But they had been at it for only 24 hours when they found what they had been looking for: a single file that seemed to be responsible for the rogue traffic. Carmakal believes it was December 11 when they found it.
The file was a .dll, or dynamic link library: a code component shared by other programs. This .dll was large, containing around 46,000 lines of code that performed over 4,000 legitimate actions and, as they discovered after analyzing it for an hour, one illegitimate one.
The main job of the .dll was to report a client’s use of Orion back to SolarWinds. But the hackers had embedded malicious code that caused it to transmit intelligence about the victim’s network to their command-and-control server instead. Ballenthin dubbed the malware “Sunburst,” a play on SolarWinds. They were delighted with the discovery. But now they had to figure out how the intruders had gotten it into Orion’s .dll file.
This was far from trivial. The Orion .dll file was signed with a SolarWinds digital certificate, which was supposed to verify that the file was legitimate company code. One possibility was that the attackers had stolen the signing certificate, created a corrupted version of the Orion file, signed it to make it appear authentic, and then installed the corrupted .dll on Mandiant’s server. Or, more alarmingly, they could have breached the SolarWinds network and altered the legitimate source code of the Orion .dll before SolarWinds compiled it into software and signed it. The second scenario seemed so far-fetched that the Mandiant team didn’t seriously consider it, until a researcher downloaded an Orion software update from the SolarWinds website. The back door was there.
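The practical lesson of the two scenarios above is that an Authenticode check only proves who signed a DLL, not that the build it came from was clean: in the second scenario the vendor signs the tampered code itself, so signature status has to be combined with a hash comparison against values the vendor publishes separately. The PowerShell triage script below is an added example written for this page, not code from the article, from Mandiant or from SolarWinds. The install directory in the parameter and the empty allowlist table are assumptions; fill the table with the vendor's published SHA256 values before relying on its verdicts.

```powershell
# Added example (not from the article): triage Orion DLLs on a Windows host.
# A 'Valid' Authenticode status says the bytes match what SolarWinds signed;
# it says nothing about whether those bytes were backdoored before signing.
# Assumptions: the default $OrionDir is an assumed install path, and $KnownGood
# is a placeholder allowlist (file name -> vendor-published SHA256) that is
# empty here and must be filled from the vendor advisory.

param(
    [string]$OrionDir = 'C:\Program Files (x86)\SolarWinds\Orion'
)

# Placeholder allowlist; no real hashes are included on purpose.
$KnownGood = @{}

$results = Get-ChildItem -Path $OrionDir -Filter '*.dll' -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $hash   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

        $verdict = if ($sig.Status -ne 'Valid') {
            'UNSIGNED_OR_BAD_SIG'        # modified after signing, or never signed
        } elseif ($signer -notmatch 'SolarWinds') {
            'SIGNED_BY_OTHER'            # valid signature, but not the vendor's
        } elseif ($KnownGood.ContainsKey($_.Name) -and $KnownGood[$_.Name] -ne $hash) {
            'VALID_SIG_UNKNOWN_HASH'     # the Sunburst case: vendor-signed, wrong bits
        } elseif ($KnownGood.ContainsKey($_.Name)) {
            'MATCHES_ALLOWLIST'          # vendor-signed and hash matches the baseline
        } else {
            'VALID_SIG_NO_BASELINE'      # vendor-signed; nothing to compare against
        }

        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status
            Signer  = $signer
            SHA256  = $hash
            Verdict = $verdict
        }
    }

# Anything other than MATCHES_ALLOWLIST needs a human look; VALID_SIG_UNKNOWN_HASH
# is exactly what a signature-only check would have waved through.
$results | Sort-Object Verdict | Format-Table -AutoSize
```

Save it as a .ps1 file and run it from an elevated prompt on the host being examined. String comparison with -ne is case-insensitive in PowerShell, so the allowlist hashes may be entered in either case; Get-FileHash returns them in upper case.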
The implication was staggering. The Orion software suite had around 33,000 customers, some of whom had started receiving the tainted software update in March. That meant some customers could have been compromised for eight months. Mandiant’s team was looking at a textbook example of a software supply chain attack: the malicious alteration of software at the source its users trust. In one hit, attackers can infect thousands, potentially millions, of machines.
In 2017, hackers sabotaged a software supply chain and delivered malware to more than 2 million users by compromising CCleaner, a computer cleanup and security tool. That same year, Russia distributed the destructive NotPetya worm in a software update to the Ukrainian equivalent of TurboTax, from which it spread around the world. Not long after, Chinese hackers also used a software update to slip a backdoor onto the machines of thousands of Asus customers. Even at this early stage of the investigation, Mandiant’s team could tell that none of those earlier attacks would rival the SolarWinds campaign.
SolarWinds joins the chase
It was Saturday morning, December 12, when Mandia called the president and CEO of SolarWinds from his cell phone. Kevin Thompson, a 14-year veteran of the Texas company, was due to step down as CEO at the end of the month. What he was about to hear from Mandia, that Orion was infected, was a grim way to wrap up his tenure. “We will make this public within 24 hours,” Mandia said. He promised to give SolarWinds a chance to post an announcement first, but the schedule was non-negotiable. What Mandia did not mention was that he himself was under outside pressure: a reporter had been tipped off about the back door and had contacted his company to confirm it. Mandia expected the story to break on Sunday night and he wanted to get ahead of it.
Thompson began making calls, one of the first to Tim Brown, SolarWinds’ head of security architecture. Brown and his staff quickly confirmed the presence of the Sunburst backdoor in Orion software updates and discovered, to their alarm, that it had been delivered to as many as 18,000 customers since spring 2020. (Not all Orion users had downloaded it.) Thompson and others spent most of Saturday frantically assembling teams to oversee the technical, legal and publicity challenges they faced. They also called in the company’s outside legal counsel, DLA Piper, to oversee the breach investigation. Ron Plesco, an attorney at DLA Piper and a former prosecutor with forensic experience, was in his backyard with friends when he received the call around 10 p.m.