
SolarWinds Hack Explained: Key Insights and Learnings

The SolarWinds hack, one of the most significant cybersecurity breaches of the 21st century, was a devastating supply chain attack that impacted thousands of organizations worldwide, including government agencies and private enterprises. Here's a deep dive into the incident, its implications, and what we can learn from it.


Overview of the SolarWinds Hack

What is SolarWinds?
SolarWinds is a major software company based in Tulsa, Oklahoma, providing system management tools for network and infrastructure monitoring. Among its products is the Orion IT monitoring and management system, which had privileged access to IT systems globally, making it an attractive target for hackers.

The Nature of the Attack
The hack involved suspected nation-state hackers, identified by Microsoft as the Nobelium group, who gained access to the networks, systems, and data of thousands of SolarWinds customers by injecting malicious code into the Orion software. The breach compromised not just SolarWinds customers but also extended to the customers and partners of those organizations.


How the SolarWinds Hack Happened

Supply Chain Attack
The attackers used a supply chain attack method, targeting the third-party SolarWinds Orion Platform. By inserting malicious code, known as Sunburst, into the Orion system, they created a backdoor that allowed them to access and impersonate users and accounts within victim organizations. This backdoor blended with legitimate SolarWinds activities, evading detection even by antivirus software.

Technical Details of the Attack
The attack started with a sophisticated initial compromise of SolarWinds' internal systems. Attackers first infiltrated SolarWinds' build environment, where they inserted the Sunburst malware into the Orion Platform's build process. This insertion was done in such a way that it appeared as a legitimate update.

  • Code Injection: The attackers injected the malicious Sunburst code into Orion’s software updates. This malware was then digitally signed by SolarWinds, which gave it the appearance of legitimacy and allowed it to be distributed to thousands of customers.

  • Malware Behavior: Once the infected Orion software was deployed in customer environments, the Sunburst malware would lie dormant for up to two weeks, avoiding immediate detection. After this period, the malware would begin to communicate with the attackers' command-and-control (C2) servers. It did this by mimicking legitimate network traffic, which made it difficult for security tools to detect.

  • Command-and-Control (C2): The C2 servers would then issue commands to the compromised systems, allowing attackers to deploy additional payloads, move laterally within networks, steal data, and establish persistence within the affected systems.
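The code-injection and digital-signing steps above turn on one point: a valid vendor signature proves who signed an artifact, not that the artifact is what the reviewed source produces. The following added example (not code from the page or from SolarWinds) shows the control a defender adds to close that gap, an independent rebuild from the reviewed source compared byte-for-byte against the signed artifact before it is trusted. The compiler and the HMAC-based signing are constructed stand-ins so the script runs offline; real pipelines use a toolchain and an asymmetric code-signing key.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a vendor code-signing key. Real releases use an
# asymmetric signature; HMAC is used here only so the example runs offline.
SIGNING_KEY = b"constructed-release-signing-key"


def compile_release(source: bytes) -> bytes:
    """Deterministic stand-in for a compiler: same source always yields the same artifact."""
    return b"BUILD-STUB\x00" + hashlib.sha256(source).digest() + source


def sign_artifact(artifact: bytes) -> str:
    """Sign whatever the build host hands over; a signature proves origin, not build integrity."""
    return hmac.new(SIGNING_KEY, artifact, "sha256").hexdigest()


def signature_valid(artifact: bytes, signature: str) -> bool:
    return hmac.compare_digest(sign_artifact(artifact), signature)


def compromised_build(source: bytes) -> bytes:
    """Models a build host that appends a stage at compile time; the source repository is untouched."""
    return compile_release(source) + b"<stage inserted on build host>"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_release(artifact: bytes, signature: str, source: bytes) -> dict:
    """Accept a release only if the signature checks out AND an independent rebuild
    from the reviewed source produces a byte-identical artifact."""
    rebuilt = compile_release(source)
    result = {
        "signature_valid": signature_valid(artifact, signature),
        "artifact_sha256": sha256_hex(artifact),
        "rebuild_sha256": sha256_hex(rebuilt),
    }
    result["matches_independent_rebuild"] = result["artifact_sha256"] == result["rebuild_sha256"]
    result["trusted"] = result["signature_valid"] and result["matches_independent_rebuild"]
    return result


def demo() -> dict:
    source = b"print('monitoring agent v1')\n"  # constructed source snapshot
    clean = compile_release(source)
    tampered = compromised_build(source)
    # Both artifacts are signed with the genuine key, which is what happens when
    # the pipeline signs whatever a compromised build host produces.
    return {
        "clean": verify_release(clean, sign_artifact(clean), source),
        "tampered": verify_release(tampered, sign_artifact(tampered), source),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The tampered artifact passes the signature check and fails the rebuild comparison, which is exactly the case a signature alone cannot catch. The rebuild only carries weight if it runs on infrastructure separate from the vendor's primary build host, since the same compromise would otherwise taint both copies.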


Timeline of the Attack

  • September 2019: Threat actors gained unauthorized access to SolarWinds' network.
  • October 2019: Initial code injection into Orion was tested.
  • February 2020: Malicious code Sunburst was injected into Orion.
  • March 2020: SolarWinds unknowingly started sending out Orion software updates containing the malicious code.

Who Was Affected?

The malware affected many companies and organizations. Government departments such as Homeland Security, State, Commerce, and Treasury were impacted, with evidence of missing emails from their systems. Private companies like FireEye, Microsoft, Intel, Cisco, and Deloitte were also affected by the attack.

The breach was first detected by cybersecurity company FireEye, which confirmed the infection when they saw the malware in customer systems. FireEye labeled the SolarWinds hack "UNC2452" and identified the backdoor used to gain access as "Sunburst."

Microsoft found signs of the malware in its systems, affecting its customers as well. Reports indicated Microsoft's systems were used to further the hacking attack, though Microsoft denied this claim. Later, Microsoft worked with FireEye and GoDaddy to block and isolate versions of Orion known to contain the malware, effectively cutting off hackers from customers' systems.


Why Did It Take So Long to Detect the SolarWinds Attack?

Attackers first gained access to SolarWinds systems in September 2019, but the attack wasn't publicly discovered until December 2020. This long period of undetected access gave the attackers ample time to explore and exploit the compromised systems. The delay in detection was largely due to the sophistication of the Sunburst code and the hackers' ability to mimic legitimate network traffic. This allowed them to circumvent threat detection techniques employed by both SolarWinds and other private companies, as well as the federal government.


What Was the Purpose of the Hack?

The purpose of the hack remains largely unknown. Possible motives include access to future product plans, or to employee and customer information that could be held for ransom. The level of access achieved by the hackers appears to be deep and broad, leading to speculation that many enterprises might be collateral damage in an attack primarily targeting government agencies.


Who Was Responsible for the Hack?

Federal investigators and cybersecurity experts believe that a Russian espionage operation, most likely Russia's Foreign Intelligence Service, was behind the SolarWinds attack. The Russian government has denied any involvement, stating that "malicious activities in the information space contradict the principles of the Russian foreign policy."


Technical Insights: How the Hack Was Executed

The SolarWinds attack was executed through a combination of sophisticated techniques:

  • Compromised Build Environment: Attackers gained access to SolarWinds' internal build systems, where they introduced malicious code into the Orion software during its development cycle.

  • Digital Signing: The malicious code was digitally signed by SolarWinds, making it appear legitimate and allowing it to bypass many security measures.

  • Delayed Activation: The malware remained dormant for up to two weeks after installation, helping it avoid immediate detection.

  • Command-and-Control Infrastructure: The malware communicated with attackers' C2 servers, which issued commands to compromised systems, allowing for lateral movement, data exfiltration, and persistence.
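The delayed-activation and C2 bullets above describe traffic that blends with legitimate activity. One heuristic a defender can run over connection logs is interval regularity: a timer-driven implant calls out at nearly constant gaps, while human-driven traffic is bursty. The added example below (not code from the page or from any vendor) parses a constructed connection-log format, computes the coefficient of variation of inter-connection gaps per source and destination pair, and flags pairs below a threshold. The log lines, addresses (documentation ranges) and threshold values are all constructed assumptions. The heuristic makes no claim to catch the actual Sunburst traffic: an implant that randomizes its timing heavily, or hides inside a protocol the organization already uses at volume, will not score as regular, and because the malware on this page stayed dormant for up to two weeks, the analysis window has to span days rather than hours.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Expected line shape (constructed format, not any vendor's):
# 2020-04-15T09:00:00 10.0.0.5 -> 203.0.113.10:443 bytes=512
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<src>\S+) -> "
    r"(?P<dst>[^:\s]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def build_sample_log():
    """Constructed connection log: one host contacting an external address roughly
    hourly with small jitter, one host with ordinary bursty traffic, and one pair
    with too few events to judge either way."""
    lines = []
    start = datetime(2020, 4, 15, 9, 0, 0)
    jitter = [0, 12, -8, 25, -30, 5, 18, -14, 9, -22, 31, -4]  # seconds
    for i, j in enumerate(jitter):
        ts = start + timedelta(hours=i, seconds=j)
        lines.append(f"{ts.isoformat()} 10.0.0.5 -> 203.0.113.10:443 bytes={500 + i}")
    irregular_gaps = [5, 900, 30, 4000, 12, 60, 2500, 7, 300, 45, 1800, 3]
    ts = start
    for g in irregular_gaps:
        ts += timedelta(seconds=g)
        lines.append(f"{ts.isoformat()} 10.0.0.7 -> 198.51.100.20:443 bytes=2048")
    lines.append(f"{start.isoformat()} 10.0.0.9 -> 192.0.2.30:443 bytes=100")
    lines.append("this line is malformed and must be skipped")
    return lines


def parse_log(lines):
    records = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed lines are skipped rather than crashing the job
        records.append((datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["port"])))
    return records


def find_beacons(records, min_events=8, max_cv=0.1):
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.
    The regularity score is stdev / mean of the gaps (coefficient of variation)."""
    by_pair = defaultdict(list)
    for ts, src, dst, _port in records:
        by_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # not enough observations to call the pattern regular
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({"src": src, "dst": dst, "events": len(times),
                             "mean_gap_s": round(mean_gap, 1), "cv": round(cv, 4)})
    return findings


def run_demo():
    return find_beacons(parse_log(build_sample_log()))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Tune `min_events` and `max_cv` against a baseline of the organization's own traffic; monitoring agents and update checkers are themselves timer-driven, so a hit is a lead for analysts to enrich with destination reputation and process context, not a verdict.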


Key Learnings and Future Implications

The SolarWinds hack has highlighted the critical importance of supply chain security. Organizations must be vigilant in monitoring third-party software and implementing robust security measures to detect and mitigate such attacks.

Need for Enhanced Security Measures:
The attack has emphasized the need for enhanced security measures, including continuous monitoring, rigorous code review processes, and improved incident response capabilities.

Importance of a Software Bill of Materials (SBOM):
The incident has also underscored the importance of maintaining a Software Bill of Materials (SBOM), which can help organizations quickly identify and address vulnerabilities within their software supply chains.
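To make the SBOM point concrete, the added example below (not code from the page, not a real product or a real advisory) walks a constructed CycloneDX-shaped SBOM, including nested components, and matches every component against a constructed advisory list using introduced/fixed version ranges. Component names, versions and advisory identifiers are placeholders; the affected ranges are assumptions for illustration, not the Orion versions involved in the incident.

```python
import json
import re

# Constructed, CycloneDX-shaped SBOM. Names and versions are placeholders.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {
      "type": "application",
      "name": "acme-monitoring-platform",
      "version": "2020.2.1",
      "components": [
        {"type": "library", "name": "acme-agent", "version": "1.4.0"},
        {"type": "library", "name": "example-compression", "version": "3.0.1"}
      ]
    },
    {"type": "library", "name": "example-tls", "version": "1.1.1"}
  ]
}
"""

# Constructed advisories: a component is affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "component": "acme-monitoring-platform",
     "introduced": "2019.4.0", "fixed": "2020.2.2"},
    {"id": "ADV-EXAMPLE-0002", "component": "acme-agent",
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-EXAMPLE-0003", "component": "example-tls",
     "introduced": "1.0.0", "fixed": "1.1.0"},
]


def parse_version(text):
    """Turn '2020.2.1' into (2020, 2, 1); non-numeric fragments sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", text))


def walk_components(components, path=()):
    """Yield every component, nested ones included, with the path that brought it in."""
    for comp in components:
        here = path + (comp["name"],)
        yield comp, here
        yield from walk_components(comp.get("components", []), here)


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def find_affected(sbom_text, advisories):
    """Return every (advisory, component) match found anywhere in the SBOM tree."""
    sbom = json.loads(sbom_text)
    by_name = {}
    for adv in advisories:
        by_name.setdefault(adv["component"], []).append(adv)
    hits = []
    for comp, path in walk_components(sbom.get("components", [])):
        for adv in by_name.get(comp["name"], []):
            if is_affected(comp["version"], adv):
                hits.append({"advisory": adv["id"], "component": comp["name"],
                             "version": comp["version"], "path": " > ".join(path)})
    return hits


if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON, ADVISORIES):
        print(hit)
```

The `path` field is what makes the SBOM useful in an incident: it shows that a vulnerable component arrived inside a larger product rather than as a direct dependency, which is the question a response team has to answer first when a vendor update turns out to be the carrier.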


Conclusion

The SolarWinds hack serves as a stark reminder of the vulnerabilities inherent in modern supply chains. The attack's sophistication and scale demand a renewed focus on cybersecurity practices and the implementation of comprehensive measures to safeguard against future threats.