How Did Hackers Succeed in the SolarWinds Attack?

Feb 3, 2021 | Security

In December 2020 the business, government and cybersecurity communities were shaken by the news that a massive hack occurred at SolarWinds, a Texas-based IT software company. As investigations ensued, the cybersecurity event, now commonly referred to as “SUNBURST,” turned out to be a highly sophisticated supply-chain attack. SolarWinds services over 300,000 customers worldwide. Many believe espionage was the motive.

In a recent post, we provided a high-level overview of what happened in the hack. But given the magnitude of the event, it’s important to dissect exactly how hackers succeeded and what it means going forward.

The intrusion targeted Orion, SolarWinds’ flagship network management software. This exploitation opened up a massive vulnerability for at least 18,000 of its customers. Worse, not only did the intrusion affect Orion directly, but SolarWinds said back in December it potentially affected numerous products associated with the Orion software if the malware was present and activated.

SolarWinds was initially unaware of the intrusion, but once it was discovered, the significance of the event quickly became apparent.

How was SolarWinds hacked?

What the hackers did was not only sneaky – it was unprecedented. Once they had accessed SolarWinds’ flagship software, things took a turn unlike any hack before. The hackers gained access by quietly inserting malicious code into Orion software updates – expected updates that everyone who uses software would normally run, nothing out of the ordinary. The update appeared completely legitimate to users but, in reality, was designed to gain access to additional information.

The hackers were actually quite nefarious in how the attack was launched and how their plan was executed.

The unauthorized alteration in the software enabled the intruders to have a “hands-on-keyboard session” on infected networks, ZDNet reported in December. Once the malicious code was planted, the groundwork for the intrusion was laid, and the hackers then created a backdoor to access the information technology systems of SolarWinds’ customers. During this timeframe, they conducted recon, hid their movement and ran commands. These actions enabled them to spy on various organizations and gain access to proprietary tools and confidential data, including emails.

How long was Orion compromised?

SolarWinds didn’t immediately detect any abnormalities. Experts initially believed the first intrusion occurred in March 2020, but now evidence has surfaced that the unauthorized access began back in September 2019 and the attack itself was deployed in February 2020.

Once that occurred, hackers began distributing a backdoor Trojan to thousands – or more – of SolarWinds’ unsuspecting customers. According to information shared by SolarWinds and published in media reports, the timeline appears to look like the following (and this timeline may change as more evidence is compiled and analyzed):

  • Sept. 4, 2019 – Threat actors first accessed SolarWinds’ systems.
  • Sept. 12, 2019 – Hackers injected test code and started trial runs of their impending attack.
  • October 2019 – Experts believe modifications were made by hackers to Orion to “test” their abilities to insert malicious code into SolarWinds’ builds.
  • Nov. 4, 2019 – Test code injections stopped.
  • Feb. 20, 2020 – Hackers insert malicious code into Orion updates.
  • June 4, 2020 – Threat actors appear to have removed malicious code from SolarWinds’ environment.
  • June 2020 – SolarWinds determined an incident occurred and began remediating issues, but at this time is still unaware of the exact vulnerability – this remediation continues to the present.
  • Dec. 12, 2020 – FireEye, a security company, identifies a disturbing issue and contacts SolarWinds.
  • Jan. 11, 2020 – New malware, dubbed “SUNSPOT,” is linked to the SUNBURST incident by a company involved in the investigation, and experts believe it may have been utilized first.

Furthermore, AP News reported on Jan. 11, 2021, that security company Kaspersky, who is not involved in the investigation but is analyzing the malware, has linked SUNBURST to another backdoor trojan referred to as Kazuar. Similarities have been noted, but the exact connection between the two malware types isn’t clear as of the time of this writing.

As forensic investigations continue, much more is likely to be learned in the upcoming months about the sequence in which the malware was used. Investigators may also discover that additional types of malicious code were inserted to carry out the attack.

When this news broke in December, it was believed the event was initiated by an international cyberespionage operation, widely suspected to originate in Russia. Subsequent media reports over the last several weeks seem to support this allegation. Kazuar, which came to light in 2017, was previously linked to a Russian-based group.

Moscow continues to deny involvement in any of these cyberattacks.

Why the disguise was successful

Many of SolarWinds’ affected customers are prominent businesses that collectively serve millions of organizations and individuals across the globe. At this time, it is known that 18,000 customers downloaded the afflicted software update. The hackers knew if they could get into Orion undetected, they could spy upon various agencies. It is not clear what the motive was, other than espionage, or if the threat actors had any other intentions.

This disguise was successful because of the way hackers slipped in behind the scenes and explored the development environment. Those thousands of customers were simply downloading updates, which under normal circumstances would improve and strengthen software, not compromise it.

Since the hack was made public, numerous businesses have come forward to admit they’ve run internal investigations and found evidence they were affected by the massive intrusion. The list of victims includes several tech giants (including but not limited to Microsoft, Cisco, Intel and FireEye), education facilities, utility companies and numerous U.S. government departments, to name a few. The repercussions are significant, since the hackers had an “in” to not only SolarWinds but these other organizations – and potentially their customers – as well.

Could the SolarWinds attack have been avoided?

It’s hard to say whether the hack could have been avoided since this is such an unprecedented event. As forensic evidence continues to be identified and analyzed, more will be known. Currently, there are contrasting beliefs in the cybersecurity community as to whether this breach could have been prevented. Many experts maintain it’s difficult to detect every digital footprint, especially when an attack is disguised as a legitimate update, as the SolarWinds attack was. Other experts suggest the Zero Trust Architecture model could have prevented the attack, because this build philosophy is designed to not trust anything inside or outside its perimeters. Proponents of Zero Trust maintain that even if the hackers had breached the perimeter, they would have been stopped before getting as deep into Orion’s infrastructure as they did.

SolarWinds’ stance on this appears to be one showing the value of collaboration. The company is reportedly working with authorities, cybersecurity experts and its customers in this incident.

“The SUNBURST attack appears to be one of the most complex and sophisticated cyberattacks in history,” said Sudhakar Ramakrishna, SolarWinds’ new CEO, in a recent blog post at CRN. “We recognize the software development and build process used by SolarWinds is common throughout the software industry, so we believe that sharing this information openly will help the industry guard against similar attacks in the future.”

How widespread is the alleged espionage?

Another breach, which recently targeted Mimecast Inc., an email security provider, shows indications that the tools and techniques used in the attack are similar to those in the SolarWinds event. The disturbing part is that those impacted by the Mimecast hack are not necessarily SolarWinds’ customers, which means the attack could be broader than initially believed. According to a recent Wall Street Journal article, this discovery “underscores that Russia-linked hackers” appear to target victims along “multiple avenues of attack” in a massive cyber campaign against the U.S. government and corporate systems.

While there is a lot of uncertainty, one thing is clear: threat actors are not deterred and, if history is any indicator, nor will they be in the future.

What can organizations do going forward?

Historically, many organizations have developed their cybersecurity strategies to be reactive, rather than proactive. Even companies that are proactive in cybersecurity (such as SolarWinds) can fall victim, as we all now well know.

No attack can be 100% foreseen, but taking preventative measures, thinking outside the box, looking beyond “known” exploits and considering even the most impossible (or perhaps the remotest) of possibilities can significantly reduce organizational risk. As with risk assessments in other areas of business, when conducting continuity and disaster recovery planning it’s important to focus on the “what ifs” and assess the threat level and what would be impacted. Then, rank assets in order of importance and put the most resources toward protecting those first.

In today’s business environment, the consequences associated with data breaches and other cybersecurity events can be harsh. Organizations today need to be proactive and take charge of their information technology’s security. They can no longer afford to leave cybersecurity as an afterthought after all other business processes are funded in budgets.

Take charge of your cybersecurity

Threat actors these days don’t only target the big corporations; they actively target small- and medium-sized businesses, because they assume these companies don’t have the resources to implement strong cybersecurity measures. Taking proactive steps goes a long way in mitigating any vulnerabilities, avoiding data loss, preventing network disruption and eliminating, or at least reducing, downtime.

To learn more about protecting your organization from cyberattacks and other threats with BC/DR solutions from Datto, request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.

Tracy Rock is the Director of Marketing at Invenio IT. Tracy is responsible for all media-related initiatives as well as external communications, including branding, public relations, promotions, advertising and social media. She is one busy lady and we are lucky to have her!