The SolarWinds Hack - A Layman's Summary & Implications for Society

We wrote the article below as a service for our end-users (we have had many users ask us what really happened with SolarWinds and what the implications are). Share, re-use, grab content and modify as you see fit.

//////

Most of us have heard about the SolarWinds hack, a security incident that has been called "stunning", "massive", "nightmare scenario", "significant and ongoing", and will require "years of cleanup". There's so much to unpack in the incident that it's hard for most people to understand what happened and what the risk is. We've taken a shot below with a summary organized as frequently asked questions. For the more technical and interested among you, the bottom of the article has links to suggested reading. Let's get started!

Who is SolarWinds and why is this such a big deal to start with?

SolarWinds is a software company that creates software used to manage and monitor computer networks. While you may not have heard of them, their software is excellent and used by almost every organization in the world. Think of their software as the equivalent of Microsoft Office, but for network administrators. Since their software is installed worldwide, any security vulnerability in their software impacts thousands of companies.

OK. I get it. So, what exactly happened in this hack?

Hackers broke into SolarWinds' network (we don't yet know how). Over time, they quietly infiltrated the software development and release processes. Starting in March 2020, they were able to embed malicious code into a software release for customers. Customers who downloaded and installed this release were now infected.

But security incidents occur all the time. Why is THIS such a problem?

SolarWinds software has privileged access to, and knowledge of, the entire corporate network it manages. An attacker who has compromised SolarWinds now has full access to that entire network. It's sort of like being a bank robber who, instead of having to get past armed guards, tellers, and safes, is dropped straight into the vault and handed the combination.

Who were the attackers?

While no-one has taken responsibility for the attack, it is widely believed that hackers associated with the Russian government perpetrated the attack.

What was so cunning and harmful about this attack?

There were a few things that the attackers did to make this attack devastating:

  1. Although they had compromised thousands of companies, they only exploited a few hundred of the most sensitive ones - among them, the US Departments of Energy, Treasury, Commerce, Homeland Security; and the Pentagon, Microsoft, and FireEye.
  2. Once in those networks, they covered their tracks and had 9 months to steal data, create back-doors in systems, and move across these highly sensitive systems. They therefore had 9 months of access to the most sensitive data in the US government. And the worst of it? They could still be there.
  3. The efforts that they made to gain administrative access, hide their tracks, and create additional points of entry are nowhere near being understood. It will take months to years to understand and eradicate them, by which time the attackers currently on these networks could have created new back-doors.

Think of this as having a flea infestation in your house. You can find each flea and kill it and hope you find them all (it's a big house!). Or you could use a flea bomb. But here's the constraint - you're not allowed to leave your home. What would you do? That's what network administrators are faced with today - do they break and rebuild the network? Or do they search diligently through a hacked network and hope they can find all the signs of an attack that's designed to be stealthy?

What is the impact of the attack on an ordinary citizen (whether in the US or elsewhere)? AKA, should I worry?

At a micro-level, there are no risks to you. There is scant evidence that specific citizens were targeted, for example. Your computer was not targeted and you don't need to take additional steps beyond what you already do to be secure.

At a macro-level, there are societal risks to all of us. The attackers know about the inner workings of at least the US government, and perhaps others. They could use that knowledge to spread fake news, manipulate financial markets, and influence policy decisions. All of these have a trickle-down impact on us.

What's the connection with FireEye?

FireEye is a US firm that specializes in helping companies respond to security attacks. They themselves were compromised in this attack. They were also the ones to first detect it and warn the rest of the world. You'll hear the words FireEye, Sunburst, SolarWinds, and Solorigate used interchangeably in the context of this incident.

I hear some of Microsoft's source code was stolen. Is this worrisome?

Yes. Do not believe Microsoft when they say "we do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code." That's balderdash. It's quite one thing to say "My bank is secure and I assume that people have knowledge of our inner processes" and another to hand over all your operating process books to a criminal. There will absolutely be security ramifications to the exposure of this source code over the next several months.

Things like command-and-control, global SAML, supply-chain attack, and second-stage payload excite me. Where can I read more about the technical details?

At the bottom of this article, I've posted both news articles that go into some level of detail on the attack and deep technical discussions. Have at it!

But as a teaser, a supply-chain attack seeks to damage an organization by targeting less-secure elements in the supply network, for example, third party software (as this was) or an attack through a trusted vendor's resources.

For Further Reading

(c) indicates a collection of articles

(r) indicates a strongly recommended article

(s) indicates a summary article

(t) indicates a technical article

///

Aurobindo Sundaram is a security executive with 20+ years of experience in the information security space. He has written code that went into Windows NT, met Bill Gates, visited all 50 US states, and he really, really enjoys Sichuan cuisine. The opinions presented above are his personal views and are not those of any organization with which he is affiliated. All his LinkedIn Short Articles are available here.
