Risk Alert: SolarWinds Orion Compromised by Nation State


SolarWinds is an industry-leading software tool used by many IT Managed Service Providers (MSPs) in the asset management industry. There are fresh reports of a compromise affecting the SolarWinds Orion platform. Orion is a widely deployed IT management and monitoring platform used by IT organizations across many industries. The supply-chain nature of the attack is serious and represents a critical risk to organizations with Orion deployed within their environment.

If you have SolarWinds Orion deployed within your environment, you can check which version you have installed by following these instructions. To determine what hotfixes you have installed, follow these instructions.

The Department of Homeland Security has mandated all Federal Agencies immediately disconnect compromised Orion infrastructure from their network and perform forensic analysis to determine the scope of further persistent access. If you determine you do have a compromised version of Orion installed in your environment, please immediately report this to us and take one of the following actions:

  • Immediately disconnect the infrastructure from your environment
  • Upgrade to Orion Platform version 2020.2.1 HF 1
    • An additional hotfix release, 2020.2.1 HF 2 is anticipated to be made available Tuesday, December 15, 2020.
  • Determine through forensic analysis whether further persistent access was gained

While investigation is still ongoing, here’s what is known:

  • On or before March 2020, nation-state attackers were able to compromise SolarWinds and inject malicious code into the update CORE-2019.4.5220.20574-SolarWinds-Core-v2019.4.5220-Hotfix5.msp.
  • This update contains a trojanized DLL (SolarWinds.Orion.Core.BusinessLayer.dll) which creates a backdoor that communicates via HTTP with remote attackers. After a dormant period, the trojan attempts to resolve a subdomain of avsvmcloud[.]com.
  • The DNS response returned points the compromised system to command and control infrastructure which is then used to further compromise the victim.
  • The currently known command and control infrastructure can be found here.
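Because the backdoor described above first resolves a subdomain of avsvmcloud[.]com before any C2 traffic begins, DNS query logs are one of the earliest places a defender can look for affected hosts. The following is an added example (not part of this notice and not SolarWinds or BW Cyber Services code) that scans resolver log lines for queries to that domain or any of its subdomains. The log layout ("timestamp client qname qtype"), the sample lines and the subdomain labels are all constructed for the example; real resolver logs vary by product, so `parse_line` is the piece to adapt.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Domain named in the notice above, with the defanging brackets removed for matching.
WATCHED_DOMAIN = "avsvmcloud.com"

# Constructed sample resolver log lines (assumed layout: timestamp client qname qtype).
# The subdomain labels below are made up for the example, not observed indicators.
SAMPLE_LOG = """\
2020-12-14T09:12:01Z 10.0.4.17 time.windows.com A
2020-12-14T09:12:07Z 10.0.4.22 abc123example.avsvmcloud.com A
2020-12-14T09:12:09Z 10.0.4.22 AVSVMCLOUD.COM. A
2020-12-14T09:12:11Z 10.0.4.31 notavsvmcloud.com A
2020-12-14T09:12:15Z 10.0.4.40 updates.solarwinds.com A
"""


@dataclass(frozen=True)
class DnsQuery:
    timestamp: str
    client: str
    qname: str
    qtype: str


def parse_line(line: str) -> Optional[DnsQuery]:
    """Parse one log line in the assumed layout; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return DnsQuery(*parts)


def normalize(name: str) -> str:
    """Lower-case and drop the trailing dot so FQDN and relative forms compare equal."""
    return name.strip().rstrip(".").lower()


def is_watched(qname: str, domain: str = WATCHED_DOMAIN) -> bool:
    """True if qname is the watched domain itself or a subdomain of it.

    The leading dot in the suffix check prevents look-alike names such as
    'notavsvmcloud.com' from matching.
    """
    name = normalize(qname)
    base = normalize(domain)
    return name == base or name.endswith("." + base)


def find_suspect_queries(lines: Iterable[str], domain: str = WATCHED_DOMAIN) -> List[DnsQuery]:
    """Return every parsed query whose name falls under the watched domain."""
    hits: List[DnsQuery] = []
    for line in lines:
        query = parse_line(line)
        if query is not None and is_watched(query.qname, domain):
            hits.append(query)
    return hits


def affected_clients(lines: Iterable[str], domain: str = WATCHED_DOMAIN) -> List[str]:
    """Sorted, de-duplicated list of client addresses that made a matching query."""
    return sorted({q.client for q in find_suspect_queries(lines, domain)})


if __name__ == "__main__":
    for q in find_suspect_queries(SAMPLE_LOG.splitlines()):
        print(f"{q.timestamp} {q.client} queried {q.qname}")
    print("clients to isolate and image:", affected_clients(SAMPLE_LOG.splitlines()))
```

Any client that appears in the output is a candidate for the disconnect-and-forensics steps listed earlier; the DNS hit establishes that the beacon fired, not what the attacker did afterwards, so it is the starting point for the investigation rather than its conclusion.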


For more information related to this notice, please see the following:

If you need assistance in performing a forensic investigation or if you have further questions, BW Cyber Services’ Digital Forensics and Incident Response team can help. For more information on how we can assist, please contact us at info@bwcyberservices.com.