SolarWinds Detected Six Months Earlier
New reporting from Wired reveals that the Department of Justice detected the SolarWinds attack six months before Mandiant detected it in December 2020, but didn’t realize what it detected—and so ignored it.
WIRED can now confirm that the operation was actually discovered by the DOJ six months earlier, in late May 2020—but the scale and significance of the breach wasn’t immediately apparent. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. The software, used by system administrators to manage and configure networks, was communicating externally with an unfamiliar system on the internet. The DOJ asked the security firm Mandiant to help determine whether the server had been hacked. It also engaged Microsoft, though it’s not clear why the software maker was also brought onto the investigation.
[…]
Investigators suspected the hackers had breached the DOJ server directly, possibly by exploiting a vulnerability in the Orion software. They reached out to SolarWinds to assist with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In July 2020, with the mystery still unresolved, communication between investigators and SolarWinds stopped. A month later, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite, the sources say.
EDITED TO ADD (5/4): More details about the SolarWinds attack from Wired.com.
iAPX • May 3, 2023 6:37 AM
“Unusual traffic” is suspect traffic; that’s why traffic is monitored and everything “unusual” is logged to be audited, if not immediately raising an alarm!
If they couldn’t have good network hygiene when evaluating a new solution, there is little chance they do it for production systems, where it’s more complex, with a lot more traffic.
There is something really weird about this story.
Including “the company’s engineers were unable to find a vulnerability in their code”: naturally they won’t. You don’t ask the people who created code with a security hole to find it; with external help to identify it and reproduce it, they could fix it.
You don’t have QA done by the code developers but by QA people; you don’t have the code developers search for a flaw, you use a hacker for that.
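The comment's point, that an outbound connection from a management server to a destination it has never talked to before should be logged and raised as an alert rather than left unexplained, can be expressed as a simple baseline check. The script below is an added example written for this page; it is not code from the post, from the Wired article, or from any DOJ, Mandiant or SolarWinds tooling. The host name `orion-trial`, the internal network ranges, and every log line and IP address in it are constructed for illustration.

```python
"""
Added example: flag outbound connections from a monitored host to external
destinations that are not in its learned baseline.  Hosts, networks and log
lines are constructed; nothing here reflects a real environment.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed: the address ranges this fictional environment treats as internal.
INTERNAL_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed connection log: timestamp, source host, destination IP, port, bytes out.
# The first period is the learning window; the second is the period being checked.
BASELINE_LOG = """\
2020-05-01T10:00:00Z orion-trial 10.0.0.5 443 1200
2020-05-01T10:05:00Z orion-trial 10.0.0.9 161 300
2020-05-02T08:00:00Z orion-trial 192.0.2.10 443 5400
"""
NEW_LOG = """\
2020-05-20T03:12:00Z orion-trial 10.0.0.5 443 1100
2020-05-20T03:14:00Z orion-trial 198.51.100.77 443 48000
2020-05-20T03:15:00Z orion-trial 10.0.0.9 161 300
2020-05-20T03:20:00Z orion-trial 192.0.2.10 443 5100
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    host: str
    dst: str
    port: int
    bytes_out: int


def parse_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated log format used above; skips blank and # lines."""
    conns: list[Conn] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, port, nbytes = line.split()
        conns.append(Conn(ts, host, dst, int(port), int(nbytes)))
    return conns


def is_external(ip: str) -> bool:
    """True when the address is outside every configured internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_baseline(conns: list[Conn]) -> dict[str, set[tuple[str, int]]]:
    """Per host, the set of (external destination, port) pairs seen in the learning window."""
    baseline: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for c in conns:
        if is_external(c.dst):
            baseline[c.host].add((c.dst, c.port))
    return baseline


def find_unusual(conns: list[Conn], baseline: dict[str, set[tuple[str, int]]]) -> list[Conn]:
    """Connections to an external (destination, port) the host never used in the baseline."""
    findings: list[Conn] = []
    for c in conns:
        if not is_external(c.dst):
            continue  # internal traffic is out of scope for this check
        if (c.dst, c.port) not in baseline.get(c.host, set()):
            findings.append(c)
    return findings


def main() -> None:
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for c in find_unusual(parse_log(NEW_LOG), baseline):
        print(f"ALERT {c.ts} {c.host} -> {c.dst}:{c.port} ({c.bytes_out} bytes out): "
              "external destination not in baseline")


if __name__ == "__main__":
    main()
```

In this constructed data the check fires once, on the connection to `198.51.100.77`, because that is the only external destination the host had not contacted during the learning window; the known destination `192.0.2.10` and all internal traffic pass. In practice the baseline would be built from flow or proxy logs over a longer window and reviewed before being trusted, since a destination first contacted during the learning period is silently accepted by this approach.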