Recent cybersecurity attacks have security companies working at high speeds to intercept attacks that occur within hours and even zero-day attacks. In an unexpected turn, the current attack that has everyone’s attention, and prompted an emergency weekend meeting of the U.S. National Security Council, is one that took several months to complete.
The SolarWinds attack was first disclosed on December 14, 2020, but it likely began in September 2019. Victims of the attack included government agencies and private companies. Among the government agencies attacked were parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury. Notable private companies like Microsoft, Cisco, Intel, and Deloitte were also affected. Other organizations include the California Department of State Hospitals and Kent State University.
Notably, not every customer using the Orion platform installed the infected update. It’s estimated that 18,000 (six percent) of the company’s 33,000 Orion product customers installed the update that left networks vulnerable to hackers from March 2020 until mid-December. Furthermore, the early stages of the investigation are not believed to have revealed the true extent of the attack.
Now, government agencies and a variety of other companies and organizations are striving to understand exactly what happened and how to avoid becoming a victim of a more advanced threat in the future. Learning from such an advanced attack begins with careful inspection of how the attack was carried out and why.
The SolarWinds hack is an advanced supply-chain attack carried out over a period of several months, targeting U.S. government agencies and high-profile private companies with extensive customer bases. The full extent and motive of the attack are unclear, as the investigation has just begun. However, it’s widely suspected that the attack was carried out by Russia’s foreign intelligence service (SVR), often referred to as Cozy Bear.
In mid-December 2020, security company FireEye recognized and reported a data breach that included access to the company’s suite of Red Team hacking tools. As the company investigated further into the origin of the attack, the connection to SolarWinds’ Orion IT platform was discovered. In a stealthy backdoor attack that spanned several months, hackers infiltrated the software update platform for Orion products, gaining access to thousands of high-profile customers of the company. Despite some similarities to other supply-chain and lateral-movement attacks, this hack was unique in nature and has prompted discussion about the need for stronger cybersecurity legislative action and penalties for attackers.
When cyberattacks are carried out quickly, as with recent ransomware attacks, a visible timeline of hacker behavior is tracked over a period of hours or days that results in discovery or contact when the attack is complete. The timeline for the SolarWinds attack is much different and includes long waiting periods where the hackers patiently watched a trojanized Orion IT update make its way to the intended victims.
On December 8, 2020, FireEye discovered and reported a system breach and the theft of security tools. The investigation that followed revealed the following timeline.
The SolarWinds attack wasn’t a random hack designed to affect every person using the service. It wasn’t even devised to impact the SolarWinds company or Orion products. The purpose was to use Orion as a vessel to target specific organizations through a software update set to occur between February and June 2020. Although roughly 18,000 customers applied the update, far fewer organizations were actually infiltrated using the malicious code included in the update.
Threat actors inserted malicious code, later named Sunburst, into Orion product updates before the updates were set to occur, then removed the code from the SolarWinds network to remain undetected. Once the update was installed, hackers could use the code within a variety of organizations to gain entry into those networks and move laterally through their systems. It’s estimated that malicious action was taken in approximately 200 organizations, including government agencies, universities, health care facilities, and high-tech companies.
Microsoft identified more than 40 customers targeted by the attack. While about 80% of these customers were located in the U.S., seven additional countries were affected: Canada, Mexico, Belgium, Spain, the United Kingdom, Israel, and the United Arab Emirates. While government agencies were included in the attack, 44% of targeted organizations were IT companies that provide software and equipment to other customers.
Notable organizations and companies hit by the attack include:
From the massive high-profile victim list to the extremely covert nature of the attack, the SolarWinds hack reveals cybersecurity vulnerabilities that haven’t been thoroughly explored before.
SolarWinds is a large IT company with a massive customer base. The company’s advertising techniques likely made it a perfect target for hackers seeking a comprehensive list of high-profile victims. In a page that has since been removed from the website, SolarWinds listed its customers as including most of America’s Fortune 500 companies, the top 10 U.S. telecommunications providers, the top 5 U.S. accounting firms, hundreds of colleges and universities, all five branches of the U.S. military, the State Department, the National Security Agency, and the Office of the President of the United States. Attacking any of these organizations separately would have been a massive undertaking, but using one vendor for a supply-chain attack eliminated much of the legwork and potential for exposure. However, that’s not the only distinction when it comes to this attack. In fact, a series of well-planned actions led to a nearly invisible attack that could have serious implications for the future of national cybersecurity regulations.
Threat actors were able to inject malware into the SolarWinds network without being recognized thanks to a combination of techniques. Hackers began with a trial run to access the Orion product update platform. The attack was then modified to include malicious code that could be inserted into SolarWinds’ build servers. Since the code masqueraded as part of the program, it was able to remain undetected until the full-scale attack was launched. When the update went out to thousands of customers months later, a backdoor entry point was created within the networks of organizations that installed the update.
Instead of taking action immediately, hackers let the malware lie dormant in each new victim’s network before performing any activity within the system. Since the hackers’ activity within new networks masqueraded as normal activity from the Orion software, malicious activity could potentially go undetected until the objective was complete.
Rapid-fire attacks are difficult to identify and stop due to the speed at which the attack is introduced and carried out. This attack was planned with the ability to remain invisible for months at a time and included a dormant period after it was introduced to targeted victims. The ability of the code to remain undetected within the SolarWinds platform for months, throughout routine security procedures, raises new fears that other threats could be operating beneath the radar of vital organizations. Additionally, the fact that Sunburst was introduced to target networks only to lie dormant for weeks means deeper investigation was required to discover the origin of the threat.
IT companies that were unaware of the hack and continued to provide services and products to their own customers added another layer of potential victims to the attack. While the main objective of the SolarWinds hack seems to have been high-profile targets, the threat to third parties using compromised software still exists.
All too often, cybersecurity is aimed at avoiding direct threats such as phishing and similar methods. When the attack comes from trusted software, target organizations need a new method of protection. With the introduction of this attack, organizations realize they can’t assume vendors and core partners are following necessary security protocols.
Cybersecurity company FireEye uncovered and revealed the source of the attack, but not before its advanced Red Team security tools were stolen. Even while the complete impact of the attack is being determined, hackers can utilize the FireEye tools for other types of covert attacks within networks that are unprepared for this new threat. While FireEye has been refreshingly transparent about the hack and related actions to prevent further damage, there’s no doubt these new tools will improve the ability of hackers attempting to access and corrupt victim networks.
As organizations struggle to recover from the attack and prepare for the future, many steps are being taken to prepare for possible actions hackers may take in the future. This sobering look at how easily accessible government agencies can be to hackers might finally lead to stricter legislation regarding cybersecurity regulations and the punishment for nation-state threat actors. Without certain restrictions and resulting actions in place, organizing effective international cybersecurity policies will be practically impossible.
Affected companies responded immediately with timely reports to customers and ongoing transparency regarding the attack. SolarWinds released a software fix within days of being notified of the breach. FireEye teamed up with Microsoft and GoDaddy to create a kill switch that causes the malware to terminate and prevent further execution. However, these actions don’t address the larger need for protection against new and growing threats.
An attack of this magnitude expands the ways hackers can carry out a variety of cyberattacks with differing objectives. While entry methods would have to be modified, such a wide-scale attack would conceivably offer up a massive payday for ransomware operators. The success of this hack makes it essential for companies, security agencies, and government organizations to prepare for the next threat on the horizon.
After the attack, incoming president Joe Biden promised to make cybersecurity a top priority for the administration. He went on to say the administration would elevate cybersecurity as an imperative across the government, strengthen partnerships with the private sector, and invest in the infrastructure and people needed to protect against cyberattacks. Promising the administration would not stand idly by in the face of cyberattacks against the nation, Biden said the administration will impose substantial costs on individuals responsible for malicious attacks to deter such activity.
During President Biden’s first week in office, he seems to be making good on that promise. Quickly filling key roles with world-class cybersecurity experts and including more than $10 billion in cybersecurity and IT funds in the upcoming COVID-19 relief proposal are among the actions taken during the president’s first week in office. Compared to recent U.S. efforts in cybersecurity, this seems like a monumental effort, but many experts agree it’s only the beginning steps in what needs to be done for adequate cybersecurity.
Perhaps the biggest question now is whether similar attacks could be occurring beneath the radar. Given what we’ve learned about the SolarWinds hack, it’s virtually impossible to know if similar attacks aren’t already in progress. While it’s alarming to learn government agencies and Fortune 500 companies have been compromised, individuals and businesses need to remember that cybersecurity efforts aren’t in vain. After all, even though the government earmarks billions of dollars for cybersecurity, a private security firm recognized the breach within its own system. FireEye went further to recognize the origin of the attack and alert a long list of victims. This might not seem like a big deal, but it means traditional and emerging cybersecurity techniques are working.
There’s no single solution to avoiding every type of cyber threat, but routine management and a strong defense are the best tools to prepare for potential breaches. For instance, companies affected by the SolarWinds hack that already had SIEM and logging in place were better prepared to apply the defenses recommended against the attack.
A SIEM collects and correlates activity across a network and flags suspicious behavior. While this code was covert enough to go undetected within multiple organizations, additional activity by the hackers likely triggered the alarm that alerted FireEye to the breach. A SIEM often detects a breach and creates an alert immediately. Unfortunately, sometimes a breach successfully gets past a security system. However, additional actions by threat actors provide another opportunity for detection.
When the threat was detected, FireEye’s investigation quickly tracked back to SolarWinds. Without the right security measures in place, tracking these movements would likely be impossible. While a variety of steps need to be taken for effective cybersecurity at both private companies and government agencies, there will always be a need for individual security protections.
So, what does this mean companies and local governments should be doing to avoid future attacks? For organizations with systems running SolarWinds Orion, it’s essential to install the recommended updates and patches to avoid potential compromise. However, organizations using Orion aren’t the only ones affected by a breach of this complexity and magnitude. It should serve as a wake-up call that all agencies and companies must make cybersecurity, and the ability to identify and eliminate new threats as they arise, a priority. Automated security tactics combined with the efforts of cybersecurity experts provide the most comprehensive protection available against potential cyberattacks of the future.
Advanced cyberattacks can make maintaining a network seem impossible. It’s important to remember that as attackers take advantage of advanced technology to attempt to breach vital systems and access sensitive information, cybersecurity experts are learning new ways to halt this action in its tracks. BitLyft is an advanced cybersecurity company accustomed to the demands of organizations that must protect large amounts of sensitive customer information. Get in touch today to learn more about the most advanced ways you can protect your network.