GlobalSign Blog

Cyber Autopsy Series: SolarWinds Breach Makes History

Editor's Note: October marks National Cybersecurity Month, a full month dedicated to creating a more cyber-secure world for us all. Previously, we gave you 31 tips to help you #becybersmart. This year, to bring attention to this important matter, we’re adding several new cases to our Cyber Autopsy file, which could have been prevented had there been better defenses in place. Join us every Friday in October to read about one of these notorious cyber attacks and stick around for insights and learnings that may just keep your name off the list.

Cyber Victim:

SolarWinds – Texas-based SolarWinds develops software for businesses to help manage their networks, systems, and information technology infrastructure. With more than 300,000 customers worldwide, it is considered a leader in its market.

Case Details:

The SolarWinds hacking campaign is likely to go down in cyber history as one of the most damaging attacks ever initiated. The attack, in which the US technology company was used by Russian hackers as a springboard to compromise nine US government agencies, is “the largest and most sophisticated attack the world has ever seen,” Microsoft Corp President Brad Smith said. The operation, which was identified in December 2020, gave hackers carte blanche access to thousands of companies and government offices that used its products. As a result, hackers got access to emails at the US Treasury, Justice, and Commerce departments and other agencies.

Cyber History:

It does not appear that SolarWinds was attacked prior to the December 2020 attack. However, this doesn't mean the company is excused for not taking the proper security precautions that could have prevented what has become one of the most daunting cyber attacks of 2021.

Description of Events:

It all began to unfold in late 2020 when cybersecurity firm FireEye announced on December 8th they were a victim of a nation-state attack. The security team reported their Red Team toolkit, applications used by ethical hackers in penetration tests, was stolen. Then, on December 13th, the company discovered that attackers had found and entered a backdoor in SolarWinds’ Orion business software, which it dubbed “SUNBURST.”

As FireEye began to peel back the layers, it learned that a cyber intrusion had occurred at SolarWinds in September 2019. Specifically, a threat actor entered the SolarWinds system on September 4th, 2019; two weeks later, they injected test code and performed a trial run. More activity ensued in December, when hackers accessed at least one of SolarWinds’ Office 365 email accounts. As a result, attackers were able to compromise other email accounts, ultimately leading to a much wider intrusion into the company’s Office 365 environment.

Systems/Parties Impacted:

On December 13th, 2020, SolarWinds began notifying customers. They posted on their Twitter account that all customers should upgrade immediately to Orion Platform version 2020.2.1 HF 1 to “address a security vulnerability.” The following day, the company filed an SEC Form 8-K report, stating the company "has been made aware of a cyberattack that inserted a vulnerability within its Orion monitoring products." On December 15, 2020, the Wall Street Journal reported that the US Commerce and Treasury Departments, the Department of Homeland Security (DHS), the National Institutes of Health, and the State Department were all affected. Days later, more victims were revealed, including the Energy Department (DOE) and the National Nuclear Security Administration (NNSA), which maintains the US nuclear weapons stockpile. The list continued to grow as another 200 were announced days later.

By late December, the Trump administration acknowledged that hackers acting on behalf of a foreign government – almost certainly a Russian intelligence agency – had broken into a range of key government networks, and had accessed their email systems.

Then, on December 31st, Microsoft announced the attackers breached some of its source code. However, the company said the attackers could not modify code, products, or email, and they did not use Microsoft goods to attack other victims.

In April, Business Insider captured the ramifications of this exceptionally damaging attack:

“Now that multiple networks have been penetrated, it's expensive and very difficult to secure systems. Tom Bossert, President Trump's former homeland security officer, said that it could be years before the networks are secure again. With access to government networks, hackers could, "destroy or alter data, and impersonate legitimate people," Bossert wrote in an Op-Ed for the New York Times.

Not only is the breach one of the largest in recent memory, but it also comes as a wake-up call for federal cybersecurity efforts. The US Cyber Command, which receives billions of dollars in funding and is tasked with protecting American networks, was "blindsided" by the attack, the New York Times reported.  Instead, a private cybersecurity firm called FireEye was the first to notice the breach when it noticed that its own systems were hacked.”

Mode of Entry:

According to SpyCloud, once inside SolarWinds’ systems, attackers were able to modify the build process and inject malicious code into versions of its Orion software platform released between March and June of 2020. At least 18,000 organizations downloaded the malicious update, ultimately enabling known compromises of at least nine federal agencies and over 100 private sector organizations. Attackers were able to steal identities and tokens to impersonate real users, sidestep multi-factor authentication, and extend their foothold within affected networks.

Despite all signs pointing to a Russian-backed attack, the country has flat-out denied any involvement with the incident.

In the spring, when the BBC's Moscow correspondent Steve Rosenberg confronted Russia’s Foreign Intelligence Service (SVR) director Sergei Naryshkin about its links to the hacking group known as APT29, Nobelium, Cozy Bear, or the Dukes, he responded, "These claims are like a bad detective novel". He went on to describe “all these claims about cyber attacks, poisonings, hacks, interference in elections which are blamed on Russia” as “absurd, and in some cases so pathetic”.

Despite Naryshkin’s denial, federal investigators and cybersecurity experts believe SVR is the likely entity responsible for the attack. Don’t forget – this is the same group credited with breaking into the email servers in the White House, the State Department, and the Joint Chiefs of Staff in 2014 and 2015 – as well as attacking the Democratic National Committee and members of the Hillary Clinton presidential campaign.

Final Diagnosis:

The SolarWinds attack is still fresh in many minds. And that's not just because it impacted nine federal US agencies and initially 18,000 organizations worldwide. It's also because it appears the attackers aren’t slowing down. In fact, on September 28th, SearchSecurity reported that Microsoft researchers believe Nobelium has been using a backdoor tool called FoggyWeb since at least April. The researchers say "FoggyWeb" is being used to maintain persistence on compromised Active Directory servers, steal data from those servers, and receive and execute additional malicious code. The backdoor had been observed in the wild as far back as April.

As a result of this incident and, to be fair, other security incidents that took place in 2021 (the Colonial Pipeline and JBS Meat attacks especially), the US government is now in the process of making radical changes to its cybersecurity posture. Companies in the software supply chain are looking at new approaches in order to better understand the many, many different pieces of software they use, and could begin using Software Bills of Materials (SBOMs) to better track and manage it all.

Hopefully enough painful lessons have been learned, and an incident of this magnitude won’t be repeated. Software tools will only get better, and companies will be smarter about monitoring and protecting their systems. Here’s to the future!

That's it for this week's case! Don't forget to check in next week to see who we cover, or click subscribe below to get new blogs delivered straight to your inbox.
