Microsoft and FireEye Customers Threatened By Supply Chain Cyberattacks

January 7, 2021

To close out 2020, in early December FireEye, one of the largest cybersecurity firms in the US, discovered that it had been breached through the Orion software of one of its vendors, SolarWinds, via malicious updates distributed between roughly March and June 2020. FireEye notified SolarWinds on December 12, 2020, and over the following weeks investigators pieced together a highly sophisticated intrusion campaign that experts now refer to as the SUNBURST SolarWinds Orion supply-chain attack.

From March to June 2020, a backdoor was shipped to customers inside legitimate, signed SolarWinds Orion software updates, specifically the Orion Platform builds from 2019.4 HF5 through 2020.2 HF1. Up to 18,000 customers, FireEye among them, installed one of these updates, although only a small subset of them were then singled out for follow-on intrusion.

FireEye is the firm Equifax brought in to investigate its infamous 2017 breach. FireEye's own systems are very well defended, but that is the thing about third-party risk management: you are only as strong as your weakest link. This attack is a good reminder that cybersecurity is a dynamic, continuous, and collaborative activity. Even the best-defended organizations, including security vendors such as FireEye, Symantec, Kaspersky, and Trend Micro, are not immune to breaches just because defending against them is their job.

In FireEye's case, the attackers used the SUNBURST backdoor in the trojanized Orion network-management software to get inside and steal FireEye's Red Team assessment tools, the toolkit FireEye uses to probe its own clients' defenses. The same backdoor gave them a foothold in multiple parts of the US government, which is particularly concerning when read alongside FireEye CEO Kevin Mandia's comment: "This attack is different from the tens of thousands of incidents we have responded to throughout the years. The attackers tailored their world-class capabilities specifically to target and attack FireEye." Adversaries are getting more organized and aiming for bigger targets, often many at once, which is why compromising a widely deployed vendor like SolarWinds is such an effective way into otherwise well-defended networks.

Microsoft was also affected by SUNBURST and addressed the issue on December 17, a few days after FireEye's disclosure, confirming that its investigation had found malicious SolarWinds binaries matching the SUNBURST attack in its own environment. The next day, December 18, Microsoft published a full analysis of the compromised SolarWinds Orion Platform DLL (SolarWinds.Orion.Core.BusinessLayer.dll) detailing the attack methods, malware components, and mitigation strategies, plus a little surprise: "In an interesting turn of events, the investigation…led to the discovery of an additional malware that also affects the SolarWinds Orion product but has been determined to be likely unrelated to this compromise and used by a different threat actor."

Microsoft was not alone in finding a second backdoor in SolarWinds Orion while investigating SUNBURST. Palo Alto Networks' Unit 42 and GuidePoint Security also published analyses of this second implant, named SUPERNOVA, a web shell planted in the Orion web application rather than delivered through the update channel. All three, along with other leading researchers, assess that SUPERNOVA is not associated with the SUNBURST trojan or the initial supply-chain compromise. In other words, two distinct attacks by two independent actors on the same widely deployed platform.

In response to the incidents, SolarWinds has been updating its security advisory and has released hotfixes that address both SUNBURST and SUPERNOVA. The investigations are still ongoing, and victims have to be identified one by one; Microsoft alone has notified more than 40 of its customers that were specifically targeted.
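The first question every Orion customer had to answer was whether any of their servers ran one of the trojanized builds named above and whether they had since been moved to a hotfix that removes both implants. The script below is an added example written for this page, not code from SolarWinds, FireEye or Microsoft: it parses Orion Platform version strings as they appear in the web console or in SolarWinds' advisory, flags the builds SolarWinds identified as carrying SUNBURST (2019.4 HF5, 2020.2 with no hotfix, 2020.2 HF1), and checks whether a host is at or above the fix hotfix for its release line. The fix versions (2019.4 HF6 and 2020.2.1 HF2) are taken from the SolarWinds advisory as of mid-December 2020 and should be re-checked against the current advisory before relying on them; the host inventory is constructed sample data.

```python
import re
from typing import Dict, Optional, Tuple

# Version tuple: (major, minor, patch, hotfix); "2020.2 HF 1" -> (2020, 2, 0, 1)
Version = Tuple[int, int, int, int]

# Accepts "2019.4 HF5", "2020.2", "2020.2.1 HF 2", optionally prefixed with
# "Orion Platform" as the web console shows it.
_VERSION_RE = re.compile(
    r"^\s*(?:Orion\s+Platform\s+)?(\d{4})\.(\d+)(?:\.(\d+))?\s*(?:HF\s*(\d+))?\s*$",
    re.IGNORECASE,
)


def parse_orion_version(text: str) -> Optional[Version]:
    """Return the version tuple for an Orion Platform version string, or None
    if the string does not look like an Orion Platform version at all."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, hf = m.groups()
    return (int(major), int(minor), int(patch or 0), int(hf or 0))


# Builds SolarWinds identified as shipping the SUNBURST backdoor.
SUNBURST_BUILDS = {(2019, 4, 0, 5), (2020, 2, 0, 0), (2020, 2, 0, 1)}

# Per release line, the first hotfix (per the mid-December 2020 advisory;
# re-verify against the current advisory) that removes the trojanized DLL
# and also addresses the SUPERNOVA web shell.
FIXED_FROM: Dict[Tuple[int, int], Version] = {
    (2019, 4): (2019, 4, 0, 6),
    (2020, 2): (2020, 2, 1, 2),
}


def classify(text: str) -> str:
    """Classify one Orion version string:
    - "unparseable":          not an Orion Platform version string
    - "sunburst-affected":    one of the three trojanized builds
    - "patched":              at or above the fix hotfix for its release line
    - "older-than-fix":       same release line as a trojanized build but not
                              itself trojanized and still below the fix hotfix
                              (for example 2020.2.1 HF1, which predates HF2)
    - "not-a-sunburst-build": a release line that never carried SUNBURST
    """
    v = parse_orion_version(text)
    if v is None:
        return "unparseable"
    if v in SUNBURST_BUILDS:
        return "sunburst-affected"
    fixed = FIXED_FROM.get(v[:2])
    if fixed is None:
        return "not-a-sunburst-build"
    return "patched" if v >= fixed else "older-than-fix"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for a {hostname: version string} inventory."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "orion-prod-01": "Orion Platform 2020.2 HF1",
    "orion-prod-02": "2020.2.1 HF2",
    "orion-lab-01": "2019.4 HF5",
    "orion-legacy": "2018.4 HF3",
    "npm-only": "NPM 12.5",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:<14} {status}")
```

Run against a real export of your Orion server list, anything reported as `sunburst-affected` is a host to treat as compromised and rebuild, not merely patch, since the backdoor gave the actor an interactive foothold; `older-than-fix` hosts should be brought to the current hotfix, and `unparseable` entries are a sign the inventory needs cleaning before it is trusted.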

If FireEye, the US government, and Microsoft can be breached through a vendor, every organization should expect attempts on its own supply chain, particularly as our reliance on third-party technology keeps growing. Data privacy and information security have become core considerations for every business, but vendor management is not always part of the plan. In legal operations in particular, your data is invaluable, so why leave its protection entirely to your vendors? Choosing a secure platform for vendor oversight is incredibly important: you need to know who has access to your systems and how they will keep them safe. The deadline for cyber readiness has already passed.

The good news is that we can help you keep a secure eye on your vendors with Counself Risk. Use Counself to send secure Requests designed specifically for law firm and vendor compliance. Firms can respond thoroughly to client due diligence and information security questionnaires, requests, and audits, and legal departments can measure and manage third-party risk conveniently, with full audit histories available for regulators.

We pride ourselves on our own dedication to safeguarding our clients' data. Counself is within the scope of the ISO/IEC 27001 certification achieved by InfiniGlobe LLC for our secure cloud platform. Learn more about security here and talk to us here.

News; Cyberattack; Supply Chain TPRM
