SolarWinds disclosed yesterday afternoon (SolarWinds security advisory, December 13; the accompanying SEC 8-K filing followed) that the build and update infrastructure for its Orion network-management platform had been compromised, with backdoored updates distributed to fewer than 18,000 customer organisations, on the company's own figure, between March 2020 and June 2020. FireEye, which disclosed its own compromise on December 8, has published the technical analysis of the SUNBURST backdoor that was distributed via the SolarWinds update mechanism (FireEye blog post on SUNBURST analysis, December 13): a trojanised, SolarWinds-signed component of the Orion platform (SolarWinds.Orion.Core.BusinessLayer.dll), which means the malicious update passed ordinary signature checks. The picture from the past 24 hours is that the FireEye intrusion, the SolarWinds compromise, and what is now visibly a multi-customer intrusion campaign are elements of a single state-actor operation of substantial scale and sophistication.
The supply-chain-attack mechanism is, in outline, what NotPetya / M.E.Doc demonstrated in 2017: vendor-side compromise of an update channel, distribution of malicious content to the vendor's customer base, and downstream compromise of customer networks via the trusted update path. The SolarWinds case differs from NotPetya in two operational respects. First, the targeting is precise rather than indiscriminate. SUNBURST lies dormant for up to two weeks after installation, checks the host for security tooling and analysis environments before doing anything, and then beacons to the operators' infrastructure under avsvmcloud.com using DGA-style hostnames that encode the victim's identity; the operators then choose, per victim, whether to engage a second stage or leave the backdoor idle. Second, the timeline is sustained rather than acute; the backdoor was distributed for several months before discovery, with selective post-compromise activity continuing through the autumn until the FireEye-driven discovery.
The customer-organisation impact is, on the early information, broad. SolarWinds Orion is widely deployed in US federal-government environments and in major enterprise customers. The CISA emergency directive issued yesterday (CISA Emergency Directive 21-01 on SolarWinds Orion) requires US federal agencies to disconnect or power down Orion deployments immediately and report back by noon EST on December 14, which is the appropriate operational response and which sets the expectation for the wider deployment population. The known affected federal agencies include Treasury and Commerce (specifically Commerce's National Telecommunications and Information Administration); reporting on further agencies is still emerging, and the full picture will firm up over the coming weeks.
For the customer-portfolio impact, none of our customers run SolarWinds Orion. The portfolio is on alternative network-management tooling. The customer-side action this week has therefore been the standard supply-chain-incident response: verify the absence of the specific affected product, audit the broader software bill of materials for any related vendor relationships, monitor for any indicators of compromise consistent with the broader campaign, and elevate alert posture. The customer-organisation conversations have been substantive, and the briefing material I have prepared this week emphasises the structural lessons rather than the specific Orion-and-SUNBURST detail.
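One concrete form the indicator monitoring above takes, given the beaconing behaviour described earlier, is a retrospective search of DNS query logs for the SUNBURST command-and-control domain. The script below is an added example and not part of the original post or of any SolarWinds or FireEye material; the only real indicator in it is the apex domain avsvmcloud.com from FireEye's published analysis. The log format, the client addresses, and the long leading label on the flagged query are constructed sample data shaped like the published pattern, and the entropy heuristic is an assumption of mine for catching similar DGA-style labels, not a published detection rule. Because the backdoor waited up to two weeks before its first beacon, the search window has to reach back to the March 2020 start of the distribution period, not just to the disclosure date.

```python
"""Scan DNS query logs for SUNBURST-style beaconing.

Added example. Two checks are run on each query name:
  1. exact match or subdomain of the published C2 apex domain;
  2. a heuristic for a long, high-entropy leading label (DGA-like),
     which is an assumption for this example and will produce false
     positives on CDN and cloud hostnames, so it is a triage flag only.
"""
from collections import Counter
from math import log2

# Apex C2 domain published in FireEye's SUNBURST analysis (the one real indicator here).
SUNBURST_C2_APEX = "avsvmcloud.com"

# Constructed sample log, not real telemetry. Format: "<timestamp> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
2020-12-14T09:00:01Z 10.20.30.5 www.example.org A
2020-12-14T09:00:04Z 10.20.30.5 time.windows.com A
2020-12-14T09:00:07Z 10.20.30.41 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com A
2020-12-14T09:00:09Z 10.20.30.41 update.solarwinds.com A
2020-12-14T09:00:12Z 10.20.30.77 mail.example.org MX
"""


def parse_dns_line(line):
    """Split one log line into a record; qname is normalised to lower case, no trailing dot."""
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def is_subdomain_of(qname, apex):
    """True for the apex itself or any name below it; rejects look-alikes such as notavsvmcloud.com."""
    return qname == apex or qname.endswith("." + apex)


def shannon_entropy(label):
    """Bits of entropy per character over the label's own symbol distribution."""
    counts = Counter(label)
    n = len(label)
    return -sum((c / n) * log2(c / n) for c in counts.values())


def looks_dga(qname, min_len=16, min_entropy=3.5):
    """Heuristic (assumed thresholds): long, high-entropy leading label."""
    first = qname.split(".")[0]
    return len(first) >= min_len and shannon_entropy(first) >= min_entropy


def scan_dns_log(text):
    """Return (client, qname, reasons) for every query that trips at least one check."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_dns_line(line)
        reasons = []
        if is_subdomain_of(rec["qname"], SUNBURST_C2_APEX):
            reasons.append("known SUNBURST C2 apex")
        if looks_dga(rec["qname"]):
            reasons.append("long high-entropy leading label")
        if reasons:
            hits.append((rec["client"], rec["qname"], reasons))
    return hits


if __name__ == "__main__":
    for client, qname, reasons in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {qname}: {', '.join(reasons)}")
```

The apex match is the authoritative check; any host that queried under avsvmcloud.com is an Orion host that ran the trojanised component and needs a full investigation, whether or not the operators ever engaged it. The entropy flag on its own is only a prompt to look at the resolved domain, since legitimate content-delivery hostnames trip it routinely.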
The structural lessons are continuous with the supply-chain-security theme that I have been writing about since at least 2017 — NotPetya in 2017, the various Magecart cases through 2018-2019, the Marriott acquisition-integration case in 2018, the various IoT-supply-chain cases through 2019. The SolarWinds case is, in scale and operational sophistication, the most consequential supply-chain attack of the decade and possibly of the internet era. The defensive disciplines are the substantive answer: vendor security verification, a maintained software bill of materials, monitoring of update content rather than reliance on the vendor's signature alone (the SUNBURST component was validly signed by SolarWinds, so signature checking by itself caught nothing), segmentation of update channels and of the management hosts that receive them, and monitoring for downstream effects such as unexpected outbound connections from those hosts. The customer-organisation programme work that has invested in those disciplines through the past several years has the better posture against the SolarWinds-style threat. The programmes that have been treating supply-chain security as an abstract concern rather than a substantive practice are now, on the SolarWinds case, demonstrably exposed.
The political and policy implications are going to develop substantially over the coming months. The attribution will firm up, since the technical evidence so far points at a Russian state-actor cluster, and the political response will follow. The regulatory environment around supply-chain security is going to attract more legislative attention than it has in the previous several years, in the US, in the EU, and in the UK. The customer-organisation programme work for 2021 is going to incorporate supply-chain security as a more central programme component than 2020's planning envisaged, and the budget conversations across the customer portfolio for 2021 are starting to reflect that shift.
I will be writing more on this through the rest of December and into 2021. The SolarWinds case is going to define the supply-chain-security conversation for several years, and the customer-organisation programmes will need to absorb the operational lessons across multiple subsequent cycles. The 2020 retrospective at the end of this month will treat SolarWinds as the defining event of the year, ahead of the COVID-related changes to operational posture and ahead of the ransomware-targeting escalation.
The work continues.