Organisations should therefore make every effort to improve visibility over the activities and transactions happening inside their networks, especially if they rely on the services of vendors or third-party suppliers. What are the key takeaways from this incident? First, it is likely that supply-chain attacks will continue to occur. This makes detecting the hackers’ presence and tracing their steps within the network extremely difficult. Their forging of authentication tokens allowed the hackers to roam the targeted network practically at will, as if they were one of the target organisation’s trusted employees.
More insidious and problematic than compromising the SolarWinds supply chain was the hackers’ abuse of authentication mechanisms, which are a trusted part of a victim’s internal network. Cybersecurity agencies and researchers are still watching for signs of further breaches in the affected tech firms, which could have an even greater impact than the SolarWinds attack. Such was the case in the SolarWinds breach. The compromise of a single, trusted supplier – or a popular and widely-used product – can result in multiple victims, some of which could be major vendors themselves with even larger customer bases. Organisations today often depend on external vendors such as tech firms and managed service providers. Supply chain attacks can generate wide “ripple effects”, due to the interdependencies that characterise the global economy. The SolarWinds breach is an example of a supply chain attack, in which the hacker’s intrusion into the victim’s network is facilitated by first compromising one of the victim’s trusted suppliers. WHAT MAKES THE SOLARWINDS BREACH SO SERIOUS, AND WHAT CAN WE LEARN FROM IT? The vast majority of this smaller group were US-based entities – US government agencies and tech companies, including the likes of Cisco, VMWare, and Microsoft. Of these, experts believe that the hackers targeted a much smaller number of organisations with follow-on activity.
The hackers could also plant more backdoors in other parts of the breached network.Īround 18,000 of SolarWinds’ public and private sector customers around the world downloaded – and were hence exposed to – the malicious software updates. These tokens, akin to a security pass belonging to someone in the target organisation with high-level clearance, could grant the hackers access to restricted sections of the target organisation’s network as well as its assets in the cloud, such as e-mails. They were observed to have forged trusted tokens. Once inside a victim’s network, the hackers blended in, and looked for opportunities to escalate privileges (or gain privileged access) and abuse authentication mechanisms. Analysis of their tactics, techniques and procedures showed that the hackers were patient, disciplined, and prioritised stealth to minimise exposure of their operations. The hackers’ approach and behaviour stood out in this incident. Any organisation that downloaded the tainted updates effectively gave the hackers a backdoor into its network.
Sometime in 2019, hackers managed to infiltrate SolarWinds’ production network to insert malicious code into Orion’s software updates. However, it was precisely this market dominance that led hackers to target the Texan firm. Used by numerous government agencies and Fortune 500 companies worldwide, it is the pre-eminent product in the network management space. In the world of network management software, one name stands head and shoulders above the competition: SolarWinds’ Orion platform. This issue of CyberSense takes a closer look at what happened, how global agencies and CSA responded to the incident, and a few observations and learning points we picked up. “One of the most high-profile cyberespionage campaigns in recent years.” “Among the most ambitious cyber operations ever disclosed.” “A moment of reckoning.” These are some of the descriptors applied to the SolarWinds breach, which the global cybersecurity community has been intently monitoring since it was first reported in mid-December 2020.
CSA provides periodic updates to these bulletins when there are new developments.
CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries.