What the SolarWinds case has to teach

Sheila Zabeu

April 02, 2021

A cyber attack that some experts have described as one of the most complex and longest-lasting attacks ever seen made headlines worldwide in the last days of 2020. The initial target was the SolarWinds Orion platform.

The supply chain attack had been operating since at least March 2020, but the first public report came only in December, from FireEye, which identified malware in SolarWinds Orion. The cybersecurity company itself was a victim of the attack. Since then, there has been a flood of cases of compromised systems in corporations, including some in the technology industry, but mainly in important federal government agencies in the United States. It was just the tip of the iceberg, revealing what would have been the worst cyberattack on the country so far.

“The cyberattack was very well technically and strategically orchestrated and aimed mainly at the US government”, commented Thiago Bordini, cyber intelligence director at the New Space Group, approved by the Brazilian Ministry of Defense to provide services that guarantee national sovereignty in terms of fraud prevention and cyber risk analysis.

According to Bordini, the attackers managed to infiltrate the build process of the Orion updates, without leaving a trace. It is a highly sophisticated technical procedure. CrowdStrike and KPMG have supported SolarWinds in the investigation and analysis of the root cause of the events that led to the inclusion of malicious code in the company’s development cycle. From a strategic point of view, they did this using the Orion platform, which monitors, analyzes and manages the entire IT stack from a single point and needs privileged access to perform its tasks. In addition, the platform is widely used by US government agencies.

It was no coincidence that Congresswoman Yvette Clarke, new president of the US House’s Internal Security Committee cyber panel since early 2021, declared in one of her first interviews that she intends to face several cybersecurity challenges, but that the first two will be providing effective responses to the cyber attack related to SolarWinds Orion and electoral security.

Although many documented intrusions seek customer and citizen data, such as credit card and social security numbers, the SolarWinds case appears to have espionage as its key objective. State secrets can be targeted by attackers. On the other hand, no company has yet admitted to being seriously affected. To cite an example in the technology sphere, Microsoft admitted in late 2020 that attackers had access to part of its source code repository, but claimed that they made no changes.

There is a strong suspicion among experts from corporations and the US government that the attack was conducted against the US cyber infrastructure by a foreign nation state. The main suspicion is that this country is Russia. A map produced by Microsoft highlights the almost global scope of vulnerable targets, reaching many of the main national capitals outside Russia, and the high incidence in the United States.

Map based on Microsoft Defender antivirus telemetry, showing customers using Defender and versions of the Orion platform containing the malware under discussion.

According to a Reuters report in February 2021, Chinese hackers also hacked US government computers in 2020. The security flaw exploited, also in SolarWinds software, was named Supernova and apparently has no connection to the one that allowed hackers to infiltrate the company’s update build process. The Chinese hackers exploited this vulnerability only after getting into a network by some other means. Then they used the flaw to go deeper. SolarWinds fixed the vulnerability in December.

However, the work of scouring IT environments in organizations, whether or not they use the Orion platform, for evidence of intrusion, data tampering and open doors for future intrusions is just beginning. It will take a lot of time and resources. Considering just the scope of the SolarWinds case and one analysis initiative, three other vulnerabilities have been identified in less than two months. Trustwave, which works with intelligence to combat cyber threats, has discovered more security flaws in the Orion platform and in SolarWinds FTP Serv-U systems for Windows environments as well. Fixes have already been released for the three vulnerabilities.

How the attack was designed and performed

Supply chain attacks corrupt a given process and spread problems across an entire industry, such as financial, retail or government. In the SolarWinds case, the attack targeted a software company’s chain and its update build process.

Hackers planted malware (SUNSPOT) in the SolarWinds development environment in order to insert a backdoor (SUNBURST) into the Orion platform builds without raising suspicion. SUNSPOT monitored the processes related to Orion builds and substituted source files to include the SUNBURST backdoor code. Several safeguards in SUNSPOT avoided failures in the build process that could have alerted developers to the adversary’s presence.

Thus, hackers could produce adulterated Orion updates. It is estimated that 18,000 Orion users downloaded these files as being genuine. When installed, a door was opened at their facilities for further attacks and other subsequent criminal activities, such as espionage and theft of state secrets. According to the US Cybersecurity and Infrastructure Security Agency (CISA), fewer than 10 federal government agencies were in this situation as of the beginning of January 2021.

A CISA emergency directive has warned that federal agencies should treat all SolarWinds Orion systems and servers as compromised, and that these should therefore be disconnected or shut down immediately so as not to expose the federal networks to unacceptable risks.
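The source-file substitution described above takes place between checkout and compile, so one place to catch it is a hash comparison of the build tree against a manifest taken from the reviewed commit. The following Python is an added example, not code from SolarWinds or any vendor; the file names, file contents and the `demo` scenario are constructed for illustration.

```python
import hashlib
import os
import tempfile


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def diff_manifests(trusted, observed):
    """List (status, path) pairs where the build tree departs from the trusted manifest."""
    findings = []
    for path in sorted(set(trusted) | set(observed)):
        if path not in observed:
            findings.append(("missing", path))
        elif path not in trusted:
            findings.append(("unexpected", path))
        elif trusted[path] != observed[path]:
            findings.append(("modified", path))
    return findings


def demo():
    """Constructed scenario: one source file changes between checkout and compile."""
    with tempfile.TemporaryDirectory() as src:
        for name, body in (("Module.cs", b"class Module {}\n"), ("Util.cs", b"class Util {}\n")):
            with open(os.path.join(src, name), "wb") as fh:
                fh.write(body)
        # Assumption: in practice the trusted manifest comes from the reviewed commit
        # and is computed and stored off the build host.
        trusted = hash_tree(src)
        clean = diff_manifests(trusted, hash_tree(src))
        # Simulated tampering on the build host (constructed, harmless content).
        with open(os.path.join(src, "Module.cs"), "ab") as fh:
            fh.write(b"// line that was never in the reviewed commit\n")
        with open(os.path.join(src, "Module.cs.orig"), "wb") as fh:
            fh.write(b"class Module {}\n")
        return clean, diff_manifests(trusted, hash_tree(src))


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the system that runs it: it needs to execute immediately before compilation and from a host the build machine cannot alter.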

For Bordini, hackers are unlikely to exploit these open doors in corporations. “We are almost certain that their target is different, but it will always be a great mystery,” he said.

The day after

After being alerted by FireEye about the attack, SolarWinds set to work on investigations and released hotfixes within a few days to fix the Orion platform vulnerabilities. In January 2021, it also announced a plan to make both the company and its customer community more secure.

However, installing such hotfixes is not synonymous with total security for Orion users. This is a necessary but not a sufficient step. It is not known in detail how the intruders worked during the period when the attack was active but out of the spotlight. It is also not known whether and how they may still be working through the backdoors that they possibly opened, which may have broadened the scope of their activities and also reached those who are not Orion users.

Cybersecurity experts affirm that spies are probably still active in the breached networks. It is likely that hackers have manipulated Microsoft Active Directory Federation Services, which certifies identities of authorized users, in the hacked environments through digital identity documents called “SAML tokens”. These authenticated tokens allow users to move easily from one environment to another, including from one company to another, for example, across different cloud service providers. Being able to manipulate tokens and move around quickly, with little chance of being detected, is a field day for hackers. Fortunately, there are ways to protect companies against this technique, such as limiting access to computers authorized to issue tokens and ensuring the security of the encryption keys that create these tokens.

Below are more recommendations, whether or not you use the SolarWinds Orion platform:

1) Monitoring and recording, always

The attack involving SolarWinds Orion lasted for months and may not yet have reached an end. Do all affected organizations have records of their IT activities during that period? Many of the recommendations include tasks of searching for records to try to identify suspicious actions related to the attack.

2) Granting permissions in the right measure

Many organizations grant users and applications more permissions than necessary because, in general, it is more practical. However, they need to avoid and mitigate intrusion risks by limiting the privileges granted to suppliers and partners. This is the type of protection required to prevent so-called supply chain attacks. Evaluating high-privilege accounts and seeing whether their authority can be reduced is a good thing. Most software tools do not need administrative access in order to operate.

3) Making an inventory of critical assets

What makes it more difficult to respond to intrusion incidents is the lack of documentation about critical assets and privileged access. With this kind of information, organizations can check whether these assets are safe in case of intrusion and take additional measures to escape the intruders’ clutches. For example, when a provider needs privileged access to the network (which can happen), it is worth documenting the access rights for future consultation in case of suspected intrusion, as happened in the SolarWinds case.

4) Checking the signature

The update adulterated by the malware contains a valid digital certificate and was distributed by SolarWinds itself. This was another element worth mentioning in this case. However, other attackers use fake signatures and their own channels to distribute their files with Trojans. Therefore, it is recommended to check the signature before installing files, at least to protect companies against less sophisticated attacks.

5) Reviewing the contracts

Contracts with software vendors need to establish specific terms about how a cybersecurity event will be disclosed, what information the disclosure will include, and how the potential consequences will be dealt with.

There is still no magic to detect who is still vulnerable to this or future cyber attacks of the same category. Everyone, software vendors and users alike, may be at risk. This is part of the game of always-connected life. However, as with life outside the network, caution and prevention are never too much.

What is a supply chain attack?

In general terms, a supply chain is the group of people and companies involved in a given multi-process activity. In the case of cyber attacks, the huge number of variables gives multiple points of entry to hackers looking to infiltrate businesses, networks or infrastructures. In addition, this multiplicity of elements means that no single party bears exclusive responsibility for protecting the entire chain: no one link is responsible alone, and everyone must take responsibility for the protection to be effective. And even though most have strict security mechanisms, a single point of vulnerability can put everyone in the crosshairs of a supply chain attack.


Source: SolarWinds