My guess is it's probably the reason FireEye got compromised. They haven't explicitly stated it, but the timing ain't a coincidence. Based on the "highly sophisticated, manual supply chain attack", it sounds like they had someone inside slipping something extra into their patches.
Solarwinds Advisory
CRN Article
FireEye Analysis
Solarwinds Advisory
Quote:
SolarWinds has just been made aware our systems experienced a highly sophisticated, manual supply chain attack on SolarWinds Orion Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020. We have been advised this attack was likely conducted by an outside nation state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack.
CRN Article
Quote:
SolarWinds confirmed in a security advisory issued late Sunday that it experienced a manual supply chain attack on versions of Orion released between March and June of this year.
"The campaign demonstrates top-tier operational tradecraft and resourcing consistent with state-sponsored threat actors," Mandia said. "Our analysis indicates that these compromises are not self-propagating; each of the attacks require meticulous planning and manual interaction."
...
"This campaign may have begun as early as Spring 2020 and is currently ongoing," FireEye's threat researchers said. "The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security."
The malware masquerades its network traffic and stores reconnaissance results within legitimate plugin configuration files, allowing it to blend in with legitimate SolarWinds activity, according to FireEye threat researchers. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers, they said.
FireEye Analysis
Quote:
- FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.
- The attacker's post-compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.
- The campaign is widespread, affecting public and private organizations around the world.
- FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.
...
FireEye has detected this activity at multiple entities worldwide. The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.