What OT Needs to Know About the SolarWinds Compromise
By Grant Geyer | December 17, 2020
The compromise of SolarWinds’ Orion IT network management platform has dominated headlines due to the scope, impact, and stealthy nature of the attack. In what is known as a “supply chain” attack, SolarWinds’ internal build and update-distribution systems were compromised and malicious updates were sent to 18,000 of 33,000 Orion customers, according to SolarWinds’ SEC 8-K filing on Monday, enabling hackers to hide in plain sight for several months of espionage activities.
Numerous high-value U.S. government agencies are Orion customers, and several have announced that they were attacked, including the U.S. Department of Commerce, the U.S. Department of Treasury, and the U.S Department of Homeland Security, and FireEye publicly disclosed it was compromised and hundreds of its red-teaming tools were accessed, the company said.
Given SolarWinds’ ubiquity inside enterprises and public-sector agencies, the extent of the impact of the attacks—allegedly by Russian intelligence agencies—may not be known for some time. But the stealthy nature of this supply-chain attack, and the advanced capabilities and backdoors in use, should put any organization that includes nation-state actors as part of their threat mode on alert, including critical infrastructure, industrial control systems (ICS), and SCADA operators.
While IT security teams have scrambled to assess risk and remediate, it’s critical for operational technology (OT) asset owners and operators to think through the risk and remediation activities. Here are some things you need to know today if you manage OT networks and are responsible for industrial cybersecurity:
First, some good news. On Wednesday, domain registrar GoDaddy, along with FireEye, and Microsoft announced that a domain under the attackers’ control, avsvmcloud[.]com, had been seized and was now being operated by Microsoft. The domain has been turned into a killswitch under a collaboration between the three organizations, according to Krebs on Security. To be clear, while the killswitch does prevent malware updates, it does not remove the SUNBURST malware and backdoor from compromised systems, nor does it prevent intruders from continuing to exploit their footholds in organizations—so don’t take your foot off the pedal in terms of remediation activities.
What Industrial Enterprises Need to Know
Businesses that use SolarWinds’ Orion platform to manage IT should also understand how their OT networks and industrial processes may also be impacted by this attack.
The malicious Sunburst backdoor included in the Orion updates is difficult to detect because it is digitally signed by SolarWinds and treated as legitimate software traffic by the target host and enterprise-grade detection software. There is no “vulnerability to detect” per se—the software is the vulnerability. Asset operators need to be able to catalog the software in the OT environment to understand if they have affected versions SolarWinds Orion running.
The Orion platform is largely a network performance management system that pulls data from connected systems in order to pinpoint any significant issues that need remediation. Organizations use it to centrally manage an IT environment from a single dashboard. The platform also locally stores credentials to assets and applications throughout the environment. Therefore the scope of the potential compromise for any organization is much larger than the SolarWinds Orion software. Ensure you’re thinking about compromise scoping in this context.
With the previous two points in mind, if you find any instances of SolarWinds in the environment that means you need to rebuild the Orion system, and any system it has credentials to access. That’s the only way to address the full scope of the compromise.
Attackers had been using Orion to distribute multiple signed malicious updates since March and into May. The SUNBURST backdoor has enabled the attackers a seemingly legitimate presence on networks. Once inside, it’s likely that they have been able to move laterally on Orion customer networks to gain access to other network domains in order to steal data or exploit other vulnerabilities. As organizations tend to “whitelist” network management systems to prevent false positives, the attackers have been able to use this foothold to hide in plain sight. Asset operators, therefore, need to leverage detection techniques to look for anomalous traffic in the OT environment.
Security teams should inspect domain (DNS) activity for unusual or suspicious requests. In particular, look for connections to avsvmcloud[.]com which is a beaconing indicator of compromised instances of SolarWinds Orion.
Even if you’ve taken all of these steps, it is possible that attackers are in the environment and have established additional footholds or backdoors. Therefore it’s critical that you have detection tools in place that rely upon a variety of different detection methodologies to spot an attacker. Doing this ensures you have a broad set of traps and snares to catch lateral movement.
We are all still learning about the SolarWinds compromise, and this is a very fluid situation with an impact and scope not yet fully understood. Yet, asset owner-operators can and should take purposeful steps to triage their environments, assess risk, and drive remediation activities.
Organizations running the following affected versions should update to the corresponding hotfix versions:
Orion Platform v2019.4 HF 5 ———-> update to Orion Platform version 2019.4 HF 6
Orion Platform v2020.2 with no hotfix ———-> update to Orion Platform version 2020.2.1 HF 2
Orion Platform v2020.2 HF 1 ———-> update to Orion Platform version 2020.2.1 HF 2