As we previously reported, the SolarWinds Hack of 2020 was massive in its scope and the extent of the damage it caused. In this article, we take a detailed look the timeline of the attack, from the perspectives of the perpetrators, SolarWinds, the American public, and risk mitigation measures.
From the standpoint of the Cyberattackers:
- September 4, 2019: The Cyberattackers gain the first known foothold into the SolarWinds IT and Network Infrastructures.
- September 12, 2019: The Cyberattacker group deploys the first malicious payload into the Orion Software platform. This appears to be a test run, as the hackers used numerous servers located in various parts of the US in order to cover their network tracks.
- February 20, 2020: The Cyberattackers do a second test run of the malicious payload make sure that it will cause the damage that it was created to do. They then remove the test code so that it cannot be detected.
- June 4, 2020: The Cyberattackers conduct another trial run, and it appears all is working according to their plan. Once again, the test code is removed to prevent detection.
From the standpoint of SolarWinds:
- December 8, 2020: FireEye, one of the world’s leading Cybersecurity firms, makes it known to the public that its IT and Network Infrastructures were hacked into, and that the Cyberattackers even disabled its Red Team Penetration Tools.
- December 11, 2020: FireEye discovers that SolarWinds has also been compromised, to a great degree. The realization that this was actually a Supply Chain style attack comes when FireEye further discovers that the Orion Platform, which was used to deploy the software updates, was also hacked into between the timeframe of March 2020 and June 2020.
- December 12, 2020: FireEye formally notifies SolarWinds that their Orion Platform has been the vehicle for deploying the malware, through the software upgrades and patches. At this time, the National Security Council of the US Federal Government also intervenes in order to ascertain if any government agencies have been impacted by the Cyberattack.
From the standpoint of the American public:
On December 13, 2020, the following key events occurred:
- The Cybersecurity and Infrastructure Security Agency (aka “CISA”) requires that all US Federal Government agencies immediately discontinue use of the Orion Platform.
- SolarWinds releases temporary fixes that the impacted entities can use to mitigate the risk of further damage taking place.
- FireEye categorizes this Cyberattack as a Supply Chain hack, because other third parties were also impacted, namely some of the largest companies in the Fortune 500.
- Microsoft also intervenes and explains to the public how its customer base may be impacted by this Cyberattack.
- The SolarWinds hack makes the news for the first time, with finger pointing and blame aimed at nation state threat actors.
From the standpoint of Risk Mitigation:
On December 15, 2020, the following key events transpired:
- SolarWinds releases the first software fixes to further mitigate the damage that has already been done.
- The first victims are identified.
- The CISA and the FBI launch joint efforts to determine how the SolarWinds breach occurred in the first place, and to further investigate the damage that has been done to US Federal Government agencies.
Whenever a Cyberattack strikes a business entity, no matter how large or small, it’s important to reconstruct a detailed timeline such as the one we have covered here. The primary advantage of doing this is that it can aid in the process of attribution, that is, is determining who the actual perpetrators are. Such a timeline can also pinpoint areas in which latent evidence may lie, which is crucial in carrying out the forensics investigation. And finally, a timeline such as this can help identify vulnerabilities in the software and databases of the business entities affected by the Cyberattack. With similar attacks, such as the recent Kaseya ransomware attack, on the rise, vigilance against Cyberattacks has become more critical than ever.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.