As we told you earlier, the National Security Council is responding to a “significant cyber incident” where suspected Russian hackers infiltrated multiple U.S. agencies and private companies by taking advantage of a security vulnerability with SolarWinds’ Orion IT product:
NSC invokes PPD-41 in response to SolarWinds hack https://t.co/ZkgF60Nenr
— Patrick Tucker (@DefTechPat) December 15, 2020
SolarWinds sent this warning out to all users of the Orion software:
If you’re a SolarWinds customer & use the below product, assume compromise and immediately activate your incident response team. Odds are you’re not affected, as this may be a resource intensive hack. Focus on your Crown Jewels. You can manage this. https://t.co/YvSGTv926a https://t.co/WFe89831Dj
— Chris Krebs (@C_C_Krebs) December 13, 2020
A screenshot flying around has linked Dominion Voting Systems to SolarWinds, but. . .
Dominion deleted the reference and link to "SolarWinds" from their website, but we have the archive still.
Now you see it… now you dont.https://t.co/oSdLXpWSJPhttps://t.co/JDWWFVfofr pic.twitter.com/NpuWdlS238
— Ron (@CodeMonkeyZ) December 15, 2020
. . .Dominion reportedly uses a different product that was not hacked:
To everyone who sent me screenshot of Dominion Voting Systems web site saying it's proof Dominion was using SolarWinds softwr and was hacked. Dominion was using an FTP software from SolarWinds, not Orion software that was compromised. Pls don't @ me until you read entire thread https://t.co/mI6AwTkVDD
— Kim Zetter (@KimZetter) December 15, 2020
This thread explains what’s going on:
So, I’ve seen folks pointing out that Dominion Voting Systems uses #SolarWinds.
DVS definitely uses the SolarWinds Serv-U product; however, according to @AlexaCorse, they do not use the Orion product line. (1/n)
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
Folks suggesting the Dominion Vosting Systems use #SolarWinds products are basing it on this public facing system that bares the SolarWinds logo; however, this system runs Serv-U, a secure file transfer utility SW acquired from RhinoSoft in 2012. (2/n) pic.twitter.com/EUJmCt7zwM
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
Since I first accessed the page around 6:30 EST 12/14, it appears to have been taken down. Regardless, the product is not part of the Orion suite. (3/n) pic.twitter.com/NpNOKQzxUT
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
Before posting this thread this morning, I checked again and the page was back with all references to SolarWinds in the footer removed. While conspiracy theorists might say they’re hiding something, I think they are trying to avoid more press. Let’s dig deeper on Serv-U. (4/n) pic.twitter.com/1IwRBpuPRB
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
The docs on SolarWinds site shows the product installing to “C:Program FilesRhinoSoft”, which, at the time of this tweet, is not a directory included in any of the IOCs associated with the SolarWinds attack. I verified the path by downloading and installing a trial. (5/n) pic.twitter.com/KePna9UJqj
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
I also checked for the infected DLL file, SolarWinds.Orion.Core.BusinessLayer.dll, in the install directory, and it was not present. (As expected since this tool is not part of the Orion suite). File hashes of all installed files included for comparison to non-trial version (6/n) pic.twitter.com/uioycBalLT
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
I noticed the Serv-U version I analyzed was released during the time of the known compromise, so I analyzed the binaries for strings unique to the malware included with the Orion suite, and found none. (Ex. avsvmcloud[.]com) (7/n) pic.twitter.com/LMTatRVJjP
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
2 possible ways to be completely sure the program was not infected.
1) Do binary diffs between the pre-breach 15.1.7 files and the mid-breach 15.2.1 files and rev. eng. the diffs.
2) Run the software in an isolated, domain-joined system and monitor closely for IOCs (8/n)— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
I don’t have access to the 15.1.7 binaries, nor the time to hunt them down, at the moment. If the files had been compromised, the diffs should be pretty obvious since SW hasn’t even bothered to change the install path of this piece of software they acquired it 8 years ago. (9/n)
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
Last, I don’t plan to monitor this software package for 12-14 days because their is no evidence in the any of the SolarWinds breach reports, IOCs, or known public information that suggests it was part of the attack, and everything I analyzed supports that assertion. (10/10)
— Jon Gorenflo ✹ ?☠️? (@flakpaket) December 15, 2020
Dominion also released a statement saying the company has never used the Orion software:
RUMOR CONTROL: “Dominion Voting Systems does not now nor has it ever used the SolarWinds Orion Platform, which was subject of the DHS emergency directive dated December 13, 2020," a Dominion spokeswoman says. via @AlexaCorse cc: @CISAgov @CISAKrebs
— Dustin Volz (@dnvolz) December 14, 2020
Coincidentally, Dems plan to call Chris Krebs, the fired head of the Director of the Cybersecurity and Infrastructure Security Agency at a hearing tomorrow in the Senate on election security. We’re pretty sure the SolarWinds hack might come up:
JUST IN: Chris Krebs will also be testifying at tomorrow's Senate Homeland Security Committee Hearing on "Examining Irregularities in the 2020 Election".
He was just added to the list of witnesses, which includes Ken Starr and three people involved in pro-Trump litigation.
— Frank Thorp V (@frankthorp) December 15, 2020
***
Join the conversation as a VIP Member