Industry leaders are acting quickly to determine the full extent of the SolarWinds security breach which was reported this week and compromised the U.S. Departments of Treasury, Commerce, Homeland Security, and State. Other breached entities include cybersecurity company FireEye, Microsoft, and of course, the IT company at the center of the incident, SolarWinds. Cybersecurity professionals everywhere are working around the clock to determine the extent of the breach, contain compromised systems, and fight back against threat actors. While they’re hard at work, here’s a summary of what is known on the hack so far.
The Scope of the Breach is Staggering
The final means of entry to targets selected by threat actors was a compromised update server at SolarWinds, which allowed threat actors to insert backdoor access into any system that fetched an update for the product Orion. Normally, updates are vitally important for maintaining security, as they frequently patch known vulnerabilities. In this case, however, updates were used to create a vulnerability instead.
The extent of potential damage is staggering. SolarWinds’ customers include all branches of the United States Military, a list of federal agencies and departments too long to include here, the majority of Fortune 500 companies, and all top 10 telecommunications companies in the United States. Until every single potentially compromised entity is thoroughly audited, the extent of the damage is not known. Meanwhile, threat actors are likely to be continuing their work, their reconnaissance and penetration objectives already accomplished. Systems that have been totally disconnected to prevent remote access and control will already have been searched for information to aid threat actors in their next objectives. Since the attackers’ primary objective appeared to be to gather information about their targets, the damage is already done. Response efforts, while necessary, cannot undo the damage.
Most concerning is the theft of the offensive security tools of the first known target of the breach, FireEye. This not only means that threat actors now have all the firepower of FireEye at their disposal to conduct attacks on other targets, it also means that the utility of these tools to researchers and white hat hackers is also diminished. Since FireEye’s red teaming tools has been stolen, the company now has to publish detection guides to teach others how to defend against their tools when they’re used for wrongdoing.
Some Amateur Mistakes Were Made
While these next details are not confirmed to be the cause of the SolarWinds security breach, they should underscore the severity of incompetence that still exists in critical systems today. Reuters reports that researchers previously alerted SolarWinds of embarrassing vulnerabilities, such as an update server (the kind compromised by this attack) being guarded by the password “solarwinds123.” The IT giant was also informed that threat actors had been selling backdoor access to its product Orion for some time. It is unclear if these darkweb dealings were involved in this incident.
FireEye first detected the breach, and upon discovering an intrusion into their systems was caused by SolarWinds Orion, notified them of the incident. SolarWinds has since determined that the attack on the update server was initially carried out much earlier this year, between March and June.
Unfortunately for SolarWinds, late detection of the breach isn’t the only arena where lethargy has caused embarrassment. Microsoft has beaten them to the punch in the response effort, publishing a detailed guide to diagnose possibly compromised systems, updating Windows 10 to automatically quarantine the attacker’s malware backdoor, and using legal action to disable threat actors’ remote command and control servers that make use of the backdoor. With others cleaning up the mess caused by the quiet invasion of SolarWinds, they are likely to lose public trust. The financial loss is obvious. Stock price on NYSE fell from 23.55 on Friday to 17.92 USD at the time of writing.
Who Are the Threat Actors?
While some sources currently report that a Russian state-sponsored group is behind the attack, some cybersecurity researchers say that conclusion is premature. Official announcements from CISA and other official agencies involved in the response have not identified a threat actor. Instead, reports that Cozy Bear executed the attack refer to reports given to journalists by independent cybersecurity researchers under the condition of anonymity. Without credentials and evidence available for inspection, it is not possible to determine at this time who orchestrated the invasion of the United States government or the many other SolarWinds customers.
How Will This Affect My Business?
If your organization used the Orion product as any part of your management strategy between March and the present day, you need to direct your IT or Cyber experts to immediately determine if your systems have been breached. Keep in mind that even if your systems were not attacked directly by Sunburst/Solorigate malware, you could still be compromised by others’ systems. You should look for announcements from your partners, vendors, and providers about the status of their response efforts, and make an inquiry if no public-facing status messages are available. A comprehensive security audit may be necessary, and depending on the size of your organization and the value that threat actors assign your assets, you may need to ask for help from experts outside your organization. Taking these initial steps to determine if your company was affected by the SolarWinds security breach is imperative so you and your team can quickly create a response plan and prevent any additional damage from occuring.
Do you want to learn more about cybersecurity? Please subscribe to our newsletter.