The SolarWinds Hack: Here’s A Run Down

You’ve likely heard a lot about the SolarWinds hack, an epic hack by presumably Russian actors of numerous US government departments. It’s kind of confusing to keep track of, so I’ve decided to write up a quick summary of this hack.

This incident began last week when security firm FireEye said that a state-sponsored hacking group, likely Russians, accessed its internal network, stole pen-testing tools and tried to access documents on its government contracts. That was bad. But it got worse when, while investigating the hack, FireEye traced the source of the hack to a malware-laced version of SolarWinds Orion, a network monitoring tool used inside large enterprise networks. SolarWinds was notified and admitted to the hack last week. But by that point, US government departments had been hacked on a huge scale. On top of that, SolarWinds admitted that everything from its internal networks to its Office365 accounts had been hacked, along with some 18,000 of its customers.

On Wednesday, Microsoft took steps to protect users by taking over the web domain that the first-stage malware used to report to attackers. Together with GoDaddy and FireEye, Microsoft turned the domain into a kill switch in order to prevent the malware from pinging back to its creators and downloading second-stage payloads. Though by that point the damage had been done. I’m sure that there was some self-interest there, as one of the victims of this attack was Microsoft itself.
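The kill switch works because the first-stage malware has to resolve its reporting domain before it can fetch anything, which means a defender's own DNS resolver logs are the place to look for affected hosts. The script below is an added example, not code from the post or from any of the companies named in it: it parses a few constructed resolver log lines, flags every client that resolved the (placeholder) sinkholed domain or any subdomain of it, and computes the gaps between those queries so that the roughly periodic check-in pattern of a beacon stands out from a one-off lookup. The log format, the domain name and the client addresses are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder for the sinkholed first-stage domain; the post does not name the real one.
SINKHOLED_DOMAIN = "example-c2-domain.invalid"

# Constructed resolver log lines (not real data) in a simple "timestamp client qname" format.
SAMPLE_DNS_LOG = """\
2020-12-14T09:00:12Z 10.1.4.22 www.microsoft.com
2020-12-14T09:02:40Z 10.1.4.22 abc123.appsync-api.example-c2-domain.invalid
2020-12-14T09:03:05Z 10.1.7.9 updates.solarwinds.com
2020-12-14T10:02:41Z 10.1.4.22 abc123.appsync-api.example-c2-domain.invalid
2020-12-14T11:02:39Z 10.1.4.22 abc123.appsync-api.example-c2-domain.invalid
2020-12-14T11:15:00Z 10.1.9.3 zzz9.appsync-api.example-c2-domain.invalid
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def parse_dns_log(text):
    """Parse log lines into (timestamp, client_ip, query_name) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        qname = m.group(3).lower().rstrip(".")  # normalise case and trailing dot
        events.append((ts, m.group(2), qname))
    return events


def is_subdomain_of(name, domain):
    """True for the domain itself and any label prefixed to it (beacons often use per-host subdomains)."""
    return name == domain or name.endswith("." + domain)


def find_beaconing_hosts(events, domain=SINKHOLED_DOMAIN):
    """Map each client that resolved the sinkholed domain to the timestamps of its queries."""
    hits = defaultdict(list)
    for ts, client, qname in events:
        if is_subdomain_of(qname, domain):
            hits[client].append(ts)
    return dict(hits)


def beacon_intervals_seconds(timestamps):
    """Seconds between consecutive queries; near-constant values suggest a scheduled check-in."""
    ts = sorted(timestamps)
    return [int((later - earlier).total_seconds()) for earlier, later in zip(ts, ts[1:])]


def triage(text, domain=SINKHOLED_DOMAIN):
    """Summarise, per client, how many times it resolved the domain and with what spacing."""
    report = {}
    for client, stamps in find_beaconing_hosts(parse_dns_log(text), domain).items():
        report[client] = {
            "queries": len(stamps),
            "intervals_s": beacon_intervals_seconds(stamps),
        }
    return report


if __name__ == "__main__":
    for client, summary in triage(SAMPLE_DNS_LOG).items():
        print(client, summary)
```

Running it against the sample lines reports 10.1.4.22 with three queries about an hour apart, which is the pattern worth escalating, and 10.1.9.3 with a single lookup that still deserves a look but carries less signal. Matching on the subdomain rather than the exact name matters because the per-host labels in front of the domain vary.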

As for the Russians who are allegedly behind this, The Washington Post claimed that Russia’s APT29 hacking group is behind the SolarWinds hack, but no government or security firm has backed up the paper’s claim. That said, this group has been behind other epic hacks and is linked to the Russian government, so the claim seems plausible.

Chris Hickman, chief security officer at digital identity security vendor Keyfactor, had this to say about the hack and how the bad actors were able to pull it off:

“Code signing is one component of the SolarWinds breach, but not because of a stolen certificate. Attackers were able to inject malware into the build process, which is difficult to detect. They were able to compromise certificates allowing them to fabricate fake tokens for network access, traversing that to cloud access and subsequently manage network access and user permissions.”

Lovely. And it is likely we have not heard the last of this story. Stay tuned for updates as this story evolves.
