Tuesday, December 15th, 2020
SolarWinds Orion Hack: Key Details
The recent cyberattack that targeted major branches of the U.S. government has left governments and major corporations worldwide scrambling to find out whether they, too, have fallen victim to the global cyberespionage campaign. The campaign, which penetrated multiple U.S. government agencies and came to light earlier this week, was delivered through a widely used network monitoring product installed at thousands of organisations.
About the Hack:
From as early as March 2020, malicious code was inserted into updates of a popular software product that monitors the computer networks of governments and businesses. The product, Orion, is made by the U.S. company SolarWinds, whose customers include most Fortune 500 companies and multiple U.S. federal agencies. The trojanised updates gave the attackers remote access into each victim organisation's network, from which they could steal information. This went undiscovered until the cybersecurity company FireEye determined in December 2020 that it had itself been breached; the attackers who infiltrated FireEye were seeking data on its government clients. Because the attackers have had access since March 2020, they have had ample time to extract information from many different targets.
While Russia has denied any involvement, it remains the prime suspect. Cybersecurity experts investigating the hack have said that its impact spans far beyond the affected U.S. agencies, and organisations worldwide are now checking whether the trojanised updates reached their own networks.
SolarWinds is a U.S. network monitoring provider based in Austin, Texas. It provides software and services to hundreds of thousands of organisations around the world, including most Fortune 500 companies and government agencies, among them the White House, the Pentagon and NASA, the U.S. space agency.
The compromised product is SolarWinds Orion, which accounts for almost half of the company's annual revenue; SolarWinds reported revenue of $753.9 million for the first nine months of this year. Orion is an IT performance monitoring platform that manages and optimises IT infrastructure. Its centralised monitoring looks for problems across an organisation's computer networks, which means that breaking into it gave the attackers a 'God's eye' view of each network. SolarWinds said in a financial filing that it had sent an advisory to approximately 33,000 Orion customers that might have been affected by the breach, but it estimates that a smaller number, fewer than 18,000, actually installed the compromised product updates earlier this year.
SolarWinds' vast network of federal clients has caused concern among U.S. intelligence officials, since any agency that installed the compromised updates could be at risk.
Has your organisation been affected?
Neither the investigators nor SolarWinds itself has released information on which organisations were breached. It is worth noting that using SolarWinds as a vendor does not by itself mean an organisation was exposed: the malware that opened the remote-access backdoors was injected into Orion product updates released between March and June 2020, and not every customer installed them.
Even among those who did install them, the attackers may not have chosen to go further. Sustained intrusions are expensive for the operators, and a disciplined campaign activates the backdoor only at targets holding highly sensitive information, because every activation raises the risk of the malware being detected. An organisation that installed a compromised update should therefore treat itself as potentially exposed even if no follow-on activity has been found yet.
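Because exposure depends on which Orion build each server actually installed, the first practical step is an inventory check. The script below is an added example for this article, not code from SolarWinds or from the investigators: it parses Orion version strings (the "YYYY.N[.M] HF k" form the vendor uses) and classifies each host against the affected window. The boundaries are assumptions taken from the advisory wording at the time of writing, namely the first trojanised build, 2019.4 HF 5, and the first clean hotfix, 2020.2.1 HF 2; verify them against the vendor's current advisory before acting on the output. The inventory is constructed sample data, not real hosts.

```python
"""Classify Orion hosts by whether their installed build falls in the affected window."""
import re
from typing import Dict, Iterable, NamedTuple, Optional, Tuple


class OrionVersion(NamedTuple):
    """Comparable form of an Orion build; tuple ordering gives chronological order."""
    year: int
    minor: int
    patch: int
    hotfix: int


# Orion builds are named "YYYY.N" or "YYYY.N.M", optionally followed by " HF k".
_VERSION_RE = re.compile(
    r"^\s*(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[OrionVersion]:
    """Parse '2019.4 HF5' -> OrionVersion(2019, 4, 0, 5); return None if unparseable."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    year, minor, patch, hotfix = m.groups()
    return OrionVersion(int(year), int(minor), int(patch or 0), int(hotfix or 0))


# Assumed boundaries (from the advisory wording at the time; confirm with the vendor):
# the first trojanised build and the first clean hotfix.
AFFECTED_FROM = OrionVersion(2019, 4, 0, 5)   # 2019.4 HF 5
FIXED_AT = OrionVersion(2020, 2, 1, 2)        # 2020.2.1 HF 2


def classify(version_text: str) -> str:
    """Return 'affected', 'patched', 'predates-window' or 'unknown' for one build string."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"          # cannot be parsed: investigate by hand
    if v < AFFECTED_FROM:
        return "predates-window"  # older than the first trojanised build
    if v < FIXED_AT:
        return "affected"         # conservatively: every build before the clean hotfix
    return "patched"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each (hostname, version) pair to its classification."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed sample inventory for demonstration only; these are not real hosts.
SAMPLE_INVENTORY = [
    ("orion-core-01", "2020.2 HF1"),
    ("orion-core-02", "2019.4 HF5"),
    ("orion-lab", "2019.2"),
    ("orion-apac", "2020.2.1 HF 2"),
    ("orion-dr", "n/a"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:16} {status}")
```

The check only says which build is installed now. A host that was already upgraded to the clean hotfix may still have run a trojanised build during the March to June window, so pair this output with install history before declaring any server clean.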
Who is Responsible?
SolarWinds has said it was advised that an “outside nation state” infiltrated its systems with malware. But neither the U.S. government nor the affected companies have publicly said which nation state they think is responsible. A U.S. official, speaking on condition of anonymity because of an ongoing investigation, told The Associated Press on Monday that Russian hackers are suspected. Russia said Monday it had “nothing to do with” the hacking.
The so-called supply-chain method used here to distribute the malware via SolarWinds' software recalls a technique Russian military hackers used in 2017, when they hijacked the update mechanism of an accounting package used by companies doing business in Ukraine to spread the disk-wiping NotPetya malware, widely regarded as the most damaging cyberattack to date.
What can be done to mitigate these attacks in the future?
Espionage as such does not violate international law, and cyber defence is extremely difficult, but retaliation against governments responsible for such hacks does happen: diplomats can be expelled and sanctions imposed. The Obama administration expelled Russian diplomats in retaliation for Kremlin military hackers' meddling in Donald Trump's favour during the 2016 election. Cybersecurity "has not been a presidential priority" during the Trump administration, and the outgoing president has been unable or unwilling to hold Russia to account for aggressive action in cyberspace, said Chris Painter, who coordinated cyberpolicy in the State Department during the Obama administration. The incoming Biden national security team has indicated it will be less tolerant and is expected to restore the position of White House cybersecurity coordinator that Trump eliminated. Industry experts have said that a stronger White House focus on cybersecurity will be crucial in defending against future attacks.
If your organisation currently uses SolarWinds Orion and you have concerns about how this hack may affect you, please contact our security experts today and take the following precautions:
- Apply the updates SolarWinds has provided for the affected Orion versions immediately, and treat any server that ran a compromised build as potentially breached until it has been investigated: patching removes the implanted code but not any access the attackers may already have established.
- Run Orion and all other software under the least-privileged account that will do the job, so that a successful attack on one component does not hand over broader access to the network.
- Remind all users not to visit untrusted websites or follow links from unknown or untrusted sources.