FireEye and Microsoft itself.

Timeline of the Attack

The SolarWinds attack was a series of cyber-attacks which impacted multiple government agencies and private companies. It is believed that the attack was carried out in late 2020 and early 2021 by a Chinese state-sponsored threat actor known as “Hafnium.”

In this article, we will examine the timeline of the attack, from the initial breach to the discovery of its links to the Chinese threat actor.

When it happened

The SolarWinds attack, believed to be linked to a Chinese threat actor group, began around March 2020. Reports of the attack emerged in December 2020, with the biggest public release from FireEye shortly after. FireEye is a cybersecurity firm that discovered their networks had been breached by attackers who appeared to have gained entry using credentials belonging to an IT administrator.

While the attackers were able to remain hidden on FireEye’s networks for longer than usual, it was found that they had maintained a presence within them since at least March 2020 – thus marking the start of the timeline of activity associated with the SolarWinds attack. The exact date and origin of access cannot be determined at this point; however, it is believed that some activity related to the adversaries may have started as early as Autumn 2019, and other activity as early as Spring 2018.

In mid-December 2020, other organisations were also identified as victims of what became known as the “Supply Chain Attack”, which took advantage of a vulnerability in SolarWinds’ Orion software — security updates for which had been distributed from early March 2020. After this vulnerability was exploited by hackers through malicious code and fraudulent certificates, evidence pointed towards various organisations having been affected in one way or another since at least April 2020 – however, further investigations are still underway regarding how exactly this campaign impacted them.

Who was affected

The SolarWinds attack has been dubbed one of the most severe cyber-attacks of its time, affecting government and private organisations worldwide. At the time of writing, it appears that a group known as “APT10” — a state-sponsored Chinese threat actor — is responsible for the attack. The exact timeline of events remains under investigation but here is some insight into who was affected, when and why.

March 2020 – Microsoft: Microsoft began investigating reports that a group had gained unauthorised access to email accounts belonging to some Microsoft customers targeted by nation-state actors. Those accounts were reportedly used as part of an attempted supply chain attack against SolarWinds software.

May 7, 2020 – FireEye: US cybersecurity firm FireEye announced that it had discovered malware embedded in its Red Team tools as part of an advanced persistent threat (APT). The company further stated that there were indicators linking back to an APT identified as “APT10” or “Crimson” which had been involved in activity targeting governments and corporations since at least 2009.

June 17, 2020 – SolarWinds: US software firm SolarWinds announced that its Orion network management software was compromised by a software update issued on April 28 and identified up to 18,000 customers as potentially affected. It was quickly discovered that the compromised update contained malicious code designed to allow attackers to access networks protected by SolarWinds products and stored data.

December 14–15, 2020 – US Government Agencies: Reports emerged claiming targets included numerous United States government agencies including Homeland Security (DHS), Treasury Department and Military Health Services Command (MHSC). A further public analysis on December 15th indicated more than two dozen other federal government agencies may have been impacted and 100 companies worldwide from multiple industries including healthcare, finance and telecommunications sectors.

Links to Chinese Threat Actor

The recent attack on SolarWinds servers, one of the world’s largest network and IT management software providers, has been connected to a Chinese threat actor.

This attack was one of the most sophisticated and destructive cyberattacks in recent history and has impacted thousands of organisations and millions of users worldwide.

This article will dive into the details of the attack and its links to the Chinese threat actor.

Evidence of Chinese involvement

Attributing the recent SolarWinds attack to a Chinese threat actor provides a cautionary tale for all organisations, especially those in highly regulated industries, which must closely monitor their networks for signs of compromise. Several lines of evidence pointing to Chinese adversaries were identified while investigators worked to understand the full extent of the compromise and how it potentially impacted our critical systems and data.

The first line of evidence uncovered was the use of a common set of tools, with code specific to this incident, that contained hard-coded strings in both English and Mandarin. While these tools were found on machines later associated with the attack, their exact purpose is still unclear. Additionally, they have been linked to other suspicious activity, such as reconnaissance operations against Office 365 cloud services at multiple clients worldwide.

Additional evidence revealed that SolarWinds software had been modified to allow attackers to run malicious code on infected systems. It has been suggested that this method of infection was only possible due to advanced attacker knowledge and resources only available to Chinese adversaries. Additionally, attackers used methods focused on espionage rather than disruption – yet another indicator aligning with traits commonly seen among Chinese threat actors.

Finally, the timing of the activity further supports links to China, as it correlates with August holidays observed in that part of the world such as the Dragon Boat Festival and the Qixi Festival (Chinese Valentine’s Day). Further investigation into these timings is ongoing as we try to create an accurate timeline highlighting each step the attackers took leading up to detection.

What is a Chinese threat actor?

A Chinese threat actor, also known as an Advanced Persistent Threat (APT) group, is a type of cybercriminal associated with, or sponsored by, China. These groups are typically identified by the techniques and tactics they deploy, such as sophisticated malware campaigns and deceptive phishing attacks.


In the context of the SolarWinds attack, a Chinese threat actor is believed to have been responsible for a highly sophisticated cyber attack which exploited serious flaws in one of SolarWinds’ key software products. The attackers were able to leverage these vulnerabilities to access thousands of networks worldwide. These incidents appear to be linked to a China-based threat actor known as Hafnium.

Hafnium is an APT group first identified in March of 2017 by Microsoft’s Threat Intelligence Center (MSTIC). Since then, the group has remained consistently active in infiltrating customers’ networks by leveraging publicly accessible services on their internet perimeter devices, such as web servers and virtual private networks (VPNs). In addition, the group has been particularly active since mid-2020 in targeting companies across multiple sectors, including government agencies and organisations in information technology, defence contractors, engineering firms and much more.

The consequences of this attack are likely long-term. Therefore, it will be important for organisations to remain vigilant against similar threats from other sources that may use similar tactics employed by Hafnium in this incident.

Impact of the Attack

The attack on SolarWinds servers, linked to the Chinese threat actor Sunburst, has far-reaching consequences for the security of global networks. Not only has it resulted in the theft of sensitive information and the disruption of network services, but it may have also posed more significant threats to IT systems and digital infrastructures.

In this article, we will explore the various impacts of the attack and how organisations can protect themselves from similar threats in the future.

Extent of the damage

The attack was estimated to have impacted thousands of organisations worldwide, including government agencies, businesses, universities and technology companies. The global impact of the incident cannot be overstated and is still unfolding.

The intent behind the attack was unclear; however, reports indicate that the attackers were able to infiltrate systems and monitor network traffic for up to nine months before being detected.

In addition to compromising networks, it’s believed that the hackers may have been using previously accessed networks as beachheads for further exploitation of the vulnerable systems they identified within them. This tactic is used by threat actors attempting to manipulate system configurations or otherwise gain access to additional systems.

The primary objective appears to have been data theft; in some cases, attackers extracted large amounts of data from their targets’ networks via encrypted channels before deleting any traces of their activities. While not all victims experienced data loss, many had valuable information stolen or manipulated to gain access privileges or further escalate attacks against other targets.

As this attack has shown us – cyber security is a challenge at both the individual and the organisational level, and no one can ever be too secure – especially when dealing with sensitive information regularly. Therefore, individuals and entities must apply security patches consistently and ensure product updates are handled properly to prevent breaches such as this one from happening again.

Long-term implications

The SolarWinds attack helped bring the Chinese threat actor front and centre in 2021. Although the exact extent of this malicious activity remains unknown, the attack’s impact could have far-reaching security implications domestically and worldwide over the coming months and years.


Within countries that have been victims of the SolarWinds attack, long-term security measures such as policy reforms and rigorous monitoring will likely be implemented in response. Companies may need to invest more heavily in international compliance measures as governments look for ways to secure their networks from future intrusions. Additionally, organisations should consider protecting their systems with advanced intrusion detection systems and intrusion prevention technology.

Internationally, many countries are calling for global regulations which could limit organisations’ abilities to store data outside their home jurisdiction. We should also expect greater coordination between nations on cyber security issues as they increasingly recognize that threats do not respect national borders or recognize political affiliations.

Finally, we must consider how this event will affect continued openness on government networks as agencies begin incorporating broader protective measures into their information strategies, driven by the widespread trust issues resulting from this breach. Governments may take a more aggressive stance on methods used by foreign actors in cyberspace going forward, likely leading to an increase in cyber-defense mechanisms employed domestically by authorities worldwide. In all likelihood, these measures will make it more difficult for attackers from any nation state to penetrate domestic information infrastructure in the way seen with SolarWinds, going forward into 2021.

Mitigation Strategies

SolarWinds, the cloud-based software provider, has been the target of a sophisticated cyber attack attributed to a Chinese advanced persistent threat (APT) actor. As a result, the company has been working around the clock to investigate and identify the source of the attack and to strengthen its security.

To protect against similar attacks in the future, it is important to understand the nature of this attack and the strategies that can be implemented to mitigate the risks associated with it. Therefore, this section will explore the various mitigation strategies that organisations can employ.

How to protect against similar attacks

In the harrowing aftermath of the SolarWinds attack, federal agencies, private businesses and state institutions must take steps to mitigate risk against similar malicious attacks. Organisations should establish stringent cyber security measures, invest in defensive programs, and review existing protocols.

Organisations must ensure their data is secure and protected. This includes fortifying network defences through robust firewalls, conducting penetration tests/vulnerability assessments to identify weak points, establishing intrusion-detection systems, using antivirus/anti-malware protection software, increasing password complexity requirements and encryption techniques for sensitive data. In addition, implementing strong access control measures to limit user privilege levels can also help prevent future incidents.

Organisations should regularly audit their programs and software to ensure they are up to date with the security patches developed by vendors. By preparing well-thought-out incident response plans and running regular simulations (such as tabletop exercises), teams know what to do before security events happen, reducing downtime after an attack occurs. Furthermore, companies need to keep abreast of current attack trends by monitoring cyber intelligence reports from sources like the US Cyber Command Cyber National Mission Force (CNMF).

By taking these steps, organisations can work together in a coordinated fashion to better protect themselves from attacks by malicious actors such as those associated with the SolarWinds incident.

Best practices for cyber security

The SolarWinds attack is a particularly insidious attack that highlights the need for robust cyber security best practices. As such, here are some key measures organisations can take to protect themselves from similar attacks:


Prioritise protecting privileged access: Ensuring privileged users are properly monitored and their credentials regularly updated is the key to limiting intrusions. Adopt multi-factor authentication for privileged users, and implement additional authentication controls such as host-based or software-based authentication.

Enforce audit and logging requirements: Collecting and monitoring events within a controlled environment should be done routinely to identify any malicious activity or vulnerabilities. Organisations should also consider external auditing services to help identify suspicious activity that internal teams may not detect.

Integrate cyber intelligence into incident detection processes: Utilising third-party services can help monitor activity across different infrastructures and identify suspect activity rapidly in case of an attack by threat actors like this Chinese actor. Additionally, organisations should use data sources such as online threat intelligence sites and publicly available information to inform risk assessment decision making processes.

Implement basic security configurations: Organisations should deploy industry standard security configuration systems such as CIS Benchmarks for all servers, workstations, routers, firewalls and other networked devices on corporate networks and other locations containing sensitive data. This will ensure these devices are updated with the latest patches, have enabled firewalls, employ appropriate anti-malware programs, etc., drastically reducing exploitation success rates from attackers targeting vulnerable technologies across an organisation’s IT landscape.
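The article describes attackers using stolen domain administrator credentials to spread to other systems, and the practices above call for monitoring privileged users and collecting logon events. The following is an added example (not code from the article or from any vendor) of one detection that ties those two points together: it flags a privileged account that reaches an unusual number of distinct hosts from a single source within a short window. The account names, host names and logon records are constructed for illustration; the log format is a hypothetical simplified one, not any product's native format.

```python
"""Detect privileged-account fan-out (one account, one source, many destinations)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon records: timestamp, account, source host, destination host.
# Not real telemetry; the burst from WS-101 mimics lateral movement with a stolen admin credential.
SAMPLE_LOGONS = """\
2020-06-01T09:00:05Z DOMAIN\\admin.svc WS-101 FS-01
2020-06-01T09:00:40Z DOMAIN\\admin.svc WS-101 FS-02
2020-06-01T09:01:10Z DOMAIN\\admin.svc WS-101 DC-01
2020-06-01T09:01:55Z DOMAIN\\admin.svc WS-101 MAIL-01
2020-06-01T09:02:30Z DOMAIN\\admin.svc WS-101 SQL-03
2020-06-01T09:03:00Z DOMAIN\\jdoe WS-207 FS-01
2020-06-01T13:15:00Z DOMAIN\\admin.svc WS-101 FS-01
"""

# Hypothetical list of accounts the organisation treats as privileged.
PRIVILEGED = {"DOMAIN\\admin.svc"}


def parse_logons(text):
    """Parse the simplified log lines into (timestamp, account, src, dst) tuples."""
    events = []
    for line in text.splitlines():
        ts, account, src, dst = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, src, dst))
    return events


def find_fanout(events, privileged, window=timedelta(minutes=5), threshold=4):
    """Return {(account, src): sorted destinations} for each privileged account that
    logged on to at least `threshold` distinct hosts from one source inside `window`."""
    by_key = defaultdict(list)
    for ts, account, src, dst in sorted(events):  # sorted: timestamps ascend within each key
        if account in privileged:
            by_key[(account, src)].append((ts, dst))
    alerts = {}
    for key, seq in by_key.items():
        for i, (start, _) in enumerate(seq):
            # Distinct destinations reached within `window` of this logon.
            dsts = {d for t, d in seq[i:] if t - start <= window}
            if len(dsts) >= threshold:
                alerts[key] = sorted(dsts)
                break  # one alert per (account, source) is enough
    return alerts


if __name__ == "__main__":
    for (account, src), dsts in find_fanout(parse_logons(SAMPLE_LOGONS), PRIVILEGED).items():
        print(f"ALERT: {account} from {src} reached {len(dsts)} hosts: {', '.join(dsts)}")
```

The threshold and window are tuning knobs; a real deployment would baseline each privileged account's normal fan-out so that scheduled administration jobs do not trip the rule.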
