
HACK AT SOLARWINDS: CAUSES AND CONSEQUENCES

The American cybersecurity community discovered a widespread data breach of government and private-sector networks in late 2020. The SolarWinds breach has impacted several government agencies and companies worldwide with a sophisticated attack exploiting vulnerabilities in the Orion software. The victims of this attack are still collecting the pieces and investigating the causes and consequences of the hack.
Whether or not your organization was directly impacted by the hack, your cybersecurity posture may shift because of it. Threat intelligence firm DomainTools released a report highlighting the ramifications of the hack across different organizations. DomainTools reported, based on a survey of 200 global security executives and professionals, that 96% of respondents were highly or slightly concerned by the breach.
A thorough and complex technical investigation into the extent of the breach has been going on. At the same time, debate over the intent behind the breach and its implications for cybersecurity policy has been raging. This article will examine the issues behind the SolarWinds hack, its consequences, and ways to improve security. Let’s get started.

What is SolarWinds?

SolarWinds is an American company developing software for businesses and helping them manage their systems, network, and IT infrastructure. This company is headquartered in Austin, Texas, with product development and sales offices in different locations in the US and several other countries.

A SolarWinds product Orion, used by almost 33,000 private and public sector customers, was the target of a large-scale hack disclosed in December 2022. The hack was undetected for a month, and the additional details regarding the depth and breadth of compromised systems continued to expand after the initial disclosure.

Orion has privileged access to IT infrastructure to get log and system performance data as an IT monitoring system. The privileged position and wide deployment of the software made SolarWinds an attractive and lucrative target to attackers.

How Did Hackers Carry Out SolarWinds Hack?

The SolarWinds hack is a software supply chain attack carried out against the US company SolarWinds. The hack is believed to have been carried out by an outside nation-state that tampered with SolarWinds’ Orion software updates. Various customers eventually installed the updates, including Fortune 500 businesses and federal agencies.

The SolarWinds hack is estimated to have affected more than 250 companies and agencies. The hackers used a supply chain attack to inject malicious code into the Orion software. This kind of attack targets a third party that already has access to the victim’s systems instead of trying to hack the victim’s network directly.

The compromised third-party software then creates a backdoor through which attackers can access and impersonate accounts and users of the target organization. Moreover, the malware could access system files and data while blending in with legitimate SolarWinds activity, so it went undetected.

SolarWinds was a perfect target for a supply chain attack because several government agencies and multinational companies use the Orion software. The attackers only had to get the malicious code into the new batch of software distributed by SolarWinds as a patch or update.

Timeline of the SolarWinds Hack

Here is the timeline of the SolarWinds hack.

  • Hackers got unauthorized access to the SolarWinds network in September 2019.
  • They tested the initial code injection into SolarWinds’ Orion software in October 2019.
  • A malicious code known as Sunburst was inserted into Orion on Feb 20, 2020.
  • SolarWinds unknowingly began sending out Orion updates containing the malicious code on March 26, 2020.

More than 18,000 customers installed malicious updates without detecting the malware spread. Hackers accessed the company’s customer information technology systems through this code, which they could use to install malware to spy on other organizations.

SolarWinds Hack Victims

SolarWinds informed the Securities and Exchange Commission (SEC) that around 18,000 of its customers had loaded fraudulent upgrades, making them exposed to attackers. SolarWinds has a number of high-profile clients, so the hack could be significant. According to Microsoft’s president, Brad Smith, more than 80% of the targets were non-government groups.

The Department of Homeland Security, parts of the Pentagon, the Department of Energy, the State Department, the Treasury, and the National Nuclear Security Administration were among the targets of the attack. According to the Wall Street Journal, private corporations such as Cisco, Microsoft, Intel, Deloitte, and other institutions such as Kent State University and the California Department of State Hospitals were hacked.

Since the breach was carried out secretly and went undetected for months, security professionals quoted by the Wall Street Journal say that some targets may never know whether they were attacked. Hackers broke into several email accounts and networks in the department offices of the Treasury. Secretary Steven Mnuchin reported that the hackers had only accessed unclassified data, but the department is investigating the extent of the breach.

Insider Threat

In September 2020, a cybercriminal offered a Russian-speaking Tesla employee a million dollars to install malicious code to execute an attack against the company. How much would someone pay to inject malicious code into the SolarWinds’ Orion software? Even if the insider did not receive any payment directly, they could get system access to sell the company’s data or information regarding the vulnerability.

During the process, someone may have altered the code because some organizations are not careful with the development process and allow code alteration in QA environments. In addition to inserting malicious code, a hacker could provide access to outsiders for making the change. For example, an insider may set a weak password to compromise the system.

According to SolarWinds management, the supply chain hack was caused by an intern who had set a weak password on his machine. According to the initial probe, the password had been publicly accessible since June 2018 through a misconfigured GitHub repository, and the problem was addressed in November 2019. However, those investigating the SolarWinds hack do not think that the weak password caused the breach, although a similar weak setting could let hackers access the system.

Malware Compromised Systems

Hackers may have compromised the source control systems, developer machines, or development servers to insert the code into the system software. They may have used malware at several points along the way as code moves through the SDLC.

  • If the code was inserted on a developer machine, the change would normally be noticed in a source code change review. However, SolarWinds might not have had such stringent reviews.
  • If the code was modified in source control, it might go unnoticed as it migrated through the system to production.
  • Automated operations may have inserted the code if hackers gained access to the servers performing the automation.
  • Hackers could have modified the code as it moved through the network with a man-in-the-middle attack. However, this would be more complicated to execute.
  • The hackers may have accessed the servers hosting the updates and replaced a good copy of the software with a malicious copy.
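Every insertion point in the list above shares one weakness: nothing re-checks the artifact against what was actually reviewed and built. The following is an added example (not SolarWinds code, and not a description of how Orion was built) of a release gate that does that check: the build system records a signed manifest of the reviewed commit and the SHA-256 of every output, and each later stage re-hashes what it received before publishing. The key, commit id, file names and byte contents are constructed placeholders; a real pipeline would sign with an asymmetric key so the update server never holds the signing secret.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed values for the illustration. A real pipeline would use an
# asymmetric signature and the commit id of the reviewed release branch.
BUILD_KEY = b"constructed-build-signing-key"
APPROVED_COMMIT = "0000000000000000000000000000000000000000"  # placeholder id


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: dict[str, bytes], source_commit: str, key: bytes) -> dict:
    """Record, at build time, which commit was built and the digest of every output."""
    body = {
        "source_commit": source_commit,
        "files": {name: sha256_hex(data) for name, data in sorted(artifacts.items())},
    }
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "mac": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    """Reject a manifest that was edited or regenerated by someone without the key."""
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, manifest["mac"])


def verify_artifacts(manifest: dict, received: dict[str, bytes]) -> list[str]:
    """Re-hash what a later stage received and compare it with the manifest."""
    findings = []
    expected = manifest["body"]["files"]
    for name, digest in expected.items():
        if name not in received:
            findings.append(f"missing: {name}")
        elif sha256_hex(received[name]) != digest:
            findings.append(f"digest mismatch: {name}")
    for name in received:
        if name not in expected:
            findings.append(f"unexpected file: {name}")
    return sorted(findings)


def release_gate(manifest: dict, received: dict[str, bytes], key: bytes,
                 approved_commit: str) -> list[str]:
    """Checks the update server runs before publishing. An empty list means publish."""
    if not manifest_is_authentic(manifest, key):
        return ["manifest signature invalid"]
    findings = verify_artifacts(manifest, received)
    if manifest["body"]["source_commit"] != approved_commit:
        findings.append(f"built from unreviewed commit {manifest['body']['source_commit']}")
    return findings


# Constructed artifacts standing in for a build output set.
GOOD_BUILD = {
    "OrionCore.dll": b"\x4d\x5a legitimate module bytes",
    "installer.msi": b"installer bytes",
}
# The same set after a backdoor was appended to one module and a loader dropped
# beside it, as in the "replaced a good copy with a malicious copy" case above.
TAMPERED_BUILD = {
    "OrionCore.dll": GOOD_BUILD["OrionCore.dll"] + b" + injected backdoor",
    "installer.msi": GOOD_BUILD["installer.msi"],
    "loader.dll": b"dropped helper",
}


def demo() -> dict[str, list[str]]:
    manifest = build_manifest(GOOD_BUILD, APPROVED_COMMIT, BUILD_KEY)
    # An attacker who swaps the files can regenerate a manifest, but cannot sign it.
    forged = build_manifest(TAMPERED_BUILD, APPROVED_COMMIT, b"attacker-has-no-key")
    return {
        "clean": release_gate(manifest, GOOD_BUILD, BUILD_KEY, APPROVED_COMMIT),
        "tampered": release_gate(manifest, TAMPERED_BUILD, BUILD_KEY, APPROVED_COMMIT),
        "forged_manifest": release_gate(forged, TAMPERED_BUILD, BUILD_KEY, APPROVED_COMMIT),
    }


if __name__ == "__main__":
    for stage, findings in demo().items():
        print(f"{stage}: {'publish' if not findings else findings}")
```

The commit check covers the source-control and developer-machine cases (the manifest names the commit that passed review), the digest check covers tampering in transit or on the update server, and the signature check stops an attacker on the update server from simply rewriting the manifest to match the swapped files.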

Is the Attack still Going On?

According to security experts, the campaign may have started in 2020 and is still going on. FireEye discovered various weaponized updates, digitally signed between March and May 2020, that had been published to the SolarWinds updates page.

A contaminated version of a SolarWinds Orion plugin impersonated the Orion Improvement Program (OIP) protocol. Under cover of this protocol, the backdoor communicates over HTTP with command-and-control (C2) servers to retrieve and execute malicious commands. The backdoor supports various features, such as executing files, transferring files, gathering system information, and disabling the system.

The hackers used VPN servers located in the same country as the victim to obscure their IP addresses and avoid detection. Moreover, Microsoft carried out a separate analysis and confirmed that attackers had mounted a supply chain attack on SolarWinds. Microsoft’s professionals tracked the backdoor as Solorigate. SolarWinds posted a security advisory disclosing the supply chain attack.

The company reported the breach to the authorities and is still investigating the hack with the support of security firms and the FBI. The company released a security update on December 15 to implement security enhancements and replace the compromised components.
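Because the C2 traffic rode over plain HTTP and came from IP addresses in the victim’s own country, geography-based blocking would not have caught it. What does stand out is that a monitoring product’s process talks to a host that is not its vendor, and does so on a near-constant schedule. The following is an added detection example, not code from the page or from SolarWinds, FireEye or Microsoft. It runs two checks over constructed proxy log lines: egress from a privileged monitoring process to any host outside its vendor allowlist, and request timing with so little jitter that it looks like a beacon. The process name `orion-monitor.exe`, the hosts `updates.vendor.example` and `api.c2.example`, and the log format are all placeholders, not the real names from the incident.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines (not real traffic). Each line: UTC time, source
# host, process name, HTTP method, destination host. Every name below is a
# placeholder chosen for the illustration.
SAMPLE_LOG = """\
2020-06-01T02:00:00Z monitor01 orion-monitor.exe GET updates.vendor.example
2020-06-01T02:00:10Z monitor01 orion-monitor.exe POST api.c2.example
2020-06-01T02:05:00Z monitor01 browser.exe GET news.example
2020-06-01T02:30:10Z monitor01 orion-monitor.exe POST api.c2.example
2020-06-01T03:00:11Z monitor01 orion-monitor.exe POST api.c2.example
2020-06-01T03:30:10Z monitor01 orion-monitor.exe POST api.c2.example
2020-06-01T09:00:00Z monitor01 orion-monitor.exe GET updates.vendor.example
"""

# Processes that hold privileged access and therefore get the strict egress rule,
# and the only external hosts they are expected to contact (assumed values).
MONITORED_PROCESSES = {"orion-monitor.exe"}
EGRESS_ALLOWLIST = {"updates.vendor.example"}


def parse_log(text: str) -> list[tuple[datetime, str, str, str]]:
    """Turn the whitespace-separated lines into (time, host, process, destination)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, process, _method, dest = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, process, dest))
    return events


def unexpected_egress(events, monitored, allowlist) -> list[tuple[str, str]]:
    """Destinations a privileged monitoring process contacted outside its allowlist."""
    hits = {(proc, dest) for _, _, proc, dest in events
            if proc in monitored and dest not in allowlist}
    return sorted(hits)


def regular_beacons(events, min_requests: int = 4,
                    max_jitter: float = 0.1) -> list[tuple[str, str, int]]:
    """(process, destination, period in seconds) for request series with near-constant gaps.

    Jitter is the standard deviation of the gaps divided by their mean; human or
    event-driven traffic scatters widely, a scheduled check-in does not.
    """
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ts, _, proc, dest in events:
        by_pair[(proc, dest)].append(ts)
    beacons = []
    for (proc, dest), stamps in sorted(by_pair.items()):
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period < max_jitter:
            beacons.append((proc, dest, round(period)))
    return beacons


def analyze(log_text: str) -> dict:
    events = parse_log(log_text)
    return {
        "unexpected_egress": unexpected_egress(events, MONITORED_PROCESSES, EGRESS_ALLOWLIST),
        "beacons": regular_beacons(events),
    }


if __name__ == "__main__":
    for finding, values in analyze(SAMPLE_LOG).items():
        print(finding, values)
```

The allowlist rule is the stronger of the two because it does not depend on where the destination is or how often it is contacted; the beacon rule is a second signal for cases where the allowlist is incomplete. Both work on the metadata a proxy or EDR already logs, so no decryption of the HTTP body is needed.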

How to Prevent Future Supply Chain Attacks?

Prior supply chain attacks should have gotten us ready for this. But that didn’t happen. So what can be done now? Secure coding practices may have allowed the malicious code to be detected quickly by SolarWinds. For SolarWinds customers, it’s now essential to implement patches and updates released by the company to get rid of the malware. However, patching can only prevent future damage. It does not fix malware that has already invaded the system. Here are some precautions to prevent supply-chain attacks in the future.

  • Choose vendors wisely. Examine who decides to hire a vendor, which criteria are used for selection, and whether vendor security is considered. Ascertain that an ongoing, three-stage formal review process is in place. Do your investigation of the vendor’s security posture. During this process, prospective clients should be advised to choose vendors who adhere to industry and government security laws. Early in the RFP process, when you have the most negotiating power, begin negotiating security guarantees with bidders.
  • Lawyers should ensure that vendor contracts contain appropriate security provisions. Re-evaluate and renegotiate your existing contracts, if possible. Through these attacks, we have also learned that just demanding the necessary safeguards at the contracting level is not enough; you must also VALIDATE their security posture through independent evaluation and audit. In vendor contracts, counsel should add requirements for audit rights and breach notification provisions.
  • Clients are responsible for removing their names from vendor databases, including websites. In this way, it would be more difficult for cybercriminals to identify which vendors an organization uses.
  • Consider diversifying your IT toolkit rather than looking for one solution to address all your IT needs. Having access to an all-in-one solution such as SolarWinds allows threat actors to gain control of an entire system from one point. The crucial point is that new tools need to be properly maintained.
  • There should be a limit to the demand for faster, more integrated technologies. Users normally want faster access to more data and features. In addition to adding complexity to already complex systems, such solutions make protection more difficult. In collaboration with IT, counsel should assess the potential risks associated with these tools and push comprehensive cyber security training for all employees on the influence of employee expectations on data security.
  • Determine whether any user-facing software has excessive privileges, meaning more control over the environment than it needs. Applications with administrator access can execute functions on behalf of users, systems, and applications automatically, which is exactly how the SolarWinds attack was carried out. Where necessary, upgrade or choose new solutions with capabilities that let you apply least-privilege practices. Lawyers should support and participate in routine evaluations of excess privilege.
  • Check that the company’s security procedures and resources enable it to respond rapidly to data breaches. Legal counsel should ensure that they have access to legal expertise about breach reporting, privacy rules, and incident response firms, but this is a more reactive approach.

Final Words

The SolarWinds attack is a global hack: the attackers turned the Orion software into a weapon for accessing several government agencies and private systems worldwide. Because the Sunburst malware could reach across the entire network of each affected organization, many enterprise and government networks face the risk of significant data breaches. Organizations should implement robust security measures and take precautions to prevent similar attacks.
