B. Sajduk - The significance of the cyber-attack on SolarWinds

On December 13th, 2020, news of a security breach in the unclassified networks of several government agencies swept through the media. As it soon turned out, it was one of the most perilous and sophisticated attacks the public has heard of in recent years. The list of victims included many US Departments, including the Department of Homeland Security (DHS) and the Cyber Security and Infrastructure Agency (CISA). At least several hundred private companies around the world were also compromised.

Błażej Sajduk

KBN Commentary no. 1 (73) / 2021

12 January 2021

The attack used several vectors, but together they amount to the most dangerous type of attack, the Advanced Persistent Threat (APT). The entire operation may have started as early as mid-2018 (the creation date of the first domain included in the botnet's command and control (C2) network), although the attack itself began in March 2020 and continued until June of that year, when the malware was inserted into the source code of an update for the Orion network management software manufactured by SolarWinds, a US-based company. As a result, 18,000 entities downloaded and installed the update, exposing their own systems to the attack.

Picture credit: Pixy.org
