Unless you have been living under a rock in these waning weeks of 2020, you have certainly heard about the massive cyberattack that affected US federal and local government agencies and thousands of businesses. Commonly known as the SolarWinds hack, this most recent cyberthreat was a little new and different in its scope and scale – and is perhaps a harbinger of things to come.
The cybersecurity industry is particularly interested in the SolarWinds hack, also referred to as SUNBURST, for a number of concerning reasons — many of which should worry you too, particularly if you depend on IT to run your business.
SolarWinds is a technology firm based in Austin, TX. The company develops software that helps businesses manage their networks, systems, and IT infrastructure. In short, they are mammoth supplier of IT network management tools and monitoring services. They boast an impressive client list of more than 300,000 businesses and US government entities including the Department of Homeland Security, the Department of Defense, the Department of Commerce, the State Department and the Treasury. Microsoft and many other major companies, including several Cybersecurity solution vendors, were also affected.
And because SolarWinds’ software quietly sits in their clients’ back office (rather than being front facing like most Microsoft products), not very many employees outside the organizations’ IT departments even know the software exists.
As with most software vendors, SolarWinds regularly provides its customers with software updates that, in theory, keep their systems bug-free and safe. But ironically it is within the processes of securing those systems, staying on top of vendor patches and installing updates that ultimately turned out to be SolarWinds’ Achilles’ heel.
Early in December of this year, one of SolarWinds’ customers detected malicious code in Orion, one of SolarWinds premier monitoring and management products. Upon further investigation this business determined there was an unauthorized backdoor in their SolarWinds network monitoring solution that was “phoning home” to servers outside the US.
The hackers, widely believed to be Russian operatives, had been able to compromise SolarWinds, the software company. Once inside the software vendor, they were able to insert a trojan into the company’s software code repository.
This was one step in a much larger, very sophisticated attack and ultimately with a very big prize: undetected access to the information of thousands of SolarWinds’ clients, including Fortune 500 businesses and, most importantly for the Russians, access into US government agencies.
Essentially, the hackers poisoned the well. And when diligent, best-practice customers of SolarWinds Orion software updated to the latest and greatest patch, the trojan code was installed within the networks of all those SolarWinds’ customers, who were indeed the intended target.
At this point, SolarWinds is reporting up to 18,000 clients might be affected by SUNBURST, though cybersecurity experts are betting that the number is much-much larger. And the total damage done to industry and government security is yet to be fully understood. It is without a doubt enormous and likely one of the most successful and damaging attacks to date.
The SolarWinds hack is noteworthy for a number of reasons. One of the biggest shockers is that SolarWinds was likely compromised way back in March 2020. This means the trojan worked its way through – and festered in – victims’ IT systems and networks undetected for upwards of nine months, supplying bad actors unfettered access for an excruciating amount of time. You might liken it to finding a family of malevolent strangers living in your attic for the better part of a year, having access to everything that goes on within your home.
Furthermore, with this much time, it should be expected that the Russian hackers “pivoted” within the network, meaning they found other systems to compromise within the victim organizations’ technology and infrastructure.
So likely for weeks, maybe months or even longer, the attackers remained (and in many cases, likely still remain) embedded and undetected as ghosts in the machine.
As noted above, the perpetrators of this attack, weren’t targeting SolarWinds per se. Rather, they leveraged weaknesses in this vendor’s security controls to gain access to its software code which they knew would be downloaded and installed over and over again, thousands of times, thereby giving the Russian hackers access to a vast market of victims through the supply chain.
Just like so many lessons from 2020, the SolarWinds hack underscores the fact we live in a dangerous world with no shortage of threats to our businesses, our livelihoods, and our lives.
But there is another important lesson to be learned from this very malicious backdoor supply chain attack, not to mention the global pandemic.
We, as individuals and as organizations, have a responsibility not just for our own safety, but for the wellbeing and security of those around us. As it relates to the spread of the COVID-19, we wear facial coverings to mitigate our own risk, while at the same time, protect others.
Similarly, the purpose and magnitude of the SolarWinds hack underscores the near desperate need for organizations to report what happens within their own environment to the broader community.
We aren’t far away from next-gen cybersecurity safeguards being a duty rather than a choice. It is no longer only about the health and safety of our own systems, but for the systems and data security of our customers and community.
Here’s to heading into 2021 a little bit wiser for all the wear.
Stig Ravdal is the President & Founder of Ravdal, Inc., a leading cybersecurity company. He is an expert in the fields of cybersecurity strategy and technology solutions, and is available for speaking engagements.