In late 2020, the world was hit with news of one of the most sophisticated cyber attacks ever discovered. Having gone undetected for almost nine months, the supply chain attack on US software company SolarWinds achieved unprecedented reach, hitting institutions as revered as the US federal government with insidious malware.
How did the attack fly under the radar for so long, and what are its implications going forward? Read on to find out.
What is a cyber supply chain attack?
A supply chain attack is a type of cyberattack that targets an organization by infiltrating one of its third-party vendors, such as a software provider. Small players in the supply chain are often targeted as gateways to larger organizations due to their less robust cybersecurity. Supply chain attacks are attractive to hackers because they can be highly targeted, grow quickly, and utilize the victims’ trusted partners, which makes them difficult to detect. These incidents are also referred to as third-party or value-chain attacks.
How did the SolarWinds breach work?
The SolarWinds breach was achieved through a compromised update to the company’s Orion software, a platform used by large networks to monitor and manage IT infrastructure. The attackers injected a backdoor into Orion’s code and Trojanized the platform’s update to infiltrate victims’ servers upon download through a DLL file.
The intrusion has been dubbed “Solarigate” by Microsoft and “SUNBURST” by the cybersecurity firm FireEye — you might see the incident referred to by either of these names.
How did the SolarWinds breach go undetected for so long?
The malware in the SolarWinds breach used highly sophisticated mechanisms to evade detection and to circumvent antivirus and sandboxing measures. A misguided focus on the prevention, rather than detection and remediation, of cyberattacks may have also led to a lack of vigilance among victims.
After lying dormant for around two weeks, the attackers attempted to identify and circumvent the antivirus and sandboxing software being used by the victim. If their preliminary probes failed, they aborted their mission, making the breach highly difficult to detect.
If successful, the attackers disguised themselves by mimicking the platform’s existing communication systems to retrieve and execute commands remotely. They then moved manually and laterally throughout their victims’ networks, leveraging the relevant user credentials for different tasks to avoid raising suspicion.
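The behaviour described in this section (a quiet period, then command retrieval over traffic shaped to look like the platform's own) is what a defender has to find in logs rather than in the binary. The following is an added example, not code from the article or from any vendor product: two cheap signals an EDR or SIEM rule can compute over proxy or DNS logs from a monitoring server, whose legitimate set of destinations is normally small and stable. The log format, hostnames and timestamps are all constructed for illustration.

```python
"""Spotting command-and-control traffic that blends into a server's normal
communication.  Added example (not from the original article); the log
format, hostnames and timestamps are constructed.

Two signals, computed from "timestamp source destination" log lines:
  1. first-seen: a destination never contacted during a baseline window;
  2. beaconing: connections to one destination at near-constant intervals,
     the signature of an implant polling for commands on a schedule."""

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed baseline: what the monitoring host talked to in a quiet month.
BASELINE_LOG = """\
2020-02-01T09:00:00 orion-01 updates.example-vendor.test
2020-02-01T09:05:00 orion-01 time.corp.test
2020-02-02T09:00:00 orion-01 updates.example-vendor.test
2020-02-03T10:30:00 orion-01 time.corp.test
"""

# Constructed review window: one new destination, contacted every ~30 minutes.
REVIEW_LOG = """\
2020-03-20T09:00:00 orion-01 updates.example-vendor.test
2020-03-20T09:00:05 orion-01 cdn-status.placeholder.test
2020-03-20T09:30:02 orion-01 cdn-status.placeholder.test
2020-03-20T10:00:01 orion-01 cdn-status.placeholder.test
2020-03-20T10:29:58 orion-01 cdn-status.placeholder.test
2020-03-20T11:00:00 orion-01 time.corp.test
"""


def parse_log(text):
    """Parse constructed 'timestamp source destination' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        events.append((datetime.fromisoformat(ts), src, dst))
    return events


def baseline_destinations(events):
    """Destinations each source host contacted during the baseline window."""
    seen = defaultdict(set)
    for _, src, dst in events:
        seen[src].add(dst)
    return seen


def first_seen(events, baseline):
    """(source, destination) pairs in the review window absent from the baseline."""
    hits, reported = [], set()
    for _, src, dst in events:
        if dst not in baseline.get(src, set()) and (src, dst) not in reported:
            reported.add((src, dst))
            hits.append((src, dst))
    return hits


def periodic_destinations(events, min_hits=4, max_cv=0.1):
    """Flag pairs whose connection gaps have a coefficient of variation
    (stdev / mean) below max_cv.  Human-driven or update-check traffic is
    bursty; a polling implant is regular.  Returns {pair: mean gap in seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst in events:
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            flagged[pair] = avg
    return flagged


def review(baseline_text, review_text):
    """Run both checks and return findings for an analyst to triage."""
    baseline = baseline_destinations(parse_log(baseline_text))
    events = parse_log(review_text)
    return {
        "first_seen": first_seen(events, baseline),
        "beacons": periodic_destinations(events),
    }


if __name__ == "__main__":
    for kind, findings in review(BASELINE_LOG, REVIEW_LOG).items():
        print(kind, findings)
```

Neither signal proves compromise on its own; a new destination may be a legitimate vendor endpoint, and a scheduled job beacons too. Their value is that both are computed from logs the attacker does not control, and a server that simultaneously starts talking to a never-seen host on a fixed cadence is a strong lead even when the traffic itself looks like ordinary platform telemetry.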
What are the implications of the SolarWinds supply chain attack?
Due to its apparent lack of financial motive, the SolarWinds cyberattack is thought to have been a cyberespionage campaign conducted by a nation state, with US intelligence agencies alleging links to the SVR (Russian Foreign Intelligence Service). The hack affected government and corporate networks worldwide across various industries. Many of these entities are now collaborating to mitigate the damage, but what is the takeaway and who else is at risk?
Expect more malicious attacks
The SolarWinds attack saw bad actors gain access to sophisticated hacking tools, including those developed by cybersecurity firm FireEye to test its own clients’ defense systems. This will inevitably lead to a greater number of enhanced attacks globally.
Who is at risk?
SolarWinds has stated up to 18,000 organizations may have been compromised. Known high-profile victims include Microsoft, Intel, SAP, Cisco, VMware, Mimecast, and FireEye. VISA, AT&T, and the US departments of Defense, Energy, Health, Commerce, and Homeland Security were also breached. If organizations with top-level cybersecurity can fall victim, then no one is safe from this type of attack.
Could this affect my organization?
The good news is, according to Microsoft, end-user data was not targeted in the attack. However, if your organization uses SolarWinds’ Orion software and installed the compromised update released between March and June 2020, you may be at risk. You can check if you were exposed via the SolarWinds security advisory page or contact us at Zeta Sky to run an assessment if you are concerned — we have performed an internal scan and can confirm that our company was not affected by the breach. SolarWinds stated that the hackers most likely pursued organizations that hold highly sensitive information. In a broader sense, organizations of all sizes should take this as a cue to heighten their cybersecurity measures.
How can supply chain attacks be prevented?
To prevent a supply chain attack, you should operate on the assumption that breaches will happen. Deploy an endpoint protection platform (EPP) and endpoint detection and response (EDR) tools, such as Microsoft Defender for Endpoint, to constantly search for indicators of compromise on your servers. You should also implement change management controls to review your software updates, evaluate the supply chain cybersecurity risk of your third-party suppliers, and re-examine who has access to sensitive data within your organization.
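One concrete form of the change management control mentioned above is a gate that refuses to install an update unless it matches what was reviewed and approved. The following is an added example, not code from the article, from SolarWinds or from any EPP/EDR product; the ledger entries, ticket ids, payload bytes and known-bad hash are constructed. The policy it encodes: the file's SHA-256 must match the hash recorded at approval time, the approval must come from someone other than the requester, and the hash must not appear on an internal known-bad list.

```python
"""Change-management gate for third-party software updates.  Added example,
not from the article or any vendor's tooling; all records and payloads are
constructed.  Decision: (allowed, reason) for an update file about to be
installed on a server."""

import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class ChangeRecord:
    """One entry in the change ledger, written when a rollout is approved."""
    ticket: str
    product: str
    version: str
    sha256: str           # hash of the file the reviewer actually looked at
    requested_by: str
    approved_by: Optional[str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for downloaded installer files.
GOOD_PAYLOAD = b"constructed vendor update, build 2020.2"
TAMPERED_PAYLOAD = b"constructed vendor update, build 2020.2 + injected code"
BAD_PAYLOAD = b"constructed payload already known to be malicious"

# Constructed ledger keyed by (product, version); CHG-1002 was self-approved.
LEDGER: Dict[Tuple[str, str], ChangeRecord] = {
    ("monitoring-platform", "2020.2"): ChangeRecord(
        "CHG-1001", "monitoring-platform", "2020.2", sha256_hex(GOOD_PAYLOAD),
        requested_by="ops.alice", approved_by="sec.bob"),
    ("monitoring-platform", "2020.2-hotfix"): ChangeRecord(
        "CHG-1002", "monitoring-platform", "2020.2-hotfix", sha256_hex(GOOD_PAYLOAD),
        requested_by="ops.alice", approved_by="ops.alice"),
}

# Constructed placeholder; a real list is fed from vendor and CERT advisories.
KNOWN_BAD: Set[str] = {sha256_hex(BAD_PAYLOAD)}


def evaluate_update(product: str, version: str, data: bytes,
                    ledger=LEDGER, known_bad=KNOWN_BAD) -> Tuple[bool, str]:
    """Apply the gate.  Checks run cheapest and most decisive first."""
    digest = sha256_hex(data)
    if digest in known_bad:
        return False, f"refused: hash {digest[:12]}... is on the known-bad list"
    record = ledger.get((product, version))
    if record is None:
        return False, "refused: no change record for this product/version"
    if record.sha256 != digest:
        return False, (f"refused: hash mismatch against {record.ticket}; "
                       "file differs from what was reviewed")
    if not record.approved_by:
        return False, f"refused: {record.ticket} has no approval"
    if record.approved_by == record.requested_by:
        return False, f"refused: {record.ticket} was self-approved (separation of duties)"
    return True, f"allowed: {record.ticket} approved by {record.approved_by}"


if __name__ == "__main__":
    for version, payload in [("2020.2", GOOD_PAYLOAD), ("2020.2", TAMPERED_PAYLOAD),
                             ("2020.2-hotfix", GOOD_PAYLOAD), ("9.9", GOOD_PAYLOAD),
                             ("2020.2", BAD_PAYLOAD)]:
        print(version, evaluate_update("monitoring-platform", version, payload))
```

The caveat a practitioner should keep in mind: a hash or signature match shows the file is the one the vendor shipped and the one your reviewer approved, not that the vendor's build is clean. In the SolarWinds case the backdoor was inside the vendor's own update, so this gate is what gives the review, staged rollout and post-install monitoring a fixed artefact to work on; it is not a substitute for them.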
In our next article we will look in more detail at the steps you can take to protect your organization from supply chain attacks.
Even if your organization was not directly affected by the supply chain attack on SolarWinds, the breach should be taken as a wake-up call to review your cybersecurity measures — particularly in relation to your third-party vendors.
If you do get hit by a cyber attack or data breach, Zeta Sky’s emergency response team can help. Better yet, we can help you build a security and incident response plan before that happens. Contact Zeta Sky today for a security assessment.