Cybersecurity experts have been warning individuals, businesses, and organizations of the potential dangers of a sophisticated, widespread supply-chain cyberattack for over a decade. Yet the SolarWinds hack took everyone by surprise. Touted as the largest and most sophisticated attack the world has ever seen, it was described by Microsoft president Brad Smith as likely requiring over 1,000 engineers to create. While the attack was so discreet that it is impossible to determine exactly how many engineers were involved, it is clear that thousands of businesses, organizations, and government agencies were affected. Now, as we struggle to regain a sense of security, the question becomes how to avoid the dangers of the next attack.
What is the SolarWinds Attack?
The SolarWinds cyberattack was a sophisticated supply-chain attack carried out over several months that successfully targeted high-profile companies and government agencies. The breach was first noticed by the security company FireEye in early December 2020, but after some investigation, it was revealed the attack likely began in September 2019.
In the only known attack of its kind, hackers infiltrated SolarWinds' network to inject test code. In early November, the trial was apparently deemed a success, and the hackers quietly exited the system without detection. They then updated their code (dubbed Sunburst after detection) and deployed it into an Orion update in early 2020. After the tainted update was made available to customers, the attackers removed the Sunburst code from the SolarWinds network.
In order to be effective, the update had to be downloaded and deployed on a device connected to the internet. After the investigation of the attack, it was estimated that 18,000 Orion customers downloaded the malicious code. While far fewer than that were impacted by the attack, hackers managed to access high-profile companies like Microsoft, Intel, and Cisco. An estimated 12 government agencies were also breached, including the Treasury, the Department of Justice, the Department of Energy, the Pentagon, and the Cybersecurity and Infrastructure Security Agency (CISA).
Essentially, hackers entered a network without detection, tested their prototype, made improvements, then patiently carried out the attack. The code changes in Orion's update were perfectly timed to avoid detection, and the update appeared completely innocent when it reached thousands of customers. Hackers then had access to the network of any customer who deployed the update on an internet-connected system. Once the attack was complete, the attackers carefully cleaned up the crime scene to prevent detection.
Upon detection of the breach, swift action was taken to remediate the potential damage to government data and alert all companies that may have been victims of the attack. Upon investigation, a task force known as the Cyber Unified Coordination Group (UCG) (composed of the FBI, CISA, and ODNI with support from NSA) theorized that the attackers were of Russian origin and the motivation was to gain intelligence from government agencies.
According to Microsoft, 44% of targeted companies were in the IT sector, and many countries were affected. While the attack revealed dangerous vulnerabilities, the overall damage was, and continues to be, minimal in comparison to a malicious attack targeted at critical infrastructure or government agencies that defend our nation. However, for financial institutions, healthcare facilities, and IT companies, the threat of hackers seeking sensitive information is ever present.
Why Supply Chain Attacks Are Effective
A supply-chain attack works in several different ways to give hackers a larger attack surface to exploit. At its most basic level, a supply-chain attack provides multiple endpoints that could allow attackers to reach major organizations through a weak link. In a more sophisticated attack like this one, the attackers deployed malicious code to many victims simultaneously. By using Orion as a vessel, they could reach valuable targets. The discreet nature of the attack and the careful cleanup made it difficult for second-level victims to see where the breach originated. After the attackers removed their code from the SolarWinds network, it appeared as if no breach had occurred and the Orion update had been written as intended.
The nature of a supply-chain attack relies on the trust built between business partners and between organizations and their customers. When threat actors can pose as a trusted supplier, they are practically invited into the user's system. When you receive a notice to update a platform you know and trust, you rarely stop to ask whether the update will be safe. Yet SolarWinds unknowingly provided a way for hackers to target thousands of valuable customers holding essential, sensitive data. Affected companies that supply software to their own customers in turn unknowingly gave the hackers a back door into additional networks, effectively creating a potential third wave of attacks.
What Does This Mean for Me and My Firm?
Even as the full effects of the SolarWinds hack are still evolving, all eyes are on the horizon for potential attacks in the future.
Supply-chain attacks provide threat actors with these advantages:
- Multiple endpoints to mine for potential vulnerabilities;
- The ability to access a variety of high-profile targets at once;
- Easier access without detection by posing as a trusted source;
- The ability to create catastrophic levels of damage rapidly.
What are you doing to protect your firm against such vulnerabilities? Investing in the services of a managed services provider (MSP) to manage your network, patch systems, and/or detect security incidents can be both a help and a vulnerability in itself. Given that supply-chain attacks are a ripe attack vector, it is critical that you ask your MSP specific questions, such as:
- How are you protecting against this specific type of attack vector?
- What additional controls have you put in place since the SolarWinds attack?
- What type of third-party security testing are you performing, and by what firm(s)?