The SolarWinds attack, one of the biggest hacks in history, was discovered at the end of 2020. It has been keeping plenty of cybersecurity professionals up at night ever since.
If you’re not amongst them, you might think that the SolarWinds hack doesn’t affect you in any way. After all, the name does not sound familiar.
However, it might have impacted services you use regularly. Big tech corporations like Microsoft, Intel, and Cisco admitted they found malware in their systems, as did thousands of companies and government agencies around the world.
That’s because the SolarWinds security breach was a supply chain attack. This story is still developing, but let’s see what we know so far.
The hack: an intelligence-gathering effort
A supply chain attack, also called a value-chain or third-party attack, occurs when a hacker gains access to a system through an outside partner or provider with access to the system.
FireEye, a cybersecurity firm working with many essential state agencies and organizations, was the first to discover the SolarWinds attack. Apart from stating that the hacking campaign involved numerous companies, FireEye disclosed they were affected as well.
According to US federal agencies, the hackers who compromised IT management software from SolarWinds started the entire operation in March 2020. However, the breach was identified and became public only in December 2020.
ICYMI: @FireEye CEO Kevin Mandia says the #SolarWindsHack origins show "earliest evidences of being designed in October 2019" when an innocuous code was changed in the Solar Winds Orion platform. "This is potentially the biggest intrusion in our history."
— Face The Nation (@FaceTheNation) December 20, 2020
On January 5th, 2021, the Federal Bureau of Investigation, the National Security Agency, the Cybersecurity and Infrastructure Security Agency, and the Office of the Director of National Intelligence made a joint statement declaring the SolarWinds hack was most likely from Russia.
The four agencies defined the hack as “an intelligence-gathering effort.” It was not an operation aimed at destroying or disrupting US-based IT infrastructure. SolarWinds Inc. is an American company that develops software that helps businesses manage their networks, systems, and information technology infrastructure.
In this massive breach, Russian hackers inserted malicious code into an update of SolarWinds’ Orion software. Companies use Orion to manage network performance, log files, storage, and configuration processes, among other operations.
Around 18,000 SolarWinds customers installed the Orion update, which is how they were infected with a version of the Sunburst backdoor trojan. Because the hackers had inserted the malware into a signed, trusted software update, it was challenging for security professionals to spot it.
Russian hackers’ master plan poses a double concern:
- First, they designed a very sophisticated attack. Instead of relying on phishing campaigns to trick users into downloading malicious software, they simply waited for their targets to install a routine update.
- Second, the widespread effect and the scale of this data breach could be far beyond any cybersecurity specialist’s imagination.
Welcome to Microsoft’s source code
After initially denying that they were affected by the hack, Microsoft confirmed they were also impacted. Before bringing the news to light, Microsoft began quarantining Orion versions that included the malware to cut the hackers off from customers’ networks.
In Microsoft’s case, attackers pretended to be one or more real users so they could access the organization’s cloud services and identity management provider, such as Microsoft 365 or Azure Active Directory – the backbone of Office 365.
NEW: CISA said this week that the threat actor behind the SolarWinds hack also used password guessing and password spraying to breach targets, not just trojanized Orion updates https://t.co/qHyEYMY4jA
— Catalin Cimpanu (@campuscodi) January 8, 2021
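Password spraying, the technique the tweet above refers to, tries one or two common passwords against many accounts from the same source, staying below per-account lockout thresholds. The following detection logic is an added example (not code from the original post or from CISA): it runs over constructed, simplified sign-in records and flags a source that fails against many distinct accounts in a short window, while leaving a single-account brute force (a different pattern) unflagged. The log format, thresholds and IP addresses are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): timestamp, source IP, account, result.
SAMPLE_EVENTS = """\
2021-01-08T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-01-08T10:00:09Z 203.0.113.7 bob@example.com FAIL
2021-01-08T10:00:17Z 203.0.113.7 carol@example.com FAIL
2021-01-08T10:00:25Z 203.0.113.7 dave@example.com FAIL
2021-01-08T10:00:33Z 203.0.113.7 erin@example.com FAIL
2021-01-08T10:00:41Z 203.0.113.7 frank@example.com SUCCESS
2021-01-08T10:01:00Z 198.51.100.4 alice@example.com FAIL
2021-01-08T10:01:05Z 198.51.100.4 alice@example.com FAIL
2021-01-08T10:01:11Z 198.51.100.4 alice@example.com SUCCESS
"""


def parse_events(text):
    """Parse whitespace-separated records into (timestamp, ip, account, result) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    return events


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {ip: {'accounts': set, 'successes': set}} for every source IP whose
    failed logins hit at least `min_accounts` distinct accounts within `window`.
    'successes' lists accounts that later succeeded from the same IP, which is
    where an incident responder would look first (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        by_ip[ip].append((ts, user, result))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        failures = [(ts, user) for ts, user, r in rows if r == "FAIL"]
        start = 0
        for end in range(len(failures)):  # sliding time window over failures
            while failures[end][0] - failures[start][0] > window:
                start += 1
            accounts = {u for _, u in failures[start:end + 1]}
            if len(accounts) >= min_accounts:
                successes = {u for _, u, r in rows if r == "SUCCESS"}
                alerts[ip] = {"accounts": accounts, "successes": successes}
                break
    return alerts
```

The single-account failures from 198.51.100.4 are not reported, because the spray signature is breadth across accounts rather than depth against one.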
Once inside the Azure Active Directory, hackers captured what security experts like to call “the keys to the kingdom”. Many companies use this software to create and manage network accounts, passwords, and privileges.
So, it became clear that the SolarWinds hack had heavily compromised Microsoft’s source code, the set of instructions that reveals how a piece of software or an operating system runs. However, it still isn’t clear how much of Microsoft’s source code, or which parts, the hackers could access.
Based on recent findings, Microsoft-authorized resellers were also hacked.
Microsoft has published a report today about the SolarWinds attacks. A must read for incident responders as it goes into detail about newly uncovered techniques, payloads, and connections. https://t.co/7yIwpUeU6s
— Catalin Cimpanu (@campuscodi) January 20, 2021
The US power grid was also impacted
The SolarWinds breach also affected several critical infrastructure companies in the electric, oil, and manufacturing industries that were also running Orion. The malicious update also spread to three connected original equipment manufacturers (OEMs).
OEMs have remote access to critical parts of customer networks. They also have the right to make changes to those networks, install new software, or even control critical operations. This means that hackers who breached the OEMs could potentially use their credentials to manipulate critical customer processes.
As US security officials have noted, compromising even two OEMs could help hackers reach hundreds of industrial control system networks worldwide. And hacking power grids is nothing new for Russian attackers.
In 2015, Russia hacked several Ukrainian power distribution plants and cut out power for over 200,000 customers for several hours in the middle of winter.
They repeated the operation in 2016 when they cut out power for about an hour while also invading Ukraine’s national railway system.
Experts believed it was merely a test to see how they could optimize their techniques and put them into play in other countries, such as the US.
Plenty of companies were targeted
Based on what we know so far, here are just some of the companies and organizations targeted in the SolarWinds hack:
- US Department of Homeland Security
- US Department of the Treasury
- US National Institutes of Health
- California Department of State Hospitals
- US Department of Energy
- US National Nuclear Security Administration
- US Justice Department
- Kent State University
- AT&T
- Procter & Gamble
This list keeps getting longer as we learn more about the hack’s extent.
We knew the attackers used other vectors besides the SolarWinds software to breach some victims, but this percentage — 30% — significantly widens the potential scope and complicates forensic investigations that are just focused on finding SW compromises https://t.co/ZWmEeE81DL
— Kim Zetter (@KimZetter) January 29, 2021
Do you think companies will enforce tighter security measures? In what way do you believe the SolarWinds hack will affect end users?
Let me know in the comments below, and thanks for being a Privacy Hub reader!