SolarWinds Cyberattack: Threat Intelligence Primer
Exposure to the SolarWinds cyberattack continues to grow in size and scope for companies of all sizes, as well as federal, state, and local government agencies. Given the scale of the attack—which targeted the company’s IT management platform, SolarWinds Orion—it’s clear that all organizations must take swift action to assess their own exposure and reevaluate the controls, processes, and intelligence they use to mitigate third-party risk.
Two Weeks in, Attack Continues to Expand Across Public and Private Sectors
For a quick summary of where things stand two weeks after news of the attack first broke, here’s a brief recap of what we know:
- The U.S. government has blamed Russia for the attack: U.S. officials, including Secretary of State Mike Pompeo, have publicly pinned the attack on Russia’s threat actor group APT29, also known as “CozyBear.” (Washington Post)
- This sophisticated third-party supply chain attack is one of the largest to come to light. By compromising SolarWinds Orion, an IT management platform widely used by tens of thousands of organizations, Russian hackers distributed their “Sunburst” malware to as many as 18,000 of SolarWinds’s more than 33,000 global customers. The attack was conducted with novel methods and techniques circumventing traditional security controls. (WSJ, FireEye)
- Targets of the Sunburst malware include US federal, state, and local agencies, Fortune 500 corporations, and critical infrastructure. SolarWinds notified 33,000 customer organizations and designated fewer than 18,000 of them as high-risk. The list of confirmed victims continues to grow and includes banks, federal agencies, municipal governments, hospitals, telecommunications providers, and public schools and universities. (WSJ, SolarWinds SEC Filing)
- Intruders remain active with fallout ongoing—it may take months to remediate impacted organizations. Some intrusions reportedly go as far back as March 2020, and it may take months for organizations to identify the malware, clean up and verify their networks, and ensure the attack has been mitigated. As new developments continue, organizations will learn more about the scope and scale of the attack and how to bolster security to prevent or mitigate such incidents in the future. (Washington Post)
SolarWinds: News and Events Timeline
December 8, 2020: FireEye discloses a significant security breach. Attackers successfully infiltrated FireEye networks and stole their proprietary suite of “red team” tools, a suite of software that the company uses in its penetration testing services to detect and remediate security flaws.
December 13, 2020: SolarWinds acknowledges its breach, formally disclosing it in a filing with the US Securities and Exchange Commission (SEC) the following day. In the SEC filing, SolarWinds reveals that it had notified 33,000 customer organizations, with around 18,000 SolarWinds customers using compromised versions of its software. The US Cybersecurity and Infrastructure Security Agency (CISA) issues Emergency Directive 21-01 on the SolarWinds compromise.
December 14, 2020: The Washington Post confirms reports that Russian-sponsored APT29, “CozyBear,” is behind the cyberattack.
December 16, 2020: The FBI, CISA, and ODNI form a new Cyber Unified Coordination Group (UCG) to coordinate the response to the unfolding cyber incident across US government agencies.
December 17, 2020: Additional malware dubbed “Supernova” is discovered, along with strong indicators of a second threat actor, unrelated to APT29, also compromising SolarWinds.
December 18, 2020: U.S. Secretary of State Mike Pompeo confirms that Russia was behind the attack.
December 21, 2020: The SolarWinds victim list grows as new reports add more government agencies, tech giants, accounting firms, and Fortune 500 companies, among many others.
December 24, 2020: CISA says the cyberattack extends beyond federal agencies, hitting state and local governments, as well as critical infrastructure entities.
Continuing exposure: With intrusions still active, we can expect new information and events to continue well into 2021 and widen internationally. For instance, the US recently called for joint international condemnation of the intrusion during a meeting with international sharing alliance members, including Five Eyes countries Canada and the United Kingdom.
Leveraging Threat Intelligence to Mitigate the Risk of the SolarWinds Hack
While the SolarWinds hack is extraordinary in its scale and sophistication, there are steps that security and intelligence professionals can take to safeguard their organizations and mitigate associated risks of these types of attacks. Actionable threat intelligence, in particular, can play the same critical role as it does in more targeted attacks: rapidly identify a threat’s impact to an organization, understand the organization’s exposure, take action to remediate the threat, and apply learnings to further bolster the organization’s security posture.
Especially in cases like SolarWinds, where rapidly changing information and updates need to be validated, trusted external threat intelligence is essential. Through the painstaking work of vetting, validating, testing, and confirming the flood of inbound information and claims, external threat intelligence provides organizations a competitive edge as they stay laser-focused on their response and on taking necessary action, rather than trying to keep pace with today’s nonstop news cycle.
To help our customers rapidly mitigate the risks presented by the SolarWinds attack and the accompanying Sunburst and Supernova malware, Flashpoint offers a suite of intelligence tools to rapidly assess and address the hack:
- Dedicated knowledge centers, hand-curated by Flashpoint analysts. For new, critical, and unfolding events, Flashpoint sets up Analyst Knowledge Pages in which Flashpoint analysts serve as human-readable touchstones for the latest news, happenings, technical information, and aftermath related to the hack. Likewise, Flashpoint debunks rumors and misinformation that lead to ineffective decision-making and wasted time.
- Peer-led collaboration and sharing via Flashpoint Collaborative Community. Especially with front-page news attacks affecting massive numbers of organizations, the Flashpoint Collaborative Community (FPCollab) jumps into high gear. In an incredible showing of that community, our customers share closed source information, indicators, and other intelligence with each other, often uncovering data and information not yet available in the public domain. In this way, our customers keep each other one step ahead of the news.
- Continually updated technical intelligence. By applying threat intelligence in vulnerability management processes, organizations can better address and prioritize known exposures automatically in the days, weeks, and months following the attack. Flashpoint’s malware experts develop, validate, and expand on known technical indicators, providing unique context on the vulnerabilities sent through customer systems via our API and integration ecosystem.
- Threat actor chatter and behavior monitoring. As the SolarWinds exploits continue to spread, there will surely be new threat actors who try to leverage the same vulnerabilities and tooling to execute subsequent cyberattacks. Through our industry-leading threat collection and monitoring of underground threat actor communities, discussion boards, and marketplaces, Flashpoint will continue to monitor and identify new related threats. In fact, just last week, Flashpoint identified an anonymous threat actor purporting to sell SolarWinds tools on the text storage site, Deep Paste, which prompted Flashpoint to run an immediate credibility assessment.
Where Do We Go from Here?
In the short term, the focus remains on identifying and remediating threats associated with the current SolarWinds cyberattack. Flashpoint will also continue to trace the attack’s influence through global threat actor communities and help organizations quickly identify and mitigate subsequent derivative attacks.
More broadly, it’s clearer than ever that no organization—no matter how small or well-protected—is immune from these massive supply-chain attacks. Third-party risk remains an intractable issue for public and private sector organizations alike. Since no IT or security provider has unfettered access to all the internal data, security, and intelligence of other organizations, the external perspective that threat intelligence provides is critical to stay ahead of unknown risks. And when attacks do occur, we deploy our skills, experience, and resources immediately so that organizations remain informed and able to take rapid, decisive action.