Solarwinds hack explained.

The 2020-2021 SolarWinds hack explained in detail by a software engineer.

According to The Hill, President Biden said on Thursday, February 4, 2021, that his administration is launching an “urgent initiative” to improve the nation’s cybersecurity, pointing to concerns about malign efforts by Russia and China. On December 13, 2020, Reuters broke the story that the Treasury Department had been compromised by sophisticated hackers, and numerous organizations subsequently confirmed it. The Washington Post attributed the hack to Cozy Bear (APT29, Russia’s SVR). To understand the SolarWinds hack, you first need to understand what SolarWinds does.

What does SolarWinds do?

SolarWinds is a software company with a large portfolio of systems-management products. These products are primarily run by IT professionals at large institutions.

What does SolarWinds Orion NMS do?

Orion NMS (Network Management System) is SolarWinds’ most popular product. It monitors and manages a wide variety of devices: servers, desktops, laptops, network devices and so on.

Who uses SolarWinds?

The company has 300,000+ customers worldwide, including 425 of the US Fortune 500.

(Image: SolarWinds hack explained and companies that use SolarWinds)

How did the hackers compromise SolarWinds’ systems, and why did the hack spread for so long without detection?

Because SolarWinds NMS has access to so many devices inside an institution, and so many institutions use it, it is a prime target for attackers: compromising one vendor’s update channel compromises thousands of networks at once.

An NMS runs in one of two modes: monitoring only, or monitoring and managing. Many deployments are configured to do both, which means the NMS holds working credentials for the devices it manages (SNMP community strings, SSH and WMI accounts, API keys). So if the NMS is compromised, the attacker can do whatever the NMS can do, using the NMS’s own credentials.

According to SolarWinds’ SEC filing, the attackers had inserted malicious code into Orion builds as early as March 2020, and it took almost nine months to detect the first instance of the hack. Why did it take so long, even though 425 of the Fortune 500 were using the product?

The attackers compromised SolarWinds’ build server and inserted malware (named SUNBURST) into the existing software during the build process, so the resulting binary was signed with SolarWinds’ legitimate code-signing certificate. Once software carries the vendor’s valid signature, many anti-malware and anti-virus products treat its behaviour as normal, because they have no way to know that the artifact was tampered with before it was signed. The situation is still evolving, and some argue that only the build process was compromised, not the signing key itself. Either way, the signature was worthless as a guarantee: a valid signature proves who signed the file, not that the file matches what the vendor’s source code actually produces.
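The following is an added example, not code from the original post and not SolarWinds’ code. It shows why a valid code signature did not catch SUNBURST, and what would have: the implant is inserted at build time, before the release is signed, so the signature legitimately covers the poisoned binary, while an independent rebuild from source (a reproducible build) catches the mismatch. HMAC-SHA256 stands in for the vendor’s Authenticode signature, `build_from_source()` stands in for a deterministic build, and `SOURCE`, `SIGNING_KEY` and the implant bytes are constructed placeholders.

```python
"""Added example (not SolarWinds' code, not from the original post).

Shows why a *valid* code signature did not catch SUNBURST: the implant was
inserted at build time, before the release was signed, so the signature
legitimately covered the tampered binary. An independent rebuild from source
catches what the signature cannot.

Everything here is a stand-in and an assumption for illustration:
  * HMAC-SHA256 plays the role of the vendor's Authenticode signature.
  * build_from_source() plays the role of a reproducible (deterministic) build.
  * SOURCE, SIGNING_KEY and the implant bytes are constructed, not real.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Tuple

# Assumed vendor signing key. The attacker never needs it for the build-time
# attack below: the vendor's own pipeline signs the poisoned output.
SIGNING_KEY = b"assumed-vendor-code-signing-key"

SOURCE = b"namespace SolarWinds.Orion.Core { /* constructed source tree */ }"


def build_from_source(source: bytes) -> bytes:
    """Deterministic build stand-in: output depends only on the source."""
    return b"BUILD-OUTPUT:" + hashlib.sha256(source).digest()


def sign(artifact: bytes) -> bytes:
    """Release-signing stand-in: signs whatever bytes it is handed."""
    return hmac.new(SIGNING_KEY, artifact, hashlib.sha256).digest()


def verify_signature(artifact: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(artifact), signature)


@dataclass(frozen=True)
class ReleaseCheck:
    signature_valid: bool            # what AV and the OS loader check
    matches_independent_build: bool  # what only rebuild-and-compare checks


def check_release(source: bytes, shipped: bytes, signature: bytes) -> ReleaseCheck:
    """Run both checks against a shipped artifact."""
    expected = build_from_source(source)
    return ReleaseCheck(
        signature_valid=verify_signature(shipped, signature),
        matches_independent_build=hmac.compare_digest(expected, shipped),
    )


# --- three constructed release scenarios -------------------------------

def legitimate_release() -> Tuple[bytes, bytes]:
    artifact = build_from_source(SOURCE)
    return artifact, sign(artifact)


def build_time_tampered_release() -> Tuple[bytes, bytes]:
    """The SUNBURST pattern: the implant is appended to the build output
    *before* the pipeline signs it, so the signature is valid over it."""
    artifact = build_from_source(SOURCE) + b"<constructed implant>"
    return artifact, sign(artifact)


def post_signing_tampered_release() -> Tuple[bytes, bytes]:
    """For contrast: tampering *after* signing is what a signature does catch."""
    artifact = build_from_source(SOURCE)
    signature = sign(artifact)
    return artifact + b"<constructed implant>", signature


if __name__ == "__main__":
    for name, (shipped, sig) in (
        ("legitimate", legitimate_release()),
        ("build-time tampered", build_time_tampered_release()),
        ("post-signing tampered", post_signing_tampered_release()),
    ):
        r = check_release(SOURCE, shipped, sig)
        print(f"{name:22s} signature_valid={r.signature_valid!s:5s} "
              f"matches_independent_build={r.matches_independent_build}")
```

The build-time case is the one that matters: `signature_valid` is True and only `matches_independent_build` is False. A vendor that gates releases on a second, independently produced build of the same commit would have had a chance to notice the difference; a customer checking only the signature never will.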

The sophistication does not stop there. The malware was written to stay dormant for roughly two weeks (12 to 14 days) after installation, so that defenders and anti-malware tools could not easily associate a change in network behaviour with the change of Orion version.

Not only that: the attackers made sure SUNBURST’s outgoing traffic looked very similar to legitimate SolarWinds traffic (it mimicked the Orion Improvement Program protocol). The attackers’ goal was clearly to remain in the infected systems for as long as possible.

The story gets even crazier. Before activating, SUNBURST checks the IP address its command-and-control domain resolves to: if it falls in a private range or in certain other ranges, including ones owned by Microsoft, the malware stops. It appears the attackers assumed Microsoft could observe this kind of activity, so they made sure the malware never connected to Microsoft IPs. Kudos to Microsoft. Defenders later turned this check against the malware: once the C2 domain was made to resolve into one of those ranges, infected hosts deactivated themselves.
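The following is an added example, not from the original post and not SolarWinds’ or any vendor’s code. It turns the three evasion behaviours just described into hunting logic over a small constructed DNS query log: queries to SUNBURST’s published C2 domain (avsvmcloud.com), long high-entropy leftmost labels of the kind machine-generated subdomains have, and external domains a host had never resolved before, measured in days since that host’s Orion update so that the two-week dormancy does not fall outside the hunt window. The log format, hostnames, the internal zone, the baseline list and the update dates are all constructed for illustration, and `registrable()` is a “last two labels” simplification rather than a public-suffix lookup.

```python
"""Added example (not from the original post, not SolarWinds' code).

Hunting logic for the SUNBURST evasion behaviours, over a constructed DNS log:
  1. queries to the published C2 domain (avsvmcloud.com);
  2. long, high-entropy leftmost labels (machine-generated subdomains);
  3. external domains a host has never resolved before, reported as
     days since that host's Orion update, so a ~2-week dormancy is caught.

Assumptions: log format, hostnames, internal zone, baseline domains and
update dates are constructed. registrable() is a last-two-labels
simplification, not a public-suffix-list lookup.
"""
import math
from collections import Counter
from datetime import datetime
from typing import Dict, Iterator, List, Tuple

KNOWN_C2_DOMAINS = {"avsvmcloud.com"}                   # published SUNBURST C2
INTERNAL_SUFFIXES = (".corp.example",)                   # assumed internal zone
BASELINE_DOMAINS = {"solarwinds.com", "windows.com"}     # assumed pre-update baseline

# Constructed log lines: "<timestamp> <host> <qtype> <qname>"
SAMPLE_LOG = """\
2020-06-01T08:00:00Z orion01 A updates.solarwinds.com
2020-06-01T08:00:05Z orion01 A dc01.corp.example
2020-06-02T09:12:00Z orion01 A time.windows.com
2020-06-14T03:41:27Z orion01 A 7sbvaemscs0mc925tb99.appsync-api.eu-west-1.avsvmcloud.com
2020-06-15T03:44:12Z orion01 A 7sbvaemscs0mc925tb99.appsync-api.eu-west-1.avsvmcloud.com
2020-06-16T11:02:45Z ws042 A www.bing.com
"""
# Constructed: when each host received the Orion update.
SAMPLE_UPDATE_DATES = {"orion01": datetime(2020, 6, 1)}

Finding = Tuple[str, str, str, int]   # (kind, host, value, days_since_update or -1)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of a DNS label."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse(log: str) -> Iterator[Tuple[datetime, str, str]]:
    for line in log.splitlines():
        ts, host, _qtype, qname = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, qname.lower().rstrip(".")


def registrable(qname: str) -> str:
    return ".".join(qname.split(".")[-2:])


def hunt(log: str, update_dates: Dict[str, datetime],
         min_label_len: int = 16, min_entropy: float = 3.0) -> List[Finding]:
    findings = set()
    first_seen: Dict[Tuple[str, str], datetime] = {}
    for ts, host, qname in parse(log):
        domain = registrable(qname)
        if domain in KNOWN_C2_DOMAINS:
            findings.add(("known_c2", host, qname, -1))
        label = qname.split(".")[0]
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy:
            findings.add(("dga_like_label", host, qname, -1))
        # Internal names and the pre-update baseline are not "new external".
        if qname.endswith(INTERNAL_SUFFIXES) or domain in BASELINE_DOMAINS:
            continue
        key = (host, domain)
        if key in first_seen:
            continue
        first_seen[key] = ts
        updated = update_dates.get(host)
        if updated is not None and ts >= updated:
            findings.add(("new_external_domain", host, domain, (ts - updated).days))
    return sorted(findings)


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG, SAMPLE_UPDATE_DATES):
        print(finding)
```

On the sample data the C2 domain shows up as a new external domain 13 days after the update, which is exactly the window a “what changed right after we patched?” hunt of a day or two would miss. Tune `min_label_len` and `min_entropy` against your own resolver logs before trusting the label heuristic; CDNs and some SaaS hostnames will trip it.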

What can you do to protect your institution against the SolarWinds hack?

The situation is still evolving, so the current best course is to work with the SolarWinds help desk to resolve the threat. You can follow the latest information through these Twitter hashtags:

  1. #SolarWinds
  2. #SolarWindsOrion
  3. #UNC2452
  4. #APT29
  5. #CozyBear
  6. #SunBurst

DHS guidelines against the SolarWinds hack

The Department of Homeland Security (DHS), through CISA’s Emergency Directive 21-01, has also issued guidelines. Here is a summary:

  1. Forensically image system memory and the host operating system of every instance hosting SolarWinds Orion NMS.
  2. Analyze for unusual activity such as new user, service or application accounts and privilege changes.
  3. Analyze for unusual traffic such as new external DNS requests and other indicators of compromise.
  4. Disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from the network. Future communication from CISA will clarify which version to install and how to obtain it securely.
  5. Block all traffic to and from hosts external to the enterprise where SolarWinds Orion was installed.
  6. Identify and remove all threat-actor-controlled accounts.
  7. After (and only after) all threat-actor-controlled accounts and identified persistence mechanisms have been removed:
    1. Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.
    2. Rebuild hosts monitored by the SolarWinds Orion monitoring software using trusted sources.
    3. Reset all credentials used by or stored in SolarWinds software. Such credentials should be considered compromised.
    4. Take action to remediate kerberoasting, including, as necessary or appropriate, engaging a third party with experience eradicating APTs from enterprise networks.
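The following is an added example, not from the original post and not CISA’s or SolarWinds’ code. It implements triage for two of the steps above over a constructed, simplified export of Windows Security events: step 2 (new accounts and privilege changes: event 4720 for an account created, 4728/4732 for a member added to a global or local group) and step 7.4 (kerberoasting: event 4769 service-ticket requests with RC4 encryption, TicketEncryptionType 0x17, for user SPNs, several distinct services from one requester in a short burst). The CSV layout, account names, hosts and IPs are constructed; in a real export from `Get-WinEvent` or a SIEM the `subject` column of a 4769 row corresponds to the requesting account (TargetUserName) and would need to be mapped accordingly.

```python
"""Added example (not from the original post, not CISA's or SolarWinds' code).

Triage over a constructed, simplified export of Windows Security events:
  * 4720 = account created, 4728/4732 = member added to a global/local group
  * 4769 = Kerberos service ticket requested; RC4 (0x17) for a user SPN,
    several distinct services from one requester, is the kerberoasting shape.

Assumptions: the CSV columns, account names, hosts and IPs are constructed.
For 4769 rows, "subject" here is the requesting account (TargetUserName).
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}
RC4_HMAC = "0x17"   # etype a roasting tool asks for, so the hash is crackable

# Constructed export. Columns mirror the relevant 4720/4728/4732/4769 fields.
SAMPLE_EVENTS = """\
time,event_id,subject,target,group,service,enc_type,client_ip
2020-12-10T01:02:03Z,4720,svc_orion,backup_adm,,,,
2020-12-10T01:02:10Z,4732,svc_orion,backup_adm,Administrators,,,
2020-12-10T01:05:00Z,4769,backup_adm,,,MSSQLSvc/db01.corp.example:1433,0x17,10.1.2.3
2020-12-10T01:05:01Z,4769,backup_adm,,,HTTP/web01.corp.example,0x17,10.1.2.3
2020-12-10T01:05:02Z,4769,backup_adm,,,CIFS/fs01.corp.example,0x17,10.1.2.3
2020-12-10T01:05:03Z,4769,backup_adm,,,krbtgt,0x12,10.1.2.3
2020-12-10T08:00:00Z,4769,alice,,,WS042$,0x12,10.1.5.9
"""

Finding = Tuple[str, str, str]   # (kind, account, detail)


def triage(export: str, roast_threshold: int = 3) -> List[Finding]:
    findings: List[Finding] = []
    rc4_requests: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export)):
        eid = row["event_id"]
        if eid == "4720":
            findings.append(("new_account", row["target"],
                             f"created by {row['subject']}"))
        elif eid in ("4728", "4732") and row["group"] in PRIVILEGED_GROUPS:
            findings.append(("privileged_group_add", row["target"],
                             f"added to {row['group']} by {row['subject']}"))
        elif eid == "4769":
            svc = row["service"]
            # Machine accounts (trailing $) and the krbtgt ticket are not
            # roastable targets; RC4 for a user SPN is the signal.
            if row["enc_type"] == RC4_HMAC and svc != "krbtgt" and not svc.endswith("$"):
                rc4_requests[(row["subject"], row["client_ip"])].add(svc)
    for (account, ip), services in rc4_requests.items():
        if len(services) >= roast_threshold:
            findings.append(("kerberoast_burst", account,
                             f"{len(services)} RC4 service tickets from {ip}: "
                             + ", ".join(sorted(services))))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The RC4 signal only works if your domain has AES enabled for service accounts; if everything still negotiates RC4, lower the bar to “many distinct SPNs from one principal in minutes” and treat the etype as secondary. Either way, the remediation CISA asks for is the same: rotate the affected service-account passwords (and krbtgt, twice) rather than just deleting the attacker’s accounts.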

My 2 cents

  1. Assume every SolarWinds Orion installation is compromised (even releases from before March 2020) and monitor it continuously until proven otherwise.
  2. Block internet traffic to as many servers as you can.
  3. If you are paranoid (and you have the right to be, even after applying the SolarWinds patch), remember that the attackers may have created additional backdoors. The nuclear option is to rebuild your most critical servers from scratch on a separate network, hardened to the CIS Benchmarks and NIST SP 800-53.

What can you do to protect YOURSELF against the SolarWinds hack?

This particular issue affects large institutions far more than individuals, but see the “General Security Recommendations” section of this article.

General Security Recommendations

  1. Don’t give any user or application more access than it needs.
  2. Always use TLS or an encrypted tunnel, even inside a VPN, to prevent man-in-the-middle attacks.
  3. Use DNS over TLS or DNS over HTTPS so DNS answers cannot be tampered with in transit.
  4. Know what your most important data and intellectual property (IP) is, and keep it on a separate network from the rest.
  5. Only install what you really need.
  6. Have an outbound firewall as well as an inbound one, especially around your critical data and IP.
  7. Put additional firewall layers in front of your important data and IP, controlled by a different user or application than the one in front of it.
  8. Never reuse a password.
  9. Use two-factor authentication.
  10. Use the CIS Benchmarks.
  11. Use NIST SP 800-53 or a similar control framework.
  12. At some level cybersecurity is a cat-and-mouse game, so subscribe to a security alert mailing list such as CISA’s.

This list is in no way complete; it is just a beginning.

About Me

I am a Lead Software Engineer at the University of Kansas Medical Center; you can read more about me on my homepage.


Further reading on the SolarWinds hack

  • The Massive SolarWinds Hack Explained in Context

Disclosure: This article is my own opinion, for entertainment and educational purposes only, and it may be inaccurate, as anything written by a human can be. The ideas in this article are not those of my current or past employers.

53 thoughts on “2020-2021 SolarWinds hack explained in detail by a software engineer.”

  1. Parshottambhai Baldevdas Patel

    Easy to understand and implement
    Great efforts.
    Focus on a very important issue.
    Hope your deep knowledge be used again and again on such important Issues

  2. Holly

    I’m not positive where you are getting your information, but great topic.

    I need to spend a while finding out more or working
    out more. Thank you for the great information; I was in search of this info
    for my mission.

    Here is my page Learn Software Engineering

  3. Jeff

    Thank you for this very good post. I was wanting to know whether you were planning on publishing similar posts to this.
    Keep up writing superb content articles!

    My web page – car donation tax

  4. Running

    Good blog! I really love how it is simple on my eyes and the data are well written. I’m wondering how I could be notified when a new post has been made. I have subscribed to your feed which must do the trick! Have a great day!

  5. Black Hairstyles

    Thank you, I have just been searching for info approximately this topic for a long time and yours is the best I have found out so far. But, what concerning the conclusion? Are you positive concerning the source?

  6. Yvonne

    I always spent my half an hour to read this
    weblog’s articles daily along with a cup of coffee.
    0mniartist asmr

  7. Henrietta

    Hello, after reading this amazing piece of writing i am
    also delighted to share my knowledge here with friends.
    0mniartist asmr

  8. Joann

    This is a topic that’s close to my heart… Take care!
    Exactly where are your contact details though? asmr 0mniartist

  9. Aleisha

    Have you ever considered writing an e-book or guest authoring on other
    sites? I have a blog centered on the same subjects you discuss and would love
    to have you share some stories/information. I know my viewers would value your work.
    If you are even remotely interested, feel free to
    send me an e-mail. asmr 0mniartist

  10. Bernadine

    You made some good points there. I looked on the internet for more info about the issue and found most
    individuals will go along with your views on this web site.

    my homepage: Berniece

  11. Vaughn

    Hello, its pleasant piece of writing on the topic of media print, we
    all understand media is a fantastic source of information.

    Feel free to surf to my blog … Kraig

  12. Ekonomia Portal

    I like how you manage to communicate your opinion effectively while keeping the content simple to understand for anyone regardless of his knowledge on the subject.

  13. Crave Freebies

    Well I truly enjoyed reading it. This article procured by you is very effective for proper planning.

  14. Freebies

    Does your site have a contact page? I’m having a tough time locating it but, I’d like to send you an email. I’ve got some recommendations for your blog you might be interested in hearing. Either way, great blog and I look forward to seeing it grow over time.

  15. Fashion Styles

    Everyone loves what you guys are usually up too. Such clever work and coverage! Keep up the amazing works guys I’ve added you guys to my own blogroll.

  16. Alana

    Nice post. I learn something new and challenging
    on websites I stumbleupon every day. It’s always helpful to
    read content from other authors and practice a little something from their web sites.

    Here is my webpage; CNC routing speaker sides

  17. Hairstyles Vip

    Of course, what a magnificent blog and informative posts, I definitely will bookmark your blog.All the Best!

  18. Crave Freebies

    Oh my goodness! an incredible article dude. Thanks Nonetheless I am experiencing subject with ur rss. Don’t know why Unable to subscribe to it. Is there anybody getting identical rss problem? Anybody who is aware of kindly respond. Thnkx

  19. Crave Freebies

    It’s really a cool and helpful piece of info. I am satisfied that you just shared this helpful info with us. Please keep us up to date like this. Thanks for sharing.

  20. Fashion Styles

    Wonderful work! That is the type of information that should be shared around the net. Disgrace on the search engines for not positioning this publish higher! Come on over and talk over with my site . Thanks =)

  21. Freebies

    It’s really a cool and helpful piece of information. I am glad that you just shared this helpful info with us. Please keep us up to date like this. Thank you for sharing.

  22. I Fashion Styles

    You could certainly see your expertise in the work you write. The world hopes for more passionate writers like you who aren’t afraid to say how they believe. Always follow your heart.

  23. Hairstyles Vip

    Very well written post. It will be helpful to everyone who usess it, as well as myself. Keep up the good work – i will definitely read more posts.

  24. I Fashion Styles

    Great post. I was checking constantly this blog and I’m impressed! Very helpful information particularly the last part 🙂 I care for such info much. I was looking for this certain information for a very long time. Thank you and best of luck.


    Hey very cool blog!! Man .. Excellent .. Amazing .. I will bookmark your website and take the feeds also… I am happy to find numerous useful information here in the post, we need work out more techniques in this regard, thanks for sharing. . . . . .

  26. Hairstyles

    Sweet blog! I found it while browsing on Yahoo News. Do you have any tips on how to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Many thanks

  27. Fashion Trends

    Just want to say your article is as astonishing. The clearness for your publish is just great and i could assume you’re an expert on this subject. Well together with your permission allow me to grab your feed to stay updated with impending post. Thanks a million and please continue the enjoyable work.

  28. Dorathy Zorc

    Spot on with this write-up, I actually believe that this website needs far more attention. I’ll probably be back again to read more, thanks for the information!

  29. Fashion Styles

    You’re so cool! I don’t suppose I’ve read anything like this before. So good to search out somebody with some authentic ideas on this subject. Really thank you for beginning this up. This website is something that is wanted on the web, somebody with slightly originality. Helpful job for bringing one thing new to the internet!

  30. Shanna Poppert

    I seriously love your blog. Excellent colors & theme. Did you make this website yourself? Please reply back as I’m wanting to create my very own blog and want to know where you got this from or exactly what the theme is called. Kudos!

  31. Jacqueline

    Incredible points. Great arguments. Keep up the good spirit.

    Also visit my web blog :: Ron

  32. Penney

    Howdy! This article couldn’t be written much better!
    Reading through this post reminds me of my previous roommate!
    He constantly kept preaching about this. I will send this article to him.
    Fairly certain he’ll have a good read. Thank you for sharing!

    my web-site: Cheryle

  33. Chung Lejeune

    It’s nearly impossible to find experienced people about this subject, but you seem like you know what you’re talking about! Thanks

  34. Fred

    Pretty portion of content. I just stumbled
    upon your blog and in accession capital to say that I get actually enjoyed account your weblog posts.
    Any way I will be subscribing in your augment and even I fulfillment
    you get right of entry to constantly fast.

    my web page; Dann

  35. William

    Do you mind if I quote a couple of your posts as long as I provide
    credit and sources back to your website? My blog is in the very same niche as yours
    and my visitors would really benefit from a lot of the information you
    provide here. Please let me know if this alright with you.

    Thanks a lot!

    Also visit my web blog; Marti


    Excellent items from you, man. I’ve consider your stuff previous to and you are just too fantastic. I actually like what you’ve got right here, really like what you’re saying and the way in which wherein you are saying it. You are making it enjoyable and you continue to take care of to stay it sensible. I can not wait to read far more from you. That is actually a wonderful web site.

  37. Tamara

    My partner and I stumbled over here by a different page and
    thought I may as well check things out. I like what I see so i am just following
    you. Look forward to exploring your web page yet again.

    Look at my website: google

  38. Holidays

    Excellent post. I used to be checking continuously this weblog and I am inspired! Very useful information specifically the ultimate phase 🙂 I take care of such info a lot. I used to be seeking this certain info for a long time. Thank you and best of luck.

  39. zovrelioptor

    I have recently started a web site, the info you offer on this web site has helped me greatly. Thank you for all of your time & work.

  40. Gretta Winzelberg

    Hi, I do believe this is an excellent website. I stumbled upon it 😉 I may revisit once again since I have saved it as a favorite. Money and freedom is the greatest way to change, may you be rich and continue to guide others.


    I feel that is one of the such a lot significant information for me. And i’m satisfied reading your article. But should statement on few basic things, The web site taste is wonderful, the articles is in reality great : D. Excellent activity, cheers


    Hi there! I simply would like to give a huge thumbs up for the nice information you will have right here on this post. I will likely be coming again to your blog for more soon.


    Just want to say your article is as amazing. The clearness in your post is simply excellent and i could assume you are an expert on this subject. Fine with your permission allow me to grab your feed to keep updated with forthcoming post. Thanks a million and please continue the rewarding work.


    Wow, awesome blog layout! How long have you been blogging for? you made blogging look easy. The overall look of your website is excellent, let alone the content!

Comments are closed.