Originally posted on December 17, 2020. Reposted here without edits.
There have already been several fairly readable articles on the SolarWinds hack published in the mainstream press1 – and even better ones in InfoSec-specific resources such as the Krebs on Security blog2. Nevertheless, it would do well to provide a rough summary of the sequence of events, insofar as can be established at present.
- SolarWinds provides organisations of all shapes and sizes with a variety of software tools to manage and monitor their computer networks – traffic monitoring, patch management, that sort of thing. Naturally, these applications require periodic updates to iron out various bugs.
- Several months ago, the update server for SolarWinds products was compromised. At least some reports3 suggest that this was because the server’s password was…”solarwinds123″. There are no words.
- Once the update server was compromised, the attackers were able to append a piece of malware to legitimate application updates that, upon activation, provided them with backdoor access to the infected network. Interestingly enough, according to FireEye malware activation in each case was set to between 12 and 14 days after the initial infection, with communications between the infected system and the attackers further masked to avoid detection.
- It is suspected that something like 18 thousand organisations were infected in this manner, although it is unlikely that the backdoor was actually used with all of them. Krebs on Security, or rather one of its sources, suggests that the attackers ranked the compromised organisations based on the value of their data and the likelihood of getting caught by internal security before compiling an actual target list from the set of infected networks.
- The hack was revealed after it was caught by FireEye – apparently, the attackers decided to use an employee’s credentials to register a new device on the network, presumably for remote access using this person’s network privileges, and this tripped some internal flags. Unfortunately, per Krebs on Security the attackers nevertheless managed to exfiltrate approximately 300 proprietary cybersecurity tools from the firm before being cut off4.
Insofar as the damage, much of the mainstream press coverage is focussed on the fact that the attackers had been reading the emails of several US government agencies, most notably that of the Treasury and Commerce departments, for a number of months. Personally, however, I suspect that far more significant is the theft of private corporate data – of FireEye’s cybersecurity software, for example. Regardless, we probably won’t know all the details…ever, as it is unlikely that all of the hack’s targets will disclose this fact to the public, or even themselves will be aware that anything has gone amiss.
In any event, there are at least several InfoSec implications that can be drawn from this – some of them more obvious than others, but no less worth reiterating.
- Complex passwords matter. Password management has ever been a tug of war between usability and security. Enforcing a strict password policy clearly inconveniences users, but the flip side of this is that a sizeable portion of non-fishing non-insider attacks rely on breaking through too simple or unchanged factory default passwords5.
- Attack surface matters. The moment that SolarWinds made its software updates accessible via the Internet6 – specifics are a bit scant, but at least a few sources mention a GitHub repository – it dramatically increased the possibility of an eventual breach, even if a much stronger password were used. Imagine the reverse case, where the update server is situated within an organisation’s network, accessible only by insiders. Similarly, by outsourcing their network solutions to a private vendor rather than building some equivalent within the US government IT domain, various US agencies significantly raised their exposure – having to rely on both themselves and on SolarWinds for security – with fairly obvious security implications7.
- Internal monitoring matters. Even FireEye was less than perfect here, but at least their IDS8 eventually caught some of the attackers’ activity and prompted a response from its internal security team. Apparently none of the other – dozens? hundreds? – organisations where the hack was actually exploited managed to detect any illicit activity, or if they had, trace it to a SolarWinds update. Maybe the attackers really were that sophisticated, or maybe – more than likely, if you ask me – they just tended to go after the most lackadaisical of targets knowing they are unlikely to get found out9.
Finally, let us briefly consider the issue of the attackers’ identity. Mainstream press, of course, has immediately been going off about “suspected Russian hackers” based on vague statements from anonymous sources. In truth, of course it could be an intel op by some government or another – whither the clean-shaven Chinese, the moustachioed North Koreans, the bearded Iranians – but until more information comes to light, it could also be the work of a criminal gang or syndicate, perhaps based over in Europe, for strictly financial purposes. What we have at the moment are basically the following two possibilities:
- Foreign intel op. Foreign intelligence agents – suppose it really were the Russians – infect a highly popular network software product, hoping that among the many thousands of organisations who download and install it some will prove to either be actual US government agencies or important government contractors, for example FireEye.
- Criminal gang. Several savvy gangsters hire some techies to infect a highly popular network software product, hoping that among the many thousands of organisations who download and install it there will be a metric megaton of private corporate data to steal and sell on the black market.
Only one of these two, in my view, is actually highly probable, unless, of course, Russian intelligence agencies have no other way of getting to read the Commerce Department’s email traffic – for inconceivably nefarious purposes, no doubt – than to employ such a scattershot approach. Not that this matters from a purely political standpoint, of course, especially if the attackers in this case are never actually caught, as seems fairly likely.
- See for example Paul, K., “What you need to know about the biggest hack of the US government in years”, The Guardian, December 15, 2020; and Bertrand, M., Desiderio, A., “How suspected Russian hackers outed their massive cyberattack”, Politico, December 16, 2020; both stories retrieved December 17, 2020.[↩]
- FireEye also has a fairly detailed write-up on the malware at https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html[↩]
- See the Guardian story, which itself cites Reuters.[↩]
- It is unclear at the moment whether they did so using this employee’s “new” device, or if they had done so already and wanted to escalate their network privileges even further.[↩]
- Fishing attacks are generally designed to get the user to give up their password voluntarily, while insiders already have network access by definition.[↩]
- With write access, to be specific.[↩]
- To be completely clear, unlike, say, a 50-person firm without its own IT department, the US government certainly could have constructed its own standalone IT services infrastructure with an eye to increasing systems security – but this would, of course, require a strong internal IT operation and cost actual money, not to mention leave private vendors like SolarWinds with fewer profit opportunities.[↩]
- Intrusion Detection System.[↩]
- I can’t prove this, of course, but I suspect they used FireEye as a sort of “swan song” – we’ve hit all the easy targets, so let’s see what we can get out of this high-value one.[↩]