The SolarWinds attack, one of the biggest hacks in history, has been discovered at the end of 2020. And it’s been keeping plenty of cybersecurity professionals up ever since.
If you’re not amongst them, you might think that the SolarWinds hack doesn’t affect you in any way. After all, the name does not sound familiar.
However, it might have impacted the services you use on the regular. Big tech corporations like Microsoft, Intel, or Cisco admitted they found malware in their systems, as did thousands of companies and government agencies around the world.
That’s because the SolarWinds security breach was a supply chain attack. This story is still developing, but let’s see what we know so far.
The hack: an intelligence-gathering effort
A supply chain attack, also called a value-chain or third-party attack, occurs when a hacker gains access to a system through an outside partner or provider with access to the system.
FireEye, a cybersecurity firm working with many essential state agencies and organizations, was the first to discover the SolarWinds attack. Apart from stating that the hacking campaign involved numerous companies, FireEye disclosed they were affected as well.
According to US federal agencies, hackers who compromised IT management software from SolarWinds started the entire operation in March 2020. However, the security hack was identified and became public in December 2020.
pic.twitter.com/6E3EqvfNSF — Face The Nation (@FaceTheNation) December 20, 2020
On January 5th, 2021, the Federal Bureau of Investigation, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence made a joint statement declaring the SolarWinds hack was most likely from Russia.
The four agencies defined the hack as “an intelligence-gathering effort.” The attack was beyond an operation planning to destroy or cause trouble among US-based IT infrastructures. SolarWinds Inc. is an American company that develops software for businesses to help manage their networks, systems, and information technology infrastructure.
In this massive breach, Russian hackers introduced a malicious code into an update of Orion’s software. Companies use Orion to manage network performance, logging files, storage, configuration processes, among other operations.
Around 18,000 SolarWinds customers installed the Orion update. And this is the way they were infected with a version of the Sunburst backdoor trojan. As the hackers inserted the malware into a signed, trusted update software, it was challenging for security professionals to spot it.
Russian hackers’ master plan poses a double concern:
- First, they designed a very sophisticated attack. Instead of relying on phishing campaigns to trick users into downloading malicious software, now, they just wait for their targets to install an update.
- Second, the widespread effect and the scale of this data breach could be far beyond any cybersecurity specialist’s imagination.
Welcome to Microsoft’s source code
After an initial denial that they were not affected by the hack, Microsoft confirmed they were also impacted. Before bringing the news to light, Microsoft began quarantining Orion versions that included the malware to cut hackers off from customers’ networks.
In Microsoft’s case, attackers pretended to be one or more real users so they could access the organization’s cloud services and identity management provider, such as Microsoft 365 or Azure Active Directory – the backbone of Office 365.
NEW: CISA said this week that the threat actor behind the SolarWinds hack also used password guessing and password spraying to breach targets, not just trojanized Orion updateshttps://t.co/qHyEYMY4jA pic.twitter.com/LYUuzCsizC— Catalin Cimpanu (@campuscodi) January 8, 2021
Once inside the Azure Active Directory, hackers captured what security experts like to call “the keys to the kingdom”. Many companies use this software to create and manage network accounts, passwords, and privileges.
So, it became clear that SolarWinds heavily compromised Microsoft’s source code, which is the set of instructions revealing how a piece of software or operating system runs. However, it still isn’t clear how much or what parts of Microsoft’s source code the hackers could access.
Based on recent findings, Microsoft-authorized resellers were also hacked.
Microsoft has published a report today about the SolarWinds attacks. A must read for incident responders as it goes into detail about newly uncovered techniques, payloads, and connections.https://t.co/7yIwpUeU6s pic.twitter.com/2j5B3b3MLh— Catalin Cimpanu (@campuscodi) January 20, 2021
The discovered vulnerabilities
After months of investigation, cybersecurity experts found three significant vulnerabilities that led to the extensive supply-chain attack:
- Orion used Microsoft Message Queue, a tool that has been on the market for over 20 years but is no longer installed by default on Windows machines.
- Orion didn’t safely store database credentials. It seems certificates were kept in a file that unauthorized users could have accessed.
- The secure FTP (file transfer protocol) server software for Windows stored details for each account in separate files that any authenticated Windows user could create.
Mind-blowing details came from the former SolarWinds CEO. According to him, everything started when an intern set an essential password to ‘solarwinds123.’ While this was for a third-party site not connected to the breach, it’s still an important detail that reveals the company’s weak security policies.
With a cross-examination still unfolding, security experts agree on two things: the attackers had a lot of time to do damage, and the effects will continue to unravel. After all, cybercriminals managed to ramble around American computer networks for around nine months. With a unique technique, attackers slipped in unnoticed using a backdoor they created and proved extremely patient.
It’s still unclear if they were just reading emails and digging up information, setting up malware, or preparing something more harmful.
The early warning signs
Volexity and Palo Alto Networks are two companies that spotted some suspicious behavior months before the SolarWinds hack was made public.
Volexity is a US-based cybersecurity company. The company’s founder traced an abnormal activity to a client’s computers and thought it was a bad update with SolarWinds. After he and his team assured customers’ systems were safe, the company did not consider there was anything to report to SolarWinds or the US government.
The second one came from Palo Alto Networks, another cybersecurity company. Here, the staff found a malicious backdoor that seemed to connect to Orion software. In this case, the security teams from SolarWinds and Palo Alto worked together for months, trying to solve the problem.
Yet, no one could figure out an attack was behind it and discarded any additional analysis.
The US power grid was also impacted
The SolarWinds breach also affected several critical infrastructure companies in the electric, oil, and manufacturing industries that were also running Orion. The malicious update also spread to three connected original equipment manufacturers (OEMs).
OEMs have remote access to critical parts of customer networks. They also have the right to make changes to those networks, install new software, or even control critical operations. This means that hackers who breached the OEMs could potentially use their credentials to manipulate critical customer processes.
As US security agents have mentioned, if two OEMs get compromised, it could help hackers access hundreds of industrial control systems networks worldwide. And hacking power grids is nothing new for Russian attackers.
In 2015, Russia hacked several Ukrainian power distribution plants and cut out power for over 200,000 customers for several hours in the middle of winter.
They repeated the operation in 2016 when they cut out power for about an hour while also invading Ukraine’s national railway system.
Experts believed it was merely a test to see how they could optimize their techniques and put them into play in other countries, such as the US.
Plenty of companies were targetedBased on what we know so far, here are just some of the companies and organizations targeted in the SolarWinds hack:
- US Departments of Homeland Security
- US Departments of Homeland and Treasury
- US National Institutes of Health
- California Department of State Hospitals
- US Department of Energy
- US National Nuclear Security Administration
- US Justice Department
- Kent State University
- AT& T
- Procter & Gamble
This list keeps getting longer and longer as we learn more of the hack’s extent.
We knew the attackers used other vectors besides the SolarWinds software to breach some victims, but this percentage — 30% — significantly widens the potential scope and complicates forensic investigations that are just focused on finding SW compromises https://t.co/ZWmEeE81DL— Kim Zetter (@KimZetter) January 29, 2021
US’s sanctions over SolarWinds attack
At the beginning of his term, President Biden condemned the attack and promised his administration would get to the bottom of the hack and punish those responsible for it. Four months later, that’s exactly what happened.
Have a look at the cybersecurity challenges the Biden administration faces
On April 15, the President passed an executive order with several economic sanctions against Russian financial institutions, technology companies, and individuals known to have been part of “harmful foreign activities,” including the SolarWinds hack.
Do you think companies will enforce tighter security measures? In what way do you believe the SolarWinds hack will affect end users?
Let me know in the comments below, and thanks for being a Privacy Hub reader!