The 2020 FireEye and SolarWinds Breach: What Can We Learn From It?

Since early December, media outlets have been busy covering details of one of the biggest cyberattacks in U.S. history. It all started early in March 2020 when Malware was injected into SolarWinds’ Orion software, which is used by many large government and enterprise organizations. The cyberattack was first detected by FireEye—a customer of SolarWinds, that noticed suspicious behavior in its own environment. Many organizations that have used malware-tainted Orion software may have been impacted.

If you are a TitanFile customer, please rest assured that our company was not impacted by the FireEye / SolarWinds breaches. Neither our company nor our suppliers use services or products provided by FireEye or SolarWinds.

More details about the breach and what we can learn from it below.

The SolarWinds / FireEye Breach

About FireEye

FireEye is a publicly-traded cybersecurity company headquartered in Milpitas, California. The company works with organizations to detect cyberattacks and prevent future attacks.

About SolarWinds

SolarWinds is a software company headquartered in Austin, Texas. The company develops software that helps organizations manage their networks, systems, and information technology infrastructures.

What happened?

On December 8th, 2020, FireEye admitted to falling victim to a cyberattack. The attackers gained access to the red team assessment tools that FireEye uses to test its customers’ security infrastructures. “This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye,” stated Kevin Mandia, CEO of FireEye.

On the same day, FireEye released over 300 countermeasures for its customers and the community to minimize the potential impact of the leakage of red team assessment tools.

After a deeper investigation, FireEye came out on December 13th, 2020 with more details on how the breach in their environment had occurred. Evidence pointed to a supply chain attack on the IT software provider—SolarWinds, that happened as early as Spring 2020. The attackers injected malware (now named SUNBURST) into SolarWind’s Orion IT monitoring and management software on app versions 2019.4 through 2020.2.1 that were released between March 2020, and June 2020.

FireEye states that the main motivation behind SUNBURST is likely to be espionage by exfiltrating data. More details about SUNBURST can be found here.

Organizations that installed the above versions of the Orion software may have been impacted. While SolarWinds currently has over 300,000 total customers, only 33,000 of its customers were using Orion software, and not all of them installed the malware-laced update. “SolarWinds currently believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000,” the company stated in a filing to the U.S. Securities and Exchange Commission. Victims include organizations in government, consulting, technology, healthcare, telecom, and oil and gas entities in North America, Europe, Asia, and the Middle East.

At this point in time, we do not know for certain how many organizations have been impacted or how much information was accessed or stolen.

What can we learn from the SolarWinds / FireEye Breach?

There are lessons to be learned with every breach. These lessons can help us strengthen the security foundations in our organizations. Here are some of our takeaways:

1. Any organization, no matter how secure, is still vulnerable

Your organization is most vulnerable when you think it’s invulnerable.

FireEye and SolarWinds are both trusted leaders in providing cybersecurity services and software, however, they still fell victim to a breach. This goes to show that no matter how secure you think your organization is, your cyber attack prevention measures will never be perfect.

In the SolarWinds and FireEye breaches, the attackers used a novel set of tools to compromise security. Hackers are only taking more sophisticated approaches over time and sometimes these attacks can go undetected for an extensive period of time.

2. Do not put all your faith in your security or tech suppliers

Following the point made above, you need to ask yourself “What will happen if one of our suppliers gets compromised? Do we have a failsafe?”

If you solely rely on your suppliers to maintain all aspects of security at your organization, then when your suppliers fail, your organization’s security may be compromised as well.

Steps you should take

1. Find out if your organization was impacted

Even if your organization does not directly use SolarWinds’ products, your organization may be working with other services or software suppliers that do. It is important that you request more information from those suppliers.

Here is a list of questions you can ask your suppliers:

  1. Do you have SolarWinds Orion versions (2019.4 HF 5 and 2020.2 with no hotfix installed or 2020.2 HF 1) in your environment?
  2. If yes, did you take the Orion software offline?
  3. What other steps have you taken to secure your environment?

Depending on the answers you receive, you can work with your suppliers on solutions to mitigate the impact on your organization.

2. Pay attention to updates

Every day, new details related to the breach are released. It’s important that you understand what is going to see how the breaches may impact your organization and also learn how to adapt your security infrastructure to avoid any potential breaches.

You can visit the SolarWinds security advisory and FireEye’s website for ongoing updates.