Splunk’s Response to the SolarWinds Cyberattacks

Since mid-December and throughout the holidays, I’ve been speaking with Splunk customers and our own team about the cyberattacks impacting the SolarWinds Orion software platform. Splunk was not directly affected by this event, but as a leader in security, we want to help the industry by providing tools, guidance and support. It is critical to our entire industry that we work as a community to counter cybersecurity threats and share information about events like these.

For background, here is a recap of what happened:

• Sophisticated attackers, who appear to have been working for a foreign government, hid malware in a SolarWinds Orion software update.
• This malware, associated with the threat campaign called Sunburst, gave the attacker a foothold with SolarWinds Orion customers, allowing them to access additional information and systems.
• Confirmed victims include cybersecurity firm FireEye and government agencies, including the U.S. Departments of Treasury, Commerce and Homeland Security.
• The attackers leveraged this foothold to steal internal tools that FireEye uses to uncover weaknesses in its customers’ networks.
• There is a new threat, called Supernova, associated with this attack campaign and the situation continues to develop. We will continue to monitor as such.

Splunk is doing everything we can to assist our customers who use SolarWinds Orion, and share relevant information with the larger community.

• We’ve created a web page where we have posted and will continue to update useful and relevant information about the attack.
• We published a blog post that shows customers how to use Splunk to detect the compromised SolarWinds software update in their environment.
• We published a message to customers confirming our ongoing support and how to contact us if they suspect they have been affected.
• We proactively reached out and/or responded to inquiries from customers looking to assess our exposure.

We’ve also taken action to better protect Splunk as a business:

• The Splunk Security team continually monitors and evaluates security risks reported in the industry and the news. We took immediate action to confirm the safety of our systems and code from the SolarWinds attack.
• Again, we have found no evidence that our internal Splunk systems have been affected in any way by the SolarWinds attack, because we are not SolarWinds Orion customers.
• We are continuously monitoring our environment for signs of Sunburst and other malware.
• We’ve taken the extra precaution of confirming that all possible patches and security protocols are in place to protect against the stolen FireEye hacking tools.

Repercussions from the SolarWinds attack will continue into 2021. All of us at Splunk remain vigilant and committed to identifying various avenues to assist our customers, partners and industry organizations in their response. Be sure to visit Splunk’s SolarWinds response site for the latest materials and information.

----------------------------------------------------
Thanks!
Yassir Abousselham