Previously, KPMG wrote a blog that detailed the injection of the malware SUNBURST into SolarWinds’ Orion Platform and outlined the various other malware that were deployed indirectly via the SUNBURST backdoor. Later, our colleagues Caleb Queern and Greg Mohler authored another blog that took a look at security monitoring in the build environment, focusing on some of the important questions to ask that can help uncover malicious behavior. Here, we describe some of the specific work KPMG has done, and continues to do, in collaboration with SolarWinds and DLA Piper to put it all in perspective so others can mitigate the threat of future attacks. As a trusted advisor, our overarching objective is to help SolarWinds be as open and transparent as possible and help allay clients’ security concerns. Success in this ongoing exercise will help enable SolarWinds to maintain the trust of its various stakeholders, from customers and employees to regulators and activist investors, thus creating a foundation for responsible growth, confident decision-making, bold innovation and sustainable advances in performance and efficiency.
KPMG was initially retained for two primary purposes. The first was purely investigative, while the second focused on eDiscovery. This work focused on determining how bad actors were able to insert malicious code into SolarWinds’ flagship product, Orion, through a seemingly innocuous software update sent to thousands of customers.
Over the course of this engagement it became clear that we not only understood SolarWinds’ business and technology but could provide differentiated application security development guidance and lead an extended investigation and eDiscovery program. Mutual trust was a must and was established quickly.
When we started working with SolarWinds the attack had been broadly reported. From an investigation perspective we dug into how the SolarWinds build environment was compromised and tampered with. We immediately started working with the SolarWinds application teams. A contingent of core KPMG professionals with software development experience and an understanding of what's involved in building these components at a more granular level began with SolarWinds’ source code control system (SCCS), which is where attackers typically go to modify code.
Our experience and knowledge of application development leading practices led us to ask the right questions around code security and quickly understand how SolarWinds works, their application-build processes, what systems are involved, and the most likely entry points for a breach.
Looking back over two years, we found the software code itself appeared not to have been maliciously modified by this attack. Next, we examined how the Orion software is compiled, which happens within SolarWinds’ third-party software orchestration system, TeamCity. A close look at the TeamCity server also revealed nothing out of the ordinary. Ultimately, we discovered the attacker(s) had targeted a machine that was compiling the code itself. From a forensics standpoint, as detailed in SolarWinds’ blog post, KPMG discovered malware – referred to as SUNSPOT – that was deployed for the purpose of covertly inserting a backdoor into the SolarWinds Orion Platform during the software build process. It was determined the malware was designed by the threat actor(s) to target, within the SolarWinds environment, only the SolarWinds Orion Platform. The SUNSPOT malware ran in the background on SolarWinds’ Orion Platform software build servers watching for a new build to take place. At build time, SUNSPOT would insert a backdoor (referred to as SUNBURST) contained in a temporary source code file used by the compiler. At the conclusion of the software build process, SUNSPOT would clean up the temporary source code file to circumvent detection. Hence, the codebase remained clean, while the compiled code was signed with the valid SolarWinds software certificate and shipped with the SUNBURST backdoor.
A related component of the investigation is the validation of the limited scope of the attack. Reviewing the malware indicated that only one SolarWinds product, the Orion Platform, was targeted.
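The tamper-then-clean-up sequence described above (a build input that differs only while the compiler reads it, then is restored so the checked-in code looks untouched) is exactly what a single post-build comparison against the repository misses. The following is an added example, not KPMG's or SolarWinds' code: it records SHA-256 digests of the build inputs at each build stage and compares every stage against the source-control baseline, so a file that drifts mid-build and matches again afterwards is still reported. The `*.cs` glob, the `src/Service.cs` path and the stage names are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path, patterns=("*.cs",)) -> dict[str, str]:
    """SHA-256 of every build input under root, keyed by POSIX relative path.
    The glob patterns are an assumption; use whatever the compiler actually reads."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for pat in patterns for p in sorted(root.rglob(pat)) if p.is_file()}


def compare(baseline: dict[str, str], observed: dict[str, str]) -> dict[str, list[str]]:
    """Paths added, removed or modified relative to the source-control baseline."""
    return {
        "added": sorted(set(observed) - set(baseline)),
        "removed": sorted(set(baseline) - set(observed)),
        "modified": sorted(p for p in baseline if p in observed and baseline[p] != observed[p]),
    }


def audit_build(baseline: dict[str, str], stages: dict[str, dict[str, str]]) -> list[str]:
    """Compare every stage snapshot against the baseline, never just the final tree.
    A finding at a mid-build stage that has vanished by the post-build stage is the
    tamper-then-clean-up pattern; a post-build-only check would report nothing."""
    return [f"{stage}: {kind} {path}"
            for stage, snap in stages.items()
            for kind, paths in compare(baseline, snap).items()
            for path in paths]


def run_demo() -> list[str]:
    """Constructed scenario in a temp dir: checkout, mid-build change, clean post-build tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        target = root / "src" / "Service.cs"        # hypothetical build input
        target.parent.mkdir()
        clean = b"class Service { void Run() { /* as committed */ } }\n"
        target.write_bytes(clean)
        baseline = snapshot(root)                   # digests of the SCCS checkout
        target.write_bytes(b"class Service { void Run() { /* present only during the build */ } }\n")
        pre_compile = snapshot(root)                # what the compiler would actually read
        target.write_bytes(clean)                   # restored, so the tree looks untouched again
        post_build = snapshot(root)
        return audit_build(baseline, {"pre_compile": pre_compile, "post_build": post_build})
```

Running `run_demo()` reports the mid-build modification of `src/Service.cs` while the post-build stage is clean, which is the signal a repository-only check would never produce.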