CDI’s Statement on SolarWinds Orion and Similar Advanced Threats
By Josh More, Chief Information Security Officer, CDI
*Last Updated January 14, 2021*
Summary of Issue:
On December 13, 2020, it was publicly announced that state-level attackers had compromised three versions of SolarWinds Orion – a network monitoring platform – and used it to access many high-profile organizations. Organizations known to be impacted include the U.S. Department of Homeland Security and the Pentagon, as well as several other agencies. Certain businesses were also successfully attacked, such as the information security firm FireEye.
It is believed that attackers have had access to these organizations since October of 2019, possibly as early as 2017, when the SolarWinds software was initially compromised. There are also indications that a similar attack group engaged in supply chain attacks on other vendors. At the time of this writing, these indications have not been officially confirmed.
Impact on CDI and CDI’s Customers:
CDI does not use and has not used SolarWinds Orion for network monitoring, so there is no impact to CDI’s operations. Certain CDI customers have used SolarWinds during the period of concern, however CDI’s network connections to customers are highly segmented, and any compromise at one CDI customer cannot impact another across CDI’s network. At this time, no compromise at any customer has been found.
In short, if you are not running SolarWinds Orion on your own network, there is no risk to you from this attack.
At present, CDI is completing our process of reaching out to CDI customers known to be using SolarWinds Orion and verifying:
- Whether each potentially impacted customer was running a vulnerable version of the software
- If a vulnerable version was in use, whether the configuration of the software and firewalls could have facilitated network intrusion
- If a threat was technically possible, which actions should be taken to further identify the level of risk
For further questions or to schedule a call with CDI’s information security team, please contact us at CDI.Security@cdillc.com.
For technical details of this issue, please see previous notifications from CDI or contact us at firstname.lastname@example.org.
This attack builds on previous patterns seen by advanced state-funded attacker groups. The attacks focused on the supply chain, allowing access to a large number of organizations. The attackers demonstrated a high level of skill in terms of both gaining access to networks and maintaining such access, undiscovered, for several months, despite significant investment by the US in monitoring for such attacks.
While SolarWinds Orion is used in many organizations, SolarWinds has reported that only 18,000 organizations downloaded the compromised software, greatly reducing the number of potential intrusions. Additionally, while attacker attribution is difficult, indications are that the group behind this attack was largely focused on U.S. agencies and high-profile companies in the information security industry, greatly reducing the number of entities believed to be targeted. The same pattern appears to hold for related attacks. While it is unreasonable to believe that all supply chain attacks will result in widespread vulnerability with very minimal exploitation, this does appear to be the case today.
Additionally, once the issue was known, several groups publicly released detection methods for both the vulnerabilities and signatures for attacks exploiting the vulnerabilities. Furthermore, steps were taken by infrastructure providers – such as Microsoft – to interfere or eliminate the attackers’ ability to exploit the issues through new attacks.
If you were running a vulnerable version of SolarWinds Orion, Mimecast with Windows 365 integration, Microsoft Windows Defender, or similarly targeted software, it is CDI’s recommendation that you consider a forensics process to identify potential indications of compromise. However, it is also important to realize that most organizations do not collect the level of logging data necessary to know, for certain, whether compromise occurred, and there will usually be some level of uncertainty around events like these. There will inevitably be a point of diminishing returns and, for many firms, it will make sense to move resources towards improving detection and defense instead of Forensics.
CDI is available for discussion, should any clients wish to discuss these issues in greater detail.