The SolarWinds Hack – Pearl Harbor without planes

As if 2020 wasn’t unpleasant enough, the SolarWinds hack added fuel to the fire right at the end of the year. A – presumably – state-sponsored hacker group managed to break into the product repositories of the software manufacturer SolarWinds during 2020 and introduce malware into their network management software Orion. As a result, thousands of customers automatically updated their software with the contaminated version and opened their network to the attackers. We are talking about almost 20,000 organizations who had received malware from Russia with love by the end of the year. An initial investigation has revealed at least 250 networks that were exploited and explored by the attackers. Among them are illustrious names such as several American research and defense institutions, Microsoft and the security provider FireEye, who first noticed the attack. It’s bad enough that the malware remained undiscovered in almost 20,000 organizations for months. But that several hundred companies failing to notice that hackers were active inside their networks is even more dramatic.

New findings continue to come to light. A lot more forensic research is needed before we will know the full story. It is already clear that FireEye became aware of suspicious activities on its network in early December. The analysts were able to verify an active intruder and reported a data leakage. FireEye fully disclosed all details of the attack, which was not without irony, ‘Imagine that – a security company got hacked...’ However, it soon became clear that FireEye was by no means the only victim, rather it was the only organization that discovered the attackers. Every company that enabled automatic updates to the software since the beginning of 2020 has let a Trojan into their network, which is capable of different activities depending on the interests of the hackers. The backdoor, known as SUNBURST, is part of the correctly digitally signed DLL SolarWinds.Orion.Core.BusinessLayer. After installing the backdoor, SUNBURST waited up to two weeks before establishing communication with the attackers, disguised as legitimate Orion activity via HTTP. SUNBURST then triggered file transfers and executed code, created profiles of infected systems, and was able to stop processes and restart infected systems. SUNBURST stores data from scans in config files so that increases in data volumes are not noticeable. SUNBURST also detects and bypasses active anti-malware programs. Unfortunately, the victims also helped it unwittingly on its way. A SolarWinds support document recommended that Orion’s directories should be excluded from antivirus software monitoring as this could cause problems.

Although many details are still unclear, an incident reported by a security analyst at the end of 2019 is worrying. He had found credentials for SolarWind’s FTP servers in a GitHub repository and informed the manufacturer. Although SolarWinds confirmed that the problem had been resolved, the data had probably already been publicly available in the repository for several weeks. Many of those affected are still evaluating the actual damage. With the coronavirus pandemic and the presidential election, most organizations already had enough on their plates. But one thing is already clear now for the road ahead: The SolarWinds hack throws the information security strategy of most companies out of the window. If code from trusted parties can be hacked, smuggled in and then exploited so easily without the organizations concerned realizing it, any efforts that have been made so far are rendered useless.

One commentator has already described the hack as the “Pearl Harbor of American IT”. If that sounds dramatic, it’s because it is. No one can check between dozens and hundreds of programs that automatically receive updates via the Internet. A staging environment for every application, with testing and network analysis before the official rollout, is an organizational nightmare. And virtually every malicious programmer builds a time delay into their malware so that it only becomes active after weeks or months. If such an attacker compromised Microsoft’s update system, tens of millions of IT systems would be in the hands of hackers every first Tuesday of the month. Something like this is not that far off. Microsoft is also one of the companies explicitly visited by the hackers. According to Microsoft, the attackers had access to Windows source code. Microsoft assures us that the hackers had read-only access and there is no indication that anything else has been changed. This time. But what if the next attack is more successful?

The SolarWinds hack may actually trigger a rethink. While most attacks are usually dismissed quickly and without a great deal of fuss, even if they result in severe penalties, this time businesses actually seem to be afraid. Sijoitusrahastot's Finnish investment analysts expect the SolarWinds hack to lead to a 20% increase in IT security budgets in 2021. These are massive figures, and the total value of cybersecurity spending is already more than USD 43 billion. In comparison, spending grew by just over 5 percent between 2019 and 2020. Organizations always balance between restrictive security measures and the highest possible productivity. This balancing act has become even more difficult. If attackers can abuse legitimate software, and obviously without great difficulty, the concepts of Assume Breach and Zero Trust must become mandatory. But implementing a concept that affects all areas of the company is another matter entirely to rolling out a new firewall into the rack. It requires the support and willingness of all stakeholders in the company, a sufficient budget and a sense of urgency of the situation.