Breaching the U.S. government through software supply chains: Tracing the SolarWinds exploit upstream

December 14, 2020 By Ax Sharma


In the past week the US Treasury, US Department of Commerce and cybersecurity company FireEye experienced breaches tied to their reliance on software supply chains and a compromise of a SolarWinds software application. Officials stated that the exploit path demonstrated all signs of a nation-state sponsored cyberattack.

Each of these breaches has one thing in common: the adversaries infiltrated SolarWinds Orion software applications used by each of the targets. The attack path required malicious software code to be injected upstream in the software supply chain of SolarWinds, where it would then flow downstream into their user community.

SolarWinds develops network and IT infrastructure management software solutions, including the Orion platform. The company's clientele includes multiple federal agencies and US government organizations, such as all five US military branches, the Pentagon, NSA, the National Oceanic and Atmospheric Administration, and the Department of Justice. It is no surprise, then, that this would make SolarWinds an attractive target to nation-state actors looking to get their hands on mission-critical government systems.

Sophisticated supply chain attack propagated downstream to 18,000 customers

As the Microsoft Security Response Center team explained, the SolarWinds Orion attack started with malicious code that was implanted into SolarWinds Orion instances via trojanized updates. These updates delivered a backdoor, known as both SUNBURST and Solorigate, which was deployed on systems running Orion platform versions. The impact? Roughly 18,000 customers automatically pulled these malicious updates.

SolarWinds called this a "highly sophisticated, manual supply chain attack" in a security advisory, further adding:

"We have been advised this attack was likely conducted by an outside nation-state and intended to be a narrow, extremely targeted, and manually executed attack, as opposed to a broad, system-wide attack."

The company has since advised users to upgrade their Orion instances to patched versions and has also issued hotfixes.

By attacking the SolarWinds software supply chain and mingling their malicious code with the legitimate, trusted code being delivered to their clients, attackers are able to cast a much wider net downstream. In this particular case, by delivering tainted software updates, the attackers had planted backdoors on the systems of tens of thousands of SolarWinds' customers.

Given the seriousness of the incident, DHS-CISA issued an emergency advisory over the weekend directing all federal agencies using SolarWinds to check for signs of compromise and malicious network activity related to this large-scale attack. CISA additionally demanded a "completion report" from the agencies today.

"What we see here is a highly targeted software supply chain attack that leveraged commercial code to deliver a malicious payload," says Brian Fox, CTO at Sonatype. "Compared to the sophistication and extensive planning required to attack physical technology supply chains in the public and private sector, software supply chain attacks are easier, faster, and more effective for adversaries."

"While this specific attack targets just one vendor, we see the same types of attack behaviors occurring on open source software supply chains, such as Octopus Scanner that had compromised at least 26 OSS projects, and 700 typosquatting RubyGems running Bitcoin miners."

According to Sonatype's 2020 State of the Software Supply Chain report, next-generation upstream software supply chain attacks are far more sinister because bad actors are no longer waiting for public vulnerability disclosures. Instead, they are taking the initiative to contribute code to open source projects and then - unbeknownst to the other OSS project maintainers - injecting malicious code. Those code changes then make their way into open source projects that feed the software supply chains of developers around the world.

By shifting their focus upstream (i.e., injecting malware in SolarWinds Orion platform updates trusted by thousands), bad actors can infect a single component, which will then be distributed downstream using trusted software workflows and update mechanisms.

Our 2020 report also shows that this is happening at a rapidly increasing rate. In fact, there was a 430% increase in upstream software supply chain attacks over the past year. Keeping this in mind, it is virtually impossible to manually chase and keep track of such components.

Sonatype's world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.
