SolarWinds Breach Incident Score: Analysis & Impact (SOL5303053112125)

In this Rankiteo incident briefing, we review the SolarWinds breach identified under incident ID SOL5303053112125.

The analysis begins with a detailed overview of SolarWinds's information like the linkedin page: https://www.linkedin.com/company/solarwinds, the number of followers: 277770, the industry type: Software Development and the number of employees: 2599 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 764 and after the incident was 704 with a difference of -60 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on SolarWinds and their customers.

On 13 December 2020, SolarWinds disclosed cyberespionage, supply-chain attack and APT (Advanced Persistent Threat) issues under the banner "SolarWinds Sunburst Cyberespionage Campaign (2020)".

The SolarWinds cyberespionage incident, attributed to Russian threat actors, involved a supply-chain attack via the SolarWinds Orion software.

The disruption is felt across the environment, affecting SolarWinds Orion software, federal agency networks (at least 9) and hundreds of private-sector companies, and exposing government agency data, corporate intellectual property and email communications.

In response, teams activated the incident response plan, moved swiftly to contain the threat with measures like isolation of compromised SolarWinds Orion instances, network segmentation and revocation of compromised credentials, and began remediation that includes software patches, forensic analysis and enhanced monitoring, while recovery efforts such as rebuilding trusted environments, customer notifications and regulatory reporting continue, and stakeholders are being briefed through public disclosures, customer advisories and coordination with federal agencies.

The case underscores how closed (SEC case dropped; forensic investigations concluded), teams are taking away lessons such as Supply-chain attacks require heightened third-party risk management, Transparency in breach disclosures is critical but must balance legal and operational risks and Collaboration with federal agencies is essential for large-scale incident response, and recommending next steps like Implement zero-trust architectures to limit lateral movement in supply-chain attacks, Enhance software integrity checks (e.g., code signing, build environment security) and Develop clearer guidelines for public-private collaboration during nation-state cyber incidents, with advisories going out to stakeholders covering Federal agencies (CISA, FBI), affected corporate customers and investors.

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Supply Chain Compromise: Compromise Software Supply Chain (T1195.002) with high confidence (100%), with evidence including compromised software update (SolarWinds Orion), and supply-chain compromise via trojanized SolarWinds Orion software updates. Under the Execution tactic, the analysis identified Command and Scripting Interpreter: Visual Basic (T1059.005) with moderate to high confidence (80%), supported by evidence indicating sunburst malware (trojanized Orion updates) (known to use VB scripts for execution) and Command and Scripting Interpreter: JavaScript (T1059.007) with moderate to high confidence (70%), supported by evidence indicating sunburst malware (reportedly used JavaScript in later-stage payloads). Under the Persistence tactic, the analysis identified Create or Modify System Process: Windows Service (T1543.003) with high confidence (90%), supported by evidence indicating sunburst malware (created persistent services disguised as legitimate Orion processes) and Event Triggered Execution: Windows Management Instrumentation Event Subscription (T1546.003) with moderate to high confidence (80%), supported by evidence indicating sunburst (used WMI for stealthy persistence mechanisms). Under the Privilege Escalation tactic, the analysis identified Exploitation for Privilege Escalation (T1068) with moderate to high confidence (85%), supported by evidence indicating compromised network integrity and long-term forensic investigations imply privilege escalation and Valid Accounts: Cloud Accounts (T1078.004) with moderate to high confidence (80%), supported by evidence indicating network access credentials compromised; used for lateral movement in cloud/hybrid environments. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with high confidence (95%), with evidence including sophisticated malware (Sunburst) evading traditional defenses, and trojanized Orion updates (malware was obfuscated within legitimate files), Indicator Removal: File Deletion (T1070.004) with moderate to high confidence (80%), supported by evidence indicating long-term undetected access suggests cleanup of forensic artifacts, Impair Defenses: Disable or Modify Tools (T1562.001) with moderate to high confidence (75%), supported by evidence indicating delayed detection due to sophisticated malware implies disabling security tools, and Masquerading: Rename System Utilities (T1036.003) with high confidence (90%), supported by evidence indicating sunburst malware masqueraded as legitimate Orion software components. Under the Credential Access tactic, the analysis identified OS Credential Dumping: LSASS Memory (T1003.001) with moderate to high confidence (85%), supported by evidence indicating network access credentials compromised; common APT29 TTP and Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate to high confidence (70%), supported by evidence indicating corporate emails and government communications access suggests credential theft from browsers. Under the Discovery tactic, the analysis identified System Information Discovery (T1082) with high confidence (90%), supported by evidence indicating reconnaissance period such as months to years implies extensive discovery and System Network Configuration Discovery (T1016) with moderate to high confidence (85%), supported by evidence indicating targeting of high-value agency networks (Treasury, State, Energy) suggests network mapping. Under the Lateral Movement tactic, the analysis identified Remote Services: Remote Desktop Protocol (T1021.001) with moderate to high confidence (80%), supported by evidence indicating compromised network integrity and APT29’s known use of RDP for lateral movement and Remote Services: SMB/Windows Admin Shares (T1021.002) with moderate to high confidence (75%), supported by evidence indicating common APT tactic for moving between federal agency networks. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (95%), with evidence including data exfiltration such as true, and government communications, corporate emails, intellectual property collected and Screen Capture (T1113) with moderate confidence (60%), supported by evidence indicating aPT29 has historically used screen capture; implied by espionage motivation. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with high confidence (95%), supported by evidence indicating sunburst malware used HTTP/C2 over legitimate domains (e.g., avsvmcloud.com), Encrypted Channel: Symmetric Cryptography (T1573.001) with high confidence (90%), supported by evidence indicating sophisticated malware (Sunburst used encrypted C2 channels), and Proxy: External Proxy (T1090.004) with moderate to high confidence (80%), supported by evidence indicating sunburst C2 traffic routed through proxies to evade detection. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (85%), with evidence including data exfiltration such as true, and sunburst exfiltrated data via DNS and HTTP to blend with normal traffic and Exfiltration Over C2 Channel (T1041) with high confidence (90%), supported by evidence indicating exfiltration of sensitive government and corporate data via Sunburst C2. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (0%), Resource Hijacking: Utilize GPU Resources (T1496.002) with lower confidence (0%), Data Destruction (T1485) with lower confidence (0%), and Endpoint Denial of Service: Application or System Exploitation (T1499.004) with lower confidence (0%). These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.