On December 8, 2020, the security company FireEye reported in its blog that its own network had been breached. According to the publication, the company had been "attacked by a highly sophisticated threat actor", most likely a nation state with well-developed capabilities and resources, and its red-team tools had been taken.
Five days later, on December 13, FireEye published its analysis of the intrusion: the attackers had compromised SolarWinds' software build process and used it to distribute a backdoored Orion update. The campaign was aimed at specific government and corporate targets, but later reporting showed that public and private organizations throughout the world had received the same trojanized update.
As of this writing, the full scale of the damage remains unknown, although it is clear that significant amounts of information were compromised. The investigation established that the SolarWinds hack came through the company's own software supply chain, a warning to every organization that a vendor's security posture is effectively part of its own.
How Did Hackers Sneak Malware Into a Software Update?
Rather than attack well-defended federal networks head-on, the attackers went after a weaker link: the vendors those networks already trusted. The target was Texas-based software company SolarWinds, and specifically its Orion platform, a network and infrastructure monitoring product that, by design, runs with broad privileges and has visibility across its customers' environments.
In short, the attackers inserted a backdoor, which FireEye named Sunburst, into a component of Orion and let SolarWinds' normal build and release process compile, sign and ship it as part of regular product updates. Up to about 18,000 customers installed the trojanized updates. Each of them now had a dormant backdoor inside its network, although the threat actor pursued hands-on follow-up activity in only a small fraction of those organizations.
The key to the malware's success was camouflage rather than novelty of exploitation. The backdoor shipped inside a legitimately signed SolarWinds library, so it looked like vendor code to both the operating system and the customer; it checked for security tools on the host and stayed quiet if it found them; and its command-and-control traffic was disguised as ordinary Orion telemetry. Once active, it gave the attackers a foothold from which to move further into the network and reach data, all while standard antivirus and antimalware tools saw nothing amiss.
In response, the US Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 on December 13, 2020, directing all federal civilian agencies to review their networks for indicators of compromise and to immediately disconnect or power down affected Orion products. Addressing this widespread breach required a coordinated effort among the FBI, CISA, the Office of the Director of National Intelligence and the NSA over the months, and possibly years, to come.
Why Is the SolarWinds Hack So Critical?
Modern organizations run on software and services they did not build. Anything that compromises a widely used supplier, whether an outage or an intrusion, ripples out to every customer at once. In this case, the US government as well as numerous agencies and private companies were unprepared to deal with the havoc unleashed by the SolarWinds attackers.
Equally disturbing, the US government later formally attributed the operation to Russia's foreign intelligence service, the SVR.
The exposure was enormous. SolarWinds' own customer list at the time included 425 of the US Fortune 500, the top ten US accounting firms, the top five US telecommunications companies, every branch of the US military, the State Department and the Pentagon, and hundreds of colleges and universities around the world. Not every customer ran Orion, and not every Orion customer was actively exploited, but the trojanized update put a backdoor within reach of all of them.
Considering the sheer number and scope of the victims, the effects of the hack are all the more sobering. After a dormancy period of up to two weeks following installation, the backdoor begins accepting commands, known as jobs, that can transfer or execute files, profile the system, disable services and reboot the host.
All the while, detection is avoided by techniques such as temporary file replacement: the attackers overwrite a legitimate utility with their own, modify a scheduled task so that it runs, execute it, and then restore the original file, so that a later integrity check finds nothing out of place. This tradecraft, and the care taken to blend in with normal activity, meant that it took time for security teams to identify and analyze the techniques before effective defenses could be developed to combat and eradicate them.
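The swap-run-restore pattern described above leaves a specific trace in file-integrity and process telemetry: a file's hash changes, the file is executed, and the hash then reverts to its earlier value within a short window. The following detector, an added example that is not part of the original article and not code from FireEye or SolarWinds, runs that logic over a constructed log. The log format, field names, paths, task name and hash values are all assumptions made for this illustration.

```python
"""
Detector for the swap-run-restore evasion: a legitimate binary is overwritten
with an attacker-supplied file, executed (here via a modified scheduled task),
then restored to its original bytes so that a later integrity scan sees
nothing wrong. The signal is a file whose hash changes and then reverts to
its previous value within a short window, with an execution in between.

Everything here is illustrative: the log format, field names, paths and
hashes are constructed for this example and are not a real product's output.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

# Constructed telemetry: one swap-run-restore sequence on svcutil.exe and one
# ordinary update of updater.exe (hash changes once and stays changed).
SAMPLE_LOG = r"""
2020-12-01T10:00:00Z FILE_HASH path=C:\Program Files\Example\svcutil.exe sha256=aaaa1111
2020-12-01T10:02:10Z FILE_MODIFIED path=C:\Program Files\Example\svcutil.exe sha256=bbbb2222
2020-12-01T10:02:15Z TASK_MODIFIED name=\Example\Maintenance action=C:\Program Files\Example\svcutil.exe
2020-12-01T10:02:30Z PROCESS_START image=C:\Program Files\Example\svcutil.exe pid=4321
2020-12-01T10:05:00Z FILE_MODIFIED path=C:\Program Files\Example\svcutil.exe sha256=aaaa1111
2020-12-01T11:00:00Z FILE_HASH path=C:\Program Files\Example\updater.exe sha256=cccc3333
2020-12-01T11:30:00Z FILE_MODIFIED path=C:\Program Files\Example\updater.exe sha256=dddd4444
2020-12-01T11:31:00Z PROCESS_START image=C:\Program Files\Example\updater.exe pid=5555
"""

# key=value pairs; values may contain spaces, so a value runs until the next " key=".
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


@dataclass
class Finding:
    path: str
    swapped_at: datetime
    restored_at: datetime
    executions: list = field(default_factory=list)  # process starts while swapped
    tasks: list = field(default_factory=list)       # scheduled tasks repointed at the file


def parse_line(line: str) -> Event:
    """Parse '<iso-timestamp> <EVENT_KIND> key=value ...' into an Event."""
    ts_s, kind, rest = line.split(" ", 2)
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ")
    return Event(ts, kind, dict(KV_RE.findall(rest)))


def detect_swap_and_restore(events, window=timedelta(minutes=30)):
    """Return one Finding per file that was replaced, executed and restored within `window`."""
    known = {}     # path -> hash currently on disk
    pending = {}   # path -> (hash that was replaced, time of replacement)
    execs = {}     # path -> [process start times]
    tasks = {}     # path -> [(time, task name)]
    findings = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "PROCESS_START":
            execs.setdefault(ev.fields["image"], []).append(ev.ts)
        elif ev.kind == "TASK_MODIFIED":
            tasks.setdefault(ev.fields["action"], []).append((ev.ts, ev.fields["name"]))
        elif ev.kind in ("FILE_HASH", "FILE_MODIFIED"):
            path, h = ev.fields["path"], ev.fields["sha256"]
            prev = known.get(path)
            if prev is not None and prev != h:
                pend = pending.pop(path, None)
                if pend and pend[0] == h and ev.ts - pend[1] <= window:
                    # Hash reverted to the pre-swap value: was the file run in between?
                    runs = [t for t in execs.get(path, []) if pend[1] <= t <= ev.ts]
                    if runs:
                        names = [n for t, n in tasks.get(path, []) if pend[1] <= t <= ev.ts]
                        findings.append(Finding(path, pend[1], ev.ts, runs, names))
                else:
                    # Not (yet) a revert: keep the original value within the window,
                    # otherwise start tracking from this change.
                    pending[path] = pend if pend and ev.ts - pend[1] <= window else (prev, ev.ts)
            known[path] = h
    return findings


def scan(log_text: str):
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return detect_swap_and_restore(events)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.path}: replaced {f.swapped_at:%H:%M:%S}, run {len(f.executions)}x, "
              f"restored {f.restored_at:%H:%M:%S}, tasks={f.tasks}")
```

The execution check is what keeps the rule useful: a hash that flips and flips back without the file ever running looks like a rolled-back update, not an attack, so it is ignored. Conversely a real update (updater.exe in the sample) changes the hash once and is never flagged. In practice the same logic runs over EDR or file-integrity-monitoring output rather than a hand-written log, and the window should be tuned to how fast the attacker is expected to clean up.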
Private Companies and Governments Under Attack
The list of governmental, agency and private entities directly affected by the SolarWinds hack is a veritable who's who of top-tier organizations. They include, but are not limited to, the following:
• Governmental bodies including the Department of State, Department of Homeland Security, National Institutes of Health, Department of Energy, Department of the Treasury, Department of Commerce, and up to three state governments.
• Tech giants such as Intel, Microsoft, Cisco, nVidia, VMware, Belkin, and FireEye
• The New South Wales Ministry of Health in Australia
• Mount Sinai hospital and many other medical institutions.
In all likelihood, the full extent of the breach as well as the identities of all victims will never be disclosed to the public.
The SolarWinds incident should serve as a wake-up call and an educational moment for the U.S. government as well as any private company that stores, manages, or transmits sensitive data. Several disturbing facts merit thorough study:
• The backdoor went undiscovered for roughly nine months: the first trojanized Orion build shipped in March 2020 and was not identified until December
• When it was identified, it was a private company (FireEye), not the government, that did so, and only because it was investigating its own breach
• The malware was delivered inside a routine, digitally signed vendor software update, exactly the channel defenders are told to trust, and was difficult to detect
• Weak credential hygiene at the vendor had been reported publicly before the breach (a trivial password on a SolarWinds update server), although that was never confirmed as the entry point
• Mandatory cybersecurity requirements for agencies and companies deemed critical to our infrastructure are fragmentary and sector-specific; there is no uniform baseline
Only time will tell the full extent and exact nature of the SolarWinds attack. One fact, however, seems clear: the belief held by many organizations that their cybersecurity posture was impervious to compromise has been permanently shattered.