The SolarWinds hackers allegedly leveraged the Pulse Secure VPN to access the company’s Orion server, a recent report suggests.
The US Cybersecurity and Infrastructure Security Agency (CISA) released an analysis report this week, outlining that the SUPERNOVA malware was able to enter the SolarWinds Orion server via a Pulse Secure virtual private network (VPN).
In 2020, overseas hackers, broadly thought to be Russia-based, broke into leading IT firm SolarWinds’ Orion server. SolarWinds serves clients from across the Fortune 500 and the US government. It is believed that the breach allowed the SUPERNOVA malware to infect SolarWinds’ client companies.
“[Advanced persistent threat] actors use SUPERNOVA to perform reconnaissance, conduct domain mapping, and steal sensitive information and credentials,” CISA reported this week.
“According to a SolarWinds advisory, SUPERNOVA is not embedded within the Orion platform as a supply chain attack; rather, an attacker places it directly on a system that hosts SolarWinds Orion, and it is designed to appear as part of the SolarWinds product.”
CISA reported that the culprits gained access to the server via SolarWinds’ Pulse Secure VPN and were able to log on while appearing to be employees.
“Note: these IP addresses belong to routers that are all similar models; based on this activity, CISA suspects that these routers were likely exploited by the threat actor,” CISA explained.