The SolarWinds Fiasco

Stephen DeAngelis

December 29, 2020

According to Bob Dylan’s iconic ballad, “The answer, my friend, is blowin’ in the wind. The answer is blowin’ in the wind.” Many companies are undoubtedly wondering where they can find answers to the SolarWinds Orion hack. This extensive breach came to light when the cybersecurity company FireEye made public the fact that its system had been hacked by nation-state hackers (almost everyone agrees those hackers were acting on behalf of Russia). Dan Petro (@2600AltF4), a Lead Researcher at Bishop Fox, reports, “The FireEye breach in the headlines … was attributed to their third-party software vendor, called SolarWinds, specifically their Orion platform software. Malware was distributed along with ordinary Orion software updates, and actively exploited by some malicious party.”[1] It soon became clear that the SolarWinds fiasco was widespread and that some of the main targets were government agencies as well as major corporations. According to Bloomberg reporters, “The hackers installed what is known as a backdoor in widely used software from Texas-based SolarWinds Corp., whose customers include myriad government agencies and Fortune 500 companies. That malicious backdoor, which was installed by some 18,000 SolarWinds customers, allowed the hackers access to their computer networks.”[2]

The Bloomberg reporters add, “It was clear from the start that a cyber attack by suspected Russian hackers aimed at several U.S. government agencies was going to be bad. … The reality of just how sprawling — and potentially damaging — the breach might be came into sharper focus. It started with a bulletin from the U.S. Cybersecurity and Infrastructure Security Agency, known as CISA, warning that the hackers were sophisticated, patient and well-resourced, representing a ‘grave risk’ to federal, state and local governments as well as critical infrastructure and the private sector.” Erica D. Borghard (@eborghard), a senior fellow with the New American Engagement Center at the Scowcroft Center for Strategy and Security at the Atlantic Council, added, “The compromise of the IT company, SolarWinds, and the breaches of multiple U.S. government agencies, including the Homeland Security, Treasury, and Commerce departments, could be the most significant cyber breach targeting the U.S. government in recent years. The extensive operation is reportedly the work of APT29 (also known as Cozy Bear), which is linked to Russian foreign intelligence.”[3]

Is your company affected?

If you are sitting easy thinking you’re safe because your organization is not a SolarWinds customer, lawyers from Proskauer warn you might not be as safe as you think. They explain, “Orion may be part of a larger infrastructure implementation or managed service provided by third party service providers. And as a result, even entities that do not have a direct relationship with SolarWinds may need to investigate potential impacts.”[4] The good news — if there is any — is that the hackers appeared to be involved in specific acts of espionage, meaning your company might not have been hacked. The Proskauer lawyers explain, “It is important to note that even though a business may have the malicious code integrated into their network, they may not yet have suffered an actual breach or intrusion. ‘Luckily,’ this actor seems to have taken great pains to remain concealed, and as a result, it appears that the perpetrators had not yet had an opportunity to invoke their ability to invade every impacted network in all potentially impacted cases.” That means there may still be time to act to protect your organization’s data. The Proskauer lawyers offer a nine-point checklist organizations can use in response to the SolarWinds hack.

Colin Zick (@ColinJZick), a lawyer with Foley Hoag LLP, cautions that supply chains are not immune to the SolarWinds hack. He explains, “You need to understand what ‘supply chain risk management’ is and why it is important. Supply chain risk management (SCRM) is the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains. Such as software like SolarWinds Orion. … Now more than ever, your company needs to know where your data is, where and when it is moving, where and when it is stored, how it is used, and who has access to it. You have to assume you will be hacked and have a plan that enables your company to survive that hack.”[5] He adds, “Unrelated to this hack but not to be lost, is a reminder that this time of year is the time when phishing attempts are at their peak. Be on alert personally, and remind personnel that they should treat all unexpected or unfamiliar emails with suspicion.”
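The Proskauer point above (exposure can arrive through a managed service provider that runs Orion on your behalf) and Zick’s SCRM point (know what you depend on) both come down to the same question: which of our services reach a compromised component, directly or transitively? The following Python script is an added example, not code from the original post or from any of the quoted firms. The inventory it walks is constructed for illustration; every name in it is hypothetical except “SolarWinds Orion”, the product named in the post.

```python
"""Transitive supply-chain exposure check (added example, not from the post).

Given an inventory of what each internal service, vendor or managed service
provider depends on, list every entry that reaches a compromised component,
even when the only link is through a third party. The dependency chain is
returned with each hit so a reviewer can see why it is exposed.
"""
from collections import deque

# Constructed inventory: each key depends directly on the items in its list.
# Names are hypothetical except "SolarWinds Orion" (named in the post).
INVENTORY = {
    "payroll-app": ["hr-saas-provider"],
    "hr-saas-provider": ["managed-monitoring-msp"],
    "managed-monitoring-msp": ["SolarWinds Orion"],   # MSP runs Orion for its clients
    "network-ops": ["SolarWinds Orion", "postgres"],  # direct customer
    "internal-wiki": ["postgres"],
    "postgres": [],
    "SolarWinds Orion": [],
}


def reverse_edges(inventory):
    """Map each component to the entries that depend on it directly.

    Components that appear only as a dependency (never as a key) are added
    so that lookups never fail on an incomplete inventory.
    """
    dependents = {name: [] for name in inventory}
    for name, deps in inventory.items():
        for dep in deps:
            dependents.setdefault(dep, []).append(name)
    return dependents


def exposure_paths(inventory, compromised):
    """Return {dependent: chain} for every entry that transitively reaches
    `compromised`. `chain` runs from the dependent down to the compromised
    component. Uses BFS over reverse edges, so each chain is a shortest one,
    and a visited set keeps cyclic inventories from looping forever.
    """
    dependents = reverse_edges(inventory)
    paths = {}
    seen = {compromised}
    queue = deque([(compromised, [compromised])])
    while queue:
        node, chain = queue.popleft()
        for up in dependents.get(node, []):
            if up in seen:
                continue
            seen.add(up)
            full = [up] + chain
            paths[up] = full
            queue.append((up, full))
    return paths


def unaffected(inventory, compromised):
    """Entries with no path to `compromised` (the component itself excluded)."""
    exposed = exposure_paths(inventory, compromised)
    return sorted(n for n in inventory if n != compromised and n not in exposed)


if __name__ == "__main__":
    hits = exposure_paths(INVENTORY, "SolarWinds Orion")
    for name in sorted(hits):
        hops = len(hits[name]) - 1
        print(f"{name}: {' -> '.join(hits[name])}  ({hops} hop{'s' if hops != 1 else ''})")
    print("not exposed:", ", ".join(unaffected(INVENTORY, "SolarWinds Orion")))
```

The chain length is the practical output: a one-hop hit is a direct customer that should follow the vendor guidance immediately, while a three-hop hit such as the payroll application is the case the Proskauer lawyers describe, an entity with no SolarWinds relationship of its own whose exposure exists only because a provider further down the chain runs the product.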

If your company has been affected, Alan Hendricks, a Senior Director at DMI, offers some sage advice. He states, “Any organization that uses the SolarWinds product must immediately take steps to resolve the core vulnerability by taking the tool offline and implementing the vendor patch. Additionally, organizations must conduct forensic analysis to determine the level of infiltration, data exfiltration, affected devices, and compromised systems.”[6] He adds, “Once these immediate steps have been taken, organizations must develop a long-term strategy to prevent future occurrences. Considerations include, but are not limited to, ensuring the network is segmented in such a manner that restricts movement between systems; vetting their product and service vendors to ensure they meet or exceed cybersecurity controls and operational standards; implementing data loss prevention capabilities; reviewing and updating security policies and procedures; and ensuring incident response, continuity of operations, and disaster recovery plans are developed, tested, and implemented.”

Concluding thoughts

Journalist Lucian Constantin (@lconstantin) writes, “The [SolarWinds] incident highlights the severe impact software supply chain attacks can have and the unfortunate fact that most organizations are woefully unprepared to prevent and detect such threats.”[7] Even organizations with strong cyber defenses find that keeping pace with nefarious actors is challenging. Constantin notes, “Software supply-chain attacks are not a new development and security experts have been warning for many years that they are some of the hardest types of threats to prevent because they take advantage of trust relationships between vendors and customers and machine-to-machine communication channels, such as software update mechanisms that are inherently trusted by users.” Hackers are relentless. As a result, Borghard concludes, “As the SolarWinds incident illustrates, cultivating the security and resilience of the ICT supply chain is an enduring and vexing challenge — one that will have strategic and economic implications for decades to come.”

Footnotes
[1] Dan Petro, “What We Know (And Don’t) About The SolarWinds Orion Hack So Far,” Bishop Fox Labs, 15 December 2020.
[2] Michael Riley, Kartikay Mehrotra, and William Turton, “Russia-Linked SolarWinds Hack Snags Widening List of Victims,” Bloomberg, 17 December 2020.
[3] Erica D. Borghard, “The SolarWinds Compromise and the Strategic Challenge of the Information and Communications Technology Supply Chain,” Council on Foreign Relations, 22 December 2020.
[4] Jeffrey D. Neuburger, Ryan Blaney, Margaret A. Dale, and Nolan M. Goldberg, “How to Respond to the SolarWinds ‘Orion’ Supply Chain Attack,” The National Law Review, 21 December 2020.
[5] Colin Zick, “The SolarWinds Orion Hack: The Basics You Need to Know,” JDSupra, 21 December 2020.
[6] Tina Geiger, “SolarWinds Breach: Supply Chain Attack Means Security Departments Need More Resources to Manage Risk,” The Ritz Herald, 22 December 2020.
[7] Lucian Constantin, “SolarWinds attack explained: And why it was so hard to detect,” CSO, 15 December 2020.