
Obviously there is a massive amount of information about the SolarWinds Orion hack itself, i.e. the malicious DLL injected into the update: https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

But how did the SolarWinds company themselves get infiltrated? Are details of that available?

Also, was the update to the Orion software put live on their HTTP source by the hackers, or approved and put live by someone within the company?

How was the code injected into the DLL? In the source code or post-build?

I’m looking for technical details about the source of the compromise, not the chain reaction from it.

Ethan Allen
  • There is a lot of information in the media already, but as far as I can see no details on what you are asking. You will find no unpublished information here, because either we don't have the information or we cannot share it. – Steffen Ullrich Dec 18 '20 at 22:31
  • This article claims it was at the source code level and even talks about some of the techniques used to camouflage the changes: https://thehackernews.com/2020/12/new-evidence-suggests-solarwinds.html It even mentions a GitHub page that listed FTP logins?! (The article doesn't seem all that reliable to me, but who knows?) – pcalkins Dec 18 '20 at 23:42
  • Until this information is made public after the investigation, this is unanswerable here. – Rory Alsop Dec 19 '20 at 15:35
  • if it's true that they leaked an FTP login on a public GitHub they could have overwritten a release or beta version with a trojan. QA would have run that code and been compromised... which would then give them access needed to modify source code directly. Once inside the source they get signed along with the real code... So all it would take is one tester not checking a hash one time... they wouldn't be able to detect it at all once they were into the source. – pcalkins Dec 19 '20 at 17:50
  • "Sunspot" was used to inject code during build process: https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/ It's much more sophisticated than I imagined and I see why they think this was a nation state-actor. – pcalkins Jan 12 '21 at 22:27
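The last two comments describe the pattern that matters for the question: code injected during the build rather than committed to source, and a hash check as the control that would have to be skipped for it to go unnoticed. The example below is added here and is not code from the question, from any commenter, or from the CrowdStrike analysis; it simulates a swap-compile-restore tamper on a constructed source tree (the file name Inventory.cs and the stand-in compiler are hypothetical) and shows why a post-build hash of the tree sees nothing while a hash taken at the moment the compiler reads each file does.

```python
"""
Added example, not from the page: detecting a build-time source swap where a
file is replaced only while the compiler reads it and restored afterwards.
All paths, file contents and the "compiler" are constructed stand-ins.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """SHA-256 of a file, read in chunks so large sources do not load whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map every file under root (POSIX-style relative path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(expected, observed):
    """Observed files whose hash differs from the committed (expected) tree."""
    return sorted(k for k, v in observed.items() if expected.get(k) != v)


def fake_compile(root, consumed):
    """Stand-in compiler: 'reads' each .cs source and records its hash at read
    time. A real build would collect this via a build-system hook or by
    hashing the inputs the compiler is actually handed."""
    root = Path(root)
    for p in sorted(root.rglob("*.cs")):
        consumed[p.relative_to(root).as_posix()] = sha256_file(p)


def tampering_build(root, consumed, target, payload):
    """Simulates the swap-compile-restore pattern: put a modified file in place
    just before the compiler reads it, then restore the original afterwards so
    the working tree looks untouched once the build finishes."""
    original = target.read_bytes()
    target.write_bytes(payload)
    try:
        fake_compile(root, consumed)
    finally:
        target.write_bytes(original)


def run_demo():
    """Build a constructed source tree, tamper with it during the build, and
    return what each kind of check reports."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "src").mkdir()
        target = root / "src" / "Inventory.cs"  # hypothetical file name
        target.write_text("class Inventory { /* clean */ }\n")
        (root / "src" / "Other.cs").write_text("class Other {}\n")

        committed = snapshot(root)          # hashes of the checked-out tree
        consumed = {}                       # hashes as the compiler saw them
        tampering_build(root, consumed, target,
                        b"class Inventory { /* modified during build */ }\n")
        post_build = snapshot(root)         # tree after the build finished

        return {
            "post_build_diff": diff_snapshots(committed, post_build),
            "compile_time_diff": diff_snapshots(committed, consumed),
        }


if __name__ == "__main__":
    print(run_demo())
```

The post-build comparison comes back empty because the original file was written back before anyone looked; only the hashes recorded while the compiler consumed its inputs expose src/Inventory.cs. The practical takeaway is that a hash check on the checked-out tree, or on the tree after the build, is the wrong place for this control; it has to be tied to what the compiler actually read, or replaced by an independent rebuild from a clean checkout whose output is compared against the released binary.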

0 Answers