There are many lessons learned from the SolarWinds hack, a meticulously planned and insidious attack in cyberspace that occurred over the months from March to December of 2020. The cybercriminals left such a faint malware footprint that, as of January 2021, even the experts aren’t sure how much damage they did.
The full impact of the crime (how it happened, what the hackers got, and how they intend to use it) could take years to absorb.
It is no secret why the hackers targeted SolarWinds, an information technology management firm based in Austin, Texas. Its products, which are well regarded in a highly competitive industry, help businesses manage their systems, networks and infrastructures. Revenue topped $938 million in 2019. SolarWinds led in market share in 2017, 2018 and 2019. It is still leading as of now at 12.32 percent. At the time of the attack, the 21-year-old firm boasted around 300,000 customers.
SolarWinds develops network management system software, or NMS software, which monitors and analyzes operations. It’s popular with companies that want to see what’s happening across all their computer networks.
It turned out to be popular with the hackers too. There’s greater value in compromising that software than in targeting a single server, machine or individual. Who needs a phishing campaign when you can infiltrate entire networks? It’s a little like robbing a bank rather than mugging a handful of people on the street.
About 33,000 public and private entities used Orion, SolarWinds’ NMS software, during the months that the breach occurred. However, SolarWinds told the Securities and Exchange Commission that only around 18,000 users had downloaded the March update that was compromised by the hackers.
Of Fortune 500 companies, 425 used Orion. Microsoft, Cisco and Intel were among the private companies affected. Leading U.S. telecoms and elite accounting firms were clients. AT&T, McDonald’s, and Procter & Gamble are also SolarWinds customers, but it’s not yet known if they were infected. At least one university system, Kent State, and one hospital system were victimized.
Most disturbing of all, the hackers managed to breach the upper echelons of the U.S. government. At last count, the State Department, Energy Department, Treasury Department, Commerce Department, Department of Homeland Security, National Nuclear Security Administration, National Institutes of Health, and some systems within the Pentagon were hacked.
Given its scale, the attack calls into question the safety and integrity of the cyberinfrastructure.
How It Happened
First, the hackers somehow got into SolarWinds’ development operations while the software update was being assembled. This tactic is known as a supply chain attack.
The hackers inserted malicious code that created access to clients’ IT systems. Anybody who downloaded the patch, which was digitally signed by SolarWinds and highly trusted, also downloaded the malicious code. Once downloaded, the malicious code sometimes installs even more malware.
In early December, a private security firm called FireEye announced that its servers had been compromised and that security testing tools had been stolen. FireEye had traced the breach to the SolarWinds update and let the company know that its software had been corrupted. It identified the trojan component as SUNBURST. FireEye explained that the malware had actually mimicked Orion activities and stored data inside legitimate SolarWinds files.
That’s how it was able to lurk undetected for months. Since the credentials appeared to check out, it could perform all the actions that one would expect only from an extremely privileged system administrator. It operated as SolarWinds software but had a mind of its own.
According to U.S. officials, all fingers point to organized hackers within Russia’s foreign intelligence service. The U.S. government calls the group Advanced Persistent Threat 29, or APT29. The hackers themselves prefer Cozy Bear. During the Obama administration, Cozy Bear was blamed for abusing email systems in the White House and State Department.
The Russian embassy in America coolly denied responsibility on Facebook in December: “Malicious activities in the information space contradict the principles of the Russian foreign policy … Russia does not conduct offensive operations in the cyber domain.”
The Purpose of the Hack and the Risks for Victims
The malware spied out sensitive data and reported its findings to third-party servers in a remote command center. To evade security analysts, it waited patiently for around two weeks before “phoning home.”
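A dormancy period like this defeats checks that only watch an update for a short time after it is installed. The following is an added example, not part of the original article: a Python heuristic that correlates update install times with outbound connection logs and flags destinations a package contacts for the first time only after a quiet period. The function name, log layout, host names, domains and dates are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (illustrative only, not from any real incident).
INSTALLS = [  # (host, package, update install time)
    ("srv-01", "nms-agent", "2024-05-01T10:00:00"),
    ("srv-02", "nms-agent", "2024-05-02T09:00:00"),
]
CONNECTIONS = [  # (time, host, package that opened the connection, destination)
    ("2024-05-01T10:05:00", "srv-01", "nms-agent", "updates.vendor.example"),
    ("2024-05-08T08:00:00", "srv-01", "nms-agent", "updates.vendor.example"),
    ("2024-05-15T11:30:00", "srv-01", "nms-agent", "cdn-7f3.unknown.example"),
    ("2024-05-02T09:10:00", "srv-02", "nms-agent", "updates.vendor.example"),
    ("2024-05-03T14:00:00", "srv-02", "nms-agent", "telemetry.vendor.example"),
]

def delayed_first_contacts(installs, connections, min_dormancy=timedelta(days=7)):
    """Return (host, package, domain, days_after_install) for every destination
    that a package first contacts only after a quiet period following its update."""
    installed = {(h, p): datetime.fromisoformat(t) for h, p, t in installs}

    # Earliest time each (host, package, destination) triple was observed.
    first_seen = {}
    for ts, host, pkg, domain in connections:
        when = datetime.fromisoformat(ts)
        key = (host, pkg, domain)
        if key not in first_seen or when < first_seen[key]:
            first_seen[key] = when

    findings = []
    for (host, pkg, domain), when in sorted(first_seen.items()):
        start = installed.get((host, pkg))
        if start is None or when < start:
            continue  # no install record, or destination was already in use before the update
        gap = when - start
        if gap >= min_dormancy:
            findings.append((host, pkg, domain, gap.days))
    return findings

if __name__ == "__main__":
    for finding in delayed_first_contacts(INSTALLS, CONNECTIONS):
        print("review:", finding)
```

A valid vendor signature on the update does not affect this check, since it looks only at network behaviour after installation; findings are leads for review, because legitimate software also adds new endpoints over time.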
It now appears that the hack penetrated multiple networks. What were the hackers after? How will they use the sensitive information that was exposed?
Again, that remains to be seen. Spying appears to have been the chief objective. However, in some cases, the malware installed additional malware that keeps the backdoor propped open for long-term remote access. The hackers could potentially disable systems, modify configurations, alter or destroy data, steal data and demand a ransom, interfere with cloud-based resources, swipe credentials to impersonate real people, or go after victims’ business partners. Several U.S. security agencies view the attack as significant and ongoing.
There’s one silver lining. Not every SolarWinds customer was hacked. Only the 18,000 that downloaded the patch released in March seem to be affected. Not only that, but the hackers most likely started with the heavy hitters and worked their way down the list; smaller organizations of less value could come through unscathed.
Lessons Learned from the SolarWinds Hack that Companies can Use to Protect Themselves
Once hackers like Cozy Bear are exposed, they start covering their tracks and plotting new schemes. There is strong evidence that Cozy Bear left backdoors open for a future return.
Unfortunately, hackers get savvier all the time and system security breaches have become commonplace. That’s probably why nobody has accused SolarWinds of negligence.
SolarWinds’ customers and other companies should assume that they have been or eventually will be hacked and should implement layered security to compensate for the inevitable security gaps, suggests Henry Bagdasarian, Founder and President of Identity Management Institute. There’s no time to waste.
Even companies that don’t see obvious indications of compromise should do all they can to limit their exposure. It might be prudent to decommission the SolarWinds software and complete a security scan and risk assessment of the most critical systems and infrastructure until the entire incident is sorted out, suggests Mr. Bagdasarian.
Going forward, companies should ramp up cybersecurity training and awareness. They should regularly conduct emergency response drills. All the experts encourage collaboration between government and private entities. Suspicions, threats and unusual activity must be reported.
Improving Supply Chain Management to Prevent Future Attacks
Third-party vendors are the weakness in supply chains. The more there are, the more vulnerable the system is.
Companies can better manage their supply chains and fortify against attacks by following these lessons learned from the SolarWinds hack and best practices:
Tell what they know
Cybersecurity experts can’t mitigate potential threats without detailed information about hacks that have already happened. SolarWinds, FireEye and Microsoft have been very forthcoming about the recent hack and how vulnerabilities in their systems could have allowed it.
Embrace artificial intelligence
Companies have to know where classified data is stored and who has access to it all along the chain. Humans just aren’t up to the task of constant monitoring for threats. Companies can leverage AI to do it for them and flag odd behaviors in real time.
Ensure that Nth parties play by the rules
Even an organization with strict protocols in place is only as secure as the least secure link in its supply chain. That’s rather depressing, but it should motivate companies to insist on greater oversight all the way from first-tier vendors down to Nth parties.
Nth parties are third-party vendors’ third-party vendors. Everyone at every level should have the tightest security controls in place.
Stay current on best practices
The bad guys’ tactics and methods evolve right along with cybersecurity improvements, and staying a step ahead calls for expert advice. The National Institute of Standards and Technology publishes an up-to-date, detailed list of countermeasures to protect companies.
Even as we accumulate more lessons learned from the SolarWinds hack, there’s no magic bullet for preventing a repeat. Awareness, hypervigilance and ongoing education are the best weapons for now.