The Fallout from the SolarWinds Hack

This post was originally published at

The infamous SolarWinds hack, now known as “SUNBURST”, is likely to go down in history as one of the most sophisticated and nefarious cyberattacks ever achieved. And in many ways, it's still not over.

To date, the scope of the attack is vast, and it is likely it will broaden even further as investigators and cybersecurity forensic analysts uncover more information. Just last week, researchers identified three new vulnerabilities in SolarWinds products, which the company quickly patched. Additionally, new developments point to China as a secondary culprit behind the attack.

At this time, the fallout from this cybersecurity event is still widening and, as the investigations continue, additional victims continue to be identified.

A refresher on what happened

SolarWinds, a prominent network management software company, learned its flagship software, Orion, had been infiltrated after hackers inserted trojan malware into Orion’s routine software updates. These updates were subsequently distributed to customers.

The exploiters deftly made their intrusion appear to be a part of a legitimate software update. Their presence went undetected for months as they subtly inserted code, spied and erased their tracks. It is largely believed SUNBURST is an espionage attack committed by government-sponsored hackers in Russia and China. Moscow and Beijing have both denied these allegations.

18,000+ organizations affected

At least 18,000 organizations have been identified as downloading the trojanized software update. The fallout from this hack, deemed as a highly sophisticated supply-chain attack, means not just the organizations targeted to be hacked are affected, but all of their customers (and perhaps even their customers) can also be impacted as well, because this attack was tied to the distribution of infected software patches. Essentially, just one point of intrusion can net tens of thousands of victims.

As of this time, additional attacks have been detected, which all appear to be connected to the SUNBURST (also referred to in industry circles as “Solorigate”) hack.

Effects on organizations

Since the beginning, cybersecurity experts have anticipated the fallout from the SolarWinds attack will get worse before it gets better – and a month after the hack was discovered and publicized, all indications appear this indeed will be the case. Some of the organizations affected include but are not limited to:

U.S. federal government

In the initial weeks after the discovery of SUNBURST, numerous U.S. federal agencies have been affected, including the Departments of Defense, Commerce, Energy, Homeland Security, Justice, State and Treasury, the National Institutes of Health and the Bureau of Labor Statistics. It’s believed, as investigations continue, that evidence may surface that additional federal agencies were affected.

The implications of espionage on these and other federal agencies can be devastating. In the aftermath of SUNBURST’s discovery, the government disconnected from affected services and is actively monitoring the situation as they investigate. Lawmakers are actively pushing the new U.S. administration to make sweeping changes to deter foreign nation-state attacks and cyber-espionage.

Organizations

Many industry giants were affected by this cybersecurity event. Hackers went after Microsoft’s source code, along with its Microsoft 365 email services and Microsoft Azure Cloud infrastructure. Other companies, such as Intel, Cisco, Belkin, various educational facilities and utility companies, along with local governments, were also compromised. Responses have varied as organizations from all sectors scramble to protect themselves and investigators actively work to determine which organizations have been impacted, uncover evidence and determine the sequence of events. Evidence of other potential breaches are being examined, but have not been yet confirmed since the names of these organizations are based on decoded internal names.

Cybersecurity firms

Even cybersecurity firms were affected by the breach of the Orion software. As of this writing, FireEye, Malwarebytes and CrowdStrike all found evidence during their internal investigations that they too had been affected by nation-state actors. FireEye was the company that initially discovered the hack and notified SolarWinds. Malwarebytes said it had “limited” exposure and determined its intrusion was committed by the same hackers, but that they took a different route. Reportedly, the intrusion to CrowdStrike was unsuccessful.

Furthermore, since the discovery of SUNBURST, other similar breaches have been discovered. Recently, Mimecast Inc., an email security provider, uncovered techniques similar to the SolarWinds attack. However, the affected hadn’t been using Orion software. Other related types of malware have also been uncovered in various investigations, including Sunspot, Teardrop and Raindrop. The latter two malware types were launched later in the attack and were used to escalate and widen their access inside the networks the hackers infiltrated.

The SUNBURST and similar related hacks are significant. After the hackers successfully infiltrate, regardless of their entry point, once they gain network privileges, they can do serious damage. By positioning their malware as legitimate software, they can create new accounts, give themselves high-level authentication privileges and “roam freely without raising red flags,” per a recent Wired report that delves into deep detail about this attack and reports of potential copycats.

Emergence of copycats?

Now that the SolarWinds hack has been widely publicized, the cybersecurity industry is bracing themselves for the emergence of copycats penetrating software supply chains. Additionally, some believe U.S. businesses and government agencies need to put a higher priority on supply-chain security and third-party risk management. In a Jan. 25, 2021 Bloomberg op-ed, the author emphasizes the wide scope of the SolarWinds attack, stating, “the scale of the attack is breathtaking,” and suggests “thousands of other software suppliers” could be next.

It is widely believed by Microsoft, SolarWinds and other organizations that more transparency is a part of the solution. The mindset is the more transparent everyone is, the better chances intruders will be detected sooner rather than later.

As WIRED reported:

“We think it’s critical that governments and the private sector are increasingly transparent about nation-state activity so we can all continue the global dialogue about protecting the internet,” Microsoft said in a December blog post that linked these techniques to the SolarWinds hackers. “We also hope publishing this information helps raise awareness among organizations and individuals about steps they can take to protect themselves.”

The SolarWinds hackers had months of free reign before they were detected. Copycats are likely to try to gain the same advantages. Organizations will have to step up their game if they want to circumvent similar attacks going forward. Several organizations have come forward encouraging future collaboration and thanking those who have shared information that has enabled them to identify their own internal issues.

Realities companies are forced to face

Since the SolarWinds hack was discovered, one thing is for certain: organizations have been forced to recognize the weaknesses in their incident response practices. For instance, many never check their logs, analyze traffic or examine the IP addresses present in their networks. In the future, to prevent being victimized, they’ll need to be more vigilant and reexamine their policies and protocols.

Per a DataCenter Knowledge report:

“Data centers too often put their full trust in their management software, allowing it full access to the enterprise and unfettered communications with the outside world,” said Jerry Bessette, head of Booz Allen’s Cyber Incidence Response Program.

Along with expanding and strengthening their monitoring procedures, many experts are also strongly advocating organizations employ zero-trust architecture philosophies and strategies to limit any intrusions that are successfully deployed.

There is a potential silver lining though. Organizations may now see the value in giving information security more priority, rather than budgeting security as an afterthought. This will give them the ability to better vet vendors and monitor their own internal systems. Granted, information security spends and doesn’t produce revenue, but giving it proper attention can go a very long way toward protecting the departments that do generate revenue and growth. It’s an area of business that cannot – and should not – be ignored.

Value of risk assessments and business impact analyses

Any hack or data breach can bring disastrous consequences to an organization. Aside from the upfront legal and regulatory costs associated with these events, being compromised can also taint brand image, ruin an organization’s reputation, lose the trust of customers and hurt future profits.

Not all cybersecurity events can 100% be prevented. However, proactive planning can reduce risk and counter the negative impact if one occurs. As a part of their disaster recovery planning, businesses should consider routinely conducting risk assessments and performing business impact analyses. These preventative measures can go a long way toward anticipating and mitigating problems. Every industry comes with some level of risk, but how much can you afford to absorb, and how much will be lost if security is compromised?

By assessing risk and identifying how a security event can negatively impact your organization, you can arm yourself with ways to protect it.

Arm your organization with stronger cybersecurity

Threat actors don’t just actively target large corporations or government agencies, they also frequently aim their attacks at small and medium-sized businesses. Hackers largely view SMBs as easy targets, because many don’t invest in strong cybersecurity measures or may not have the financial resources to do so. Taking preventative steps can go a long way toward identifying any potential vulnerabilities which can be addressed to circumvent an attack. An experienced partner can help provide strong security measures in a way that is cost-effective and will fit an SMB's security budget.