2020 has been an unpleasant year, opening with the unprecedented “black swan” COVID-19 pandemic and closing with a global cyber espionage campaign that compromised the networks of organizations around the world after attackers breached the systems of Texas-based IT management and monitoring software provider SolarWinds.
While details are still emerging as to the full scope and scale of this massive cyberattack, recently discovered in the United States, the “SolarWinds hack” has already emerged as one of the biggest ever targeted against the U.S. government, its agencies and numerous other public and private organizations, including Fortune 500 companies – and it is increasingly seen as a global campaign.
How was this cyberattack carried out? Why was it so hard to detect? What kind of data has been compromised? Why have U.S. government officials and politicians named Russia? Read on for a clear picture.
SolarWinds: The Company at The Core of the “Orion” Hack
Before delving into the specifics of the “SolarWinds hack”, it helps to understand some basics about the company in question.
Put simply, SolarWinds is a software company that primarily sells systems management tools to IT professionals; its most widely deployed product is “Orion”, a Network Management System (NMS).
An NMS is a prime target for attackers for several reasons. First, a Network Management System is built to communicate with every device it manages and monitors, so outbound ACLs (Access Control Lists) are ineffective against it, making it a prime location from which to operate. Secondly, many NMSs are configured both to monitor for events and to respond to them, which means they can make changes on the network according to their configuration. Any change the NMS can make, an attacker who controls it can make too. Even when an NMS is “monitor only”, the credentials it uses still grant the attacker some level of access. An attacker who has compromised an NMS can usually reshape network traffic to create MitM (Man-in-the-Middle) opportunities and can often reuse the monitoring credentials to move laterally to target systems.
Orion has broad capabilities for monitoring and managing systems, including servers, workstations and network devices. Not every organization configures SolarWinds identically, but wherever it is deployed it is a highly attractive target for attackers, for a simple reason: in order to monitor systems, it has to be integrated with them in some way.
Another reason the “SolarWinds attack” has been so massive is that the Texas-based firm has become a dominant player in its industry, providing monitoring software to thousands of corporations and federal agencies around the world since its inception in 1999.
“They’re not a household name the same way that Microsoft is. That’s because their software sits in the back office,” stated Rob Oliver, a research analyst at Baird who has followed the company for years. “Workers could have spent their whole career without hearing about SolarWinds. But I guarantee your IT department will know about it.”
On an October earnings call, the company’s chief executive Kevin Thompson touted how far it had come. “We don’t think anyone else in the market is really even close in terms of the breadth of coverage we have,” he said. “We manage everyone’s network gear.” According to SEC documents, SolarWinds has around 33,000 Orion customers, and up to 18,000 of them installed updates that left them vulnerable to the hackers. That dominance, however, has become a liability.
The Massive SolarWinds Cyberattack: How It Happened & Why It’s Such A Big Deal
How the Massive Hack Came to Light
News of the cyberattack first broke on December 8, when FireEye published a blog post sharing “details of recent cyberattack” against its own systems. FireEye defends companies and critical infrastructure around the world from cyber threats, and handles security for several large private companies and federal government agencies.
In that blog post, FireEye CEO Kevin Mandia stated that the company was “attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack.” While the company did not explicitly mention Russia, Mandia stressed that “…. this was the work of a highly sophisticated state-sponsored attacker utilizing novel techniques.” It was further reported that the attack was conducted by a nation “with top-tier offensive capabilities”, and that “the attacker primarily sought information related to certain government customers.”
Then, on December 13, FireEye’s research revealed that a “highly evasive attacker leverages SolarWinds supply chain to compromise multiple global victims with SUNBURST Backdoor”. The firm had uncovered a widespread campaign, attributed to an actor it named UNC2452, which was not limited to FireEye but had targeted numerous “public and private organizations around the world”.
The campaign “may have begun as early as Spring 2020 and is currently ongoing”. Worse, the extent of the data stolen or compromised is still unknown, since the scale of the attack is still being uncovered – specifically, “post compromise activity following this supply chain compromise has included lateral movement and data theft.”
How Cyber Attackers Gained Access to SolarWinds’s Platform
The attackers were reported to have obtained “access to victims via trojanized updates to SolarWinds’ Orion IT monitoring and management software … The campaign is the work of a highly-skilled actor and the operation was conducted with significant operational security.”
In short, a software update was abused to install the “Sunburst” malware into Orion, and that update was then installed by around 18,000 SolarWinds customers.
As to why it took so long to detect a threat that dates back to March 2020, the Milpitas-based cybersecurity company explains that the attackers relied on “multiple techniques” to avoid detection and “obscure their activity”. The malware was capable of accessing system files, and what worked in its favor was its ability to “blend in with legitimate SolarWinds activity”, according to FireEye.
Once installed, the malware gave the hackers backdoor access to the systems and networks of SolarWinds’ customers. It was also able to evade tools such as anti-virus software that might otherwise have noticed it.
SolarWinds gave its own account in a Form 8-K filed with the U.S. Securities and Exchange Commission (SEC) on December 14.
“Based on its investigation to date, SolarWinds has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020 (the ‘Relevant Period’), was introduced as a result of a compromise of the Orion software build system and was not present in the source code repository of the Orion products. SolarWinds has taken steps to remediate the compromise of the Orion software build system and is investigating what additional steps, if any, should be taken. SolarWinds is not currently aware that this vulnerability exists in any of its other products,” the filing read.
The filing added that the vendor currently believes that “previously affected versions of the Orion products that were updated with a build released after the Relevant Period no longer contained the vulnerability; however, the server on which the affected Orion products ran may have been compromised during the period in which the vulnerability existed.”
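The filing makes a point defenders should take to heart: the malicious code was in the shipped builds but not in the source repository, so a clean repository says nothing about the binaries a customer actually installs. The check that catches this class of problem is to compare the released files against hashes produced independently of the build server (an independent rebuild, or a manifest signed outside the build pipeline). The following is an added illustration of that check, not code from SolarWinds, FireEye or the Orion product; the file names, contents and manifest are constructed sample data.

```python
"""Release-artifact integrity check against an independently produced manifest.

Added example, not SolarWinds' or FireEye's code. A build-system compromise ships
a modified binary while the source repository stays clean, so the artifacts
themselves must be checked against hashes that did not come from the same build
server. The reference build, manifest and tampered release below are constructed
in-memory sample data standing in for real release files.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class VerificationResult:
    ok: bool
    mismatched: list = field(default_factory=list)  # in both, but content differs
    unexpected: list = field(default_factory=list)  # shipped, but absent from the manifest
    missing: list = field(default_factory=list)     # in the manifest, but not shipped


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict) -> dict:
    """Hash every file of a trusted reference build (e.g. an independent rebuild)."""
    return {name: sha256_hex(content) for name, content in files.items()}


def verify_release(release: dict, manifest: dict) -> VerificationResult:
    """Compare a release (file name -> bytes) with a trusted manifest (file name -> sha256).

    A single changed byte in any component, an extra component that the reference
    build never produced, or a dropped component all fail the check.
    """
    result = VerificationResult(ok=True)
    for name, content in release.items():
        expected = manifest.get(name)
        if expected is None:
            result.unexpected.append(name)
        elif sha256_hex(content) != expected:
            result.mismatched.append(name)
    for name in manifest:
        if name not in release:
            result.missing.append(name)
    result.ok = not (result.mismatched or result.unexpected or result.missing)
    return result


# Constructed sample data: a trusted reference build and its manifest.
REFERENCE_BUILD = {
    "component-a.dll": b"reference bytes of component A",
    "component-b.dll": b"reference bytes of component B",
    "setup.exe": b"reference bytes of the installer",
}
REFERENCE_MANIFEST = build_manifest(REFERENCE_BUILD)

# Constructed sample data: a release in which one component was altered on the
# build server and one component was added that the reference build never produced.
TAMPERED_RELEASE = {
    "component-a.dll": b"reference bytes of component A with an implanted change",
    "component-b.dll": b"reference bytes of component B",
    "setup.exe": b"reference bytes of the installer",
    "extra.dll": b"component not present in the reference build",
}


if __name__ == "__main__":
    result = verify_release(TAMPERED_RELEASE, REFERENCE_MANIFEST)
    print("release ok:", result.ok)
    print("mismatched:", result.mismatched)
    print("unexpected:", result.unexpected)
    print("missing:", result.missing)
```

The manifest must come from somewhere the build server cannot write to; a manifest generated on the same compromised machine would simply describe the tampered output as expected. In practice this means hashing an independent rebuild or verifying a manifest signed with a key the build pipeline does not hold.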
Why the SolarWinds Cyberattack Emerges as A (Very) Big Deal
As previously mentioned, up to 18,000 of SolarWinds’ customers installed updates that left them vulnerable to the hackers. Since SolarWinds has a wide range of high-profile clients, including Fortune 500 companies and multiple agencies of the U.S. government, the breach could be enormous.
In particular, the U.S. agencies, including parts of the Pentagon, the Department of Homeland Security, the State Department, the Department of Energy, the National Nuclear Security Administration, and the Treasury were attacked. So were private companies, especially Microsoft, Cisco, Intel, and Deloitte, together with various organizations like the California Department of State Hospitals, and Kent State University.
At the Treasury Department, hackers broke into dozens of email accounts and networks in the Departmental Offices of the Treasury, “home to the department’s highest-ranking officials,” Senator Ron Wyden stated. So far the Internal Revenue Service (IRS) has found no evidence of being compromised. While Treasury Secretary Steven Mnuchin said the hackers accessed only unclassified information, the department is still investigating the extent of the breach.
According to Politico, hackers also accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.
Another victim of the campaign, Microsoft, confirmed it had found evidence of the malware on its systems, although it added there was no evidence of “access to production services or customer data”, or that its “systems were used to attack others”. Microsoft president Brad Smith added that the company had begun to “notify more than 40 customers that the attackers targeted more precisely and compromised”.
Because the attack was carried out so stealthily and went undetected for months, security experts have voiced concern that some victims may never know whether they were hacked. As a result, the impact of the hack is not yet clear.
“We may not know the true impact for many months, if not more, if not ever,” stated Kim Peretti, who co-chairs Atlanta-based law firm Alston & Bird’s cybersecurity preparedness and response team.
Without naming specific targets, FireEye has confirmed infections in North America, Europe, Asia and the Middle East, in sectors ranging from health care to the oil and gas industry, and has been informing affected customers around the world.
Why Russia’s SVR Is Suspected of Being Behind the Attack
In an opinion piece for The New York Times, Thomas P. Bossert, who was homeland security adviser to President Trump and deputy homeland security adviser to President George W. Bush, named Russia as responsible. Describing the “SolarWinds hack” as a supply-chain attack, Bossert stated that, “Supply-chain attacks require significant resources and sometimes years to execute. They are almost always the product of a nation-state.” He added that “evidence in the SolarWinds attack points to the Russian intelligence agency known as the SVR, whose tradecraft is among the most advanced in the world.”
Bossert also warned that, “The Russians have had access to a considerable number of important and sensitive networks for six to nine months. The Russian S.V.R. will surely have used its access to further exploit and gain administrative control over the networks it considered priority targets. For those targets, the hackers will have long ago moved past their entry point, covered their tracks, and gained what experts call “persistent access,” meaning the ability to infiltrate and control networks in a way that is hard to detect or remove.”
Additionally, in a blogpost, Microsoft does note that “this aspect of the attack created a supply chain vulnerability of nearly global importance, reaching many major national capitals outside Russia”. It goes on to add that such sophisticated attacks from Russia have become common.
FireEye, nevertheless, has not named Russia as responsible and says the investigation is ongoing, together with the FBI, Microsoft and other unnamed partners.
Russian presidential spokesman Dmitry Peskov rejected the accusations, according to the Tass news agency. “Even if it is true there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away,” he told Tass. “We have nothing to do with this.”
The Russian Embassy in London did not immediately respond to CNBC’s request for comment.
On December 16, the FBI stated it is still “investigating and gathering intelligence in order to attribute, pursue, and disrupt the responsible threat actors.”
The Responses from SolarWinds and the U.S. Government Over the Global Cyberattack
SolarWinds Amidst the “SolarWinds Hack”
Such a massive and severe breach is, beyond any doubt, a crisis for SolarWinds. The compromised product accounts for nearly half the company’s revenue, which totaled $753.9m over the first nine months of 2020, and since mid-December its stock has fallen by as much as 23%.
On December 16, Moody’s Investors Service stated that it was considering downgrading its rating for the company, citing the “potential for reputational damage, material loss of customers, a slowdown in business performance and high remediation and legal costs”.
SolarWinds’ longtime CEO, Kevin Thompson, had indicated months earlier that he would leave at the end of the year as the company explored spinning off one of its divisions. Remarkably, the SolarWinds board appointed his replacement just a day before FireEye first publicly revealed the hack: SolarWinds and its Board of Directors named Sudhakar Ramakrishna as the company’s new President and CEO, effective January 4, 2021.
“This is an unimaginable, unfortunate situation,” said Oliver, the research analyst. “SolarWinds products have always been reliable. Its value proposition has been around reliability.”
SolarWinds executives declined interviews through a spokesperson, who cited an ongoing investigation that now involves the FBI and other agencies.
In a statement issued to Reuters, the company said “we strive to implement and maintain appropriate administrative, physical, and technical safeguards, security processes, procedures, and standards designed to protect our customers.”
SolarWinds is recommending that all customers immediately update their Orion platform to the patched release. “If attacker activity is discovered in an environment, we recommend conducting a comprehensive investigation and designing and executing a remediation strategy driven by the investigative findings and details of the impacted environment.”
Customers unable to update are told to isolate their SolarWinds servers, which should “include blocking all Internet egress from SolarWinds servers”. At a bare minimum, the company suggests “changing passwords for accounts that have access to SolarWinds servers/infrastructure”.
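Blocking Internet egress from the Orion servers is the containment step; the complementary detection step is to check whether those servers have been reaching the Internet at all, since FireEye notes the malware’s traffic was designed to blend in with legitimate SolarWinds activity. The following is an added example of that check, not code from SolarWinds or FireEye: it scans connection logs for flows whose source is a monitoring server and whose destination lies outside the organization’s internal address ranges. The host addresses, internal ranges and log lines are constructed sample data, and the log format is an assumed simple whitespace-separated layout.

```python
"""Find Internet egress from monitoring (NMS) servers that should have none.

Added example, not SolarWinds' or FireEye's code. SolarWinds' guidance for
customers who cannot patch is to block all Internet egress from the Orion
servers; this script shows the matching detection over a firewall or flow log.
The NMS addresses, internal ranges and log lines are constructed sample data and
the log layout (timestamp src dst dport proto action) is an assumed format.
"""
import ipaddress
from collections import Counter

# Constructed: the monitoring servers under review.
NMS_HOSTS = {
    ipaddress.ip_address("10.20.0.5"),
    ipaddress.ip_address("10.20.0.6"),
}

# The organization's own internal ranges are listed explicitly rather than
# inferred with ipaddress.is_private/is_global, so the check reflects the
# site's addressing plan (and so the documentation ranges used as sample
# "external" addresses below are treated as external).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed flow log: <timestamp> <src_ip> <dst_ip> <dst_port> <proto> <action>
SAMPLE_LOG = """\
2020-12-14T08:00:01Z 10.20.0.5 10.20.1.15 161 udp allow
2020-12-14T08:00:07Z 10.20.0.5 10.20.1.16 22 tcp allow
2020-12-14T08:01:12Z 10.20.0.5 203.0.113.20 443 tcp allow
2020-12-14T08:01:30Z 10.20.0.6 198.51.100.7 443 tcp allow
2020-12-14T08:02:00Z 10.20.3.9 203.0.113.20 443 tcp allow
2020-12-14T08:02:45Z 10.20.0.6 192.0.2.44 80 tcp deny
2020-12-14T08:03:10Z 10.20.0.5 10.20.0.1 53 udp allow
"""


def is_internal(addr) -> bool:
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_flow(line: str) -> dict:
    """Parse one log line of the assumed format into a flow record."""
    ts, src, dst, port, proto, action = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
        "action": action,
    }


def find_nms_egress(log_text: str, nms_hosts) -> list:
    """Return flows from an NMS host to a destination outside the internal ranges.

    Denied flows are kept as well: a blocked attempt still shows that the server
    tried to reach the Internet, which a monitor-only server should not be doing.
    """
    flagged = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["src"] in nms_hosts and not is_internal(flow["dst"]):
            flagged.append(flow)
    return flagged


def summarize(flagged: list) -> dict:
    """Count flagged flows by firewall action and by source server."""
    actions = Counter(f["action"] for f in flagged)
    by_source = Counter(str(f["src"]) for f in flagged)
    return {
        "allowed": actions.get("allow", 0),
        "denied": actions.get("deny", 0),
        "by_source": dict(by_source),
    }


if __name__ == "__main__":
    hits = find_nms_egress(SAMPLE_LOG, NMS_HOSTS)
    for f in hits:
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]}:{f["port"]}/{f["proto"]} ({f["action"]})')
    print(summarize(hits))
```

Allowed hits mean the egress block is not yet in place (or has a gap) and those destinations merit investigation; denied hits show the block working but still record that the server attempted to reach out, which is itself worth following up on a host that should only talk to the devices it monitors.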
Courses of Action from Governmental Agencies & Officials
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 21-01, requiring all “federal civilian agencies to review their networks” for indicators of compromise and to “disconnect or power down SolarWinds Orion products immediately”.
In a joint statement, the FBI, CISA and the Office of the Director of National Intelligence described the hack as “significant and ongoing” and announced a “Cyber Unified Coordination Group (UCG)” to coordinate the government’s response to the crisis. They added that “this is a developing situation, and while we continue to work to understand the full extent of this campaign, we know this compromise has affected networks within the federal government.”
On Thursday, December 17, President Donald Trump, who has been silent about the hacking, threatened to veto the National Defense Authorization Act, the sweeping defense bill that authorizes a topline of $740 billion in spending and sets Pentagon policy, including funding to help prevent such cyberattacks.
At the same time, President-elect Joe Biden pledged to make cybersecurity a key focus of his administration. He stated that the United States under his leadership would join with allies to impose “substantial costs” on adversaries who engage in cyberattacks like the massive breach of U.S. government agencies and corporations revealed earlier this month.
“A good defense isn’t enough; we need to disrupt and deter our adversaries from undertaking significant cyberattacks in the first place,” Biden said in a statement issued by his transition team.
“We will do that by, among other things, imposing substantial costs on those responsible for such malicious attacks, including in coordination with our allies and partners. Our adversaries should know that, as President, I will not stand idly by in the face of cyber assaults on our nation.”
The Bottom Line
Cyberattacks enter a new era of impact when threat actors are sophisticated enough to subvert the software “signature” of SolarWinds’ Orion network monitoring software, distribute malware as a software update, and mimic legitimate protocol traffic to avoid detection. While it is too early to measure the full impact of the “SolarWinds” cyberattack, the suspected Russian hack is far worse than first feared, and the future of the once-heralded SolarWinds remains uncertain.