With many still reeling from the aftermath of the SolarWinds hack, enough dust has settled that we’ve started to ask the important questions: How did this happen? What can we do to prevent this in the future? And will it happen again?
The good news is that this attack is incredibly uncommon in terms of the sophistication, patience, and downright elegance it took to undertake. These were not your everyday script kiddies out to make a quick buck, and that is good news for the everyday IT administrator – chances are, your organization isn’t likely to be the target of advanced Russian intelligence operatives. Unfortunately, the attack puts a spotlight on a chink in the armor of organizational cybersecurity, and that’s the supply chain.
Will this happen again? Perhaps not on this scale, but NIST warns that organizations are increasingly at risk for cyber supply chain attacks – whether they know it or not.
So, what happens when you do everything right, but still get hacked?
Before we delve into managing the risks associated with this threat, let’s get into the nitty-gritty of the attack itself.
Sometime in February 2020, the SolarWinds development server was compromised (we still don’t know how this initial compromise occurred), and the malware SUNSPOT was introduced to the system. This malware monitored running processes for any instances of Microsoft Visual Studio development tools, an application used by developers to write code and develop computer programs. In this case, the target computer program was the SolarWinds Orion platform, an enterprise scale network management and monitoring tool used by government agencies and Fortune 500 companies worldwide. When the SUNSPOT malware identified an instance of Microsoft Visual Studio running, it would determine if the Orion software was being written or modified, and if so, it would immediately try to inject the SUNBURST malware. SUNBURST was the trojan backdoor that eventually compromised approximately 18,000 organizations globally. This is the part where we begin to see just how sophisticated, and downright impressive, this attack was.
The SUNSPOT malware loop executed every second, effectively monitoring for, identifying, and attempting to inject the SUNBURST code into the SolarWinds Orion source code before it could even be compiled. The developers of SUNSPOT even included numerous safeguards, such as hash verification checks, to ensure that a successful injection of SUNBURST would not cause the Orion build to err or fail, which would have been indications that it might have been compromised. When SolarWinds developers successfully compiled the Orion build they were working on, it was already backdoored and contained the SUNBURST malware. This build was then digitally signed by SolarWinds, uploaded to the SolarWinds update server, and pushed to its customers between March and June 2020.
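The injection technique described above rewrites source on the build host between the moment the sources are checked out and the moment the compiler reads them. As an added defender-side illustration (not SolarWinds' or any vendor's code), the following hypothetical build guard records a hash manifest of the source tree when the build is queued and re-verifies it immediately before compilation, halting the build on any divergence; the file suffixes and the sample tree are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical build-input guard (added example, not vendor code). Hash the
# source inputs at queue time, re-hash right before the compiler runs, and
# refuse to build if anything changed, appeared, or vanished in between.

SOURCE_SUFFIXES = {".cs", ".vb", ".csproj", ".sln"}  # assumed .NET-style tree


def snapshot(tree: Path) -> dict:
    """Map each source file (POSIX-style relative path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(tree.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            rel = path.relative_to(tree).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def verify_build_inputs(manifest: dict, tree: Path) -> list:
    """Return sorted (reason, relative_path) findings; an empty list means the tree matches."""
    current = snapshot(tree)
    findings = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(("removed", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    findings.extend(("added", rel) for rel in current if rel not in manifest)
    return sorted(findings)


def demo() -> list:
    """Constructed scenario: sources are altered after the manifest was recorded."""
    with tempfile.TemporaryDirectory() as tmp:
        tree = Path(tmp)
        (tree / "Core").mkdir()
        (tree / "Core" / "Service.cs").write_text("class Service { }\n")
        (tree / "README.md").write_text("docs\n")  # not a build input, ignored
        manifest = snapshot(tree)
        # Simulated tampering between manifest time and compile time.
        (tree / "Core" / "Service.cs").write_text("class Service { /* unexpected */ }\n")
        (tree / "Core" / "Extra.cs").write_text("class Extra { }\n")
        return verify_build_inputs(manifest, tree)


if __name__ == "__main__":
    for reason, rel in demo():
        print(f"BUILD HALTED: {reason} {rel}")
```

The manifest should be produced from the trusted source-control commit rather than from the build host itself, otherwise a compromised host can simply record the tampered state as the baseline.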
The end result was that later that year, thousands of customers worldwide downloaded a legitimate update, signed and delivered by one of the top IT monitoring and management companies worldwide, that also included the advanced trojan malware, SUNBURST. This malware lay dormant for two weeks, and then contacted a command and control server, allowing the malicious attackers advanced file and network access to the affected environment. The rest is (or will be) history.
It’s difficult to say what could have been done differently, and therein lies the scariest part of all this – these companies did nothing wrong. Utilizing effective network monitoring tools and ensuring that those systems are patched and up to date are two tenets of any effective cyber risk management program. They’re supposed to be the practices in place that prevent a breach or compromise. Being able to exploit “the things we’re supposed to do” is one of the main reasons this attack was so devastating. But don’t let my dire words fool you – there are steps to take, and lessons to learn from this attack that will benefit any organization moving forward.
It begins with a paradigm shift. Cyber compromises, breaches, and attacks are no longer a matter of ‘if’, but ‘when’. Instead of attempting to construct a network defense impervious to compromise (a fool’s errand, may I add), develop a comprehensive approach. “Defense in Depth” is the concept of layering security controls throughout the network, so if one fails, there are others implemented to succeed. Operating under the idea that your network will inevitably be attacked means you ultimately build a network more capable of withstanding a breach and limiting the damage that an attacker can do.
Take the SUNBURST malware, for example, which was reportedly detected when cybersecurity firm FireEye noticed unusual remote logins from unknown devices in unusual locations. Pulling at this thread allowed FireEye to discover the intrusion and identify SolarWinds as the source. The unfortunate reality is that due to its complex development, obfuscation, and exploitation vectors, no amount of cybersecurity tools or systems would have prevented the malware from being introduced in the first place. But having those behavior-based monitoring analytics in place meant that FireEye could identify that a login with X credentials from Y location was likely malicious and a cause for concern.
Another example of a layered control to identify advanced malware campaigns is effective file monitoring systems. Again, we are operating under the assumption that no network is impenetrable; we’re no longer exclusively focusing all of our resources and capital on stopping attacks, but instead on mitigating them. After the initial SolarWinds hack was identified, many reported cases of SolarWinds Orion service accounts performing unusual file system modifications. Being able to identify that an application is sharing network drives with an unknown external source was a red flag for many organizations that they had been breached.
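The two layered controls just described, login baselining per user and file-activity monitoring for service accounts, are shown below as an added example (not FireEye's or any vendor's analytics) run over constructed sample events; the field names, hostnames, account names and the known-host inventory are all assumptions.

```python
from collections import defaultdict

# Added illustration of the two behavioural checks the article credits with
# surfacing the intrusion. All events below are constructed sample data.

# Constructed login events: (user, device_id, country)
LOGINS = [
    ("alice", "LAPTOP-A1", "US"), ("alice", "LAPTOP-A1", "US"),
    ("alice", "LAPTOP-A1", "US"), ("bob", "LAPTOP-B7", "US"),
    ("bob", "LAPTOP-B7", "US"), ("bob", "LAPTOP-B7", "US"),
    ("alice", "UNK-9f3c", "XX"),  # unknown device, unusual location
]

# Constructed file/share events for a monitoring-tool service account:
# (account, action, target_host)
FILE_EVENTS = [
    ("svc_orion", "read_config", "orion-db01"),
    ("svc_orion", "read_config", "orion-db01"),
    ("svc_orion", "share_mount", "203.0.113.45"),  # documentation-range IP, not in inventory
]

KNOWN_HOSTS = {"orion-db01", "orion-app01"}  # assumed asset inventory
SERVICE_ACCOUNTS = {"svc_orion"}             # assumed list of service identities


def unusual_logins(events, min_history=2):
    """Flag a login whose (device, country) pair the user has never used before.
    The baseline is built in event order; a user with fewer than min_history
    prior logins is still learning and is not flagged."""
    seen = defaultdict(list)
    alerts = []
    for user, device, country in events:
        history = seen[user]
        if len(history) >= min_history and (device, country) not in history:
            alerts.append((user, device, country))
        history.append((device, country))
    return alerts


def unusual_service_file_activity(events, known_hosts, service_accounts):
    """Flag a service account mounting a network share on a host outside the inventory."""
    return [(acct, action, host) for acct, action, host in events
            if acct in service_accounts and action == "share_mount"
            and host not in known_hosts]


if __name__ == "__main__":
    for alert in unusual_logins(LOGINS):
        print("unusual login:", alert)
    for alert in unusual_service_file_activity(FILE_EVENTS, KNOWN_HOSTS, SERVICE_ACCOUNTS):
        print("unusual service activity:", alert)
```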
So there we have it. Gone are the days when we could sleep well at night thinking our firewalls and anti-virus systems were enough to keep our data and systems safe. Facing such an unsettling reality, I think back to another – following the 1984 Brighton bombing, the IRA warned then-Prime Minister Margaret Thatcher, “… but remember we only have to be lucky once. You will have to be lucky always.” I believe the same grave warning applies and warrants a change in the way that we approach cybersecurity. As previously stated, it’s no longer a matter of ‘if’ but ‘when’ – is your network or organization built to withstand a breach?
FoxPointe Solutions is solely responsible for the content of FoxPointe Solutions authored information, which is subject to change at any time. Any forward-looking statements are not predictions. FoxPointe Solutions is not responsible for any errors or omissions, or for the results obtained from the use of this information. Questions regarding your legal or compliance position should be addressed through your legal counsel, security advisor and/or your relevant standard authority. Nothing contained herein should be used nor relied upon as advice nor constitute a consultant-client relationship.