
The Impacts of SolarWinds in 2023

Written by Waits Sharpe | Jul 19, 2023 5:58:40 PM

The Largest Supply Chain Attack

Several years ago the world was hit with multiple global events that changed how we work, live, and communicate with others. The COVID-19 pandemic isolated individuals and forced many companies into a work-from-home environment. Students had to vacate their college dorms and classrooms to take classes over Zoom, and all the while cyber criminals were finding new ways to target and breach organizations struggling to keep up with the overwhelming changes occurring all at once. Finally, to end 2020 with a bang, a state-sponsored cyber crime group carried out the biggest cybersecurity breach of the 21st century.

The SolarWinds hack affected thousands of organizations and multiple U.S. government agencies, making it one of the biggest cybersecurity breaches ever seen. Despite this attack happening three years ago, we are still seeing the impacts of SolarWinds on the information technology and cybersecurity field today.

It is important for businesses to look back at what SolarWinds was, how it happened, and why it was able to happen in order to learn how to better protect both our organizations and the ones we serve.

What is SolarWinds?

SolarWinds is a software company that sells services to monitor, log, and examine an organization's network. A product of this kind, known as a Network Management System (NMS), tracks and monitors the performance of a business's IT infrastructure so that companies have greater visibility into what is happening on their network. One of SolarWinds' products, SolarWinds Orion, is an IT performance monitoring system that has privileged access to all sorts of company data. Orion is software used by over 30,000 companies to monitor and improve their IT performance, making SolarWinds a prime and lucrative target for bad actors.

The SolarWinds Attack

The SolarWinds hack is now the greatest example we have of what a "supply chain attack" looks like. A supply chain attack occurs when attackers target a third-party vendor rather than the organization itself. The hope is that if the attackers can breach the supplier, they can create a foothold into their primary target or steal sensitive data. This is exactly what happened with SolarWinds.

As previously mentioned, SolarWinds Orion software is used by over 30,000 companies around the world. The SolarWinds hackers (tracked as Nobelium by Microsoft) were able to infiltrate SolarWinds and inject malicious code into the Orion software. The malicious code used in the attack was dubbed "Sunburst," a name often used synonymously with the SolarWinds hack. Once the malicious version of Orion was pushed out to customers, Nobelium was able to create a backdoor into the victims' organizations. However, the attack didn't stop at SolarWinds customers. Due to the nature of the supply chain attack, Nobelium was able to infiltrate the customers of organizations that worked with SolarWinds.

It is believed that the group behind the SolarWinds attack was affiliated with Russia's Foreign Intelligence Service and was therefore sponsored and directed by the nation to conduct the attack. It is important to understand that state-sponsored attacks are no joke. Oftentimes, these attacks are sophisticated, well funded, and extremely hard to combat. The SolarWinds attack went far beyond a low-level script kiddie or an ethical hacker looking to expose a vulnerability.

Timeline of the Attack

One of the most dangerous aspects of the SolarWinds hack was how drawn out it was. Below is a timeline of the events leading up to the detection of Sunburst in Orion's updates.

We know that the attackers were able to infiltrate SolarWinds as early as September 2019. From there they began smuggling in their malicious code and testing it against Orion. This process lasted around five months before Sunburst was officially injected into Orion. On March 26, 2020, SolarWinds pushed out the Orion update containing the malicious Sunburst code to customers. For the next nine months SolarWinds unknowingly pushed out compromised updates to its customers before being notified by FireEye, a cybersecurity company that had itself been impacted by the attack.

The attackers had over a year to infiltrate SolarWinds, gather information, and exploit their victims. The term "dwell time" refers to the time between when an attacker gains access to an organization and when they are discovered. The longer the dwell time, the longer bad actors have to learn about the organization's security posture and find ways to exploit it.


Consequences for SolarWinds - Then and Now

Cyber attacks often bring about large-scale consequences, and SolarWinds was no different. SolarWinds estimated that in the first three months of 2021 alone, investigating and remediating the incident cost the company $18-19 million. This number only reflects what SolarWinds spent to secure its own company and doesn't include the countless private organizations that were impacted by the hack. The attack was estimated to cost $90,000,000 in insured losses for companies with cyber insurance policies.

Financial losses aren't the only consequence that companies face when hit by a cyber attack of this magnitude. The reputational loss that these businesses incur can have long-standing repercussions for how consumers view that organization's security posture. No client wants to work with a business they aren't sure can be trusted with the privileged data they exchange.

Additionally, companies may be held legally responsible for a data breach if it is found that they were negligent in their security practices. In SolarWinds' case, several current and former employees of the company, including the company's chief information security officer (CISO), were targeted by the U.S. Securities and Exchange Commission (SEC) in June of 2023. The CEO of SolarWinds revealed to employees that the SEC had sent "Wells notices" informing them that the SEC had set its sights on the company. While these notices don't bring any official charges, they are a warning that an investigation may be warranted. With the data protection laws we have in place today, it is more important than ever for companies to take the necessary steps to protect their clients from bad actors. Failure to do so may result in financial, reputational, and in many cases legal repercussions.

What Can You Do?

How does your business avoid ending up in the same situation as SolarWinds? For SMBs, the tactics that these advanced threat actors use are often extremely effective. This is because SMBs are often under-resourced, understaffed, and underfunded when it comes to defending against nation-state attackers. This means that these businesses must be that much more intentional about how they secure their business. For starters, every organization should invest in cybersecurity insurance. The financial cost of a single ransomware attack can kill a business. Cyber insurance provides financial support for businesses in the event of a ransomware attack or other data breach.

It is also important that businesses not neglect the small, practical tools for securing their network. Requiring your employees to practice good password hygiene by crafting login credentials that are unique, impersonal, and complex can drastically reduce the chances of your applications being exploited. Implementing multi-factor authentication is also a critical practice for securing your tools against malicious actors. You should also ensure that every employee undergoes security awareness training so that they are prepared in the event of a social engineering attempt. Social engineering tactics like spear phishing make up 91% of data breaches, making them your biggest security threat.

Finally, a managed service provider (MSP) like CorpInfoTech can ensure that your business is getting the necessary tools to combat the most advanced cyber threats in the wild. CorpInfoTech offers fully or co-managed IT and security services that protect and monitor the sensitive data your organization relies on. If you want to take the next step in your cybersecurity journey, contact us today!

CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.