Adversaries understand that attacking high-profile organizations directly is tricky: it is typically harder and yields slower and fewer results. Shifting "upstream" in the software supply chain increases the number of targets and the chances of a successful infection, so adversaries often prefer this approach. A successful supply chain attack usually involves compromising software while maintaining its legitimate digital signature, implying that the attackers either modified source code in the victim's production environment or patched the software on the build servers, abusing the validity of the signing process.
FireEye disclosed yesterday that unknown attackers, whom it tracks as UNC2452, were able to compromise the code signing process of an update to Orion, the widely used network monitoring and management software from SolarWinds.
According to FireEye CEO Kevin Mandia, the attackers “tailored their world-class capabilities specifically to target and attack FireEye. They are highly trained in operational security and executed with discipline and focus” and were searching for information related to some of the company's government customers.
According to Reuters, “The U.S. government has not publicly identified who might be behind the hacking, but three of the people familiar with the investigation said Russia is currently believed to be responsible for the attack.”
The details of the attack are not yet known; however, from a statement released yesterday it is clear that SolarWinds experienced a highly sophisticated, manual supply chain attack on SolarWinds® Orion® Platform software builds for versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020.
This type of attack would suggest that SolarWinds did not adequately protect their code-signing process and possibly their code signing credentials. Had that been done, the adversaries who breached SolarWinds' security defenses would not have been able to inject malicious code into the Orion update while retaining its valid SolarWinds signature.
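The point above is that a valid signature only proves the key was used, not that what was signed is what the reviewed source produces. One defensive control is to treat signing as a gate: the signer only signs an artifact that an independent rebuild of the same reviewed source reproduces byte for byte, so code patched on a single build server fails the gate. The following is an added illustration written for this article, not Venafi's or SolarWinds' code; the toy `build` function, the in-memory key and the HMAC stand-in for a real code-signing algorithm are all assumptions made to keep it self-contained.

```python
"""Added example (not Venafi's or SolarWinds' code): a code-signing gate that
refuses to sign a build artifact unless an independent rebuild of the same
reviewed source yields an identical digest. All names are hypothetical."""
import hashlib
import hmac
import secrets

# Stand-in for a key that in practice lives in an HSM (assumption).
SIGNING_KEY = secrets.token_bytes(32)


def digest(artifact: bytes) -> str:
    """SHA-256 digest of a build artifact."""
    return hashlib.sha256(artifact).hexdigest()


def sign(artifact: bytes, key: bytes = SIGNING_KEY) -> str:
    """HMAC-SHA256 stands in for a real code-signing signature (assumption)."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify(artifact: bytes, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time check that `signature` was produced over `artifact`."""
    return hmac.compare_digest(sign(artifact, key), signature)


def gated_sign(primary_artifact: bytes, reproduced_artifact: bytes,
               key: bytes = SIGNING_KEY):
    """Sign only if the independent rebuild matches the primary build.

    A patch applied on one build server changes that build's digest, the two
    digests disagree, and the gate returns None instead of a signature.
    """
    if not hmac.compare_digest(digest(primary_artifact),
                               digest(reproduced_artifact)):
        return None
    return sign(primary_artifact, key)


def build(source: bytes, injected: bytes = b"") -> bytes:
    """Toy deterministic 'compiler' (assumption). `injected` simulates code
    added by a compromised build server rather than by the reviewed source."""
    return b"BUILD:" + source + injected


# Constructed sample input: reviewed source, a clean build, and a build from
# a builder that appended extra code.
REVIEWED_SOURCE = b"print('monitoring agent')"
CLEAN_BUILD = build(REVIEWED_SOURCE)
TAMPERED_BUILD = build(REVIEWED_SOURCE, injected=b"\n# extra code from builder")


def demo():
    """Returns (clean build was signed and verifies, tampered build refused)."""
    independent_rebuild = build(REVIEWED_SOURCE)
    sig = gated_sign(CLEAN_BUILD, independent_rebuild)
    refused = gated_sign(TAMPERED_BUILD, independent_rebuild)
    return (sig is not None and verify(CLEAN_BUILD, sig), refused is None)


if __name__ == "__main__":
    print(demo())
```

The gate is only as strong as the independence of the second build: it must run on separately administered infrastructure from the same reviewed commit, otherwise a single compromised builder feeds both sides. The same comparison can be made against a reproducible build performed by a second team, which is the setting in which this check catches a build-server patch.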
Venafi suggests the following best practices for securing the code signing process: