Months after being discovered, the world is still abuzz with talk of the SolarWinds attack. In all likelihood, we’ll still be talking about it for years to come. SolarWinds was unprecedented in its target and scope. It also highlights a new and alarming trend in cyberattacks—the software supply chain attack.
We first wrote about the attack in Dec 2020, after the world first learned that a zero-day vulnerability in the SolarWinds software had been exploited, impacting over 18,000 of their customers. Since then, more information has come to light about the attack, including who was targeted and how it was executed.
How the attack was executed & how it went undetected
FireEye, a cybersecurity software firm and victim of the attack, was the first to publicly ring the alarm bell on December 8th, 2020 when they discovered their systems had been compromised. In fact, it wasn’t until after reviewing 50,000 individual lines of source code while probing its own hack that FireEye determined there was a backdoor in the SolarWinds® Orion® IT management software the organization was using. This meant that it wasn’t just FireEye that was vulnerable, but any SolarWinds customers that also downloaded the same version of the Orion software.
Exactly when SolarWinds was compromised is unknown, but there are indications that it was as early as October 2019, when the Russian SVR hacking group, Cozy Bear (who also played a role in the DNC hack and 2016 disinformation campaign), first introduced the malware. Using compromised credentials, the attackers inserted the malware known as SUNSPOT to create a SUNBURST backdoor into the build and release process of SolarWinds’ Orion software. After the corrupted software update was installed by 18,000 of their customers, the malware performed reconnaissance, received commands, and offloaded info to attacker-controlled servers.
The attackers were extremely strategic in their methods and timing. They took advantage of both the COVID-19 pandemic and the US presidential election as distractions. In addition, they engineered the attack to be undetected by using servers located in the US to execute the attack, taking advantage of the NSA’s prohibitions against domestic surveillance.
It also avoided discovery by the cyberattack detection system deployed across all government agencies, called Einstein. However, this is in large part due to the fact that Einstein is designed only to detect pieces of known malware being used in a new way, and is not designed to detect new or novel malware. Despite the billions of dollars spent on the system, Thomas Bossert, cybersecurity expert for the George W. Bush and Trump administrations, said “Einstein wasn’t designed properly,” and this lack of foresight was a “...management failure.”
Cut corners lead to major gaps in cybersecurity
It’s come to light, as a result of this attack, that the SolarWinds company had a total lack of focus on security. While cutting corners in the name of cost-savings is not unique to SolarWinds, the company didn’t actually tack on security measures until they were forced to in 2017 in order to remain compliant with a new European privacy law. In addition, they made egregious and common sense errors like making the update server password “solarwinds123”. Even days after the attack, SolarWinds had still not taken down the corrupted code from their website.
The unfortunate reality is that SolarWinds as a company is not alone in cybersecurity corner cutting. In fact, a number of alarming statistics have come to light in recent months, revealing that many organizations do not have the minimum level of cybersecurity necessary to combat well known and easy to do detect attacks, let alone an attack as sophisticated as the one suffered by SolarWinds.
An IDG survey found that 78% of respondents reported that they believed their organization lacked sufficient cybersecurity and were at risk to suffer a cyberattack. This lack of confidence stems from a new distributed IT landscape made necessary by the COVID-19 pandemic and subsequent work from home orders.
Even with basic security measures in place, organizations are still vulnerable to software supply chain attacks like SolarWinds.Organizations that are sure to have decent cybersecurity defenses like The Pentagon and Department of Homeland Security were impacted by the attack because software supply chain attacks are incredibly difficult to detect, and will often infect systems for extended period of time before finally being detected and removed.
Software Supply chain attacks are highly leveraged targets
18,000 of SolarWinds’ unsuspecting customers—which include federal government agencies, like the Pentagon, the Department of Homeland Security, and the State Department— downloaded the corrupted update of Orion. In this corrupted version, code injected by the attackers awaited instructions from the hacker group. Once those instructions were executed, Orion downloaded more malicious code. This attack method allowed Cozy Bear to circumvent the network and steal data.
SolarWinds is not the first attack of this nature. Supply chain attacks, sometimes called third-party or value-chain attacks, have been in the news for pretty much as long as cyberattacks themselves have been. Attacks that infect software include the Target data breach of 2013 and the 2017 Equifax hack. Meanwhile, devices considered part of the hardware supply chain are also vulnerable. The infamous 2009 Stuxnet attack is also considered a hardware supply chain attack. All of these incidents relied on the compromising of a third-party vendor with access to the end target organization’s systems and data.
Although not unique in its nature, SolarWinds is unique in its scope of impact—corrupting over 250 federal agencies and commercial businesses, it demonstrated that a third-party software supplier is an extremely juicy target. This will not be the last software supply attack of this scale that we see—if anything, it’s opened up Pandora's box.
Software supply-chain attacks are attractive attack vectors for government-backed hacker groups and cybercriminals alike due to their ability to jump right over traditional perimeter defense mechanisms like firewalls and intrusion detection systems. This is because software supply chain attacks are well-hidden within legitimately code-signed software updates from a trusted supplier.
The more commonly used that supplier is, the more potential targets the attacker can reach. With over 30,000 customers, it is no surprise that SolarWinds was targeted. In some ways, this made the attack simpler to execute. Rather than having to create different attacks targeting the Pentagon, the Department of Defense, Microsoft, Cisco, or any of the other major players impacted by SolarWinds, the attacker had to execute one attack against SolarWinds and then simply wait for each of their intended end targets to download the corrupted Orion software.
Software supply chain attacks are only going to become more common as enterprise organizations rely more and more on third-party vendors. In the next five years, the enterprise SaaS market is projected to grow to over 300 billion dollars. Any organization that uses a third-party software vendor would be vulnerable to a software supply chain attack.
This doesn’t mean that organizations should abandon their software vendors and move everything in-house. That would be a virtually impossible feat that would incur incredible expense and still leaves systems vulnerable. After all, software will always have bugs, no matter what.
Securing against software supply chain attacks requires a shift in mindset and a serious investment in cybersecurity
However, what it does mean is that organizations need to change their mindset around security. It can no longer be considered something that is optional or that can be cut to benefit the bottom line. Organizations need to seriously invest in their cybersecurity measures and adopt a defense-in-depth approach that provides layers of security, both at the system and organizational level.
In order to prevent the next SolarWinds, we need to limit the ways in which an attack can be executed. Long gone are the days of ridiculously simple passwords like “solarwinds123.” Can you really even call that a password? State-of-the-art attacks can only be combated with state-of-the-art security hygiene.
In addition, organizations can’t assume the third party software they employ can always be trusted or that securing their perimeter is enough. As SolarWinds has shown, a software supply chain attack easily slips past such defenses. Organizations need to secure every layer of their system with a defense-in-depth approach. This means securing your network-connected endpoints that attackers will attempt to compromise after gaining access to the network.
To learn more on exactly how to secure your downstream endpoints and limit the potential scope and damage from future software supply chain attacks, register for our upcoming webinar with Cadence Design Systems, Lessons Learned from SolarWinds, today.