
SolarWinds Data Breach

Cybersecurity company FireEye discovers major breach of SolarWinds.

Last week, details began to emerge about a major data breach at SolarWinds involving thousands of large companies across the globe. Another victim of this breach: the United States Federal Government. Reportedly, the software called Orion, which is used by companies and governments around the world, had malware inserted into an update file that was distributed to many of SolarWinds' customers.

The attack was first identified by cybersecurity firm FireEye while surveying its own internal networks. FireEye is a large and globally known cybersecurity firm that not only protects others' networks but also has a very skilled "ethical hacking" team within the organization called Mandiant.

FireEye employees spotted the potentially malicious activity on their networks and quickly moved to notify the authorities and SolarWinds, which they believed to be the source of the attack. The identified malicious files came from an infected update file from SolarWinds that granted the foreign actors access to the network in ways previously very difficult to obtain.

"According to FireEye, once installed in a system, the malware remained quiet for a couple of weeks and then masqueraded as the Orion Improvement Program protocol."

Once the threat was known to impact the US Federal Government, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Homeland Security (DHS) released emergency advisories ordering every federal agency with SolarWinds Orion servers running to "shut them down immediately". This was the first time such an order had ever been given, which speaks to the serious and complicated nature of this attack.

"CISA ISSUES EMERGENCY DIRECTIVE TO MITIGATE THE COMPROMISE OF SOLARWINDS ORION NETWORK MANAGEMENT PRODUCTS"

Through threat intelligence and other intelligence gathering techniques, experts believe there is sufficient evidence pointing to APT29, a group of Russian state-funded cyberspace actors. APT29 is believed to be responsible for several other high-level cyber incidents. Incidents such as the spear phishing campaign against the Pentagon and the use of zero-day vulnerabilities are common practice for these types of hacking groups, which are linked to the Kremlin.

So far, the exact size and scale of this attack on thousands of organizations worldwide is unknown, and it will likely remain so for some time. However, due to the impact this threat has on organizations, if you are running the SolarWinds Orion software, it is advised that you shut down these servers immediately. Information on potential remedies is listed by DHS.

In the meantime, while we continue to follow this story, we want our customers to know that Midshore Technology Services does in fact use some SolarWinds products. However, these products are not known to be exploited at this time. We have proactively taken multiple countermeasures to ensure that our systems and, by extension, your systems are safe and secure. As the situation develops, we will continue to adapt our operating procedures to keep providing the same level of due diligence and care for your networks as is expected of us.

We have taken the following steps to ensure our customers are safeguarded:

  • All SolarWinds products have been updated with the latest encryption keys
  • We have used the information provided by CISA and DHS to include signatures for the malware in our endpoint protection suite (installed on all managed customer PCs)
  • We are coordinating with the Federal Government to ensure we have the latest information and safeguards as they are made available
  • We are coordinating with SolarWinds and taking the actions suggested by their incident response teams

Additionally, if your organization is concerned that you may have been breached, rest assured that it is unlikely if you do not run the SolarWinds Orion product. If you do use this software and want assurances or an assessment, contact us and we can investigate.

We will continue to post updates as they come in.