The SolarWinds Hack – A massive cyber attack in the United States using a novel set of tools. A valuable lesson for Cybersecurity.
In 2020, the United States witnessed the biggest ‘cyber’ intrusion known to date. The nature and number of affected US Government agencies and Federal Government networks are unprecedented; the affected agencies notably include the US Energy Department, which controls the National Nuclear Security Administration. Russian agents are the suspects in the ‘Orion breach.’ The Commerce Department and the Treasury were both affected, and many others have been breached as well. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the US, due to the sensitivity and high profile of the targets and the long duration (approx. nine months) for which the hackers had access. Within days of its discovery, at least two hundred organizations around the globe had been reported to be affected by the attack, and most of them have suffered data breaches.
How did the Cyber Security Attack Happen?
SolarWinds is a major IT firm that provides software for organizations ranging from Fortune 500 companies to the US Government. The hack began in early March last year, when malicious code was sneaked into the updates of a popular software product called Orion, made by SolarWinds, which monitors the computer networks of governments and businesses for outages. The hackers gained entry into the networks by getting more than eighteen thousand Government and private users to download a tainted software update. Once inside, they were able to monitor internal emails at some of the US’s top agencies.
The breach wasn’t discovered until the prominent cybersecurity company ‘FireEye,’ which also uses SolarWinds, determined that it had been breached through the software by a highly sophisticated threat actor. FireEye called it a state-sponsored attack, without naming Russia. It said it had been attacked by a nation with top-tier offensive capabilities that sought information related to specific Government customers. It also said the methods used by the attackers were novel. However, the worst part is that the extent of data stolen or compromised is still unknown, given the scale of the attack, which is still being discovered.
How did so many United States Government agencies and organizations get attacked?
This attack is being called a ‘supply chain’ attack. Instead of directly attacking the Federal Government or the private networks of organizations, the hackers targeted the third-party vendor that supplies software to them. In this case, the target was the IT management software called Orion, provided by the Texas-based company SolarWinds. Orion has been a dominant software product from SolarWinds, with clients that include over 33,000 companies. SolarWinds says 18,000 of its clients have been impacted. Incidentally, the organization has deleted the list of clients from its official websites.
Microsoft also confirmed it had found evidence of the malware on its systems, although there was no evidence of access to production services or customer data, or that its systems were used to attack others. According to FireEye, the hackers gained “access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software”. Basically, a software update was exploited to install the ‘Sunburst’ malware into Orion, which more than 17,000 customers then installed.
FireEye says the attackers relied on “multiple techniques” to avoid being detected and “obscure their activity”. The malware was capable of accessing the system files. According to FireEye, what worked in the malware’s favour was that it could “blend in with legitimate SolarWinds activity.” Once installed, the malware gave the hackers a backdoor into the networks and systems of SolarWinds’ customers. More importantly, the malware was also able to evade detection by tools such as antivirus. Microsoft mentions that “This aspect of the attack created a supply-chain vulnerability of nearly global importance, reaching many major national capitals outside Russia.”
What is the mitigation action to overcome the most significant Cyber Security breach?
SolarWinds recommended that all customers immediately update the existing Orion platform to a version that includes a patch for this malware. “If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigating findings and details of the impacted environments.” Those who weren’t able to isolate the SolarWinds servers should include blocking all internet egress from the SolarWinds servers in their response. The basic suggestion is changing the passwords of the accounts that have access to the SolarWinds infrastructure or the servers.
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, asking all “federal civilian agencies to review their networks” for compromise indicators. It has asked them to “disconnect or power down SolarWinds Orion products immediately”. The FBI, CISA and the Office of the Director of National Intelligence issued a joint statement and announced what is called the ‘Cyber Unified Coordination Group (UCG)’ to coordinate the government response to the crisis. The statement calls this a “significant and ongoing cybersecurity campaign.”
The company said total revenue from affected products was about $343m, or roughly 45% of the firm’s total revenue. SolarWinds’ stock price has fallen 25% since news of the breach first broke. This intangible effect would contribute to destabilization by creating chaos and mistrust while reducing the likelihood of any retaliatory action by the world’s leading cyber power. As sowing chaos and distrust is a crucial tactic below the war threshold, it may not be too far-fetched to consider this as a possible motive.
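The recommendation above to block all internet egress from the SolarWinds servers can be verified against firewall or flow logs rather than taken on trust. The following Python audit is an added example, not code from SolarWinds, FireEye or CISA; the Orion server addresses, the five-field log format and the sample lines are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Assumption: addresses of the Orion servers in a hypothetical environment.
ORION_SERVERS = {"10.20.0.15", "10.20.0.16"}

# Destinations inside these ranges are treated as internal, not internet egress.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample flow log: timestamp src dst dport action
SAMPLE_LOG = """\
2020-12-14T09:00:01Z 10.20.0.15 10.20.0.40 161 ALLOW
2020-12-14T09:00:05Z 10.20.0.15 203.0.113.77 443 ALLOW
2020-12-14T09:00:09Z 10.20.0.16 198.51.100.9 443 DENY
2020-12-14T09:01:12Z 10.20.0.15 203.0.113.77 443 ALLOW
2020-12-14T09:02:30Z 10.30.1.8 203.0.113.77 443 ALLOW
malformed line
2020-12-14T09:03:00Z 10.20.0.16 192.168.5.2 5432 ALLOW
"""

def is_internal(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk
    return any(ip in net for net in INTERNAL_NETS)

def audit_egress(log_text, servers=ORION_SERVERS):
    """Return (leaks, blocked) Counters keyed by (src, dst, port).

    leaks   = internet-bound flows from an Orion server that were allowed,
              i.e. the egress block is not effective for that path.
    blocked = internet-bound attempts that the firewall denied; still worth
              reviewing, since the server tried to reach the internet.
    """
    leaks, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records instead of aborting the audit
        _ts, src, dst, port, action = parts
        try:
            external = not is_internal(dst)
            key = (src, dst, int(port))
        except ValueError:
            continue
        if src not in servers or not external:
            continue
        (leaks if action == "ALLOW" else blocked)[key] += 1
    return leaks, blocked

if __name__ == "__main__":
    leaks, blocked = audit_egress(SAMPLE_LOG)
    for (src, dst, port), n in leaks.items():
        print(f"EGRESS NOT BLOCKED: {src} -> {dst}:{port} ({n} flows)")
    for (src, dst, port), n in blocked.items():
        print(f"blocked attempt:    {src} -> {dst}:{port} ({n} flows)")
```

The internal ranges are listed explicitly because Python's `ipaddress.is_private` also returns true for reserved documentation ranges, which would hide the sample's external destinations.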
To summarise, SolarWinds is a valuable lesson for everyone involved. The far-reaching nature of this kind of impact also shows just how important it is for Government agencies to work in partnership with the private sector to achieve robust and effective cybersecurity. While it will not be the last of its kind, focusing on what SolarWinds could not do can help ensure that preventive measures are implemented. Given the limited number of response options available, the importance of cybersecurity as the first line of defence cannot be overstated. The integrity and security of supply chains and greater public-private cooperation in identifying and sharing cyber threat information are critical. The focus on this is long overdue, and after SolarWinds, there can be no more excuses. Besides, organizations will have to consider implementing advanced cybersecurity technologies such as ‘Cyber Security Mesh’ to protect against this and many other breaches in the future, as we are being studied continuously by Internet of Behaviour (IoB) technology, which makes our devices easily accessible to cybercriminals.