Fidelis Targeted By SolarWinds Hackers After Installing Orion

Fidelis Cybersecurity was a target of interest to the SolarWinds hackers after downloading an evaluation copy of trojanized SolarWinds Orion network monitoring software in May, the company disclosed Tuesday.


Fidelis Cybersecurity was a target of interest to the SolarWinds hackers after installing a trial copy of malicious SolarWinds Orion network monitoring software in May.

The company identified a four-day period in May during which a machine on its network communicated with the malware’s infrastructure in the initial passive phase of the attack, Chief Information Security Officer Chris Kubic said. The attackers’ infrastructure then flagged the Fidelis machine for the second phase of the attack, indicating that the company was a target of interest to the SolarWinds hackers.

However, the Bethesda, Md.-based extended detection and response vendor has not been able to identify any follow-up transactions that would indicate progression to the final phase of the attack, in which the malware on the Fidelis system would have communicated with the hackers’ command and control infrastructure, according to Kubic.


“Our current belief, subject to change given additional information, is that the test and evaluation machine where this software was installed was sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack,” Kubic wrote in a blog post Tuesday.

Fidelis does not use SolarWinds Orion software to manage its corporate systems, but Kubic said the nature of the company’s work requires Fidelis to test all kinds of software for compatibility with its products. Kubic said the company used Fidelis Endpoint to determine that it had installed an evaluation copy of the trojanized SolarWinds Orion software on one of its machines as part of a software evaluation.

The Orion software installation was traced to a machine configured as a test system, isolated from Fidelis’ core network and infrequently powered on, according to Kubic. After news of the FireEye and SolarWinds hacks went public in December, Kubic said Fidelis used Netresec’s Sunburst Domain Decoder Tool to filter and decode passive DNS records associated with the initial phase of the attack, in which the implant encodes the victim’s domain name into the DNS queries it sends to the attackers’ infrastructure.

“Following the FireEye/SolarWinds disclosure in December, we initiated an internal review of Fidelis networks under the assumption that we too could have been a target,” Kubic said. “To date we have not turned up any evidence that the SolarWinds compromise has impacted our networks, although our analysis continues.”

Using the passive DNS sources available at the time, Kubic said Fidelis did not identify the “hq.fidelis” domain in records associated with the SolarWinds attack. But on Friday, Kubic said Fidelis identified an additional source of passive DNS information and, using Netresec’s Sunburst Domain Decoder Tool, confirmed that hq.fidelis had been flagged by the attackers as a domain of interest and worth targeting.
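The review Kubic describes above, as an added worked example (this is not Fidelis’ or Netresec’s code, and every record in it is constructed for illustration): the script scans passive DNS records for the publicly documented SUNBURST beacon pattern (a per-victim label under appsync-api.<region>.avsvmcloud.com), works out the beaconing window for each querying host, treats a CNAME answer as the attackers’ signal that the host was selected for the second phase, and then checks proxy or flow records for any follow-up connection to the CNAME target. The `PdnsRecord` and `Connection` field layouts are assumptions about what a passive DNS feed and a proxy log would provide; the DGA labels and the CNAME target are placeholders. Decoding the victim domain out of the label is left to Netresec’s tool, as in the article.

```python
"""Passive-DNS triage for SUNBURST stage-1 beacons and stage-2 selection.

Added example for this article, not Fidelis' or Netresec's code. All
records below are constructed. Decoding the victim domain from the DGA
label is left to Netresec's SunburstDomainDecoder.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Publicly documented shape of a SUNBURST DGA query:
#   <encoded label>.appsync-api.<region>.avsvmcloud.com
DGA_SUFFIXES = tuple(
    f".appsync-api.{region}.avsvmcloud.com"
    for region in ("eu-west-1", "us-west-2", "us-east-1", "us-east-2")
)


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation (field layout assumed for this example)."""
    seen: datetime   # resolver timestamp
    source: str      # querying host as the resolver identified it
    qname: str       # queried name
    rtype: str       # answer type: "A" or "CNAME"
    rdata: str       # answer payload


@dataclass(frozen=True)
class Connection:
    """One outbound connection from proxy or flow logs (layout assumed)."""
    seen: datetime
    source: str
    host: str


def dga_label(qname):
    """Return the encoded label if qname is a SUNBURST DGA query, else None."""
    name = qname.lower().rstrip(".")
    for suffix in DGA_SUFFIXES:
        if name.endswith(suffix):
            return name[: -len(suffix)]
    return None


def triage(records, connections):
    """Per querying host: beacon window, stage-2 CNAME targets, follow-up traffic."""
    beacons = defaultdict(list)
    for rec in records:
        if dga_label(rec.qname) is not None:
            beacons[rec.source].append(rec)

    report = {}
    for source, recs in beacons.items():
        recs.sort(key=lambda r: r.seen)
        first, last = recs[0].seen, recs[-1].seen
        # A CNAME answer is how the operators moved a victim to the second
        # phase; plain A answers mean the host stayed in the passive phase.
        cname_targets = sorted(
            {r.rdata.lower().rstrip(".") for r in recs if r.rtype == "CNAME"}
        )
        followup = [
            c for c in connections
            if c.source == source and c.host.lower().rstrip(".") in cname_targets
        ]
        report[source] = {
            "first_seen": first,
            "last_seen": last,
            "active_days": (last.date() - first.date()).days + 1,
            "beacons": len(recs),
            "labels": sorted({dga_label(r.qname) for r in recs}),
            "stage2_selected": bool(cname_targets),
            "cname_targets": cname_targets,
            "followup_connections": len(followup),
        }
    return report


# Constructed sample data: one isolated test box that beaconed on four days,
# received a CNAME on the last day, and never contacted the CNAME target.
# Labels, answer IPs (documentation range) and the CNAME host are placeholders.
T = datetime.fromisoformat
LABEL_A = "k5bq7mxzc0ejd1nrgt7a"
LABEL_B = "m9vz3qrt1xbc6dkfpw2e"
SAMPLE_RECORDS = [
    PdnsRecord(T("2020-05-05T09:12:00"), "lab-test-01", LABEL_A + DGA_SUFFIXES[0], "A", "192.0.2.10"),
    PdnsRecord(T("2020-05-06T09:14:00"), "lab-test-01", LABEL_A + DGA_SUFFIXES[0], "A", "192.0.2.10"),
    PdnsRecord(T("2020-05-07T09:11:00"), "lab-test-01", LABEL_B + DGA_SUFFIXES[1], "A", "192.0.2.11"),
    PdnsRecord(T("2020-05-08T09:13:00"), "lab-test-01", LABEL_B + DGA_SUFFIXES[1], "CNAME", "stage2.example.net."),
    # Ordinary traffic from another host; must be ignored by the filter.
    PdnsRecord(T("2020-05-08T10:00:00"), "ws-042", "updates.solarwinds.com", "A", "192.0.2.50"),
]
SAMPLE_CONNECTIONS = [
    Connection(T("2020-05-08T09:20:00"), "lab-test-01", "downloads.example.com"),
]

if __name__ == "__main__":
    for source, summary in triage(SAMPLE_RECORDS, SAMPLE_CONNECTIONS).items():
        print(source, summary)
```

On real data the `source` field is whatever the passive DNS provider exposes, which is often the resolver rather than the client; in that case the per-host window has to be rebuilt from the decoded label (the label carries the victim’s domain and a per-host identifier) rather than from the source field, which is exactly why Fidelis ran the decoder over the records it obtained.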

“While we are not happy about being targeted by the attackers behind the SolarWinds, FireEye, Microsoft and Malwarebytes attacks, we think this is a good learning opportunity both for our own internal team (i.e., drink your own champagne and practice your incident response plan), as well as the security community on the best practices to apply to an advanced adversary attack,” Kubic said.

Kubic said Fidelis’ initial review of the SolarWinds attack also included analysis of Fidelis Network metadata and various system logs using threat indicators provided by the Fidelis Threat Research Team. Fidelis plans to publish best practices for identifying whether an enterprise may be under attack from an adversary like the one behind the SolarWinds attack as well as the company’s findings, Kubic said.

“Though we have not identified any evidence to date that the SolarWinds compromise has impacted our networks, we will continue to investigate potential impacts using our own tooling much like we recommend our customers do,” Kubic said.

Fidelis is the sixth pure-play cybersecurity vendor to publicly disclose an attack over the past seven and a half weeks, following attempted hacks of FireEye, CrowdStrike, Mimecast, Malwarebytes and SonicWall.