
SolarWinds - Supply chain attacks

Date: announced 2020-12-13, first detected late 2019(?)

Method: Supply chain attack, delivered through a compromised update of SolarWinds Orion.

Impact: Many companies were hacked through the supply chain attack, including Cisco, MSFT, PAN, Mandiant, etc.

Attacker: APT29, SVR, Cozy Bear, the Dukes.

Noteworthy: The attack went undetected for months. A lot of companies were compromised via SolarWinds Orion. The Orion software suite had about 33,000 customers, but only the updated versions were compromised. Interestingly, customers who did not update their SolarWinds installation did not get breached. The first backdoor: Sunburst. There is a second backdoor: Teardrop, used to collect more information.

The attacker compromised a build server on 19-20 Feb 2020 and embedded a rogue DLL file. On June 4th they shut down the operation.

2019-01-30: Employee's VPN account got compromised.
2019-01-31: Downloaded 129 source code repos and customer info.
2019-03-12: Returned and accessed the build environment.
2019-09-04: Returned again.
2020-02-XX: Dropped test code into an Orion software update.
2020-11-26: Used the VPN for the last time.
2020-12-12: Continued to monitor until Kevin Mandia contacted Kevin Thompson.

References

Wired: The Untold Story of the Boldest Supply-Chain Hack Ever

Washington Post: Russian government hackers are behind a broad espionage campaign

MSRC: SolarWinds

Mandiant: SolarWinds