After Thanksgiving, the working class, especially the IT workforce, CISOs and CIOs, would have loved to sit back and sip on hot chocolate during the holiday season. After all, the COVID-19 pandemic stretched their resources beyond imagination as they worked around the clock to secure remote workforce and support business continuity plans. But this was a distant dream! There was a ticking time bomb waiting to explode, and when it did, forget hot chocolate, the cybersecurity industry found itself in a hot mess with SolarWinds.
The SolarWinds attack was discovered in mid-December last year and has since been in the news showcasing the extent of damages it has caused. The gravity of the situation seemed low at the beginning, with tech companies like Microsoft and FireEye claiming they had devised a “Killswitch” for the hack. But soon, the can of worms was opened when the White House issued an official statement accepting that multiple Federal Agencies were targeted in the hack. The situation got messier when Microsoft and Malwarebytes issued statements of compromise on how their source code was accessed in the attack.
Questions were left unanswered. So, we decided to bring you definitive answers to your what, when, why, and how of the SolarWinds hack. In a fireside chat with Mihir Bagwe, Tech Writer at CISO MAG, Pushkar Tiwari, Director Development at Symantec Enterprise Division of Broadcom Inc., unfolds the entire episode. Tiwari has closely followed and analyzed the modus operandi of the hack.
He has been leading Data Loss Prevention (DLP) and Cloud Access Security Broker (CASB) solutions in his current role and has more than 15 years of experience in cybersecurity and enterprise software.
Edited excerpts from the interview follow:
1. The Biggest Hack?
The hack has impacted more than 18,000 customers of SolarWinds across the globe. This includes a lot of Fortune 500 customers and U.S. federal agencies. It was a stunningly large and sophisticated operation that gave attackers access to a vast trove of U.S. government emails. It can be considered the biggest cyber raid against the U.S. government in years.
Another important characteristic of this attack was it stayed undetected for six to nine months. This gave an ample amount of time to attackers with privileged access to important and sensitive networks.
2. The Cause and Difference
The SolarWinds breach is a classic supply chain attack. Attackers used Sunspot malware to get access to the company’s software development pipeline and injected the Sunburst backdoor into the SolarWinds Orion Platform DLL. The backdoor comprised around 4,000 lines of code that allowed the threat actor behind the attack to operate unfettered with elevated access in a highly sensitive network.
The software update, which contained this backdoor, was made available to SolarWinds customers using their Orion platform. More than 18,000 customers downloaded this update from the authenticated source of SolarWinds. Once the software gets updated in the customer’s environment, the backdoor stays dormant for about 14 days and then starts communicating with the command-and-control server.
SolarWinds network management and security solutions are expected to run with elevated privilege in customers’ environments to provide the desired network management capabilities. This enabled the backdoor code as well to run with elevated privilege and provided unrestricted access to the network.
The backdoor was receiving the instructions on actions to be performed on the network from the command-and-control center and the backdoor was sending sensitive information to this server.
This attack is unlike other prior attacks like Equifax or the Sony data breach. In those hacks, attackers exploited the vulnerabilities in the software or got access to privileged credentials. This kind of attack only impacts very few customers.
3. The Late Detection
This attack was conducted by highly sophisticated attackers. They managed to get access to the SolarWinds deployment pipeline in September 2019 and employed various techniques to stay undetected in their environment. The backdoor initialization had very few lines of code and was nicely blended with the existing code of the Orion platform. They made sure that these lines of code do not lead to build failure or introduce any error to their existing code path.
The backdoor code had specific checks to not trigger in the SolarWinds test environment so that it would not get detected during their quality control process. It also ensured that security products were removed by meddling with registry keys, or it would not run if a security product was running.
Communication with the command-and-control server was also done in a very discreet way. It leveraged DNS responses like A records and CNAME records in a non-standard way and interpreted them to perform malware actions.
These different sets of strategies were meticulously executed and kept Sunburst undetected in SolarWinds and their customers’ environment for a longer time.
4. The Vulnerability Exploited
It was a typical software supply chain attack. Threat actors deployed Sunspot malware, which monitors the processes involved in compiling and building Orion product code — and in modifying one of the source files to include initialization code for the Sunburst backdoor. It appears that a significant amount of investment was made to ensure that the code was properly inserted and that the presence of malware remained undetected in their build environment.
5. The Worst Affected
The overall client list includes a lot of big names from the private sector as well as U.S. government federal agencies like the U.S. Military, the Department of Homeland Security, the Treasury Department, and the Department of Commerce. Its list of private sector customers is also huge and includes different business verticals like security, technology, telecommunications, and aviation.
This attack has impacted businesses of multiple sectors, and a lot of organizations are still evaluating the impact. Organizations will not reveal the true extent of damage done.
6. The Attackers Involved
As per the U.S. government’s investigations, Russia was most likely behind this attack. The Federal Bureau of Investigation (FBI), the Cyber Security and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) released a joint statement stating that a task force has been created to investigate the extent of the attacks and concluded that an advanced persistent threat (APT) actor is likely Russian in origin.
As per Kaspersky’s research, there are some links between the SolarWinds attacks and the Russian Turla (aka Waterbug) espionage group. There are several similarities between the Sunburst backdoor and older malware known as Kazuar.
The clear motivations are yet to be known, but based on the state actors involved, the most likely motivation could be intelligence gathering.
There is some news that a website named SolarLeaks was reported to be selling data stolen in the SolarWinds attacks.
7. Were You Hacked?
To know if your organization is affected by the hack, a detailed assessment of the software inventory needs to be done, and it needs to be ensured that SolarWinds code is not used in the environment directly or indirectly. If any machine is running the SolarWinds code, it needs to be immediately quarantined and carefully assessed to check if the machine is infected.
A thorough evaluation is needed to seek out any indication of a compromised network. If there are any signs of an attack, all instances of SolarWinds Orion must be disconnected from the network immediately. Also, all traffic to and from SolarWinds Orion needs to be blocked, and compromised accounts must be identified and removed.
After all compromised accounts and prior instances of SolarWinds have been updated or removed, all credentials used by or stored in SolarWinds Orion must be reset.
8. Prevention in Future
The SolarWinds attack is an eye-opener for all of us. It has demonstrated that build systems are very critical production systems, and they should get their due attention. Build systems should have a similar or higher level of security requirements than production environments. Build systems need to have stricter security audits.
This attack exposes that no industry standard specifically covers the security of vendors’ software development process. As part of the vendor’s selection process, their software build and development process should also be reviewed.
About the Interviewer
Mihir Bagwe is a Tech Writer and part of the editorial team at CISO MAG. He writes news features and technical blogs, and conducts interviews on the latest cybersecurity tech and trends.