After much speculation about the length of dwell time involved in the SolarWinds supply chain attack, the IT management vendor confirmed that the breach began at least as early as September 2019.
SolarWinds president and CEO Sudhakar Ramakrishna published an update Monday regarding the supply chain attack in which nation-state threat actors compromised numerous high-profile enterprises and government agencies via malware inserted into software updates. In the post, Ramakrishna provided a detailed timeline that dates the initial breach against SolarWinds.
"Our current timeline for this incident begins in September 2019, which is the earliest suspicious activity on our internal systems identified by our forensic teams in the course of their current investigations," he wrote in the update.
Prior to this post, security researchers believed, based on technical evidence, that attackers may have first breached SolarWinds in late 2019.
After the threat actors initially breached SolarWinds on Sept. 4, they conducted test code injections through November. The Sunburst malware was deployed in February 2020, and in June, the threat actors removed the Sunburst malware from SolarWinds' environment.
"The perpetrators remained undetected and removed the SUNBURST malicious code from our environment in June 2020. During that time, through to today, SolarWinds investigated various vulnerabilities in its Orion Platform. It remediated or initiated the process of remediating vulnerabilities, a regular process that continues today. However, until December 2020, the company did not identify any vulnerabilities as what we now know as SUNBURST," the post read.
Ramakrishna also said the investigation team, which includes CrowdStrike and KPMG, discovered "a highly sophisticated and novel malicious code injection source" that the nation-state threat actors used to place the Sunburst backdoor into the Orion software platform. Ramakrishna highlighted a companion post from CrowdStrike on the discovery.
According to the updated timeline, SolarWinds learned of the attack on Dec. 12 before going public two days later.
In a previous SolarWinds update, the company mentioned that there could potentially be other victims, and Ramakrishna reiterated this in Monday's post, saying that, "Our concern is that right now similar processes may exist in software development environments at other companies throughout the world."
SearchSecurity contacted SolarWinds for clarification on this point, but SolarWinds had not responded at press time.
CrowdStrike provides additional context
CrowdStrike published a blog post, also Monday, with technical details about how the attackers obtained access to the Orion build environment and inserted the Sunburst backdoor into software updates for the platform. According to the post, a different piece of malware, which CrowdStrike calls "Sunspot," was discovered on a SolarWinds software build server. The Sunspot malware hijacked the compilation process for Orion software and replaced legitimate source files with the backdoor.
CrowdStrike researchers believe the Sunspot tool was developed to quietly abuse the compilation process without altering SolarWinds' development team. The vendor said Sunburst is the work of the attackers behind SolarWinds supply chain attack, which CrowdStrike identifies as "StellaParticle," but it did not attribute the threat activity to any known advanced persistent threat group or specific nation-state.
"The design of SUNSPOT suggests StellarParticle developers invested a lot of effort to ensure the code was properly inserted and remained undetected, and prioritized operational security to avoid revealing their presence in the build environment to SolarWinds developers," the post said.
CrowdStrike released indicators of compromise for Sunspot, as well as tools, techniques and procedures for the threat actors and Mitre ATT&CK framework information to defend against the malware.
Security news editor Rob Wright contributed to this report.
Alexander Culafi is a writer, journalist and podcaster based in Boston.