At the end of 2020, Russia pulled off what Wired called “the biggest espionage hack on record.” At its most basic level, it was a supply chain compromise that led to what many in the industry call a “man-in-the-middle” attack. Except that SolarWinds was inadvertently the man in the middle.
Companies rely on SolarWinds – a third-party (man-in-the-middle) vendor – to provide network monitoring and other services. And at some point in 2020 hackers were able to compromise the software patches distributed by SolarWinds. The company says it has about 300,000 customers, including government agencies in the U.S. and Europe, as well as every branch of the military and most of the Fortune 500.
The problem and the scope of that popularity was evident when SolarWinds said that as many as 18,000 customers could be affected. It also raises basic questions about popular software products and who you allow to sit in the middle of your networks.
It’s easy to say it can’t happen to you. But time and again, supply chain attacks prove effective precisely because hackers break into and exploit flaws in commonly used products that many organizations trust.
How did it happen and what do you do now?
It’s easy to try to dismiss the hack as something that happened to someone else and not to your company. But in reality – and this is harder to admit and challenging to face – this is an issue for which almost every company is at risk. It is imperative that everyone protects themselves, now and in the future.
As The Washington Post reported, “compromised software patches distributed by a Texas-based company, SolarWinds, were central to Russian efforts to gain access to U.S. government computer systems.” A later alert from the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security alleged that evidence suggested there was other malware used to initiate what the alert described as “a grave risk to the Federal Government and state, local, tribal, and territorial governments as well as critical infrastructure entities and other private sector organizations.”
Russian hackers were able to gain access to massive and multiple government and corporate systems worldwide. The State Department, Treasury, Commerce, and Homeland Security departments, as well as the National Institutes of Health, were compromised – and even the Department of Energy and the National Nuclear Security Administration (which manages the country’s nuclear weapons stockpile) were breached.
According to Wired, Russia’s hack began as early as March 2020. It was discovered “when the perpetrators used that access to break into the cybersecurity firm FireEye, which first disclosed a breach on December 9.” The Wall Street Journal published details about what happened inside FireEye as it learned about and responded to its own compromise. The clue? “An employee received an alert that someone had logged into the company’s VPN using their credentials from a new device,” Wired reported. “Over 100 FireEye employees engaged in the response, which included combing through 50,000 lines of code to suss out any abnormalities.”
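The clue that tipped off FireEye was a login from a device the user had never used before. As an added example (not code from the original post or from FireEye), the script below builds a per-user baseline of devices seen in VPN authentication logs and flags the first successful login from a device outside that baseline; the log format, field names, timestamps and device identifiers are all constructed for the example.

```python
"""New-device VPN login detector (added example; log format is constructed)."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample log: timestamp user device_id source_ip result
SAMPLE_LOG = """\
2020-11-30T08:01:12Z alice dev-a1 203.0.113.10 success
2020-11-30T08:05:44Z bob dev-b7 198.51.100.5 success
2020-12-01T09:10:03Z alice dev-a1 203.0.113.10 success
2020-12-02T22:47:19Z alice dev-zz9 192.0.2.77 success
2020-12-02T22:48:01Z bob dev-b7 198.51.100.5 failure
2020-12-03T07:15:30Z bob dev-q3 192.0.2.78 success
"""


def parse_line(line: str) -> Dict[str, str]:
    """Split one space-separated log line into named fields."""
    ts, user, device, ip, result = line.split()
    return {"ts": ts, "user": user, "device": device, "ip": ip, "result": result}


def build_baseline(lines: List[str], until: str) -> Dict[str, Set[str]]:
    """Devices each user successfully logged in from before `until`.

    ISO 8601 UTC timestamps compare correctly as strings, so no parsing needed."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for raw in lines:
        ev = parse_line(raw)
        if ev["result"] == "success" and ev["ts"] < until:
            seen[ev["user"]].add(ev["device"])
    return seen


def detect_new_devices(log_text: str, baseline_until: str) -> List[Dict[str, str]]:
    """Return one alert per successful login from a device the user has not used.

    Devices seen during the baseline window are trusted. After that window,
    the first use of an unknown device raises an alert and the device is then
    added to the known set, so repeated use of it does not re-alert."""
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    known = build_baseline(lines, baseline_until)
    alerts: List[Dict[str, str]] = []
    for raw in lines:
        ev = parse_line(raw)
        # Failed attempts are not evidence of a new device in this model.
        if ev["ts"] < baseline_until or ev["result"] != "success":
            continue
        if ev["device"] not in known[ev["user"]]:
            alerts.append(ev)
            known[ev["user"]].add(ev["device"])
    return alerts
```

Against the sample log with a baseline cut-off of 2020-12-02, the detector flags alice’s login from dev-zz9 and bob’s from dev-q3 and nothing else.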
The US has invested billions of dollars in Einstein, which is a system designed to detect digital intrusions. The SolarWinds hack, however, was a supply chain attack. This means that Russian hackers “compromised a trusted tool” rather than using known malware to break in. As a result, “Einstein failed spectacularly.” There had been warnings about just this possibility. A 2018 report from the Government Accountability Office recommended that agencies and federal defense systems “take the supply chain threat more seriously.”
What can we learn from this enormous hack about how to better protect ourselves moving forward?
In addition to recommending that all federal agencies “immediately disconnect or power down SolarWinds Orion products,” CISA made additional recommendations that included rebuilding the Windows operating system and reinstalling the SolarWinds software package. And Microsoft suggested the following (as reported in NetworkWorld):
Supply chain attacks are nothing new, though they are becoming increasingly sophisticated and perhaps more damaging. “Supply chain compromises can expose an organization's internal networks and data, and prevention, detection, and mitigation require mature, cross-functional security capabilities,” said Matt Ashburn, Head of Strategic Initiatives for security vendor Authentic8, in a statement. “Mitigation and detection of supply chain threats require concerted coordination among traditionally disparate teams, including procurement, logistics, compliance, and security teams.”
Analysts with KuppingerCole suggested a strategic action plan for overall supply chain security. John Tolbert, lead analyst and managing director of KuppingerCole, said customers should start focusing on supply chain security.
In a word, Yes. And we’ve got training on several issues that were exploited in the SolarWinds attack including:
If you have the unfortunate incident and you do get hacked, we even have forensics training that will help you analyze your system and understand at a deep level what went wrong and how to protect yourself against future attacks.
It’s all here. You just have to use the tools. If you think training is expensive or time-consuming, consider the alternative. Contact us now, and you might be part of the group that says: we missed that one. We’re fortunate that our training was up-to-date, that our staff and systems were ready. Situation normal, we’re open for business.
Don’t let it happen to you. Contact us.