APT Compromise of Orion Platforms

Solarwinds Orion Products
Advisory ID:
January 1, 2021


Reports revealed recent compromises of U.S. government agencies, critical infrastructure entities, and private sector organizations by an advanced persistent threat (APT) actor which began at least since March 2020. It is expected that removing this threat actor from compromised environments will be highly complex and challenging for organizations hence the need to take proactive actions in the protection of government critical national information infrastructures. The cyber-security firm that identified the large-scale hacking of US government agencies says it "genuinely impacted" around 50 organisations. The US Treasury and departments of homeland security, state and defence are known to have been targeted. Russian Intelligence has been accused by the US for the cyber intrusion. Several other organisations around the world are understood to have been targeted by hackers using the same network management software.

Description & Consequence

This vulnerability is known to affect SolarWinds Orion products (affected versions are 2019.4 through 2020.2.1 HF1) which are currently being exploited by malicious actors. This tactic permits an attacker to gain access to network traffic management systems and disconnecting affected devices. It started with a "dry run" in October 2019 when "innocuous code" was changed. Then sometime in March, the operators behind this attack did put malicious code into the supply chain, injected it in there and that is the backdoor that impacted everybody.

Successful exploitations and attacks will allow the attackers to:

  • Monitor traffic on major organization’s network systems;
  • Compromise organization’s information systems;
  • Gain access to network traffic management systems and
  • Disconnect affected devices.


The following actions are necessary depending on your level of expertise:

  1. Affected agencies should immediately disconnect or power down SolarWinds Orion products, versions 2019.4 through 2020.2.1 HF1, from their network. Additionally,

a. Block all traffic to and from hosts, external to the enterprise, where any version of SolarWinds Orion software has been installed.

b. Identify and remove all threat actor-controlled accounts and identified persistence mechanisms.

  1. Report all incident to ngCERT (at https://cert.gov.ng/incident-report/corporate ) for support and technical advice.



Related Articles