TAG Cyber Corps Cloud Security Briefing January 2021

Authors: Iassen Christov & Nicholas Wainwright

The Austin-based software company known as SolarWinds hasexperienced a massive breach this December. The attackers used a backdoor called Sunburst. There is a possibility that an experienced hacking group seized information from United States Government agencies. Email traffic is one of themost critical points hit. The type of attack conducted on SolarWinds is referred toas a supply-chain attack. A supply-chain attack is an attack that infects software as it is being built or updated.

The intelligence agency that compromised the SolarWinds software took binary code directly from the software that was updating. The original software was then altered with malicious code, streamlining the process typically used in an attack life cycle. This code was designed to look exactly like the current code and was digitally marked to “prove” that it was cleared to run. The breach itself has affected many areas of government as well as a plethora of private companies.

After the initial penetration attackers took control of the platform and later released a malicious update that was installed by many. Enterprises using Microsoft Office 365, SolarWinds, or Azure are at risk of exposure. It has been widely reported that adversaries are using steganography, privilege escalation, as well as increasing user trusts by compromising SAML signatures with escalated Active Directory privileges.

At this moment, all enterprises should be monitoring their Microsoft Office 365, Azure cloud assets, and any system within their networks using SolarWinds. This assessment is based on the alerts and recommendations that are being released here by CISA.


This newsletter is prepared as part of the TAG “Cyber Corps” program. This program employs college and university level students in an effort to give them accessible cyber security experience while providing affordable security information to small and micro businesses. This letter is a product created by senior level Cyber Corps students who pull research from the work their peers have done each month.