SolarWinds Breach Fallout: What happened and what we learned

On December 13, 2020, cybersecurity company FireEye announced they had discovered a state-of-the-art exploit that created a backdoor in SolarWinds’ Orion application. The backdoor was then distributed to thousands of systems running this application as a routine update from the manufacturer. With no reason to suspect any issues, IT administrators all over the country unknowingly downloaded this malware onto their systems, and the damage began. Over 18,000 of SolarWinds’ customers were left compromised by this hack, leaving many to wonder what the real damage was. In short, this is only the beginning.

How did we get here?

Although this vulnerability was discovered on December 13, 2020, experts believe these systems had been compromised since at least early March, with some believing the backdoors had been in place for over a year. The backdoor was first loaded onto the Orion application through what appeared to be a routine update from SolarWinds. The malware then uses multiple blocklists to sweep the system for third-party security tools and anti-virus software. Once the threat actors established that there was no imminent risk of discovery, the malware begins executing commands called “jobs,” which range from transferring and executing files to disabling system services. It then encrypts small amounts of data and blends it with regular analytical data so that it masquerades as the legitimate traffic the Orion software would normally generate. At the same time, the malware also attempts to spread across the network by pivoting from one compromised system to another, gaining a beachhead and then expanding across networks from there.

What does this mean?

While threat actors from foreign nations are not uncommon, the complexity and severity of this case is remarkable. For almost a year, foreign actors had remote access to systems in a litany of organizations, from members of the federal government such as the Department of Justice and the State Department, to 400 of the Fortune 500 companies in the U.S. The sophistication of this attack also points to these hackers having been sponsored by a foreign state. The attackers had ample time and resources to make sure they were not discovered for extended periods. Although an investigation into what exactly was stolen is still underway, many experts have ruled out monetary incentive as the primary goal of this attack.

This attack was seemingly executed to gauge the security readiness and response of our nation’s government and some of its most critical businesses. With an ever-changing geopolitical landscape, our nation-state adversaries may no longer appear as combatants on a battlefield. The next war will likely not be fought so much with so-called “boots on the ground” as with “bots on the network,” as cyberspace quickly becomes a primary theater of warfare. In this theater of operations, however, geographic distance does not protect businesses and governments as it once did. Everyone is now a potential target.

What is the solution?

No matter how safe an organization thinks it is, emerging threat actors are continuously looking for new ways to exploit any vulnerability in systems, people, and processes. Companies and government organizations, if they have not done so already, need to move cybersecurity to the absolute forefront of their strategic planning in 2021.

An attack of this sophistication may have been difficult to prevent in its totality, but effective round-the-clock monitoring, routine assessments, network segmentation, and proper evaluation of vendor software may help alleviate the damage caused by such attacks. Proper segmentation of networks, data, and systems, together with an effective data management plan, is crucial and may even have prevented the expansion of this attack in many instances. Data management is the practice of classifying, protecting, controlling, and segmenting data and systems to prevent leakage or unauthorized disclosure of sensitive information. If implemented properly, it can thwart attempts by attackers to “pivot” across a network even once they are inside the perimeter, thus containing any damage.
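The two defensive points made above (containing pivots through segmentation, and catching beaconing that hides inside a monitoring server’s normal traffic, as described in the "How did we get here?" section) can be turned into concrete checks over flow logs. The script below is an added example written for this article, not code from Netizen or from any Orion tooling. The zone addressing, the segment policy, the per-host egress baseline, the log format and the log lines are all constructed for illustration; a real deployment would read these from its own network policy and flow collector.

```python
"""
Flow-log checks for two controls discussed in the article:
  1. a segmentation policy that flags a pivot from one zone into another
     that the policy does not allow, and
  2. an egress baseline for a management/monitoring host, so that outbound
     connections disguised as routine telemetry still stand out when they
     go somewhere the host has never needed to talk to.
Addresses, zones, policy and log lines are constructed (hypothetical).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zone map.
ZONES = {
    "mgmt":    ip_network("10.10.0.0/24"),   # monitoring / management servers
    "servers": ip_network("10.20.0.0/24"),   # application servers
    "finance": ip_network("10.30.0.0/24"),   # sensitive data segment
    "users":   ip_network("10.40.0.0/24"),
}

# (source zone, destination zone) -> allowed destination ports.
# Any cross-zone flow not listed here is a policy violation.
SEGMENT_POLICY = {
    ("mgmt", "servers"): {161, 22},    # SNMP polling and SSH administration
    ("users", "servers"): {443},
    ("servers", "finance"): {5432},
}

# Expected external destinations per management host (constructed baseline).
EGRESS_BASELINE = {
    "10.10.0.5": {"updates.vendor.example"},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    dst_name: str = ""   # resolved name for external destinations, if known


def zone_of(ip: str):
    """Name of the internal zone containing ip, or None if it is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> Flow:
    """Parse the constructed format '<src> -> <dst>:<dport> [name=<dns name>]'."""
    fields = line.split()
    dst, dport = fields[2].rsplit(":", 1)
    name = ""
    for field in fields[3:]:
        if field.startswith("name="):
            name = field[len("name="):]
    return Flow(fields[0], dst, int(dport), name)


def check_segmentation(flow: Flow):
    """Finding for a cross-zone flow the policy does not permit, else None."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if s is None or d is None or s == d:
        return None   # external or intra-zone traffic is out of scope here
    if flow.dport in SEGMENT_POLICY.get((s, d), set()):
        return None
    return f"pivot? {s}->{d} {flow.src} -> {flow.dst}:{flow.dport} not permitted by policy"


def check_egress(flow: Flow):
    """Finding for egress from a baselined host to a destination outside its baseline."""
    if zone_of(flow.dst) is not None:
        return None   # internal destination
    expected = EGRESS_BASELINE.get(flow.src)
    if expected is None or flow.dst_name in expected:
        return None
    return f"unexpected egress from {flow.src} to {flow.dst_name or flow.dst}:{flow.dport}"


def analyze(lines):
    """Run both checks over raw log lines and return the list of findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        for check in (check_segmentation, check_egress):
            finding = check(flow)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample: a monitoring host polling, a user session, a pivot
# attempt from the monitoring host into the finance segment, one expected
# update download, and one egress to a name the host has never contacted.
SAMPLE_LOG = """
10.10.0.5 -> 10.20.0.7:161
10.40.0.21 -> 10.20.0.7:443
10.10.0.5 -> 10.30.0.9:445
10.10.0.5 -> 203.0.113.10:443 name=updates.vendor.example
10.10.0.5 -> 198.51.100.4:443 name=cdn-metrics.example
10.20.0.7 -> 10.30.0.9:5432
"""

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG.splitlines()):
        print(finding)
```

Run as-is, the script reports two findings: the SMB-port flow from the monitoring host into the finance segment (a pivot the policy never allowed) and the outbound connection to a destination missing from that host’s baseline. The second check is deliberately independent of traffic volume or timing, because the article’s point is that the beacons were shaped to look like ordinary Orion telemetry; a destination allowlist for a host that should only ever reach a handful of vendors does not depend on recognizing the payload.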

Beyond this, basic cyber hygiene can prevent a great deal of damage from the routine attacks that are far more common. For example, stop using the same passwords on multiple sites or systems. If hackers get access to one set of account credentials, they will try those credentials again and again to gain access to other systems. Use a password manager to store strong, unique passwords so that one password will not grant access to multiple sites. Also be mindful of what you click on in email. If you think an email or attachment looks suspicious, take no action and report it to your information security representative. Many times, emails and attachments are the primary method used to breach an organization’s systems. Cybersecurity starts at the ground level, too. Organizations should put much more focus on training their employees in cyber-safe habits to foster a culture of security throughout the entire organization.

Questions or concerns? Feel free to reach out to us any time –

Copyright © Netizen Corporation. All Rights Reserved.