This is a developing story on the SolarWinds hack. The information below has been reviewed for accuracy as of the original publication date. We will update this post as required if new information becomes available.
Over the past two weeks, a large scale cyberattack has been widely reported in the media. First, we heard about an attack on the security firm FireEye, followed several days later by reports of an attack on the network management software firm SolarWinds.
The SolarWinds hack has become the bigger story and has been widely reported in the media due to its customer base and the aftermath of the attack. The SolarWinds Orion product, a network management utility, is used by Federal agencies and many large enterprises, making it a lucrative target for Nation-States. These cybercriminals knew exactly what they were going after.
In this post, I’ve consolidated information from a wide number of reputable sources and attempted to explain the key points of the SolarWinds hack in non-technical terms. More technical articles are linked throughout for anyone interested. I’m also joined by ADNET’s Director, Security Services, to elaborate on why this attack should serve as a wakeup call for every organization, not just those directly compromised by the SolarWinds hack.
The SolarWinds attack: an abbreviated timeline
- On December 8, 2020, FireEye disclosed that a highly sophisticated group of attackers compromised their network and stole their proprietary Red Team penetration testing tools.
- On December 13, SolarWinds disclosed that its Orion software had also been compromised. This was discovered by FireEye during its investigation into its own breach.
- On December 13, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to all federal agencies “to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”
- Between December 13-14, it was reported that the SolarWinds hack had affected the U.S. Treasury, Commerce and Department of Homeland Security (DHS).
- On December 14, SolarWinds filed a disclosure of the breach with the Securities and Exchange Commission (SEC).
How did the SolarWinds Orion attack work?
Prior to being discovered, the SolarWinds cyberattack, also being referred to as SUNBURST, had been going on for months. This phenomenon is known as “dwell time” in the cybersecurity industry. In March 2020, hackers gained access to the SolarWinds Orion product, created a new vulnerability – known as a backdoor – and then used two Orion software updates to deliver malware containing the same vulnerability to Orion customers. Organizations that downloaded these regular updates inadvertently brought the code with the backdoor capabilities into their system.
This type of attack is called a supply chain attack. It goes against the providers and uses them to deliver malicious software. This is an extremely advanced cyberattack, and only a few organizations – namely state sponsored – are believed to be capable of executing this type of attack.
“This highlights an unfortunate truth of cybersecurity – no system is completely invincible. If someone has enough time, money, computing power and talent, they will be able to get in.”
Tim Weber, Director, Security Services
Are you affected by the SolarWinds incident?
To anyone working in a regulated industry who received the CISA directive or similar communications, this situation is understandably concerning. In developing situations like this, it is not always possible to immediately determine the extent of the impact.
That said, as of the original posting of this article, only the SolarWinds Orion product has been confirmed to be a carrier of the malicious code. SolarWinds disclosed in its SEC filing that it believes “fewer than 18,000 customers were impacted,” referring to the 18,000 organizations that received and downloaded the SolarWinds software updates that carried the malicious code. However, the hackers were selective in their targets and chose to release a second malicious payload to a small percentage of those affected organizations.
Microsoft, following its own internal investigation, clarified which of the affected SolarWinds customers were specifically targeted by hackers. It notified “more than 40” organizations that they had been further compromised with the additional payload.
Explaining the decisive action Microsoft took to mitigate the damage
Microsoft swiftly blocked affected versions of the SolarWinds platform which had been released between March and June 2020.
On December 15, Microsoft, in a coordinated effort with FireEye, GoDaddy and CISA, utilized a sophisticated technique called “sinkholing” to remove control over the domain being used by cybercriminals for malicious purposes. The technique also helped identify systems compromised by the attack.
On December 16, Microsoft took further drastic action that is being referred to in the media as a “killswitch” or “the Death Star” due to the broad expanse of power Microsoft has demonstrated it holds and the intensity of the result. The process blocks the “known malicious SolarWinds binaries,” “(quarantining) the binary even if the process is running.”
Disputing initial reports to the contrary, Microsoft released a statement on December 17 indicating that there was no evidence that Microsoft systems were used to compromise any organizations affected by the attack. According to Microsoft, while they “isolated and removed” “malicious SolarWinds binaries” in their environment, they found “absolutely no indications that [Microsoft] systems were used to attack others.”
ADNET’s perspective on the SolarWinds hack
While ADNET Technologies is a cybersecurity company, we don’t comment on every reported cybersecurity event. Why then, are we talking about this one? We felt it necessary to express ADNET’s thoughts on the SolarWinds incident because it is a complex situation with national security implications. This was a well-coordinated attack and the capabilities of the Nation-State(s) behind it are daunting. Let me be clear – the magnitude of this event should not be understated.
We need a stronger response from the Federal Government
I’ve been advocating for years for stronger legislation and regulatory oversight on cybersecurity at a national level. It is the responsibility of the Federal Government to protect its citizens and I believe that a proper response from the Federal Government to this situation is warranted. How are we as a nation going to respond to this long-term, coordinated attack? As a society, I believe we are very reactive and are not yet overall taking responsibility for cybersecurity. To say that we need a better strategy is simple, but a transparent effort of meaningful regulatory safeguards is critical.
Yes, this includes the Service Provider industry, including ADNET. We all use critical tools in our arsenal to assist clients, but stringent “monitoring the monitors” is beyond important – it’s necessary. Should we be regulated? Honestly, yes. Even if this means that a nationally recognized certification standard is developed – it raises the bar. It becomes meaningful if it is independently reviewed. Think of it as the CMMC standard for IT Service providers. This is one of many reasons why ADNET is independently reviewed and audited for SOC II type 2 compliance.
Would regulation alone have stopped this event? Probably not (see Tim’s quote above), but it MAY have caught it sooner, and that would have been extremely helpful.
Implications of the SolarWinds hack on patching policies
If you outsource your patching process and policies, you may have questions about how those patches are deployed. How, for instance, do you know that the patches being deployed aren’t compromising your systems? It’s a great question, and one I can only address by describing ADNET’s standard process for patch deployment.
Before any patches are deployed for ADNET clients, they are rigorously tested, not just by ADNET but by third-party providers. They’re tested for effectiveness and for security. The mandate “Do No Harm” applies here. When you’re updating your computer, you’re trusting that the update improves the environment and does not cause harm to it. That’s why ADNET tests all patches before we allow them to be deployed. That extra step is critical – if ADNET does not manage your patching process, make sure your Managed Services Provider (MSP) is taking that precaution.
There may be a silver lining – it’s Microsoft
In an event of this magnitude, can there be a silver lining ? I believe there is, and it’s Microsoft. Microsoft, as an organization, not only investigated a problem that wasn’t necessarily theirs to solve, but took swift, decisive action in an attempt to mitigate the spread of the threat. Microsoft effectively killed the breach in progress. In my opinion, Microsoft did the right thing and I for one, sleep better at night knowing that they are a partner in our defense.
Cybersecurity CANNOT be treated as a nuisance or an afterthought
Read that heading again. It’s almost enough said, but let me elaborate anyway. Cybersecurity is an ESSENTIAL focus for EVERY organization.
Multiple clichés apply here – “it’s not a one-and-done,” “there is no silver bullet,” and “it’s not a matter of if, but when, you are affected by a security event.” You may be tired of hearing these things – and even we get tired of saying them – but they continue to be true. Cybersecurity can’t be regarded by business leaders as a nuisance, nor can it be dismissed as something that can be handled solely by cybersecurity insurance. In light of this, ADNET will continue to advocate and educate for stronger security postures for our clients at every possible opportunity.
Don’t hesitate to prioritize cybersecurity, and make active, ongoing investments. Trust me, I recognize that coming from a cybersecurity company, this advice seems rather self-serving. But if you follow our security blogs, and in particular listen to the words of our Director, Security Services, I think you’ll find ADNET to be consistent on this point: If our knowledge, experience, services and guidance can help prevent your organization from enduring the fallout of a cybersecurity attack, then our work is worthwhile.
“We can’t let the potential impact of a high-risk, extremely low probability event dictate our security posture. We have to take the steps to protect ourselves and our organizations from the more common attacks that are frequently used. Ultimately, having better security in place will help your organization more often than hurt it. It’s ironic that the organizations that were trying to do the right thing by installing these updates were made less secure. I know some might then say, ‘see, that’s why I don’t do updates,’ but that’s a flawed and dangerous perspective. In 99.9999% of cases the risks of NOT updating are much, much higher. Keep patching. Please.”
Tim Weber, Director, Security Services
ADNET is here to help
Every organization and municipality, from the Federal Government to State Governments, to large corporations and small businesses, can and will be a target of a cyberattack. Cybercrime is a lucrative business. You might not think your data is worth anything. However, I guarantee you, someone can figure out how to weaponize it.
As always, the ADNET team continues to monitor the latest threat intelligence and advise our clients accordingly. Our dedicated cybersecurity professionals are here to help. We can assess your current cybersecurity risk, deploy appropriate security solutions backed by support from our 24×7 Security Operations Center. We’re also available to train your organization on security awareness. If you need help assessing your cybersecurity posture, reach out to us.