Operation Falling Eagle: Uncovering the Most Impactful Supply Chain Attack in History
On December 13, 2020 (U.S. time), foreign media reported that multiple critical U.S. government agencies were compromised by a nation-state APT group through vulnerabilities in SolarWinds' network management software. Following these reports, FireEye and Microsoft disclosed technical analyses of the supply chain attack against SolarWinds products, detailing the implanted backdoor components. SolarWinds officially confirmed that its Orion platform software versions 2019.4 to 2020.2.1, released between March and June 2020, had been subjected to a sophisticated supply chain attack, urging users to upgrade immediately. SolarWinds' client portfolio includes Fortune 500 companies, top U.S. telecom providers, all five branches of the U.S. military, the State Department, NSA, and the Office of the President, indicating potentially catastrophic breaches across America's critical infrastructure.

360 Threat Intelligence Center became the first domestic entity to accurately identify and warn about this attack. Leveraging 360 Security Brain's global telemetry capabilities, 360 Advanced Threat Research Center reconstructed the attack chain and designated it "Operation Falling Eagle". This report reveals technical details of the most impactful supply chain attack in history.

The attackers implanted a malicious backdoor in the SolarWinds.Orion.Core.BusinessLayer.dll component within versions 2019.4-2020.2.1 of the Orion platform. This compromised DLL was distributed through official installation packages and updates, carrying valid digital signatures, which confirms that the attackers had compromised SolarWinds' development pipeline at the source code level. All Orion platform installations/updates from any channel during this period contained the backdoor. 360's security telemetry traces the backdoor component's activity timeline: initial test code insertion occurred as early as October 2019 (environmental validation functions), followed by full RAT implementation in 2020.
The third-phase post-exploitation operations demonstrated advanced countermeasures, including security tool detection and IP geolocation filtering, making network traffic analysis alone insufficient for breach identification. The backdoor executes only when loaded by the solarwinds.businesslayerhost process, activates after a 12-14 day dormancy period, generates a UserID from the MAC address, domain and MachineGuid (MD5 hash combined with XOR), and performs comprehensive security product detection (EDR drivers listed include CyberArk's cybkerneltracker.sys, SentinelOne's sentinelmonitor.sys, etc.). It verifies network connectivity by resolving api.solarwinds.com before initiating DGA-based C2 communication using domains of the form *.appsync-api.[region].avsvmcloud.com.

Command control functions include system reconnaissance (CollectSystemDescription), file manipulation (WriteFile/DeleteFile), registry operations (SetRegistryValue), process management (RunTask/KillTask), and reboot capabilities. The backdoor implements multiple security bypass techniques, including killing AV services and detecting analysis tools by comparing hashed process names. The FireEye-disclosed webshell component (app_web_logoimagehandler.ashx.b6031896.dll) demonstrates dynamic code execution triggered via HTTP requests, suggesting later-stage post-exploitation tooling.

Operation Falling Eagle's scale and sophistication—spanning U.S. political, military, educational, and corporate entities since 2019—represent unprecedented APT impact. The attack highlights critical infrastructure vulnerabilities even in cyber-advanced nations and underscores the asymmetric nature of modern cyber warfare. 360's product suite (Security Brain, Intelligence Cloud, Sandbox Cloud) provides detection and protection against this supply chain attack. A dedicated SolarWinds backdoor removal tool is available via ata@360.cn.
IOCs include MD5 hashes (846e27a652a5e1bfbd0ddd38a16dc865 etc.), C2 domains (.appsync-api.eu-west-1.avsvmcloud.com, deftsecurity[.]com, etc.), and certificate thumbprint 47D92D49E6F7F296260DA1AF355F941EB25360C4. The complete list of detected EDR drivers and analysis tools contains 24 entries including CyberArk, Symantec, and Dell Secureworks components.
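As an added defender-side example (not part of the original report), the following Python scans DNS query logs for the C2 indicators the report names: the *.appsync-api.[region].avsvmcloud.com DGA shape and the deftsecurity[.]com domain. The log line format, the client IPs and the DGA label in the sample are constructed for the demonstration; the benign api.solarwinds.com lookup is included because the backdoor's connectivity check alone is not an indicator.

```python
import re
from dataclasses import dataclass

# Indicator taken from the report text above, refanged for matching.
KNOWN_C2_DOMAINS = {"deftsecurity.com"}

# DGA shape given in the report: <generated label>.appsync-api.<region>.avsvmcloud.com
DGA_PATTERN = re.compile(
    r"^(?P<label>[a-z0-9]{8,})\.appsync-api\.(?P<region>[a-z0-9-]+)\.avsvmcloud\.com$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hit:
    client: str   # querying host
    qname: str    # queried name, normalised
    reason: str   # why it was flagged


def parse_dns_line(line):
    """Constructed log format (assumption): '<timestamp> <client-ip> query <qname>'."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "query":
        return None
    return parts[1], parts[3].lower().rstrip(".")


def scan_dns_log(lines):
    """Return one Hit per log line whose query matches a report indicator."""
    hits = []
    for line in lines:
        parsed = parse_dns_line(line)
        if parsed is None:
            continue  # malformed lines are skipped, not treated as hits
        client, qname = parsed
        m = DGA_PATTERN.match(qname)
        if m:
            hits.append(Hit(client, qname, f"sunburst-dga region={m.group('region')}"))
            continue
        # exact match or any subdomain of a known C2 domain
        for c2 in KNOWN_C2_DOMAINS:
            if qname == c2 or qname.endswith("." + c2):
                hits.append(Hit(client, qname, f"known-c2 {c2}"))
                break
    return hits


# Constructed sample log: one benign connectivity check, one DGA query, one C2 lookup, one unrelated.
SAMPLE_LOG = [
    "2020-06-01T10:00:00Z 10.0.0.5 query api.solarwinds.com",
    "2020-06-15T03:12:44Z 10.0.0.5 query abc123def456ghi789.appsync-api.eu-west-1.avsvmcloud.com",
    "2020-06-15T03:13:01Z 10.0.0.5 query www.deftsecurity.com",
    "2020-06-15T03:13:05Z 10.0.0.7 query updates.example.com",
]
```

Running scan_dns_log(SAMPLE_LOG) flags only the two lines from 10.0.0.5 that match the report's indicators; correlating such hits with the 12-14 day delay after an Orion update narrows the candidate hosts further.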