On December 12th, 2020, FireEye, a cybersecurity company, notified SolarWinds that it had discovered a backdoor in SolarWinds’ Orion software. SolarWinds is a major IT firm that provides software for many entities, including Fortune 500 companies and the US government. FireEye had found the backdoor while investigating a breach of its own network, which its security team noticed when the attackers registered an extra device for two-factor authentication on a FireEye employee’s account. Around 18,000 SolarWinds customers downloaded the tampered update, including private companies like FireEye, Microsoft, and Cisco; US government agencies such as the Department of Homeland Security, the Pentagon, the State Department, and the Justice Department; and other entities like the California Department of State Hospitals.
Through this attack, unclassified systems at the U.S. Treasury Department were accessed but not damaged, and dozens of email accounts were compromised. The hack appears to have been an intelligence-gathering effort: no data seemed to be lost or corrupted. Many organizations received the tampered update, but the hackers did not go on to enter all of their systems.
Russian intelligence is believed to be behind the attack.
How did it happen?
The Cybersecurity & Infrastructure Security Agency (CISA) stated on January 6th that “incident response investigations have identified that initial access was obtained by password guessing, password spraying, and inappropriately secured administrative credentials accessible via external remote access services.” CISA was describing how the same attackers got into some victim networks without going through Orion at all, and weak credentials turned up on the SolarWinds side as well: in 2019 a security researcher reported that a password for a SolarWinds update server, “solarwinds123,” had been left in a public GitHub repository. Weak practices like these gave the attackers openings. Poor passwords alone do not explain the breach, however: the malicious update files carried SolarWinds’ valid digital signatures, which means the code was tampered with before it was signed rather than swapped out afterwards.
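As an added illustration (not part of the original article or of CISA’s guidance), the script below shows what the password spraying CISA describes looks like in an authentication log and how a defender can tell it apart from an ordinary brute-force attempt against one account. The log lines, the log format and the thresholds are constructed for the example.

```python
"""Spot password spraying and single-account brute force in authentication logs.

Added example, not code from the original article or from CISA/SolarWinds. The log
lines are constructed for illustration; the assumed format is
"<timestamp> <source_ip> <username> <SUCCESS|FAIL>".
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
2020-03-01T09:00:01Z 203.0.113.7 alice FAIL
2020-03-01T09:00:02Z 203.0.113.7 bob FAIL
2020-03-01T09:00:03Z 203.0.113.7 carol FAIL
2020-03-01T09:00:04Z 203.0.113.7 dave FAIL
2020-03-01T09:00:05Z 203.0.113.7 erin FAIL
2020-03-01T09:00:06Z 203.0.113.7 frank SUCCESS
2020-03-01T09:05:00Z 198.51.100.9 admin FAIL
2020-03-01T09:05:01Z 198.51.100.9 admin FAIL
2020-03-01T09:05:02Z 198.51.100.9 admin FAIL
2020-03-01T09:05:03Z 198.51.100.9 admin FAIL
2020-03-01T09:05:04Z 198.51.100.9 admin FAIL
2020-03-01T09:05:05Z 198.51.100.9 admin FAIL
2020-03-01T09:10:00Z 192.0.2.10 alice SUCCESS
2020-03-01T09:11:00Z 192.0.2.10 alice FAIL
2020-03-01T09:11:30Z 192.0.2.10 alice SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result))
    return events


def classify_sources(events, spray_min_users=5, spray_max_per_user=2, brute_min_attempts=5):
    """Return {source_ip: (verdict, compromised_accounts)}.

    Spraying: one source fails against many distinct accounts with only a try or two
    per account, the pattern CISA cites; it is shaped to stay under lockout thresholds,
    so per-account lockout counters never fire and you must count per source instead.
    Brute force: one source hammers a single account many times.
    compromised_accounts: accounts the same suspicious source later logged into, which
    is what an incident responder would reset and investigate first.
    """
    fails = defaultdict(Counter)   # ip -> Counter(user -> failed attempts)
    successes = defaultdict(set)   # ip -> users that source logged into successfully
    for _ts, ip, user, result in events:
        if result == "FAIL":
            fails[ip][user] += 1
        elif result == "SUCCESS":
            successes[ip].add(user)

    verdicts = {}
    for ip in set(fails) | set(successes):
        per_user = fails[ip]
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            verdict = "password-spraying"
        elif per_user and max(per_user.values()) >= brute_min_attempts:
            verdict = "brute-force"
        else:
            verdict = "normal"
        compromised = sorted(successes[ip]) if verdict != "normal" else []
        verdicts[ip] = (verdict, compromised)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, accounts) in sorted(classify_sources(parse_log(SAMPLE_LOG)).items()):
        print(f"{ip:<14} {verdict:<18} compromised={accounts}")
```

The point of counting per source rather than per account is that a sprayer deliberately touches each account only once or twice, so an account-lockout policy never triggers; only the fan-out from one address gives it away. In the constructed log, 203.0.113.7 is flagged as spraying and “frank” as the account it got into, while 198.51.100.9 is an ordinary brute-force attempt on “admin” and 192.0.2.10 is a user who mistyped a password once.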
Hackers gained access to the system SolarWinds uses to build updates for Orion, which let them inject malware (malicious software) into an update that the company then distributed to customers. This is known as a supply-chain attack: a supplier is compromised in order to infiltrate its customers’ networks. The malware planted on the build system is called SUNSPOT. SUNSPOT watched for the build process that compiles Orion and, each time it ran, quietly swapped in a backdoored source file, so the finished product, signed with SolarWinds’ legitimate certificate, contained a backdoor called SUNBURST. Once SUNBURST was running inside a customer’s network, it gave the hackers a way to install further malware and spy on that organization. SolarWinds was shipping updates containing the backdoor as early as March 2020, meaning the perpetrators spent months inside the company’s build environment without being detected.
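To make the build-system point concrete, here is an added toy example (not SolarWinds or CrowdStrike code): a fictional build pipeline in which a SUNSPOT-style implant swaps one source file only while the compiler is running, the vendor then signs the output, and the signature still verifies. HMAC-SHA256 stands in for the real code-signing certificate so the script needs only the standard library, and the file names, source text and key are all constructed. The last function shows the check a valid signature cannot provide: rebuilding from the committed source on a machine the implant never touched and comparing the result.

```python
"""Toy build pipeline: a SUNSPOT-style implant swaps a source file while the product
compiles, and the vendor's signing step then signs the trojanized output.

Added example, not SolarWinds or CrowdStrike code. The source files, the "compiler"
and the signing key are constructed stand-ins; HMAC-SHA256 takes the place of the
real code-signing certificate so the script runs offline with the standard library.
"""
import hashlib
import hmac

# Constructed source tree of a fictional monitoring product (not Orion's code).
CLEAN_SOURCE = {
    "Core.cs": "class Core { static void Main() { new Inventory().Refresh(); } }",
    "Inventory.cs": "class Inventory { void Refresh() { /* collect device data */ } }",
}

# Backdoored replacement the implant drops in only for the duration of the compile.
TROJANIZED_INVENTORY = (
    "class Inventory { void Refresh() { /* collect device data */ Beacon(); } "
    "void Beacon() { /* contact attacker infrastructure */ } }"
)

VENDOR_SIGNING_KEY = b"constructed-vendor-key"  # stand-in for the vendor's signing cert


def compile_tree(sources):
    """Deterministic stand-in for a compiler: the 'binary' is a digest over every file
    in sorted order, so identical inputs always produce an identical artifact."""
    h = hashlib.sha256()
    for name in sorted(sources):
        h.update(name.encode())
        h.update(b"\x00")
        h.update(sources[name].encode())
        h.update(b"\x00")
    return h.digest()


def sign(artifact, key=VENDOR_SIGNING_KEY):
    """Vendor signing step: vouches that this exact artifact came off the vendor's
    pipeline. It says nothing about what went into the pipeline."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def verify(artifact, signature, key=VENDOR_SIGNING_KEY):
    """What a customer's installer checks before trusting an update."""
    return hmac.compare_digest(sign(artifact, key), signature)


def vendor_build(sources, implant_active=False):
    """The vendor's build server. With the implant active it behaves like SUNSPOT:
    the checked-in source is left untouched, but the copy handed to the compiler has
    one file replaced. The signing step signs whatever the compiler produced."""
    compiled_from = dict(sources)
    if implant_active:
        compiled_from["Inventory.cs"] = TROJANIZED_INVENTORY
    artifact = compile_tree(compiled_from)
    return artifact, sign(artifact)


def independent_rebuild_matches(artifact, sources):
    """Reproducible-build check: rebuild from the same version-controlled source on a
    machine the implant never touched and compare byte for byte. A valid signature
    cannot reveal the swap; a mismatch here does."""
    return compile_tree(sources) == artifact


if __name__ == "__main__":
    clean, clean_sig = vendor_build(CLEAN_SOURCE)
    bad, bad_sig = vendor_build(CLEAN_SOURCE, implant_active=True)
    print("trojanized build carries a valid vendor signature:", verify(bad, bad_sig))
    print("trojanized build matches an independent rebuild:",
          independent_rebuild_matches(bad, CLEAN_SOURCE))
    print("clean build matches an independent rebuild:",
          independent_rebuild_matches(clean, CLEAN_SOURCE))
```

Running it prints True, False, True: the customer-side signature check passes on the backdoored artifact because the signature was applied honestly to a dishonest build, and only a second, independent build from the committed source exposes the difference. That is why signature verification on the customer’s side was never going to catch SUNBURST, and why build-integrity controls (reproducible builds, hardened and monitored build hosts) matter as much as signing.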
How was the hack addressed?
Since the breach was discovered, SolarWinds has released patches for the affected Orion versions and brought in Chris Krebs, a former federal cybersecurity chief, and Alex Stamos, a former Facebook and Yahoo security chief, as consultants to help secure the company. CrowdStrike is also supporting SolarWinds in its investigation and analyzing the root cause of the malicious code. FireEye has released detection signatures to the public so that organizations can look for the threat actor and the tampered software.
Government agencies and private companies are still working to figure out whether the network breach led to any loss of data, and there are still many unknowns about detecting and removing the hackers’ presence from their systems. If the attackers are not completely removed from the networks they entered, they could switch from spying to more destructive actions. Securing these systems is also expensive and difficult, and it could take years before the networks are trustworthy again.
Is the issue still being dealt with?
Absolutely. The most recent news is that the Senate Intelligence Committee will hold a hearing on the SolarWinds breach on February 23rd. SolarWinds CEO Sudhakar Ramakrishna is expected to testify, alongside Microsoft President Brad Smith, FireEye CEO Kevin Mandia, and CrowdStrike President and CEO George Kurtz.
For a full timeline of the SolarWinds Hack, click here.
What should everyone take away from this hack?
Just because you haven’t been hacked doesn’t mean you can’t be. You may think that a password like “Password123” is fine, but please think again. Create unique, complex passwords, use two-factor authentication, and be careful when sharing sensitive information online. Keep in mind, though, that good passwords alone would not have stopped a properly signed but tampered update; organizations also need to watch what trusted software does once it is installed.
To learn more about creating strong passwords, click here.