Updated: Mar 16, 2021

SolarWinds’ Orion network monitoring platform was recently compromised in a supply-chain attack that gave the perpetrators an entry point into as many as 18,000 government and private networks. The hack has been referred to as the “Pearl Harbor of American IT”¹. The attackers inserted a backdoor into the Orion build process, so that trojanized updates were signed by SolarWinds and delivered through its normal update channel; once inside a victim network, the perpetrators could appropriate user IDs, passwords, financial records, source code, and anything else reachable from the compromised hosts. The US Cybersecurity and Infrastructure Security Agency (CISA) said the hack posed a “grave risk”² to the US government at all levels.

This article does not review the methods used to infiltrate the SolarWinds Orion program and its customers. Its purpose is to provide a best practice for scrubbing potentially compromised IT assets so they can be reallocated and reused rather than discarded or destroyed.

Compromised Architecture

The infiltration gave the actor a foothold in the targeted networks from which to move laterally. It is not known whether every IT asset in an affected organization was touched, or whether backdoors were placed on additional devices. The extent of the “Dark Halo Supply Chain Attack”⁴ is still being analyzed. Given an actor with administrative access for months, it is safest to assume that all systems have been compromised and to take the necessary steps to mitigate additional exposure and rebuild the victim’s network.

Reallocating IT Assets & Rebuilding Your Network

Compromised IT assets can include servers, SANs, workstations, and other devices. It is not known whether mobile devices are vulnerable to the attack. Reallocating IT assets and rebuilding the network is a monumental task. Our purpose is to provide steps to properly sanitize IT assets so they can be redeployed in the rebuilt network.

Here are the best practices for processing the individual IT assets:

Server:

  1. Remove the server from the infiltrated network.
  2. Flash the BIOS/UEFI with the latest OEM version, using an image downloaded on a clean system and checked against the OEM’s published hash or signature, then reset firmware settings to factory defaults. On servers, also reflash the BMC (iDRAC, iLO, etc.) and RAID controller firmware, since these hold their own persistent storage.
  3. Run WipeDrive on the server and ensure each drive is ‘Successfully’ erased.
  4. Run VeriDrive to ensure the erasure was successful.
  5. Connect the server to the new network.

Workstations:

  1. Remove the workstation from the infiltrated network.
  2. Flash the BIOS/UEFI with the latest OEM version, using an image downloaded on a clean system and checked against the OEM’s published hash or signature, then reset firmware settings to factory defaults.
  3. Run WipeDrive on the workstation and ensure each drive is ‘Successfully’ erased.
  4. Run VeriDrive to ensure the erasure was successful.
  5. Connect the workstation to the new network.

Mobile Devices:

  1. Disconnect the mobile device from the infiltrated network.
  2. Run WipeDrive Mobile on the device from a ‘clean’ Windows workstation (one cleaned with the steps above).
  3. Ensure the mobile device is ‘Successfully’ erased.
  4. Run WipeDrive Mobile Verification to ensure the erasure was successful.
  5. Connect the mobile device to the new network.

Verification of IT Assets

The drive erasure on each device can be performed by a multitude of erasure products and OEM tools. We recommend WipeDrive Enterprise for data erasure because of its certifications and approvals with the Dept of Homeland Security, ADISA, and Common Criteria, and its compliance with HIPAA. The erasure must be verified to ensure that any Host Protected Area (HPA) or Device Configuration Overlay (DCO) was removed before the overwrite, so that the drive’s full native capacity was actually erased, and that the TPM has been cleared so no keys or credentials from the old deployment survive. Verification should read the media back rather than rely on the erasure tool’s own log. This will ensure the device is sanitized and ready to be reallocated to the newly rebuilt network. There are many verification tools on the market; we recommend VeriDrive for this process.
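The two checks above can be scripted independently of whichever erasure tool was used. The following is an added example written for this article; it is not WipeDrive or VeriDrive code and does not reproduce either product’s method. It parses the output of `hdparm -N` (the Linux utility that reports an ATA drive’s visible versus native sector count) to confirm no HPA hid sectors from the wipe, and it reads a drive or image back to confirm it contains only the expected fill byte, either exhaustively or by sampling. Device paths, file names and the `hdparm` sample output in the test are constructed; HPA/DCO do not exist on NVMe drives, so only the read-back check applies there.

```python
"""Post-wipe verification helpers (added example; not WipeDrive/VeriDrive code).

  1. parse_hdparm_hpa(): confirm the drive exposed its full native capacity,
     i.e. no Host Protected Area hid sectors from the overwrite (ATA only).
  2. verify_fill(): read the media back and confirm it holds the expected
     fill byte, either every block (conclusive) or a random sample.
"""
import os
import random
import re

# Line printed by `hdparm -N /dev/sdX`, e.g.
#   max sectors   = 976773168/976773168, HPA is disabled
# The first number is the visible sector count, the second the native one.
_HPA_LINE = re.compile(
    r"max sectors\s*=\s*(\d+)/(\d+),\s*HPA is (enabled|disabled)")


def parse_hdparm_hpa(output: str) -> dict:
    """Return visible/native sector counts and whether an HPA hides sectors."""
    m = _HPA_LINE.search(output)
    if m is None:
        raise ValueError("no 'max sectors' line found in hdparm -N output")
    visible, native = int(m.group(1)), int(m.group(2))
    return {
        "visible_sectors": visible,
        "native_sectors": native,
        "hidden_sectors": native - visible,
        # Trust the numbers over the label: any gap means sectors were
        # unreachable during the wipe whatever hdparm prints beside it.
        "hpa_enabled": m.group(3) == "enabled" or native > visible,
    }


def verify_fill(path: str, fill: int = 0x00, *, block: int = 1 << 20,
                samples: int = 64, full: bool = False, seed=None) -> dict:
    """Read `path` (a block device such as /dev/sdb, or any file) and check
    that it contains only `fill` bytes.

    full=True reads every block; otherwise the first and last blocks plus
    `samples` random blocks are read. `seed` makes the sample reproducible
    so the report can be regenerated.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # valid for files and block devices
        if size == 0:
            raise ValueError(f"{path} reports zero length")
        block = min(block, size)
        nblocks = (size + block - 1) // block
        if full:
            indices = range(nblocks)
        else:
            rng = random.Random(seed)
            chosen = {0, nblocks - 1}
            chosen.update(rng.randrange(nblocks) for _ in range(samples))
            indices = sorted(chosen)

        mismatches = []
        bytes_read = 0
        for i in indices:
            offset = i * block
            chunk = os.pread(fd, block, offset)
            bytes_read += len(chunk)
            if chunk != bytes([fill]) * len(chunk):
                bad = next(k for k, b in enumerate(chunk) if b != fill)
                mismatches.append({"offset": offset + bad, "found": chunk[bad]})
        return {
            "size": size,
            "blocks_checked": len(indices),
            "bytes_checked": bytes_read,
            "mismatches": mismatches,
            "clean": not mismatches,
        }
    finally:
        os.close(fd)


def write_image(path: str, size: int, fill: int = 0x00, taint=None) -> str:
    """Create a constructed disk image for exercising the checks offline.
    `taint` = (offset, byte) plants one stray byte to simulate a missed sector."""
    with open(path, "wb") as f:
        f.write(bytes([fill]) * size)
        if taint is not None:
            f.seek(taint[0])
            f.write(bytes([taint[1]]))
    return path


if __name__ == "__main__":
    # Demonstration on constructed images, not a real drive.
    img = write_image("demo.img", 8 << 20, taint=((3 << 20) + 17, 0xAA))
    print(verify_fill(img, full=True))
    print(parse_hdparm_hpa(" max sectors   = 976000000/976773168, HPA is enabled"))
```

Run the exhaustive check (`full=True`) on drives that will be redeployed into the rebuilt network; use sampling only for a quick triage pass. For a drive erased with ATA SECURITY ERASE UNIT the expected fill is usually 0x00, but some firmware writes 0xFF, so set `fill` to what the drive reports after the command. A crypto-erase leaves random data rather than a fill pattern, so this read-back check does not apply to it; there, verification means confirming that sample data written before the erase cannot be found afterward.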

WipeDrive Implementation & Partnership

WipeDrive Enterprise will perform the erasure method required by your regulatory body, whether that is the DoD 5220.22-M 3-pass overwrite, the NIST SP 800-88 Rev. 1⁵ Clear or Purge methods, or another overwrite pattern. WipeDrive meets the NIST Clear and Purge levels and implements the ATA SECURITY ERASE UNIT and SANITIZE commands. Note that NIST SP 800-88 treats multi-pass overwriting as Clear, not Purge, for flash media: on SSDs and NVMe drives, Purge requires the drive’s own sanitize, block-erase or crypto-erase command rather than host-side overwrite passes, because wear-levelled and over-provisioned cells are not addressable from the host. For more information or to request a trial, contact our Sales Team at 801.224.8900.

Sources

  1. zdnet.com/article/solarwinds-the-more-we-learn-the-worse-it-looks
  2. arstechnica.com/information-technology/2020/12/feds-warn-that-solarwinds-hackers-likely-used-other-ways-to-breach-networks
  3. en.wikipedia.org/wiki/SolarWinds
  4. volexity.com/wp-content/uploads/2020/12/Volexity-Responding-to-the-SolarWinds-Breach.pdf
  5. nist.gov/publications/nist-special-publication-800-88-revision-1-guidelines-media-sanitization