Blog
Forensics
SolarWinds Data Breach and SecurityMetrics Response

SolarWinds Data Breach and SecurityMetrics Response

The SolarWinds breach affects SolarWinds’ Orion products and is rapidly evolving. SecurityMetrics does NOT use SolarWinds Orion’s Network Management System tools (NMS) products.

Heff
Updated
December 14, 2022
Posted
December 17, 2020
Data Breaches
Cybersecurity
News
SolarWinds Data Breach and SecurityMetrics Response

As you may be aware, Austin-based software company SolarWinds recently experienced the largest security compromise in U.S. history. This breach affects SolarWinds’ Orion products and is rapidly evolving. SecurityMetrics does NOT use SolarWinds Orion’s Network Management System tools (NMS) products.

We want to brief you on the SolarWinds situation and notify you of the steps we are taking to protect your business. We have several partners we utilize for threat intelligence, including but not limited to, the Cybersecurity and Infrastructure Security Agency (CISA), the United States Department of Homeland Security, Utah Statewide Information and Analysis Center (SIAC), and our local Fusion Center, among others.

SolarWinds Compromise Background

  • On December 13th, Chris Bing at Reuters broke the news that a sophisticated threat adversary compromised the U.S. Treasury Department.
  • Ellen Nakashima and Craig Timberg at the Washington Post followed with more details, including that hackers specifically targeted Orion products and the threat group was believed to be APT29 (Cozy Bear / Russian SVR).
  • SolarWinds offers a wide range of tools for IT management and monitoring, including their very popular and widely used Network Management Systems (NMS) Tools.
  • These tools monitor and manage servers, networks, workstations, and devices. They communicate with multiple devices and if compromised, give threat actors opportunities to monitor and respond to events on the network, access network’s assets, and allow man in the middle (MitM) attacks.

How was SolarWinds Breached?

  • Sources continue to provide details, including what kinds of information was accessed, as the situation evolves.
  • Our threat sources indicate malware was deployed as an update for Orion from SolarWinds’ own server–digitally signed by a valid digital certificate.
  • The malicious Orion update was downloaded automatically to over 18,000 SolarWinds customers in March 2020.
  • This is not the only time we have seen state-backed, advanced persistent threats (APT) targeting software vendors or masquerading as an update.

What is SecurityMetrics doing? What should you do?

  • SecurityMetrics does NOT use SolarWinds Orion’s Network Management System tools (NMS) in our environment. SecurityMetrics network integrity has not been compromised.
  • The SecurityMetrics Threat Intelligence Center has partnered with several internal and external threat intelligence sources to maintain situational awareness of this dynamic situation.
  • Threat actors involved in this breach have changed their indicators of compromise (IoC) and are retooling, so the SecurityMetrics Threat Intelligence Center will stay informed of the behavior, tactics, techniques and procedures.
  • SecurityMetrics utilizes a variety of threat intelligence sources, including but not limited to, CISA, DHS, Utah SIAC, and the Fusion Center.
  • SecurityMetrics has partnerships with several threat intelligence sources who are providing even more intelligence on the situation and evolving indicators of compromise (IoC).
  • On Friday, December 18th, 2020, the SecurityMetrics Security Operations Center will release an episode of SecurityMetrics News, explaining the details of the hack along with a deeper explanation of mitigations and remediations.
According to FireEye, If you use SolarWinds Orion Platform, you should assume compromise. Consider blocking or limiting Orion NMS access to the net (zero trust). This should include checking your logs as far back as March 2020. Please realize NMS East/West netflow will be of limited value in your research and monitoring of network activity.
  • If you use other SolarWinds products, map your attack surface and keep a close eye on any malicious activity.
  • Use multi-factor authentication (MFA) and change your passwords regularly.
  • Perform extra diligence and please reach out to SecurityMetrics for any questions.

SolarWinds Breach Advisories and Mitigations

  1. CISA Current Activity Alert “Active Exploitation of SolarWinds Software
  2. CISA Emergency Directive 21-01, “Mitigate SolarWinds Orion Code Compromise
  3. SolarWinds Security Advisory
  4. FireEye Advisory: “Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
  5. FireEye GitHub page: “Sunburst Countermeasures”

Join Thousands of Security Professionals.

Subscribe Now

Get the Guide To PCI Compliance

Download

Get a Quote for Incident Response

Request a Quote
Stay up to date
Subscribe to our blog.
Subscribe Now
Data Security
Vulnerability ScanningPenetration TestingSecurity TrainingPANscan®SecurityMetrics VisionSecurityMetrics MobileCIS Controls AssessmentConsultingResellerForensic/Incident ResponseData and Network SecurityData Security AcademyWebpage Integrity Monitoring (WIM)Shopping Cart Inspect (PCI Req. 11.6.1)Shopping Cart Monitor (PCI Req. 11.6.1)SecurityMetrics Pulse
Compliance
GDPR CompliancePCI CompliancePCI DSS AuditPCI Level 4 ProgramPA-DSS/SSF AuditP2PE AuditPIN Security AssessmentPCI PoliciesPCI TrainingHIPAA ComplianceHIPAA PoliciesHIPAA TrainingHealth Network ProgramHITRUST
Company Info
About UsBlogGlossaryMedia RelationsCareersTerms of UsePrivacyAbuseDo Not Sell My Information
Contact
Contact UsReport a Vulnerability
SecurityMetrics podcast logoLinkedIn logoFacebook logo
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy PolicyTerms and Conditions
Your IP Address is:
YouTube logoSecurityMetrics podcast logoLinkedIn logoFacebook logo
Subscribe to our blog
Subscribe Now
© 2025 SecurityMetrics, Inc. All rights reserved.
Privacy Policy
|
Terms and Conditions
|
Your IP Address is:
000.000.000.000