The breach occurred in March of 2020 and was discovered in December 2020. The effects will be felt for years.
Earlier this year, criminals compromised software made by an Information Technology company you might not have heard of, SolarWinds. The infiltration led to a massive access breach that’s now affecting US federal agencies as well as financial organizations around the world and almost all Top 500 companies according to the security firm and news reports.
The compromised company SolarWinds sells software that allows an organization to monitor activity on their networks and IT Infrastructure. The criminals inserted malicious code into SolarWinds software called Orion, to create a “back door” into the updates that was released to the public in March 2020. Around 18,000 SolarWinds customers installed the tainted updates onto their systems, the company said. Hackers then used the back door to access customer systems, once inside they had free reign.
SolarWinds has removed its customer list from its website, in an attempt to protect the privacy of their customers that were affected.
According to Wayback Machine, an archive of the site located here, the list includes 425 companies in the Fortune 500, including the top 10 telecom operators in the US. A New York Times report said parts of the Pentagon, Centers for Disease Control and Prevention, the State Department, the Justice Department, and others, were all impacted.
The list of affected companies is long, and potentially dangerous. It includes:
The U.S. Departments of State, Defense, Commerce, Treasury, Homeland Security and Energy
The cybersecurity firm FireEye, who discovered the hack and broke the story
DellEMC & VMware
AT&T (including Warner Media)
Comcast (including NBCUniversal)
Boston Consulting Group
Proctor & Gamble
The FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and Office of the Director of National Intelligence (ODNI) issued a joint statement, announcing what is called the “Cyber Unified Coordination Group (UCG)” in order to coordinate government response to the crisis. The statement calls this a “significant and ongoing cybersecurity campaign.”
In an opinion piece written for The New York Times, Thomas P. Bossert, former Homeland Security Adviser for President Donald Trump, also named Russia for the attack and said it points to the Russian intelligence agency known as the Foreign Intelligence Service (SVR). Russia has denied any involvement in the attack so far.
What Makes This Breach So Dangerous?
Many large-scale incidents of hacking come with drawn-out legal battles and investigations that last for months, or even years, following the initial discovery and disclosure. But the SolarWinds compromise is different. In the coming year, we won’t just be fighting about who was responsible or figuring out how this happened but assessing the fallout and repairing affected systems. That whole time, government and private sector systems will not entirely know what was compromised.
Let me explain.
The SolarWinds Orion products are specifically designed to monitor the current status of networks and systems then report on any issues discovered. Many organizations also leverage autonomous response and repair options in SolarWinds that can be triggered by the issues it has detected. So SolarWinds will have access to everything, which is what made them such a perfect conduit for this compromise. In theory, there are no limiting boundaries on scope or impact, as has been made clear by the gradual revelation of more and more high-value targets.
Even more worrisome is the fact that the attackers possibly make use of their initial access to targeted organizations, such as FireEye and Microsoft, to steal tools and code that would then enable them to compromise even more targets. After Microsoft realized it was breached via the SolarWinds compromise, it has been reviewing its own products and ascertain if anything was “used to further the attacks on others,” according to Reuters. Microsoft is still investigating and released a statement on the matter.
A large part of the problem about the breach into SolarWinds is that it granted intruders broad access to the entire network of every system it was installed on. Additionally, SolarWinds had apparently persuaded many of its customers that its Orion products needed to be exempt from existing antivirus and security restrictions on their computers because otherwise it might look like a threat or be unable to function properly. (This is actually an old problem—security products identifying other security products as malware. For instance, if you try to install multiple antivirus programs on the same computer, they will sometimes recognize the malware signatures stored by the other and try to shut it down as malware. And then the other one will see that there’s a program trying to shut it down and assume that that program must be malware, since trying to turn off the antivirus program is also a typical trait of a malicious program!)
So What Can Be Done?
Solar Winds has issued the following statement:
We recommend that all active maintenance customers of Orion Platform products, except those customers already on Orion Platform versions 2019.4 HF 6 or 2020.2.1 HF 2, apply the latest updates related to the version of the product they have deployed, as soon as possible. These updates contain security enhancements including those designed to protect you from SUNBURST and SUPERNOVA. NOTE: If you reinstall, you need to re-apply the patch or hotfix.
The latest updates designed to protect against SUNBURST and SUPERNOVA are as follows:
2019.4 HF 6 (released December 14, 2020)
2020.2.1 HF 2 (released December 15, 2020)
2019.2 SUPERNOVA Patch (released December 23, 2020)
2018.4 SUPERNOVA Patch (released December 23, 2020)
2018.2 SUPERNOVA Patch (released December 23, 2020)
If you’re unable to upgrade at this time, we have provided a script that customers can install to temporarily protect their environment against the SUPERNOVA malware. The script is available at https://downloads.solarwinds.com/solarwinds/Support/SupernovaMitigation.zip.
With a breach such as this it’s not just your systems that may have been compromised, it’s your partners, you services and your customers. Organizations needs to communicate and review exactly the current status of their systems and acknowledge the possibility of being breached. An example of such a review has been published by the Department of Justice and reported by ZDNET News.
There is a larger challenge here, lack of knowledge compounded by minimal primary news coverage. The majority of the public would have very little information or interaction with products like SolarWinds as that company has practically zero consumer market. However everyone has been impacted by this criminal breach in one form or another.
ConaLogix is prepared to help your company update and secure any SolarWinds products your system may be using as well as coordinate next steps. Contact us today for a free system security assessment.
Sign Up to our Contact List to stay informed about ConaLogix.