As the infosec research community and cyber-security firms remain focused on figuring out the extent of the damage from the supply chain attack on SolarWinds systems, more details surface every day. It all started with FireEye, then blew up with the U.S. Treasury, and soon after that, it became clear that many federal agencies had been compromised in the same way. Experts' first estimates pointed to a high chance of this being the work of “Cozy Bear,” the elusive Russian state actor, but it now appears that there’s a lot more going on.
According to forensic analysts in the field, the “Sunburst” malware contained in the laced Orion update came from two different directions, i.e., two hacking groups: a diligent and highly sophisticated one that bothered to sign the backdoor with a valid digital certificate, and one that didn’t. The latter sounds like a “Fancy Bear” practice, so the two Russian hacking groups may have used the same malware but in different ways.
Then there are the details that emerge about who has been affected. Initially, SolarWinds said the number could be as high as 18,000, so there’s a lot to figure out on that part. So far, the following firms have confirmed Sunburst breaches:
Many of the giants mentioned above have admitted the breach via a statement but clarified that the malware hadn’t found its way downstream to client-facing solutions. Others are suspected of having played a key role in the infection.
Some firms found indicators of compromise on their internal networks but didn’t see any indication of exploitation. With the malicious Orion update being pushed to such a large number of systems, it is obvious that hackers couldn’t follow up with all targets.
And to make matters even more complicated, CISA has previously stated that it has evidence the hackers used not only the SolarWinds backdoor as a way in, but at least one more backdoor. However, no further details have been publicly shared about this possibility yet.