Possibly the worst security breach ever has left organisations reeling, but consensus on the best ways to respond is still far out of reach.
What was described by Microsoft President Brad Smith as the “largest and most sophisticated attack the world has ever seen” should have been enough to make the world sit up and pay attention. But when the story broke in December 2020, there were many other global events that meant the SolarWinds Orion Hack didn’t get the attention it deserved. The US government is now facing a possible 18 months to recovery, according to the acting head of CISA, Brandon Wales.
SolarWinds is the name of the software company that provides network management services to thousands of government and private organisations worldwide through a platform called Orion. The attackers installed malware by rewriting 4,032 lines of code in a software update that opened up a backdoor to 18,000 organisations around the world. When the update went live, all of these were infected with the malware, with the unwitting approval of SolarWinds.
SolarWinds cyber espionage
The attack was less a conventional cyber attack than a complex form of espionage. It was first discovered in November 2020 by the cybersecurity firm FireEye, which reported the hack on 13 December. It was only revealed when a FireEye employee noticed two phones registered for the multi-factor authentication of another employee. The hackers had apparently found their way into the system by impersonating employees and investigating the company, but there is still no definitive evidence of this.
Although the malware campaign first came to light in December, the intrusion went undetected for months. The SUNBURST malware was inserted into the Orion update in February 2020, and the update became available to customers the following month.
Brad Smith reckoned that the attack had been the work of “at least 1,000 very skilled, very capable engineers.”
At first, the FBI, NSA, and CISA attributed the attack to Russian intelligence, and later confirmed that they had found evidence linking the attacks on both SolarWinds and Colonial Pipeline to cyber criminals likely based in Russia, though not directly tied to the Russian government. In April, the Biden Administration imposed sanctions on Russia in retaliation for the attacks, and further pressed its concern over Russia harbouring criminal activity. President Biden said after the Geneva summit with President Putin that the US will not allow such attacks to go on without consequence. In addition to the sanctions, Biden said, “I pointed out to him we have significant cyber capability, and he knows it, he doesn’t know exactly what it is, but it’s significant” and “if they violate these basic norms, we will respond.”
We now know that at least nine federal agencies were compromised, including the Department of Justice and the Nuclear Weapons Agency, as well as 100 private firms. The attack on the government is limited to unclassified systems but its scope has been enormous. The full extent of the attack is still unknown, but it is thought that the hackers were able to leave additional backdoors and that the malware spread to other systems.
A Senate Intelligence Committee hearing in February 2021 heard that it was not only Orion users that were infected with the malware. Almost a third of the breaches were not caused by Orion software. Some organisations still don’t know whether they were hacked or not, and it could be years before government networks are completely secure.
Initial reactions to the SolarWinds Orion hack
There is no doubt that the magnitude and capabilities of this new variety of attack are alarming. In the case of SolarWinds, attackers have revealed the kinds of devastating breaches they have the capacity to unleash, though the damage here has so far been kept to a minimum. Still, the breach escaped the notice of numerous IT departments, tech giants like Microsoft, and the U.S. Government, which doesn’t bode well for the future. Business leaders now face the possibility of indiscriminate attacks that are apparently out of their control.
There has been a mixed response from those affected, which is not just the organisations using Orion software, but a wider web of unsuspecting victims. A sophisticated attack of this scale has shown its potential in deceiving some of the most advanced security systems on the planet, and is continuing to evade them. As a full recovery for the US government could take well over a year, many executives will see a breach of this size as a resounding wake-up call.
But corporations have been anything but unified in their response to the SolarWinds Orion breach. Microsoft claims that all of the attacks it could identify were against on-premises systems. President Brad Smith said at the committee hearing that “cloud security is essential to improving security maturity across many organizations”. He also said that the levels of detection within the cloud are more advanced than those of an on-site environment. Microsoft has suggested on its blog that a blended or hybrid approach to data storage leaves an additional seam to be secured, and a focal point for attacks on cloud services.
But this view is not shared by all. Senior Vice President of Hybrid Cloud Services at Hewlett Packard, Keith White, said that many customers believe internal storage to be safer and they prefer to know where their data is located. Hewlett Packard customers have not been found to be affected by the SolarWinds breach.
Senior Vice President of Cloud Business at Dell, Deepak Patil, also brings Microsoft’s criticisms of hybrid cloud into question. He says that “for a majority of customers, their workloads run on-premises”, so a complete migration to the cloud is not even practical.
Red Hat is the hybrid cloud services company that IBM acquired in 2019. Its chief executive, Paul Cormier, told the Wall Street Journal that “Any software could get broken into. The cloud providers could get broken into as well”.
This lack of consensus on the security of cloud approaches leaves many businesses in a state of uncertainty over how to restructure their services in the post-SolarWinds era.
Corporate interests come before IT security
It is easy to see from the disagreement in cloud approaches that the leading providers are putting their own interests first, rather than the security of their customers.
As one of the largest cloud providers in the world, it is no surprise that Microsoft has pushed for an increased use of cloud as the best security option. In the last decade, Microsoft and Amazon have been market leaders in popularizing pay-as-you-go remote software services as a business model. Amazon has so far been able to steer clear of the SolarWinds issue, though its data centres were used in launching part of the attack, so it was suggested they should have given evidence at the recent Senate committee hearing.
Although Microsoft also provides security for on-premises deployments, the company suggests that this is the more challenging option to secure, a position that fits its primary interest in cloud migration. On the other hand, companies that provide hybrid cloud options recommend an approach that combines the cloud with on-site deployments. Advocates of both of these contrasting approaches give security as the main reason for adoption, but few of the opinions put forward are without bias.
For enterprises that are looking for a robust response to the unsettling future that the SolarWinds hack presents, it would be wise to look beyond the distracting issue of warring cloud providers. While the security of your cloud strategy should not be downplayed, it is not the only concern in preparing for sophisticated and large-scale advanced persistent threats.
It is recommended that organisations review their incident response plans and revise or replace them as needed. This must be informed by newly uncovered facts, as well as by input from external sources, and it needs to be coordinated across the organisation. An in-depth investigation is required for all software that has been compromised.
For federal agencies, CISA issued an emergency directive that enumerates ways to identify the data compromised by the malware from Orion, and measures to reduce the risk from this breach. Businesses should also review their agreements with third-party vendors and see which of these have been using Orion. They should also consider how they will communicate the issue to their partners, customers, and employees within their community.
A powerful connective tissue
But in the larger picture, all businesses could benefit by introducing a new form of security that makes all of the important connections in an organization before cyber criminals are able to. Vulnerabilities are found in the places where the solutions of an organisation are disjointed, so what is needed is a connective tissue that can bring together key elements at every operational level.
In the case of the SolarWinds Orion hack, enterprises and government bodies have been compromised by a third-party supplier and while their cloud strategies may have been able to mitigate the damage, they probably would not have prevented the breach. A powerful connective tissue has the potential to reduce the disorder created by the use of multiple independent tools, and puts organisations in a better position to combat attacks from every angle.
There are still many unknowns surrounding the attack, and we have yet to find a silver bullet that can faultlessly safeguard against this level of sophistication. But that is not to say we cannot deploy sophisticated solutions with the ability to detect threats and reduce risk.
Security solutions offered by NewPush provide ways for dealing with the approaches used by the SolarWinds attackers. Bob Besharat, Executive Director of R&D and Security Portfolio at NewPush, makes the following points concerning the breach and the capabilities of NewPush products:
- The SolarWinds attackers used elevated credentials to steal certificates
Through its regular reviews, TrACE Identity would pick up on this activity. Access Audit is a comprehensive tool with the ability to detect unusual behaviour in identity management, so the espionage against SolarWinds employees would have been noticed.
- The attackers used vulnerabilities to execute malware remotely
With TrACE Shield, organisations are able to identify the vulnerabilities that allow remote execution. TrACE Shield also notices unusual activity through the use of an Intrusion Prevention/Detection System (IPS/IDS) or Endpoint Detection and Response (EDR).
- The attackers used known vulnerabilities (CVE-2020-14005 and CVE-2020-13169) to exfiltrate data from the victim's environment
These vulnerabilities are identified using our TrACE Platform, so provided the severity reaches the right level, the situation is addressed.
- The attackers used known malware (Kazuar) to penetrate
The discovery of this malware by any anti-malware (AM) program immediately triggers an alarm, thanks to AM integration into TrACE Shield.
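The identity-anomaly check mentioned above has a concrete precedent on this page: the breach at FireEye was spotted because a second phone had been registered for one employee's multi-factor authentication. The following is an added illustration, not NewPush product code and not from the original article, of what that check looks like over an MFA enrollment log. It assumes a constructed CSV format of `timestamp,user,event,device_id,source_ip` and flags any user who ends up with more than one active MFA device where the extra device was enrolled after a baseline date, noting whether the enrolling IP had never been seen for that user before.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log; the format (timestamp,user,event,device_id,source_ip)
# is an assumption for this example, not a real product's log schema.
SAMPLE_LOG = """\
2020-11-02T08:14:00Z,alice,mfa_enroll,phone-a1,10.0.0.12
2020-11-03T09:02:00Z,bob,mfa_enroll,phone-b1,10.0.0.40
2020-11-20T23:41:00Z,alice,mfa_enroll,phone-a2,203.0.113.77
2020-11-21T07:15:00Z,bob,mfa_login,phone-b1,10.0.0.40
2020-11-22T02:05:00Z,carol,mfa_enroll,phone-c1,198.51.100.9
2020-11-22T02:06:00Z,carol,mfa_remove,phone-c1,198.51.100.9
"""


def parse_log(text):
    """Parse CSV log lines into dicts; malformed lines are skipped."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != 5:
            continue
        ts, user, event, device, ip = rec
        rows.append({"ts": ts, "user": user, "event": event, "device": device, "ip": ip})
    return rows


def find_extra_mfa_devices(rows, baseline_cutoff):
    """Return (user, device, ts, ip, ip_was_new) for every active MFA device that
    was enrolled after baseline_cutoff on an account holding two or more devices.
    ISO-8601 UTC timestamps compare correctly as strings."""
    active = defaultdict(dict)        # user -> device -> (enrol ts, enrol ip)
    seen_ips = defaultdict(set)       # IPs observed for the user before each event
    enrol_ip_was_new = {}
    for r in sorted(rows, key=lambda r: r["ts"]):
        user, dev = r["user"], r["device"]
        if r["event"] == "mfa_enroll":
            active[user][dev] = (r["ts"], r["ip"])
            enrol_ip_was_new[(user, dev)] = r["ip"] not in seen_ips[user]
        elif r["event"] == "mfa_remove":
            active[user].pop(dev, None)  # removed devices no longer count
        seen_ips[user].add(r["ip"])
    alerts = []
    for user, devices in active.items():
        if len(devices) < 2:
            continue
        for dev, (ts, ip) in sorted(devices.items()):
            if ts > baseline_cutoff:
                alerts.append((user, dev, ts, ip, enrol_ip_was_new[(user, dev)]))
    return alerts
```

Carol's enrol-then-remove pair leaves her with no active device and produces no alert, while Alice's late second phone from an unfamiliar address is reported.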
A vast, sophisticated attack like SolarWinds is able to compromise government agencies and IT corporations because this level of connectedness is not in common deployment. What organisations need now more than ever is an intelligent connective platform that leaves no room for malicious intruders or, at the very least, reduces risk to an absolute minimum.
The Connective Platform™ integrates a host of cybersecurity tools into one system faster than any of our competitors, but that alone wouldn't give our partners the edge over cybercriminals. Simply gathering all the data from a number of connected elements would still require an army of experts to make sense of it; it's analogous to how gathering stock prices from markets all around the world doesn't tell you where to invest your money next. Our platform goes on to analyse that massive amount of data to give our partners the information they need: where the weak points of their cyber defence are, and how to address them.