Understanding the SolarWinds “Sunburst” Hack
You could be forgiven if you rolled your eyes and clicked through to the next story when you first learned of the SolarWinds hack. Cybersecurity incidents have become commonplace events and if you weren’t running the SolarWinds Orion network monitoring platform, you were probably concerned with more direct security threats to your networks. But among the thousands of cybersecurity incidents reported each year, the SolarWinds “Sunburst” attack and its arc deserve your attention.
By the time that network security vendor FireEye publicly acknowledged that it had been victimized and some of its most sophisticated tools stolen, several critical United States federal agencies had also been victimized. This attack was (and is) big. Alone, the size of the attack suggested that it was the work of the highly skilled professionals of a sophisticated criminal organization or nation state. But there was more. As FireEye’s Kevin Mandia told NPR in a December 2020 interview, the attack on FireEye was perpetrated from IP addresses not previously known as malicious and were based in the United States. The attackers were therefore able to avoid additional scrutiny often given to traffic originating from outside the United States or from addresses previously used in attacks. These attackers knew how to stay hidden and were sufficiently well-resourced to maintain a sophisticated attack infrastructure. The most chilling aspect of the SolarWinds compromise, though, is how it came to be. The vulnerabilities that were compromised didn’t arise through sloppy coding or poor implementation – they were planted. The SolarWinds supply chain had been infiltrated by the attackers. After successfully dropping some harmless code into SolarWinds code as a test in the fall of 2019 and observing the (lack of) reaction, the attackers planted their malicious code in 2020 and began to exploit the code they had planted – with great success. The attackers now had hidden administrative access to any organization running versions of the SolarWinds Orion network monitoring platform that contained their inserted code. Because they had compromised network monitoring software, the attackers were also able to monitor vulnerable networks through their attack platform. The combination of administrative and monitoring capabilities brought by this approach has led the attackers to install the exploited Orion code on networks that they had breached through other means. By infiltrating the SolarWinds supply chain and planting code into a widely used network monitoring solution, these attackers created a sophisticated and covert attack vector that was widely distributed for them.
Cybersecurity risk assessment frameworks, including the NIST Cybersecurity Framework, contain sections that address the evaluation of supply chains for vulnerabilities. In our experience, cybersecurity evaluations of organizations’ supply chains are one of the most neglected aspects of their cybersecurity postures. Provisions addressing cybersecurity have become more common in contracts between organizations and vendors – especially regulated industries like healthcare where these provisions are required by law. Less common are the specific technical and monitoring requirements that support strong supply chain management. SolarWinds faces complex challenges to secure its supply chain against some of the most sophisticated and well-resourced adversaries in the world. The cybersecurity threats to most organizations’ supply chains aren’t nearly so robust, but still require focused attention. Each vendor relationship should be evaluated from perspectives of physical, technical, and administrative security. Which vendors physically visit your organization? Do any have VPN access? Which of your software packages “phone home” for updates? What is your organization’s process for granting systems access to vendors and other externals? All of these things (and many more) must be considered and addressed. As you address the cybersecurity threats to your supply chain, documentation of processes, establishment of metrics, and regular monitoring for process control are key to its long-term security.
In addition to developing security for your organization’s supply chain, the SolarWinds attack serves as a reminder of the importance of ongoing vigilance and basic cybersecurity hygiene. While you may be forgiven for blowing by initial reports of the SolarWinds attack, you may also be victimized by it, or by other attacks on your supply chain. Redouble your efforts to monitor threats to your organization’s cybersecurity posture. Seek new sources of intelligence and make sure that you have the resources in place to monitor for threats on an ongoing basis. Remember that each software application that your organization runs represents a threat to your organization’s security. Consider how each program can be updated and make a plan to manage the software update process. Finally, re-consider your emergency operations plans from the perspective of a cybersecurity emergency. If your organization is running a compromised version of the Orion platform, you’re experiencing one now. In that case, you should follow guidance from the NSA and CISA and turn off your Orion infrastructure until it can be successfully upgraded. In either case, you should prepare for security emergencies that may require you to turn off systems that are critical to your organization’s operations.
The SolarWinds attack is an example of just how creative and effective determined, skilled, and well-resourced adversaries can be. Relatively few organizations are the direct targets of attacks from such adversaries but observing the extremes should serve to remind all of us of the importance of the sometimes tedious or difficult controls that are recommended for our organizations. This attack also illustrates how wide-ranging the fallout can be when sophisticated attacks are directed at their targets. Similar to the COVID-19 pandemic, cybersecurity threats put us all in a fight together – whether we want to be or not. Cybersecurity is a public good. The SolarWinds attack reminds us starkly just how much we depend on each other for our security and how important our responsibilities to cybersecurity are.
For more detailed technical information about the SolarWinds Sunburst attack and recommended remediation, follow this link to the SolarWinds FAQ about this attack: https://www.solarwinds.com/securityadvisory#anchor1
About the author
Lead Information Security Analyst