INTRODUCTION
THE SECURITY IMPLICATIONS OF A CONNECTED WORLD
To go forward sometimes we need to look back in time. In 2017, the NotPetya cyberattack temporarily crippled the shipping industry and many global organizations. It also revealed the depth of interdependence between global information systems. The attack started from a single stack of servers responsible for pushing updates to M.E.Doc, a widely used Ukrainian tax accounting package, and used that trusted update channel as a foothold to reach tens of thousands of systems around the world. Sound familiar?
Like NotPetya, the recent SolarWinds Orion SUNBURST attack exploited the software supply chain to gain access to multiple organizations with a single piece of malware delivered through a legitimate, signed update. Where NotPetya was overt in its mission to wreak havoc on its targets, SUNBURST was designed to be covert, prioritizing stealth and persistent backdoor access over immediate damage.
What attackers intend to do with that access remains to be seen. What we do know is that the advanced defense-evasion techniques used in SUNBURST successfully bypassed most—but not all—of the security tools defenders rely on, including perimeter defenses, endpoint detection, and antivirus. Even an attack as sophisticated as SUNBURST cannot avoid leaving traces in network traffic: the implant still has to resolve its command-and-control domain, and any lateral movement or exfiltration that follows still crosses the wire.
In this report, we show how network data can be used to gain a more comprehensive understanding of the SUNBURST supply chain attack. This includes proprietary research that identified additional indicators of compromise (IOCs) associated with SUNBURST. It also includes new insight into the specific attack patterns the attackers used to move laterally within networks, escalate privileges, and exfiltrate data. Finally, we delve into real case studies of how our customers used network detection and response (NDR) to identify affected SolarWinds binaries, forensically investigate post-compromise activity, and take swift remediation action.
Cloud Implications
Microsoft research has indicated that, after gaining a foothold, attackers then moved to gain access to cloud-based assets. Other researchers have pointed out that SolarWinds Orion stores credentials for the infrastructure it monitors, which can include cloud API keys. Large, hybrid attack surfaces pose unique challenges to understanding the extent of SUNBURST compromise.
Further complicating the investigation is the fact that the initial intrusion happened months prior. Security teams have to search backward in time, across complex (and likely hybrid) environments, to find where and when to focus deeper investigations—if evidence even still exists for that time period. This is blurring the lines between threat hunting, detection, and incident response, making it harder to answer questions like “did attackers access critical cloud infrastructure?”
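The kind of backward-in-time search described above can be illustrated with a small hunt over historical DNS records. The following is an added example, not code from this report or from any vendor product. The only real indicator it uses is the avsvmcloud.com domain that SUNBURST resolved for its first-stage command and control, as documented in public reporting; the log lines, host names, subdomain labels, and the retention window are all constructed for the example. The point it makes is the caveat in the paragraph above: when a host's earliest observed beacon sits at the very start of the data you still have, the true first contact may be older than your evidence.

```python
"""Hunt retained DNS logs for SUNBURST first-stage C2 resolution.

Added example, not from the report. Real indicator: the avsvmcloud.com
parent domain (public reporting). Everything else here is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SUNBURST resolved generated subdomains under this parent domain to reach
# its first-stage C2. Matching on the parent catches every such label.
C2_PARENT_DOMAINS = {"avsvmcloud.com"}

# Constructed DNS log (timestamp, client host, queried name). Not real data.
# The subdomain labels are invented placeholders, not decoded SUNBURST beacons.
SAMPLE_DNS_LOG = """\
2020-03-26T02:14:09Z orion-01.corp.example 7sbvaemscs0mc925tb99.appsync-api.eu-west-1.avsvmcloud.com
2020-03-26T03:10:41Z orion-01.corp.example 7sbvaemscs0mc925tb99.appsync-api.eu-west-1.avsvmcloud.com
2020-06-02T11:05:33Z orion-02.corp.example r1q6arhpujcf6jb6qqqq.appsync-api.us-east-2.avsvmcloud.com
2020-06-02T11:06:00Z wks-113.corp.example www.example.com
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(text):
    """Parse the log's UTC timestamp format into a datetime."""
    return datetime.strptime(text, TS_FORMAT)


def parse_dns_log(text):
    """Turn whitespace-separated log lines into (datetime, host, name) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name = line.split()
        # Normalise case and any trailing dot so suffix matching is exact.
        records.append((parse_ts(ts), host, name.lower().rstrip(".")))
    return records


def matches_c2(name):
    """True when the queried name is, or is a subdomain of, a C2 parent domain."""
    labels = name.split(".")
    # Check every label suffix so avsvmcloud.com.example.org does NOT match.
    return any(".".join(labels[i:]) in C2_PARENT_DOMAINS for i in range(len(labels)))


def first_seen_by_host(records, retention_start_iso, boundary=timedelta(days=1)):
    """Map each host that resolved a C2 domain to (first_seen, at_retention_edge).

    at_retention_edge is True when the earliest hit falls within `boundary`
    of the oldest retained data (an assumed window, supplied by the caller),
    meaning the real first contact may predate the evidence that still exists.
    """
    retention_start = parse_ts(retention_start_iso)
    hits = defaultdict(list)
    for ts, host, name in records:
        if matches_c2(name):
            hits[host].append(ts)
    result = {}
    for host, stamps in hits.items():
        first = min(stamps)
        result[host] = (first, first - retention_start < boundary)
    return result


if __name__ == "__main__":
    # Assumed retention: logs only go back to 2020-03-26 in this constructed case.
    findings = first_seen_by_host(parse_dns_log(SAMPLE_DNS_LOG), "2020-03-26T00:00:00Z")
    for host, (first, at_edge) in sorted(findings.items()):
        note = " (at retention edge: earlier activity possible)" if at_edge else ""
        print(f"{host}: first C2 resolution {first.isoformat()}Z{note}")
```

In the constructed log, orion-01 is flagged as sitting at the retention edge, so its reported first-seen time is a lower bound rather than an answer; orion-02 is not. Extending the same hunt to cloud audit logs (first use of a credential that Orion held) is the natural next step, but those logs have their own, often shorter, retention windows and the same caveat applies.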