securitylinkindia

SolarWinds Cyber Hacking

Iqbal Singh
Technology Expert & Senior Corporate Executive in a European MNC
E: iqchucks@gmail.com

The recent SolarWinds cyber hacking is deemed by many cyber security experts to be the biggest security breach ever in the history of cyber hacking. The attack was audacious, sophisticated, meticulous and stealthily executed, and the range of targets is said to be staggering: Fortune 500 companies, and US Federal and State Departments including Defense, State, Treasury, US Cyber Command and the National Nuclear Security Administration (NNSA). The attack has shaken up the establishments and the corporate world across the globe. Such was the importance attached to the matter that US President Joe Biden allocated US$ 9 billion to improve cyber security infrastructure on Day 1 of taking office.

The full impact of the attack and its causes are still being ascertained as I write this. Because it is an extremely complex attack, a lot is spoken, written and talked about it, yet most people are not very clear about what exactly happened, how it happened, and what preventive measures one should take in the future. In this article I shall attempt to demystify the attack in as simple a manner as possible, bereft of technical jargon and easy to understand even for a non-technical layman. I must also insert here a disclaimer that the article is based on the current understanding of the issue as per the information available in the public domain; things can change as more unknown details unravel.

SolarWinds

SolarWinds is a company that makes IT monitoring and management software solutions. It counts 425 of the Fortune 500 companies and several key US Federal and State agencies amongst its customers. It has over 33,000 customers globally. One of its products, Orion, had been infected, and that software was installed by around 18,000 of its customers. I feel that to give the readers an idea of the attack it would be best to begin with how the attack came to light.
While the readers may not understand all the jargon, I request them to hold on for a few moments, as I will explain it later in the article.

The chronology of events as they were revealed to the world

08-Dec-2020
FireEye suffers attack: Hackers broke into FireEye's network and stole the company's red team penetration testing tools. (A red team is the offensive side of security. Red teams think like the attacker: they imitate real-world attacks and mimic adversary techniques and methods, uncover vulnerabilities in an organization's infrastructure, launch exploits, and report on their findings.) From that point of view the theft of these tools is pretty significant and serious. In simple terms, the tools fell into the hands of the bad guys, the very guys against whom they were meant to protect.

11-Dec-2020
FireEye discovers SolarWinds was attacked: FireEye discovered that SolarWinds Orion updates had been corrupted and weaponized by hackers.

12-Dec-2020
FireEye alerts SolarWinds CEO: Orion contained a vulnerability as the result of a cyberattack.
Emergency NSC White House meeting: The National Security Council held a meeting at the White House on Saturday to discuss a breach of multiple government agencies and businesses.

13-Dec-2020
CISA emergency directive: The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01, ordering federal agencies to power down SolarWinds Orion because of a substantial security threat.
SolarWinds security advisory: SolarWinds issued a security advisory outlining the Orion platform hack and associated defensive measures.
FireEye disclosure: FireEye said an attacker had leveraged the SolarWinds supply chain to compromise multiple global victims.
Microsoft guidance: Microsoft offered guidance regarding the attacks.
Media coverage: Hackers believed to be working for Russia had been monitoring internal email traffic at the U.S. Treasury and Commerce departments.
14-Dec-2020
SolarWinds disclosed the breach in an SEC filing.
SolarWinds stock falls: Shares fell by about $20.

15-Dec-2020
SolarWinds released a software fix.
Investigation request: A bipartisan group of six senators wanted the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) to submit a report to Congress about the impact of the SolarWinds cyber attack on agencies.

17-Dec-2020
US CERT alert issued.
IT service providers targeted: Microsoft discovered that more than 40 of its customers were targeted. Five IT solutions providers and consulting firms, Deloitte, Digital Sense, ITPS, Netdecisions and Stratus Networks, were breached.
U.S. nuclear agency targeted: Hackers accessed systems at the National Nuclear Security Administration, which maintains the U.S. nuclear weapons stockpile.
Microsoft: Impacted by malware.
United States cybersecurity policy: President-elect Joe Biden vowed to elevate cybersecurity as an 'imperative' when he took office and said he would not 'stand idly by' in the face of cyber attack.

What is different this time?

Cyber attacks are not new. Usually there is a vulnerability that allows threat actors to get into the network. What is unique about this case is that the initial vulnerability was in the vendor's software, so it is now often referred to as a supply chain hack because the vulnerability was embedded as code. Other differences are:

SolarWinds' security products impacted. 18 known products and 18,000 customers were delivered with the malicious code.
Federal agencies. The exposure of federal agencies was a matter of grave concern. While targeting government agencies, the attackers focused on accessing their emails.
FireEye red team tools. Sophisticated tools from FireEye got into the nefarious actors' hands.
Post breach into the target network. The attackers settled in, sat there for a while, scanned the network, moved laterally in that environment and hunted for privileged access.
Orion software build and code signing infrastructure was compromised. The source code of the affected library was directly modified to include malicious back-door code, which was compiled, signed and delivered through the existing software patch release management system.
Attackers were very patient. They waited for a prolonged duration to extract the data and then covered their tracks.
Intelligence gathering. The SolarWinds operation is an intelligence gathering effort, rather than an operation looking to destroy or cause mayhem among US IT infrastructure.
SolarWinds customers. Look like the who's who of the…
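The build-and-sign compromise described above is why a valid vendor signature could not flag the malicious Orion update: the signing step signs whatever the build server produces. The following Python is an added illustration, not code from this article or from SolarWinds. It assumes a deterministic stand-in "compiler" and an HMAC stand-in for the vendor's code signature, with constructed source snippets; it shows the signature check passing for the tampered build while an independent rebuild from the reviewed source does not match.

```python
"""Added example: a valid signature cannot catch a build-time insertion,
but rebuilding from the reviewed source and comparing hashes can.
Assumptions: build() is a deterministic stand-in for a compiler and the
vendor signature is modelled with HMAC-SHA256 (real pipelines use
asymmetric code-signing certificates; the logic is the same)."""
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample: the source as reviewed and committed in the repository.
REVIEWED_SOURCE = b"def refresh_inventory():\n    return poll_devices()\n"
# Constructed sample: what the compromised build server actually compiled,
# i.e. the reviewed file with an extra call inserted only during the build.
TAMPERED_SOURCE = REVIEWED_SOURCE + b"    unreviewed_call()\n"
VENDOR_SIGNING_KEY = b"placeholder-vendor-key"  # constructed, not a real key

def build(source: bytes) -> bytes:
    """Stand-in compiler: identical input always gives identical output."""
    return hashlib.sha256(b"orion-build:" + source).digest()

def sign(artifact: bytes, key: bytes = VENDOR_SIGNING_KEY) -> bytes:
    """Vendor signing step. It signs whatever the build server hands it,
    so an attacker inside the build never needs the key itself."""
    return hmac.new(key, artifact, hashlib.sha256).digest()

def signature_valid(artifact: bytes, signature: bytes,
                    key: bytes = VENDOR_SIGNING_KEY) -> bool:
    return hmac.compare_digest(sign(artifact, key), signature)

def release(source_on_build_server: bytes) -> Tuple[bytes, bytes]:
    """The vendor's release pipeline: build, then sign the result."""
    artifact = build(source_on_build_server)
    return artifact, sign(artifact)

def customer_checks(artifact: bytes, signature: bytes,
                    reviewed_source: bytes) -> Dict[str, bool]:
    """signature_ok is what update installers normally verify; reproducible
    rebuilds from the reviewed source and compares the result, which is the
    check that exposes code inserted on the build server."""
    return {
        "signature_ok": signature_valid(artifact, signature),
        "reproducible": hmac.compare_digest(build(reviewed_source), artifact),
    }

if __name__ == "__main__":
    for label, src in (("clean release", REVIEWED_SOURCE), ("compromised build", TAMPERED_SOURCE)):
        art, sig = release(src)
        print(label, customer_checks(art, sig, REVIEWED_SOURCE))
```

The compromised build reports signature_ok True and reproducible False, which is the gap a reproducible-build or second-party rebuild comparison closes.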
