SolarWinds Hack: Everything You Need to Know
The breadth of the incident remains to be seen. Here’s what we know so far.
What happened in the SolarWinds hack?
SolarWinds, a Texas-based IT software company, serves more than 300,000 customers across the globe. A large share of them may be exposed as a result of a massive security incident. The hack, which affected Orion, SolarWinds’ flagship network management software, is believed to be the work of an international cyberespionage operation. Organizations of all sizes, including Fortune 500 companies and numerous U.S. government agencies, are potentially affected.
The full set of organizations affected is not yet known, but about 33,000 of SolarWinds’ customers use Orion. To date, several have come forward to say they found evidence they were impacted.
The incident is actively under investigation. In a filing made to the U.S. Securities and Exchange Commission (SEC), SolarWinds indicates the compromise dates back to March and involved Orion software updates released between March and June 2020. The unauthorized access to its build and update system went undetected until December.
How the attack worked
The attackers inserted malicious code into Orion software updates. Once an infected update was installed, the code contacted (beaconed to) the attackers’ infrastructure over DNS and downloaded further malware; as ZDNet outlined, this backdoor Trojan essentially gave the hackers a “hands-on-keyboard session” on infected networks.
With that backdoor in place on SolarWinds customers’ IT systems, the attackers could perform reconnaissance, run commands and cover their tracks, which let them spy on organizations and, in numerous instances, read internal emails.
This sophisticated attack, now known as SUNBURST, affected Orion Platform versions 2019.4 HF 5, 2020.2 with no hotfix installed, and 2020.2 HF 1. Because the malicious code was compiled into the Orion Platform itself, the products built on it were exposed too: according to SolarWinds, numerous Orion-based products are potentially affected if the malware is present and activated.
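The two facts above that a responder can act on immediately are the affected build list and the backdoor’s beaconing behaviour. The script below is an added example (not SolarWinds or FireEye code) that cross-references a hypothetical Orion version inventory against the affected builds and a DNS resolver log against avsvmcloud.com, the domain SUNBURST beaconed to; the version strings, log formats, hostnames and subdomains are constructed for illustration and would need adjusting to your own tooling.

```python
"""Triage helper for a SUNBURST exposure check (added example, not SolarWinds or
FireEye code). It cross-references an Orion version inventory against the affected
builds and DNS logs against the domain SUNBURST used for command and control.
The log formats, hostnames and subdomains are constructed for illustration."""
from collections import defaultdict

# Orion builds SolarWinds listed as carrying SUNBURST: 2019.4 HF 5, 2020.2 with no
# hotfix, and 2020.2 HF 1. The exact strings assume an inventory export that
# records versions this way (assumption: adjust to your own tooling).
AFFECTED_BUILDS = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}

# Domain the SUNBURST backdoor beaconed to over DNS. Subdomains were generated
# per victim, so only the suffix is stable enough to match on.
C2_DOMAIN = "avsvmcloud.com"

# Constructed inventory: "hostname,orion_version"; blank version = Orion not recorded.
INVENTORY = """\
orion-prod-01,2020.2 HF 1
orion-prod-02,2020.2.1 HF 2
orion-lab-01,2019.4 HF 5
jump-01,
"""

# Constructed resolver log: "<timestamp> <client host> <queried name>".
DNS_LOG = """\
2020-06-02T14:03:11Z orion-prod-01 k0oqa7rjlrqqnpoxq.appsync-api.eu-west-1.avsvmcloud.com.
2020-06-02T14:03:12Z orion-prod-01 downloads.solarwinds.com
2020-06-02T14:05:40Z orion-prod-02 update.microsoft.com
2020-06-02T14:07:02Z jump-01 7sbvaemscs0mc925tb99.appsync-api.us-west-2.avsvmcloud.com
2020-06-02T14:07:30Z jump-01 avsvmcloud.com.evil-lookalike.example
"""

VERDICT_BOTH = "affected build and C2 beacon"
VERDICT_BUILD = "affected build, no beacon seen"
VERDICT_BEACON = "C2 beacon from host not inventoried as affected"


def parse_inventory(text):
    """Return {host: version} from 'host,version' lines (version may be empty)."""
    inventory = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition(",")
        inventory[host.strip()] = version.strip()
    return inventory


def is_c2_name(qname):
    """True if qname is the C2 domain or a subdomain of it (trailing dot tolerated).
    A plain substring match would also hit look-alike names, so anchor on the suffix."""
    name = qname.lower().rstrip(".")
    return name == C2_DOMAIN or name.endswith("." + C2_DOMAIN)


def affected_hosts(inventory):
    """Hosts whose recorded Orion version is one of the trojanized builds."""
    return {host for host, version in inventory.items() if version in AFFECTED_BUILDS}


def beaconing_hosts(dns_log):
    """Return {host: [names queried]} for every host that resolved the C2 domain."""
    hits = defaultdict(list)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        _ts, client, qname = parts
        if is_c2_name(qname):
            hits[client].append(qname)
    return dict(hits)


def triage(inventory_text, dns_log_text):
    """Return sorted (host, verdict) pairs. A beacon from a host the inventory does
    not list as affected is the important case: the inventory, not the DNS log,
    is what is wrong, and that is how victims get undercounted."""
    affected = affected_hosts(parse_inventory(inventory_text))
    beaconing = set(beaconing_hosts(dns_log_text))
    verdicts = []
    for host in sorted(affected | beaconing):
        if host in affected and host in beaconing:
            verdicts.append((host, VERDICT_BOTH))
        elif host in affected:
            verdicts.append((host, VERDICT_BUILD))
        else:
            verdicts.append((host, VERDICT_BEACON))
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(INVENTORY, DNS_LOG):
        print(f"{host:15} {verdict}")
```

In the constructed data, orion-prod-01 runs an affected build and has beaconed, orion-lab-01 runs an affected build but shows no beacon (it may simply not have reached the dormancy timeout, or its DNS goes through a resolver you are not logging), and jump-01 beacons even though the inventory does not record Orion on it, which is the finding to chase first.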
Why the attack on SolarWinds is unique
SUNBURST is classed as a supply chain attack because the attackers compromised the software while it was being built, so the malicious code shipped inside a legitimate, digitally signed update that anyone using the product had every reason to trust.
There was no need for the hackers to trick their end targets into installing malware: the malicious code was embedded in legitimate software and distributed to thousands of the company’s customers, instantly making them victims. Because the attack rode a trusted update channel, the hackers stayed undetected for an extended period, and many SolarWinds customers were spied upon for up to nine months.
Who was affected?
SolarWinds said in its report to the SEC that it believes fewer than 18,000 of its customers may have installed the malicious update. However, at this time, the full extent of the hack is unknown.
To date, known victims include but are not limited to:
- Several federal U.S. agencies, including the Departments of Treasury, State, Homeland Security, Energy, Justice and Commerce (and numerous other U.S. agencies)
- Numerous local and state governments
- U.S. National Institutes of Health
- U.S. Centers for Disease Control and Prevention
- All branches of the U.S. Military
- California Department of State Hospitals
- Kent State University
- Iowa State University
- Oil and gas industries in North America
SolarWinds serves 425 of the Fortune 500, which also may have been impacted. Newsweek gives a broader list of SolarWinds customers that could be affected.
Wired reports it might “be months or longer” before the scope of the damage is uncovered, and the list of victims is still growing. BBC reports experts say it could take over a year for organizations to determine whether they were affected.
Who’s behind the SolarWinds hack?
Industry experts believe a nation-state is behind the attack. While no official attribution has been issued, officials and others allege government-backed Russian hackers carried out the massive operation.
The Washington Post published a report citing sources who spoke on the condition of anonymity that linked the hack to APT29, also known as Cozy Bear, a group tied to Russia’s foreign intelligence service. The Kremlin has denied responsibility for the SUNBURST attack.
What it means
At this time the full extent of the damage is unknown. Everyone, from cybersecurity experts to government officials, is highly concerned about the potential negative fallout from this attack.
Currently, organizations are scrambling to determine whether the Trojan backdoor is installed on their systems and, if so, what information has been accessed or stolen over the past six to nine months.
Experts and officials widely believe SUNBURST is a case of classic espionage, with targeted theft of information. Evidence hasn’t yet surfaced that indicates the attackers were planning to disrupt systems, but this doesn’t mean that evidence won’t be found during forensic investigations of the incident. The frightening aspect of this situation is that the hackers took what should have been a routine software update and turned it into a cyber weapon.
Supply chain attacks have been growing in number. One of the most prominent, widely publicized examples was the 2013 Target breach, in which attackers used network credentials stolen from an HVAC vendor as a foothold from which they reached Target’s payment systems. Going forward, many experts feel attacks such as SUNBURST will become more commonplace, posing big challenges for cybersecurity experts.
How SolarWinds & others responded
SolarWinds publicly acknowledged the SUNBURST attack on December 14, several days after cybersecurity company FireEye alerted it on December 9 and the company confirmed the finding. The company has published on its website, “We want to assure you we’ve removed the software builds known to be affected by the SUNBURST vulnerability from our download sites.”
At this time, the company says it is cooperating with authorities, handing information over to security researchers and bringing in outside experts to help strengthen its systems. Responses by others include:
FireEye published a detailed report online on December 13 about its internal findings, what they were doing to track the incident to learn more about what happened and shared detection opportunities affected organizations can use in their analysis.
The Cybersecurity and Infrastructure Security Agency (CISA), an agency within the U.S. Department of Homeland Security, issued Emergency Directive 21-01 on December 13 to affected departments and agencies, outlining what steps to take, including an order to disconnect or power down affected Orion products.
Microsoft almost immediately identified more than 40 of its own customers that were affected and notified them. Working with FireEye and GoDaddy, it then took control of (sinkholed) the domain the backdoor used for command and control, which acted as a kill switch for SUNBURST on infected hosts, and updated Microsoft Defender to detect and quarantine the trojanized Orion binaries.
However, on Dec. 31, the Washington Post reported that Microsoft said the attackers had used a compromised internal account to view some of its source code. Microsoft said it immediately remediated the affected accounts and that the source code was viewed but not changed.
Many other companies will likely be coming forward in the upcoming days, weeks and months, after their own internal investigations are completed.
What cybersecurity experts are saying about the SolarWinds hack
Many cybersecurity experts agree the incident is serious and, since its breadth is still unknown, could be the biggest cyberattack ever launched.
“Most organizations still lack the basic visibility to even assess whether they were compromised or not,” Sergio Caltagirone, Vice President of cybersecurity company Dragos, told NBC News. “We know we are undercounting the victims here. We know that for a fact.”
Forbes spoke to Andy Smith, a Cybersecurity Evangelist and industry expert with Centrify, who indicated this exploit is “especially troubling,” noting, in the case of FireEye, that tools designed to provide cybersecurity are now “in the hands of threat actors to do nefarious activities with them.”
The fact that so many federal agencies are affected is also troubling, considering the sensitive information that routinely travels through these agencies in their communications and networks.
Where things stand now
As forensic investigators examine the situation, one concern is illicit sales on underground internet forums: ZeroHedge reports that at least two researchers separately found criminals offering to sell access to SolarWinds’ computers on these forums.
Also alarming is a second piece of malware, dubbed SUPERNOVA, which SolarWinds says is unrelated to SUNBURST.
SolarWinds states on its website, “SUPERNOVA is not malicious code embedded within the builds of our Orion® Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer’s network and is designed to appear to be part of a SolarWinds product.” In practice SUPERNOVA is a web shell: a modified copy of an Orion web handler DLL that lets an attacker who can reach the Orion web interface compile and run arbitrary .NET code. The authentication bypass in the Orion API that allowed it to be planted (CVE-2020-10148) has been patched in SolarWinds’ latest update.
Earlier reports pointed to poor security practices at SolarWinds: in 2019 a researcher found the password “solarwinds123” for the company’s update server exposed in a public GitHub repository. The weak password has not been linked to this attack, but many media reports have noted it, and it has left many wondering what other cybersecurity practices might have been lacking.
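Because SUPERNOVA is planted on the Orion web server rather than shipped in a build, the evidence of its use is in the IIS access log rather than in the installer. The script below is an added example (not SolarWinds code) that flags requests to the Orion LogoImageHandler carrying the codes, clazz, method and args parameters that public analyses of the web shell reported it reading; the legitimate handler takes only an image id. The log lines are constructed for illustration, and the authoritative check remains hashing the handler DLL in the Orion web directory against SolarWinds’ advisory.

```python
"""IIS log check for SUPERNOVA web shell use (added example, not SolarWinds code).
The shell compiled and ran .NET code supplied in the request's codes, clazz,
method and args parameters (names as reported in public analyses of the
trojanized handler). Log lines below are constructed for illustration."""
from urllib.parse import parse_qs

HANDLER = "/logoimagehandler.ashx"
SHELL_PARAMS = {"codes", "clazz", "method", "args"}

# Constructed W3C-style lines: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2020-11-20 08:12:01 GET /Orion/LogoImageHandler.ashx id=123 10.0.0.15 200
2020-11-20 08:12:33 GET /Orion/LogoImageHandler.ashx codes=AAAA&clazz=Run&method=Go&args=1 203.0.113.9 200
2020-11-20 08:12:40 GET /Orion/LogoImageHandler.ashx clazz=Run 203.0.113.9 500
2020-11-20 08:13:10 GET /Orion/Login.aspx - 10.0.0.15 200
"""


def parse_iis_line(line):
    """Parse one W3C-style line into a dict, or None for comments/malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:
        return None
    date, time, method, stem, query, client, status = parts[:7]
    params = set() if query == "-" else {
        k.lower() for k in parse_qs(query, keep_blank_values=True)
    }
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "params": params, "client": client, "status": status}


def classify(rec):
    """'execute' if every shell parameter is present, 'probe' if only some are,
    None for ordinary handler requests (which carry just an image id)."""
    if not rec["stem"].lower().endswith(HANDLER):
        return None
    seen = SHELL_PARAMS & rec["params"]
    if not seen:
        return None
    return "execute" if seen == SHELL_PARAMS else "probe"


def find_supernova_requests(log_text):
    """Return (timestamp, client, status, verdict) for suspicious handler requests."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_iis_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict:
            findings.append((rec["ts"], rec["client"], rec["status"], verdict))
    return findings


if __name__ == "__main__":
    for ts, client, status, verdict in find_supernova_requests(IIS_LOG):
        print(f"{ts} {client:15} HTTP {status} {verdict}")
```

A 200 response to an “execute” request means the shell ran; a “probe” with only some of the parameters is worth an alert because the legitimate handler never sees those names at all, and the source address on either is the next pivot for the investigation.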
Stronger protection for your organization
Bad actors consistently seek ways to exploit organizations, both large and small. Taking proactive steps can reduce your organization’s exposure and help avoid data loss, network disruption or costly downtime.
Learn more about protecting your organization from cyberattacks and other threats with BC/DR solutions from Datto. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com.