It’s being called the most devastating cyber attack on the U.S., and there’s still so much we don’t know about the SolarWinds supply chain hack, how attackers were able to compromise one of the software leaders in the IT space, what other tools could be compromised and just how much damage has been done to the cybersecurity community.
What we do know, however, is that cyber actors allegedly affiliated with the Russian state were able to compromise SolarWinds Orion, a widely used IT management program, by inserting malicious code that gave hackers a backdoor into nearly 18,000 organizations, including some of the most important U.S. agencies and other tech companies.
As victims are still being discovered and the true scope of the attack may not be known for weeks, the IT community needs to respond accordingly and take steps to mitigate these increasingly skilled attacks in the future.
“It’s rapidly evolving and it’s changing almost by the hour,” says MJ Shoer, a career IT security expert and now the senior vice president and executive director of the CompTIA Information Sharing and Analysis Organization.
The attackers used the IT profession’s penchant for urging timely updates and patches against us, Shoer says. A malicious DLL was put into a properly signed update that customers were quick to download to avoid any security vulnerabilities, but little did they know they were downloading one.
Who is impacted by the SolarWinds hack?
SolarWinds says nearly 18,000 out of its more than 300,000 customers were using the version of Orion that contained the malicious code that could give attackers access to their networks and files, but it seems that only high-value targets were breached further – though the list of victims continues to grow.
In a recent interview with CBS News, Kevin Mandia, CEO of cybersecurity firm FireEye – which disclosed on Dec. 8 that threat actors stole tools the company uses to test the security of its customers’ networks – said the list of victims with something to actually worry about is around 50.
In a separate report, Microsoft said it identified more than 40 of its own customers that were impacted further, 44% of which are IT companies that provide software, hardware and other services.
According to public disclosures and media reports as of Tuesday morning, this is the list of known victims:
- U.S. Commerce Department
- U.S. Treasury Department
- U.S. State Department
- U.S. Energy Department
- U.S. Homeland Security Department
- California Department of State Hospitals
- Kent State University
Companies that have acknowledged using the compromised software:
- Microsoft
- FireEye
- Cisco
- Intel
- Nvidia
- Deloitte
- VMware
- Linksys/Belkin
- Cox Communications
What troubles Shoer and other security experts is not only that this intrusion went undiscovered for months and represents a blatant attempt to steal U.S. secrets, but the potential compromise of other tech companies – including some on that list – that could give attackers a much deeper foothold into our networks than we first thought.
Aside from FireEye, those tech companies have said they have not found evidence that their tools or products were used to further the attacks.
We aren’t publishing names that haven’t already been reported, but Shoer says there is a list circulating of domains that appear to have been breached further.
“There are some household names on that list,” he says. “There are some big players in the hardware and software space.”
If your organization was using the SolarWinds Orion platform from March to September, you need to take the actions outlined in this alert from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and install the hotfix from SolarWinds.
What makes the SolarWinds hack so alarming?
After FireEye disclosed that it was hacked, the cybersecurity community soon realized the level of expertise and sophistication with which this attack was executed.
“This is a supply chain attack where the hackers were able to get into servers in SolarWinds and because they were able to compromise those servers, they were able to distribute malicious software and backdoors across the entire customer base and have them backed up by valid certifications,” says Vince Crisler, a former U.S. government cybersecurity expert and CEO of security software company Dark Cubed.
By doing this, the attackers went undetected for months. There’s even evidence that they tested this attack method as far back as October 2019 in yet another undetected action.
“That’s why this is such a big deal, because they were able to get in and cover their tracks so well,” Crisler says.
For technical details on the lengths to which the group went to cover their tracks, here’s an excerpt from the CISA alert:
The adversary is making extensive use of obfuscation to hide their C2 communications. The adversary is using virtual private servers (VPSs), often with IP addresses in the home country of the victim, for most communications to hide their activity among legitimate user traffic. The attackers also frequently rotate their “last mile” IP addresses to different endpoints to obscure their activity and avoid detection.
FireEye has reported that the adversary is using steganography (Obfuscated Files or Information: Steganography [T1027.003]) to obscure C2 communications.[3] This technique negates many common defensive capabilities in detecting the activity. Note: CISA has not yet been able to independently confirm the adversary’s use of this technique.
According to FireEye, the malware also checks for a list of hard-coded IPv4 and IPv6 addresses—including RFC-reserved IPv4 and IPv6 IP—in an attempt to detect if the malware is executed in an analysis environment (e.g., a malware analysis sandbox); if so, the malware will stop further execution. Additionally, FireEye analysis identified that the backdoor implemented time threshold checks to ensure that there are unpredictable delays between C2 communication attempts, further frustrating traditional network-based analysis.
While not a full anti-forensic technique, the adversary is heavily leveraging compromised or spoofed tokens for accounts for lateral movement. This will frustrate commonly used detection techniques in many environments. Since valid, but unauthorized, security tokens and accounts are utilized, detecting this activity will require the maturity to identify actions that are outside of a user’s normal duties. For example, it is unlikely that an account associated with the HR department would need to access the cyber threat intelligence database.
Taken together, these observed techniques indicate an adversary who is skilled, stealthy with operational security, and is willing to expend significant resources to maintain covert presence.
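The excerpt’s last point, that valid tokens defeat signature-style detection and the defender must instead flag actions outside an account’s normal duties, can be implemented as a simple baseline-and-outlier check. The following is an added example (not code from the article, CISA or FireEye); the directory, log format, accounts and resource names are constructed.

```python
from collections import defaultdict

# Constructed sample data (not from the article or the CISA alert): an account-to-
# department directory and access-log lines "<timestamp> <account> <resource> <result>".
DIRECTORY = {"alice": "hr", "bob": "hr", "carol": "secops", "dave": "finance"}

BASELINE_LOG = """\
2020-11-02T09:01Z alice hr-payroll-db ok
2020-11-02T09:05Z bob hr-payroll-db ok
2020-11-02T09:07Z bob hr-benefits-portal ok
2020-11-02T09:10Z carol cti-database ok
2020-11-02T09:12Z carol siem-console ok
2020-11-02T09:20Z dave erp-ledger ok
"""

# Recent activity: alice (HR) reading the threat-intel database is the
# out-of-role access the CISA excerpt gives as its example.
RECENT_LOG = """\
2020-12-14T02:13Z alice cti-database ok
2020-12-14T02:15Z alice hr-payroll-db ok
2020-12-14T02:40Z carol siem-console ok
2020-12-14T03:02Z dave cti-database denied
2020-12-14T03:05Z mallory siem-console ok
"""

def parse_log(text):
    """Yield (timestamp, account, resource) for each successful access."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] == "ok":
            yield parts[0], parts[1], parts[2]

def build_baseline(text, directory):
    """Map each department to the resources it used during the baseline window."""
    baseline = defaultdict(set)
    for _, account, resource in parse_log(text):
        if account in directory:
            baseline[directory[account]].add(resource)
    return baseline

def find_outliers(text, baseline, directory):
    """Return successful accesses to resources the account's department never used."""
    outliers = []
    for ts, account, resource in parse_log(text):
        # Accounts absent from the directory have no baseline, so all their
        # accesses surface; denied attempts are skipped by parse_log.
        dept = directory.get(account, "unknown")
        if resource not in baseline.get(dept, set()):
            outliers.append((ts, account, dept, resource))
    return outliers
```

In practice the baseline would come from weeks of identity-provider or application logs and the directory from the organisation’s IdP; the point is that the check keys on role, not on whether the token was valid.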
“It just goes to show how far we have to go in terms of thinking about supply chain attacks,” Crisler says.
Additional initial access vectors
Cybersecurity experts across the board are predicting that SolarWinds Orion is not the only supply chain compromise, given the sheer number of IT tools used to monitor and manage networks remotely.
“I think at this juncture, we have to assume that others are (compromised),” Shoer says.
That assumption is backed up by CISA, which said in an alert on Dec. 19 that it has evidence of additional initial access vectors other than the SolarWinds Orion platform.
“Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary’s behavior is present, yet where impacted SolarWinds instances have not been identified. CISA is working to confirm initial access vectors and identify any changes to the TTPs,” the alert says.
Many companies that have been publicly named are publicly traded, which means they have an obligation to their shareholders and customers to disclose if they were breached further.
As experts are still struggling to grasp the true scope of this attack, we’ll learn more each day, Shoer says.
“There’s going to be a lot more coming out,” he says. “There’s a ton of work going on behind the scenes.”
How IT and cybersecurity professionals should respond: accept the defensive posture & prompt information sharing
Cybersecurity experts like Shoer and Crisler are unanimous in saying that a supply chain attack of this magnitude has been something that IT professionals have been concerned with for a long time.
However, there was always an understanding that something like this could not have been prevented, since the cybersecurity industry is built on a defensive mindset. Cyber attacks will happen, and bad actors seem to always be one step ahead of the cybersecurity community.
“The mindset that continues to emerge here is resilience and recovery,” Crisler says. “When these things happen, how do we reduce the impact? How do we spread out?”
In cybersecurity, offense always wins and defense always loses.
“If you accept that, then your job is, ‘How do I make it hurt less when I do lose? How do I find out sooner rather than later that I lost?’”
Part of accepting that cybersecurity will only go so far in protecting organizations against increasingly sophisticated attacks is immediately coming clean and sharing details of these attacks with the entire IT community, Shoer says.
“What we’ve got to do a better job of is sharing information when we see a potential risk,” Shoer says. “We can’t be holding our cards so close to the chest anymore whether it’s for public relations reasons or perceived competitive reasons.”
That’s the very nature of the internal group at CompTIA that Shoer helps lead.
“Because if we can do that at scale, we can make the actual further execution of the hack difficult enough that the hacker will probably back away because it’ll bring so much attention to it so quickly,” Shoer says. “But we’ve got to share that information.”