It was recently reported by the SolarWinds CEO that UNC2452, the Russia-linked advanced persistent threat (APT) group behind the SolarWinds cyberattacks, may have accessed SolarWinds' systems through a zero-day vulnerability in Microsoft Office 365 combined with compromised user credentials.
The ongoing investigation is looking into how the actors accessed the company's environment and what they did once inside. It is set to analyze data from multiple systems and logs, including Microsoft Office 365, SolarWinds' Security Event Manager, and the build environment platforms.
It is still unknown when the initial compromise happened or which specific vulnerability was used to access the company's Office 365 environment.
However, it was reported that a SolarWinds email account was compromised and used to programmatically access other targeted employees' accounts and, from there, to compromise further credentials. This allowed the group to infiltrate the Orion development environment and insert its malicious code into the build.
The group is also reported to have attempted to cover its tracks by disabling audit logs, deleting files and programs, and using servers outside the jurisdiction of US intelligence agencies, among other sophisticated tactics.