Huge SolarWinds Systems Hack Of Government

Major Corporations too. Banks, White House, NASA and more.

The hack involved getting to the vendor equipment, then inserting a backdoor into an update that was then pushed to major companies and government agencies all over the place. Between March and June last.

“Most impactful ever”…

Also got their hacking tools used to test security, i.e. world class hacking tools.

Active Exploitation of SolarWinds Software
Original release date: December 13, 2020

The Cybersecurity and Infrastructure Security Agency (CISA) is aware of active exploitation of SolarWinds Orion Platform software versions 2019.4 through 2020.2.1, released between March 2020 and June 2020.

CISA encourages affected organizations to read the SolarWinds and FireEye advisories for more information and FireEye’s GitHub page for detection countermeasures:

SolarWinds Security Advisory
FireEye Advisory: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
FireEye GitHub page: Sunburst Countermeasures

Threat Research
Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
December 13, 2020 | by FireEye

Executive Summary

We have discovered a global intrusion campaign. We are tracking the actors behind this campaign as UNC2452.

FireEye discovered a supply chain attack trojanizing SolarWinds Orion business software updates in order to distribute malware we call SUNBURST.

The attacker’s post compromise activity leverages multiple techniques to evade detection and obscure their activity, but these efforts also offer some opportunities for detection.

The campaign is widespread, affecting public and private organizations around the world.

FireEye is releasing signatures to detect this threat actor and supply chain attack in the wild. These are found on our public GitHub page. FireEye products and services can help customers detect and block this attack.


FireEye has uncovered a widespread campaign, that we are tracking as UNC2452. The actors behind this campaign gained access to numerous public and private organizations around the world. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software. This campaign may have begun as early as Spring 2020 and is currently ongoing. Post compromise activity following this supply chain compromise has included lateral movement and data theft. The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security.

Just little things like Department Of Finance, Treasury, NASA, etc. etc.

Then “lateral movement” means that once inside, they spread out inside the agencies likely leaving other malware and backdoors all over the place. This kind of intrusion needs a top-to-bottom scrub to get rid of it. Depending on the skill involved, and these guys look to have high skillz, that can include binaries embedded in disk drive firmware and other nearly impossible to detect places.

I doubt the ability of Government Agencies to effectively scrub all of it.

Subscribe to feed

About E.M.Smith

A technical managerial sort interested in things from Stonehenge to computer science. My present "hot buttons' are the mythology of Climate Change and ancient metrology; but things change...
This entry was posted in News Related, Security & Privacy, Tech Bits. Bookmark the permalink.

27 Responses to Huge SolarWinds Systems Hack Of Government

  1. President Elect H.R. says:

    Is it any wonder why I don’t do anything online except comment on a few blogs, look up info on things I will go and buy in person, and watch how-to videos?

    Still, I’ve got ‘stuff out there’ because I have a mortgage, a bank account, Social Security, Medicare, and Medicare supplemental insurance. Oh… and titled vehicles.

    There are not too many people without at least a digital thumbprint. Most everyone has some sort of digital trail of footprints, and then there are those that give away anything and everything about themselves if they are rewarded with a “free” game for their smart phone.

    I don’t know who is rooting hardest for a cashless society; GEBs or cyberthieves?

    The ultimate irony will come when the cyberthieves steal everything from the GEBs. “Mr. Gates, you were a multibillionaire yesterday. Today? Well, my cousin Bernie needs a dishwasher at his restaurant. Are you interested?”

  2. Nancy & John Hultquist says:

    Not that this is relevant but a problem with companies is they have “coders” or programmers, but wordsmithing is a concept not apparent. Consider this from the web site:
    The SolarWinds Orion Platform can help conquer your infrastructure monitoring and management by offering superior tool consolidation for your environment while providing unique integrated functionalities, allowing customers to join the dots and solve problems with accuracy and speed at an affordable price.

    Note the last word: price
    Nothing before that makes much sense, but the reader is left with a power-packed word. Who doesn’t know what “price” means. Translation: You are going to pay!
    Our tools can help you make your company better. [ you – your – better ]

  3. V.P. Elect Smith says:

    @N.&J. H:

    The real problem is that often high end sales (like big software buys) are at a minimum signed off by “Executives” or often “recommended” by them to the staff based on what they did before, what a friend did somewhere else, or what their “Executives Magazine” promoted last month.

    I’ve had that happen more than a few times.

    “Why are we not using FOO!?” (“like my friends company BAR” or “like I just read about in BAR” or “like we did at my last company”)

    EVERY fad that comes along, comes via that route. The “centralize decentralize” cycle is part of it. Now it’s “Cloud Computing”. Before it was “Service Bureaus”. Rinse and repeat.

    Similarly the “just use one box for everything” sales pitch. “Why do we need 12 computers to do that?” so the I.T. guy looks to buy the one bigger costlier box to do it all and turns in the P.O. Never mind that “all on one box” means “Something goes wrong you lose it all”.

    At one company I was using COTS hardware (black box rack mount cheap PCs) for core services. MY Mantra was “One Service, One Box”. If we lost, for example, the email server, it was ALL we lost. Also, we could expediently bring it back up as a secondary service on some lightly used other box while making repairs, or swap to a hot spare in the rack if available. Often just unplug / re-plug a disk and flip a config switch…

    I got asked why I needed so many boxes, and enjoyed explaining that 10 x $400 was much much less than $10,000 and gave more durable and reliable services…

    It was also pleasant for me when a server would go down, and ONLY that one service generated “trouble ticket” calls to the desk, and ONLY one guy needed to fix one thing, and OFTEN the “service” was back up before most people even noticed it was out.

    IIRC, we once lost in-house DNS service, and it was back up inside about 4 minutes with small single digit calls about issues. (Had an alternative hardware / software setup we could spin up ‘just in case’. Then went about swapping the hardware out, restarting the primary, and refurbishing the pulled box to put back in later). Another time the email server lost the PSU. Disks were in the front on a slot, so just unscrewed retainer, moved down a rack to the empty PC, plugged in, power on, service back up.

    So the “fad” now is to put everything on “Virtual Machines” either in your own Big Box farm or in “the cloud” somewhere. OK, having a bunch of VM images you can spin up makes sense, and a watchdog to spin one up if there’s a service outage. Having a “big enough” physical server farm to always have one spare unit of capacity, preferably 2, would work OK. But “the cloud”? What happens if your network is down? (Do you really have redundant POPs, cables, ISPs?) What do you do when under DDoS attack? What do you do if you need to do a sudden network disconnect as you found a serious security breach in progress? Yeah, it can work, but with a big hit on risk and risk response choices available. Lose one network and you lose all services? No thanks.

    I can see putting selected services “in the cloud”, especially those not critical to immediate operations, so an outage doesn’t stop the whole company. Engineering R&D with big peaks of compute demands. Marketing web development where an outage for a day is not a big impact. But corporate financials? Internal services like email and file storage? Ummm…

    Why I was not a big fan of IP Phones. How does someone call the help desk about a network down issue if the phones don’t work? Eh? (Now mitigated by the ubiquitous cell phone… Now I think I’d just not have a corporate phone system. Issue anyone who needs one a corp cell phone with WiFi telephony for internal calls.)

    Any way, my griping digresses…

  4. V.P. Elect Smith says:

    @P.E. H.R.:

    That’s another point. Limiting your activity.

    I don’t do social media. I don’t post photos of me and mine to the world (other than 2 graduation photos here). I don’t have a dozen credit cards. I prefer to pay “cash only”. I only pay one bill on-line and only from one account with one of two computers (that do little else). I only occasionally do any on-line shopping (when someone gives me an “Amazon Gift Card” for Christmas or Birthday).

    Yeah, kind of ironic… the hard core Computer Geek being essentially computer phobic for on-line uses ;-)

    What happens to you after several decades of fighting cyber-threats daily… You KNOW it is only a matter of when not if.

    Oh Well… Not my problem anymore. Someone else can be responsible for keeping the barn door shut at companies.

    The Gates Point:

    Yeah, that would be fun to watch. Unlikely to happen though. He’ll just show statements demonstrating his ownership and move the cost to the folks who screwed up. Now if his BANK goes bankrupt, we already know that the GEBs just have their pet Governments print up more money to keep their bank funded…

  5. Ed Forbes says:

    Antrim Michigan Forensics Report

    Click to access antrim_michigan_forensics_report_%5B121320%5D_v2_%5Bredacted%5D.pdf

    Court ordered review of 1 Michigan county’s election software shows 69% error rate requiring human intervention with NO audit trail.

  6. YMMV says:

    News item today — Google hit with outage of all services, worldwide.
    I don’t know what the reality is, but there is something to this.
    They have a status page. I don’t know if there are better ones.

    China testing? poor design?

  7. President Elect H.R. says:

    OK. I don’t know what’s going on, but when I am searching for some tool or supplies or odd hardware for a project, I get all sorts of results for “FOO for sale near me.”

    I get Detroit locations, I get Cleveland and Northeast Ohio locations, Indianapolis locations, and Seminole Florida locations, and a couple of other locations; not all at the same time. It’s just that it homes in on me as being in one of those areas when I am online.

    Now I am in the Eastern Mid-west, so those locations are, well… within a day’s drive. And we stay in Seminole, Florida, so something has been embedded on my laptop about that location. I can be at home and it picks the Home Depot in Seminole.

    So I’m not complaining. It seems like a good thing to me. I just don’t know what’s going on. Maybe locations those are embeds from the 32 trackers I have remaining. However, I’ve never been to some of the places it chooses and the places, like Indianapolis, I haven’t been to in years and definitely never with the 2-year old laptop.

    It’s all good, though.

  8. ossqss says:

    Oh the IOT is wonderfully connected. Reminiscent of the Target HVAC hack?

    How many backdoors are in those self driving cars just waiting for the trigger to be pulled.

    Who makes that coding decision to drive off the cliff to avoid hitting a school bus anyhow? Just sayin, autonomous isn’t really independent of some other’s preconcieved analytic thoughts. .

  9. ossqss says:

    @HR, if you use a google product or have a account, you may want to check your profile and dig in a bit. You will be amazed at what, by default, most folks permit to be gathered including an advertising profile. The same goes for just about every site or search engine out there with a few exceptiins.

    Then there is the GDPR from the EU.

  10. President Elect H.R. says:

    @Ossqss – Hey, there’s a thought. I lied through my teeth setting up my gmail and my old hotmail account was worse.

    At least the addresses were consistent; Wrigley Field in Chicago 😁It’s not like I’m the only one who ever used that address for a gmail account. (Oooo… just corrected a really good typo. I initially typed ‘gmaul’.)

    I’m a 103-year old black woman, but I keep up with the times and so I got me a gmail account.

    The best I know, I don’t use google products directly, BUT, when searching for campgrounds and trailer friendly gas stations, I suppose those little inset maps are most likely google maps.

    That must be why they have me all over the place. Althoughhhhhhh… some of those locations I don’t recall ever calling up. I just never was going anywhere near them.

    But that’s a good tip. Thanks!

  11. President Elect H.R. says:

    Just little things like Department Of Finance, Treasury, NASA, etc. etc.

    Talk about the Great Global Reset. Wooowee, mama!

    I wonder where my Social Security check is going this month?

  12. V.P. Elect Smith says:

    One of the most commonly collected things is your IP Address. Then you finger that to get the location. So, say we wanted to look up a hypothetical IP#

    ems@OdroidN2:~$ nslookup	name =

    Then a Duckduckgo search on

    WideOpenWest (doing business as WOW!) is the sixth largest cable operator in the United States. The company offers landline telephone, cable television, and broadband Internet services. As of June 30, 2020, WOW! has about 844,500 subscribers.

    After a 2017 initial public offering, WideOpenWest is publicly traded with Avista Capital Partners and Crestview Partners retaining significant stakes. As of August 6, 2019 Avista Capital Partners sold their shares in the company, leaving Crestview Partners WOW’s largest shareholder holding a 37% stake in the company.
    State Population Covered by WOW![17]
    Michigan 1,856,779
    Ohio 1,506,425
    Alabama 624,286
    Illinois 1,604,922
    South Carolina 260,628
    Florida 804,085
    Indiana 316,534
    Georgia 494,673
    Tennessee 139,600

    So we can know pretty much just from that the max places possible. (There are other ways to narrow it down to much smaller geographies…) and we can make a Very Good Guess that as it is cable internet, the person is “at home”.

    FWIW, one of the “ways” is your WiFI name history. Folks like Google snarf up every WiFI signal / router name and map them. So even if YOU have 100% of everything “locked down” on your laptop, use it at Starbucks where Lucy Loosey has lots of beacons and trackers and just everything, the suck up the “wifi profile AND location”. Anyone ELSE with that IP is fingered down the restaurant itself (and possibly even inside vs outside where a different WiFi fingerprint registers…)

    Using other common tools, I’ve usually been able to place a person to a few blocks. On a bad day a few square miles.

  13. A C Osborn says:

    EM, did you read the Dominion Forensic Report that Ed Forbes posted?

  14. A C Osborn says:

    EM, sorry, I see you have commented on the Dominion report on the WOOD post.

  15. V.P. Elect Smith says:

    #A.C. Osborn:

    nothing to be sorry about. I read some of it then got interrupted by household duties.

    So on my “ToDo” for today is read it through, after coffee ;-)

  16. philjourdan says:

    @P.E. H.R. – I always put down a millennial age. Maybe I should put down a Michigan voter age?

  17. WatchinIt says:

    Would you also take a read on this stuff?
    Know you talked about the Guccifer2.0 stuff in 2017 (I was out-of-the-loop then and am reading through it now). This guy is carrying it on through Mueller, RussiaRussiaRussia! and ongoing.

  18. Pingback: ASOG Dominion Report, Review Part 2 | Musings from the Chiefio

  19. V.P. Elect Smith says:


    Finally got time to read through that thoroughly.

    My take on it is that the guy has some decent computer chops (or rents them) and knows how to connect the dots.

    It is likely his end speculation about “Bob’s Network” being the Head Bob has some credibility, but could just as easily be one or two layers down. Usually Head Cheese of a place doesn’t know or care about things like network names. That the number of the mail site matches FBI phone prefix could just be an inside joke.

    Overall, I’m finding the SSL Cert & IP chunk registrations most damning. They pretty much prove it was entirely owned and operated by the FBI using their resources and trying to hide it. NOBODY gives a way a segment of their IP range to an outside party. Too hard to come by.

    As to “why?”, I think there are too many ways it could go to say for sure. My guess would be that most likely it was for clandestine things involving the Ukraine / Russia war and various persons, money laundries, and support of “irregular” units off books. Provided a detailed fine grain line up of those dates to the recorded computer server dates line up.

    Related to Trump? I doubt it. Started before he was the selected candidate.

  20. WatchinIt says:

    Thanks so much – hard to tell the fever swamps for intentional muck without expertise. Appreciate your take – and the blog!

  21. V.P. Elect Smith says:


    Dan Bongino may have the answer. Seems the FBI knew about Hillary’s email, and that they were pwnd by a Foreign Agent already, and were setting up the Russia Hoax to assure that when the story breaks, the focus would be on Trump / Russia not Hillary / {some foreign actor}.

    Would make a lot of sense to have an external non-reported email server to circulate HER emails and to discuss strategy… Timing matches too. Just before the 2016 election and “for a while”…

  22. WatchinIt says:

    Will check it out. That is the assertion of “Loaded for Guccifer2.0,” written by the guy whose blog post I asked you about. On another topic – here’s the deal about turkey prices I buy turkeys cheap during the Thanksgiving price wars then keep them in the freezer until whenever. Just baked one that had been frozen for over a year and it was perfect.

  23. President Elect H.R. says:

    WatchinIt: “Just baked one that had been frozen for over a year and it was perfect.”

    Well, I think it’s Kays Jewelers that advertises Forever diamonds. Maybe you should start advertising Forever turkeys. 😜

    Hey! The preppers would “flock” to it. 🙄

  24. WatchinIt says:

    A mammalogist friend of mine attended a meeting in Siberia in which the hosts served up frozen mammoth burgers – he said they were good despite being frozen for eons. It was a bit of an “up yours” because some of the American attendees had been asking for samples to use to extract DNA and were refused.

  25. President Elect H.R. says:

    @WatchinIt re mammoth burgers: 🤣🤣👍

    I read that to Mrs. H.R. and she got a laugh out of it, too.

  26. Taz says:

    Anyone else tired of paying for incompetent government employees?

    You can’t compartmentalize while simultaneously opening all your systems so you can play IT god. They knew this – but did not care.

    Why I’m in favor of massively cutting their budget then ruthlessly purging their bullshit IT staff. And of course, Solarwinds needs to be sued until they die….with zero chance that any player involved can find further IT employment elsewhere. Prison for the executives.

    Taleb’s Black Swan-proof World: Ten Principles
    Nassim Nicholas Taleb Financial Times

    1. What is fragile should break early while it is still small. Nothing should ever become too big to fail. Evolution in economic life helps those with the maximum amount of hidden risks – and hence the most fragile – become the biggest.

    2. No socialisation of losses and privatisation of gains. Whatever may need to be bailed out should be nationalised; whatever does not need a bail-out should be free, small and risk-bearing. We have managed to combine the worst of capitalism and socialism. In France in the 1980s, the socialists took over the banks. In the US in the 2000s, the banks took over the government. This is surreal.

    3. People who were driving a school bus blindfolded (and crashed it) should never be given a new bus. The economics establishment (universities, regulators, central bankers, government officials, various organisations staffed with economists) lost its legitimacy with the failure of the system. It is irresponsible and foolish to put our trust in the ability of such experts to get us out of this mess. Instead, find the smart people whose hands are clean.

    4. Do not let someone making an “incentive” bonus manage a nuclear plant – or your financial risks. Odds are he would cut every corner on safety to show “profits” while claiming to be “conservative”. Bonuses do not accommodate the hidden risks of blow-ups. It is the asymmetry of the bonus system that got us here. No incentives without disincentives: capitalism is about rewards and punishments, not just rewards.

    5. Counter-balance complexity with simplicity. Complexity from globalisation and highly networked economic life needs to be countered by simplicity in financial products. The complex economy is already a form of leverage: the leverage of efficiency. Such systems survive thanks to slack and redundancy; adding debt produces wild and dangerous gyrations and leaves no room for error. Capitalism cannot avoid fads and bubbles: equity bubbles (as in 2000) have proved to be mild; debt bubbles are vicious.

    6. Do not give children sticks of dynamite, even if they come with a warning . Complex derivatives need to be banned because nobody understands them and few are rational enough to know it. Citizens must be protected from themselves, from bankers selling them “hedging” products, and from gullible regulators who listen to economic theorists.

    7. Only Ponzi schemes should depend on confidence. Governments should never need to “restore confidence”. Cascading rumours are a product of complex systems. Governments cannot stop the rumours. Simply, we need to be in a position to shrug off rumours, be robust in the face of them.

    8. Do not give an addict more drugs if he has withdrawal pains. Using leverage to cure the problems of too much leverage is not homeopathy, it is denial. The debt crisis is not a temporary problem, it is a structural one. We need rehab.

    9. Citizens should not depend on financial assets or fallible “expert” advice for their retirement. Economic life should be definancialised. We should learn not to use markets as storehouses of value: they do not harbour the certainties that normal citizens require. Citizens should experience anxiety about their own businesses (which they control), not their investments (which they do not control).

    10. Make an omelette with the broken eggs. Finally, this crisis cannot be fixed with makeshift repairs, no more than a boat with a rotten hull can be fixed with ad-hoc patches. We need to rebuild the hull with new (stronger) materials; we will have to remake the system before it does so itself. Let us move voluntarily into Capitalism 2.0 by helping what needs to be broken break on its own, converting debt into equity, marginalising the economics and business school establishments, shutting down the “Nobel” in economics, banning leveraged buyouts, putting bankers where they belong, clawing back the bonuses of those who got us here, and teaching people to navigate a world with fewer certainties.

  27. philjourdan says:

    Hey Taz! Here’s a clue for you (given politely). The government employees are NOT the ones running the IT. They do not know a bit from a byte! It is all the beltway bandits that do the actual work! But they are under the direction of the incompetent idiots.

    I have worked with the idiots in the Federal government as an employee of a State. At no time did any of those idiots ever do any of the technical work. They were there to puff out their chest and take home obscene pay, but the contractors were the ones doing the work.

Comments are closed.