The latest data breach to make headlines this year focused on the U.S. government. From as early as March 2020, cyberattackers have had free rein to exploit U.S. government networks and private companies around the globe.
Cyberattackers attached malicious code to a software update for Orion, a popular software program from SolarWinds. Any customer that downloaded the update from SolarWinds unknowingly infected their own system, creating a backdoor for unsanctioned monitoring and malicious activity. In a recent filing with the Securities and Exchange Commission, SolarWinds states that fewer than 18,000 organizations downloaded the compromised update. It’s unclear exactly how many of those organizations were breached.
Although the source of the attack has not yet been confirmed, experts believe these attacks stemmed from Russia’s foreign intelligence agency. Despite a public statement from the secretary of state citing belief that Russia was indeed behind these attacks, President Trump downplayed the severity of the attack and suggested China as a possible source. After the initial breach was detected, a second backdoor in the program was revealed, believed to have been placed there by a separate perpetrator. Due to the complexity of the attack and the belief that it was state-sponsored, the threat is believed to pose a “grave risk to the federal government,” according to representatives from the Cybersecurity and Infrastructure Security Agency (CISA).
Approximately two weeks after infection, the code will retrieve and execute specific commands such as file transfers, file executions, reboots, disabling system services, and others. “The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results within legitimate plugin configuration files allowing it to blend in with legitimate SolarWinds activity,” according to a recent report.
The cyberattackers were careful to remain under the radar by limiting their use of the malware. Instead, they opted to use stolen credentials to gain remote access to the system after initial entry. Also, the attackers ensured they did not reuse code, which helped them avoid detection.
Microsoft President Brad Smith has been quoted saying, “The attack, unfortunately, represents a broad and successful espionage-based assault on both the confidential information of the U.S. government and the tech tools used by firms to protect them. While governments have spied on each other for centuries, the recent attackers used a technique that has put at risk the technology supply chain for the broader economy.”
According to NPR, this attack affected several U.S. government agencies, including the Commerce Department, Department of Homeland Security, Pentagon, Treasury Department, U.S. Postal Service, Department of Energy, and the National Institutes of Health. Companies in consulting, technology, telecom, and other sectors across North America, Europe, Asia, and the Middle East were also affected. Among these private companies, Microsoft experienced a breach due to this attack, which then filtered down to affect 40 client organizations as well. It’s likely the full impact of these attacks has yet to be felt across all organizations.
Although the media emphasis from this data breach has been justly focused on federal agencies and homeland security, the fact is, SolarWinds has approximately 300,000 customers, including a number of midsize enterprise organizations. The unfettered access to company information has posed a significant cybersecurity risk to not only SolarWinds customers but also those companies connected to the affected customers.
Unfortunately, even if your company follows strict cybersecurity measures, including regular updates and patches, to protect your business, you would likely have been exposed to this attack regardless. These attackers leveraged a software update to quietly push their malware out to targeted agencies and companies, knowing they could piggyback on the reputation of a legitimate company. Following standard patching protocols would have installed the update at your company, leaving you exposed.
In a Security Advisory issued by SolarWinds, the company assured customers that the software builds affected by the cyberattack have been removed. Further, SolarWinds recommends that customers who currently run one of the known affected products upgrade to the latest Orion software release for greater security. If, however, a customer is unable to upgrade immediately, SolarWinds recommends that the customer ensure Orion is installed behind firewalls, disable Internet access for the platform, and limit the ports and connections to only what is required to operate the platform.
Although the SolarWinds cyberattack has gained significant media attention, there are many other cybercriminals out there looking for weaknesses in your network. Remaining diligent with cybersecurity policies and procedures is critical, as are proactive monitoring and penetration testing to identify potential areas of risk so you can avoid costly data breaches in the future.
As with any cybersecurity risk or data breach, it’s important to look closely not only at the threat itself but also at any opportunities to tighten cybersecurity practices. It poses a critical question for cybersecurity professionals: what can we learn from this attack to better secure company data and protect against these increasingly sophisticated and complex attacks in the future?