Pretty simple hack in concept – alleged Russian actors hacked an update package for Solarwinds Orion software (a sophisticated software for enterprise and institutional managing network resources).
This is an extremely crafty hack. An update package from Solarwinds Orion is uploaded onto the Solarwinds site. It’s even digitally signed.
According to Fireeye’s excellent writeup:
The trojanized update file is a standard Windows Installer Patch file that includes compressed resources associated with the update, including the trojanized SolarWinds.Orion.Core.BusinessLayer.dll component. Once the update is installed, the malicious DLL will be loaded by the legitimate SolarWinds.BusinessLayerHost.exe or SolarWinds.BusinessLayerHostx64.exe (depending on system configuration). After a dormant period of up to two weeks, the malware will attempt to resolve a subdomain of avsvmcloud[.]com. The DNS response will return a CNAME record that points to a Command and Control (C2) domain. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications. The list of known malicious infrastructure is available on FireEye’s GitHub page.
And now, it looks like the US Government may have been seriously compromised.
This is kind of a big deal…
Malwarebytes also has some good coverage as well, as does Prevasio