Image credit to Wikimedia Commons. Image modified from original.
Last week, a CISA emergency directive called on all federal civilian agencies to review and power down or disconnect all SolarWinds Orion Products.
experts on the Internet, a certain version of SolarWinds has contained a backdoor since March 2020.
On December 13, several news outlets, including Reuters, The Washington Post, and The Wall Street Journal, reported that multiple U.S. government agencies were the victims of a significant breach reportedly linked to hackers associated with a nation-state. Additional reporting has since confirmed a direct connection between this breach and last week’s cybersecurity firm FireEye breach. According to a tweet from Dustin Volz, a reporter for The Wall Street Journal, the source of the breach was “a flaw in IT firm SolarWinds.”
The backdoor has been available since March after the June versions of SolarWinds were rolled out.
The backdoor resides in a dynamic-link library (DLL) file named SolarWinds.Orion.Core.BusinessLayer.dll. The file was digitally signed by SolarWinds with a valid certificate on March 24, meaning it would be trusted by the underlying operating system and would not raise any alarms. The backdoored DLL was seeded into SolarWinds software builds between March and June 2020, which were accessible via the SolarWinds website. Once an organization installed the malicious software update, the backdoored DLL would lie dormant for two weeks before beginning its operation. This is one of the stealthy elements of the operation. FireEye says in its blog post that the backdoor also managed to “blend in with legitimate SolarWinds activity” to evade detection.
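As an added example (not from the original article, nor from SolarWinds or FireEye), the following PowerShell script is the kind of host inventory an administrator would run when told to review Orion installations: it locates the DLL named above, records its hash, version and Authenticode signature, and writes the result for comparison against the vendor's advisory. The search root and report path are assumptions; a status of Valid is not evidence the file is clean, since the backdoored build was validly signed.

```powershell
# Added example: inventory SolarWinds.Orion.Core.BusinessLayer.dll on this host.
# Assumptions: the search root and report path below are placeholders, not from the article.
$SearchRoot = 'C:\Program Files (x86)\SolarWinds'   # assumed default install location
$Report     = "$env:TEMP\solarwinds-dll-inventory.csv"
$DllName    = 'SolarWinds.Orion.Core.BusinessLayer.dll'

$results = Get-ChildItem -Path $SearchRoot -Filter $DllName -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [PSCustomObject]@{
            Host          = $env:COMPUTERNAME
            Path          = $_.FullName
            FileVersion   = $_.VersionInfo.FileVersion
            LastWriteTime = $_.LastWriteTime
            SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            # 'Valid' does NOT mean clean: the tampered DLL carried a valid SolarWinds signature.
            SigStatus     = $sig.Status
            Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }

if (-not $results) {
    Write-Output "No copy of $DllName found under $SearchRoot."
} else {
    $results | Format-Table -AutoSize
    $results | Export-Csv -Path $Report -NoTypeInformation
    Write-Output "Wrote $(@($results).Count) entries to $Report; compare SHA256 and FileVersion against the SolarWinds advisory."
}
```

Run it per host (or via remoting) and collect the CSV files centrally so the affected-version comparison is done once against the vendor's published list rather than by eye on each machine.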
At that point, SolarWinds filed a report with the SEC in which it mentioned that 18,000 customers had the backdoor problem.
On December 14, SolarWinds filed a Form 8-K with the U.S. Securities and Exchange Commission that sheds light on this incident’s potential impact. In the 8-K, SolarWinds says it believes the number of customers with an active installation of Orion products containing this backdoor is “fewer than 18,000.” According to the Microsoft TAR and the FireEye blog post, a “highly sophisticated” adversary managed to breach the supply chain of SolarWinds, a company that develops IT infrastructure management software, resulting in malicious code being placed inside the company’s Orion Platform software builds.
The question here that begs to be asked is, did SolarWinds and Dominion know of the breach, and were they secretly working with the “foreign adversary” to ensure that the backdoor remained open in the 2020 election?