
SolarWinds hack: Security experts weigh in on US cyber-attack

The sheer scale of the cyber-attack remains unknown


The SolarWinds hack, which is reportedly being linked to Russia, is shaping up to be the biggest cyber-attack this year.

The attack targeted the US government, its agencies and several other private companies. It was first discovered by cybersecurity firm FireEye, and since then more developments are being reported each day.

The hack began as early as March, when malicious code was inserted into a software update for Orion, made by the company SolarWinds. The malware gave the attackers the ability to remotely access an organisation’s networks so they could steal information.

Key US government agencies, including the Treasury Department, an arm of the Commerce Department and the Energy Department, were targeted. It has also impacted tech giant Microsoft and 40 of its customers within and outside the US.

The sheer scale of the cyber-attack remains unknown as investigations are still ongoing. However, it is possible that thousands of organisations may have been affected as SolarWinds Orion is being used by over 18,000 customers across North America, Europe, Asia and the Middle East.

We reached out to regional industry experts to get their insights on the cyber-attack.

Sam Curry, chief security officer, Cybereason

News of a breach with the potential size of the one carried out on the US Treasury and Commerce Departments is eye-opening and of big concern. In addition, the directive from the Cybersecurity and Infrastructure Security Agency (CISA) urging all public and private sector companies to assess their exposure to the massive hack, and its plea to disconnect or power down SolarWinds products, is exceedingly infrequent. Quite frankly, I am shocked. People need to pay attention to this directive and respond. Not later today or tomorrow, but now.

The good news is that the infrequency of these types of directives will catch everyone’s eye and reinforce the seriousness of this latest breach. In other words, this warning should not go unnoticed. Since SolarWinds has tens of thousands of customers and more than 400 out of the world’s Fortune 500, a bold action like this was needed and required across the public and private sector.


Amazingly, this directive is the first of this scale that we have seen in 2020. Now we all want to know what the private sector companies protected in part by SolarWinds will do. We should all be listening carefully to SolarWinds as well. As defenders, their first job is protecting their clients, but they hold vital pieces of information as well. Their transparency and openness are extremely important. Playing the victim card in these instances is unacceptable. In the short term, for any customers of SolarWinds it is time to create a task force or war room to hunt adversaries and deal with the specific TTPs, vulnerabilities and exploits in question.

Let us all remember the fog of cyber war makes things in the moment very hard to tell and difficult to assess, but over time, whether it’s days, weeks or months, it will become clear. Today, this is a security drill that no one wants as 2020 gets in its parting shots. As public and private sector companies share common tools, practices and managed services, it is important to remember that homogeneity can make us vulnerable and these threats can spread like wildfire if not dealt with immediately.

With the US government looking to transition between administrations, cyber activity that leads to lockdowns and freezes has the potential to slow or damage government transition work. With the inauguration in January, it is important that first we do not allow any damage, but also after that the government can proceed in its normal transition of administrations.

Morgan Wright, chief security advisor, SentinelOne

One caveat – this is very early in the damage assessment. As with any network compromise, it might take months to uncover the information needed to provide proper attribution and develop countermeasures.

This attack targeted more than the federal government, so the damage will be far reaching. Based on the available information, the attackers (Russia’s SVR, based on other reporting) initially compromised SolarWinds, a network management software application used by many in the government, defense industrial base, and private sector (400 or 500 F500 companies).


Instead of attacking hundreds of targets, the technique was to attack one target that serviced hundreds of customers. By piggybacking their malware on the updates from SolarWinds, this made the malware appear to be trusted because SolarWinds and their updates were trusted.

This is very similar to the type of attack Russia carried out against Ukraine and their energy grid back on December 23, 2015. The BlackEnergy malware also had a first-of-a-kind tradecraft – operation specific malicious firmware updates that targeted the serial-to-ethernet adaptors used to open/close breakers at the energy plants. This is very consistent with the current tradecraft.

This attack reinforces the need to upgrade legacy protection schemes and techniques to modern, behaviour-based types of approaches. A single solution will never solve all problems. Rather, modernisation of the IT infrastructure and AI-based defence will at least level the playing field. The attackers always have the advantage, but we can change that by detecting and responding at machine speeds.

Ammar Enaya, regional director – METNA, Vectra

This is a significant example of a well-executed supply chain attack compromising a popular IT administration tool as a penetration mechanism. The subsequent exploitation of authentication controls enabled the threat actor to pivot to the cloud and operate undetected for an extended time in Microsoft 365, which allowed them to gather intelligence. The US Government’s Cybersecurity and Infrastructure Security Agency (CISA) has issued an Emergency Directive calling on “all US federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately.”

As organisations increasingly become hybrid cloud environments, we’ve seen attackers focus on privileged access and the use of legitimate tools for malicious actions. For example, in a recent study of 4 million Microsoft 365 accounts, we identified that 96% of organisations exhibited lateral movement behaviours, including multifactor authentication (MFA) and embedded security controls being bypassed. A threat actor can then, with a few clicks, reconfigure email rules, compromise SharePoint and OneDrive file stores, and set up persistent reconnaissance and exfiltration capabilities using built-in M365 tools such as eDiscovery and Power Automate.

Opportunities for these kinds of attacks are vast and growing. This highlights the need for security teams to be able to tie together all host and account interactions, as they move between cloud and on-premise environments, in a consolidated view. Security teams also need to drastically reduce the overall risk of a breach by gaining instant visibility and understanding of who and what is accessing data or changing configurations, regardless of how they are doing it, and from where.