The SolarWinds of Change: What Happened, and What it Means

In the final stretch of an already challenging year, news of the attack on the SolarWinds Orion monitoring platform rattled businesses and the government alike. In the private sector, customers of SolarWinds included 425 of the US Fortune 500 companies, ten of the top US telecommunications companies, and five top US accounting firms. Government agencies, including the US Military, the Pentagon, and the State Department were impacted as well as universities and colleges.

The scale of the attack was massive and considered one of the largest ever. The hackers gained a foothold in computer networks around the globe. The attackers went to great lengths to avoid detection, leaving a very small footprint on the users’ systems.

What does this mean for cybersecurity in the future? How can businesses prepare for and protect themselves against future attacks?

The SolarWinds Orion Hack Explained

News of the SolarWinds attack first broke on December 8th, 2020—just as most people were preparing for the holidays and saying goodbye to a tumultuous year. It was an announcement that was stunning in its scale. Hackers used novel techniques and sophisticated tools to go undetected for months.

The sheer volume of companies impacted by the SolarWinds hack is still unknown, but experts believe the impact is global.

What Happened?

Hackers placed malware inside the SolarWinds Orion product. Companies that used Orion would apply routine, legitimate updates. As a result, the malware made its way into their networks without their knowledge.

This happened over the course of several months. SolarWinds identified the impacted period as March through June of 2020. Companies that downloaded, implemented, or updated Orion during this period received the malware.

Who Initiated the Attack?

The State Department and security firms believe that a Russian intelligence agency is behind the sophisticated attack. The Russian embassy denied responsibility in a December 13th statement.

The hack on the Orion platform is believed to be a nation-state attack, in other words, one carried out by a private group acting on behalf of a government.

The intent of a nation-state attack is to disrupt target governments or organizations. The goal is to gain access to valuable data or intelligence.

How Was It Discovered?

The security firm FireEye first raised the alarm. FireEye disclosed that state-sponsored hackers had broken into their network. Investigation of the breach revealed that hackers had weaponized the SolarWinds Orion updates.

FireEye then alerted SolarWinds that Orion contained a vulnerability. From that point, there was an immediate outbreak of concern among top government agencies, large companies, and other private businesses.

The impact was far-reaching. SolarWinds issued a security advisory outlining the hack and associated defensive measures.

Who Was Impacted?

Around 18,000 SolarWinds customers had installed the two Orion updates that contained the malware. The scale of the attack continues to grow and has had a global impact. Major companies that downloaded the compromised update include Cisco, Intel, Deloitte, and VMware, among many others.

The hack is considered to be a supply chain attack. In other words, rather than attack a target directly, hackers attacked a third-party provider (in this case, SolarWinds' Orion platform).

While supply chain attacks are not common, data breaches by third parties are. A survey found that 80% of companies had experienced breaches caused by third parties.

What Happens Next?

Technology experts are still learning how to mitigate supply chain attacks. There is no easy solution since companies rely on software to run their businesses, and routine updates are not perceived as a threat.

Companies may start needing to employ zero-trust networking principles. They may also need to assign role-based access controls to their applications and servers. However, this is a balance between the potential for attack and needing to run a business efficiently.

It is likely that there will be an increase in supply chain attacks in the future. Ransomware attacks have also been on the rise as cybercrime groups have adopted more sophisticated techniques.

How the Government and Businesses Reacted

The Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal civilian agencies to power down SolarWinds Orion products immediately. CISA’s guidance to organizations was that operational security remains at the forefront. Companies need to initiate incident response activities and implement remediation plans.

CISA determined that the exploit was of grave risk. The malware could monitor traffic on major federal network systems. There is also a high potential for compromise of government agency information systems.

Impacted businesses needed to respond swiftly to the attack. Identifying whether or not they had received the malware was only the first step. IT security teams needed to continue to hunt for threats and monitor their networks.

They had to assume that the hackers were monitoring their response. It might be necessary to involve an outside forensics team or experts to help identify whether the company was impacted. FireEye reports that the malware stops executing if it discovers that it is being analyzed.

Businesses that were not impacted also needed to contact any vendors that have access to their data. This is to identify if that vendor was using the Orion platform and how the vendor is responding.

In some cases, entire networks may need to be rebuilt. Disaster recovery efforts may be the solution, assuming that critical data and environment information was captured prior to the installation of the Orion update.

Threats on Cybersecurity

In a way, the world was poised for an attack of Orion's magnitude. Data breaches were on the rise in the months leading up to the SolarWinds attack. Hackers were taking advantage of the confusion caused by the coronavirus.

This is a result of more and more business happening online. Many companies had to make abrupt shifts from office work to employees working from home. This opened up an opportunity, as IT staff may have used shortcuts or pieced together security measures.

Cybercriminals always take advantage of confusion or uncertainty. Companies of all sizes are at risk for an attack. Losses from a cybersecurity incident can be costly for an organization.

The challenge of keeping a business safe and secure from attackers can seem daunting. Between bad actors looking to carry out smaller-scale cybercrimes and large-scale attacks like SolarWinds, it can feel like a constant threat.

How Businesses Can Prepare for the Next Cybercrime

Since some of the largest companies fell victim to an attack, it may seem like efforts to implement security are futile. However, this is not the time for businesses to let down their guard in any way, as cybercriminals are waiting to exploit weaknesses.

There are many things that businesses can do to minimize the risk of potential attacks.

Secure Your Hardware

Your business needs to begin with the basics, and that includes securing all hardware with a complex password. Devices should lock after a period of inactivity and require entering a password again. Stolen equipment is a risk, and an increased risk with employees working from home.

Ensure that you have policies in place to handle lost or stolen devices. This could include geolocation or remote wiping of information if a device falls into the wrong hands.

Encrypt and Back Up Data

If data does fall into the wrong hands, you can render it useless by encrypting the data. This protects sensitive information, such as customer data, employee information, and business data. You should implement full-disk encryption as well as the encryption of your data stored in the cloud.

Hackers sometimes will lock companies out of their own data and demand a ransom for its release. You can protect yourself by backing up your data in a separate location so that you can access the data again easily.

Focus on Security in the Workplace

Security isn’t only for IT administrators. Users need to be aware of threats and how to keep themselves and the company’s sensitive information safe. These measures can include:

  • Use software that scans emails for potential threats
  • Enforce strong password policies
  • Educate staff about the risks of accessing company information from an unsecured network
  • Teach staff to use personal devices in a way that minimizes risk
  • Have staff avoid unsecured websites
  • Restrict network administrator rights to a small number of users
  • Use robust anti-malware and firewall security software

Implement Cybersecurity Standards

If you work with outside vendors that have access to your data, include cybersecurity standards in your vendor contracts. Companies need to understand how these standards evolve over time. Contracts should also include language around what happens if the standards are not met.

Protecting Your Business in the Cloud

Despite threats of cybercrime, your business needs to be able to operate. The SolarWinds Orion attack is a reminder that companies need to remain vigilant and implement the best security measures possible. This includes proper threat detection and response, as well as robust preparation for disaster recovery.