SolarWinds provides endpoint management software to many global organisations and central governments. The SolarWinds "Orion" IT monitoring product has been identified as backdoored with previously undocumented malware known as SUNBURST; the infected versions were distributed to customers via SolarWinds' legitimate update mechanism and used to compromise high-profile government and public sector organisations.
As per SolarWinds' advisory, all software builds for versions 2019.4 to 2020.2.1, released between March 2020 and June 2020, were compromised. This means any system that received a SolarWinds Orion update to a build between these versions is at risk of compromise or has already been compromised.
SolarWinds estimate that up to 18,000 organisations received an affected update. However, it is important to note that just because an organisation has received an affected update does not mean they were compromised - it means they were vulnerable. The number of organisations compromised through the backdoored update is much smaller and focused on specific sectors. Reporting from FireEye suggests this is approximately 50.
In brief:
The first backdoored SolarWinds Orion version was released for download in March 2020. However, earlier activity linked to this attack has been identified:
Security researchers identified other unauthorised modifications to the SolarWinds Orion code going back as far as October 2019 - it is likely that these were "test runs" performed by the same attacker responsible for the backdoor, to validate their ability to release modified code.
The earliest domain registration date linked to this attack was in August 2019.
This attack is certainly sophisticated and has had far-reaching impacts, but characterising this as "the biggest" or "the worst" cyber attack is unlikely to stand up to scrutiny.
The "NotPetya" destructive malware attack in 2017 caused "more than $10 billion in total damages" according to a senior US Government cyber security adviser.
The "WannaCry" ransomware attack in 2017 (attributed by the US and UK government to North Korea) infected over 200,000 computers worldwide. In particular, this attack impacted the UK's National Health Service causing "thousands of appointments and operations" to be cancelled and multiple emergency care departments to redirect patients as they were unable to effectively operate.
Our front-line cyber teams are working with governments and clients around the world to help identify those organisations targeted in this attack, and ensure a rapid response. Relevant services include:
Our technical and strategic threat intelligence teams have an in-depth understanding of the technical capabilities displayed by this attacker, the operational techniques used, and the strategic context.
We can help customers prioritise defensive controls and understand the risk of exposure, and provide threat intelligence subscription services, and directed research.
Our privileged access management team provides a range of assurance, advisory and implementation services which help organisations to identify high-risk or high-value identities, and design and implement technical controls to mitigate the risk of compromise.
They have extensive experience working with a range of identity technologies including Microsoft's Active Directory, CyberArk, SailPoint, and more.
Our cyber incident response teams can help organisations respond to, remediate, and recover from sophisticated and targeted cyber attacks.
We are able to provide end-to-end support, including hands-on digital forensics and intrusion analysis, malware reverse engineering, incident management and coordination, and board-level crisis support.
Anthony Leung Shing
Country Senior Partner, Tax Leader, PwC Mauritius
Tel: +230 404 5071
Vikas Sharma
Regional Consulting & Risk Services (C&RS) Leader, PwC Mauritius
Tel: +230 404 5015
Ariane Serret
Senior Manager, Clients and Markets Development, PwC Mauritius
Tel: +230 404 5029