CTA Members Respond to Ongoing SolarWinds Incident

On December 13, FireEye and Microsoft released information regarding a newly discovered campaign in which nation-state actors leveraged access to the SolarWinds Orion Platform. The SolarWinds Orion Platform is used for IT infrastructure management in many government agencies and corporate networks. The actors compromised the SolarWinds supply chain to trojanize its software updates and gain access to SolarWinds’ customers. In response, the United States Cybersecurity and Infrastructure Security Agency (CISA) released an emergency directive instructing US Government agencies to disconnect or power down SolarWinds Orion products immediately. Several departments and agencies are known to be compromised, and a Cyber Unified Coordination Group has been established to respond to this incident.

CTA members are working to identify and assist their customers who may be at risk from this incident, and are publishing blogs and reports that detail their actions, as well as protections and mitigations that would be helpful for response efforts. As part of this effort, CTA members are sharing information to ensure that we are coordinated and working together for the greater good. We will provide links to our members’ reports and updates related to this incident in this blog, updating it regularly with new information.

Actionable Threat Intelligence Available for Sunburst Cyber Attacks on SolarWinds
Anomali ThreatStream Sunburst Backdoor Custom Dashboard Provides Machine Readable IOCs Related To SolarWinds Supply Chain Attack
FireEye, SolarWinds Hacks Show That Detection Is Key to Solid Defense

Check Point
SUNBURST, TEARDROP and the NetSec New Normal
Best Practice: Identifying and Mitigating The Impact of Sunburst
SolarWinds Sunburst Attack: What Do You Need to Know and How Can You Remain Protected

Cisco (Talos Intelligence Group)
SolarWinds Orion Platform Supply Chain Attack
Cisco Event Response: SolarWinds Orion Platform Software Attack
Threat Advisory: SolarWinds Supply Chain Attack
FireEye Breach Detection Guidance

SolarWinds Compromise and ICS/OT Networks Webinar Recording
Responding to the SolarWinds Software Compromise in Industrial Environments

What We Have Learned So Far About The “Sunburst”/SolarWinds Hack
FireEye Red Team Tool Breach

The FireEye Breach and the SolarWinds Supply Chain Compromise Campaign
Flash Alert: FireEye Breach

Why SolarWinds-SUNBURST is our Cyber Pearl Harbor
How a Device to Cloud Architecture Defends Against the SolarWinds Supply Chain Compromise
Additional Analysis Into the SUNBURST Backdoor
SUNBURST Malware and SolarWinds Supply Chain Compromise
McAfee Coverage for SolarWinds Sunburst Backdoor

Palo Alto Networks (Unit42)
SolarStorm Supply Chain Attack Timeline
You Think You’re Prepared for the Next SolarWinds. You Are Not.
Palo Alto Networks Rapid Response: Navigating the SolarStorm Attack
SUPERNOVA: SolarStorm’s Novel .NET Webshell
Threat Brief: SolarStorm and SUNBURST Customer Coverage
Threat Brief: FireEye Red Team Tool Breach

Panda Security
Multiple Government Agencies Hacked by Russia-backed Actors

FireEye Hack Turns Into a Global Supply Chain Attack

Update on SolarWinds Supply-Chain Attack: SUNSPOT and New Malware Family Associations
SolarWinds SUNBURST Backdoor Supply Chain Attack: What You Need to Know

SunBurst: The Next Level of Stealth

SolarWinds Compromise May Have Begun 5 Months Earlier Than Suspected and May Still Be Delivering Compromised Components

SolarWinds Orion Vulnerability
Massive Supply-Chain Attack Targets SolarWinds Orion Platform

How SunBurst Malware Does Defense Evasion
Incident Response Playbook for Responding to SolarWinds Orion Compromise
SolarWinds Breach: How to Identify if You Have Been Affected
Reassuring Sophos Customers Following the Theft of Mandiant/FireEye Tools

Symantec – A Division of Broadcom
SolarWinds: How a Rare DGA Helped Attacker Communications Fly Under the Radar
SolarWinds Attacks: Stealthy Attackers Attempted To Evade Detection
Sunburst: Supply Chain Attack Targets SolarWinds Users

(Last updated 2:00PM EST, January 15, 2020)


Author: Neil Jenkins

As Chief Analytic Officer, Neil leads CTA’s analytic efforts, focusing on the development of threat profiles, adversary playbooks, and other analysis using the threat intelligence in the CTA Platform. Previously, he served in various roles within the Department of Homeland Security, Department of Defense, and Center for Naval Analyses, where he spearheaded numerous initiatives tied to cybersecurity strategy, policy, and operational planning for both the public and private sectors.