
Get The Scoop on the SolarWinds Breach

Dec. 16, 2020
Security expert Karim Hijazi shares his insights into the latest cyber breach.

Another week, another major attack. In a year in which the pandemic has rightfully taken center stage, the many security breaches are also providing defining moments of their own.

Karim Hijazi, founder and CEO of Prevailion, offers his insights to help make sense of the most recent breach. Prevailion specializes in infiltrating hacker networks in order to monitor their activities in real time. Put simply, the company sees these attacks from the hacker's point of view, which allows it to identify attacks in their early stages.

Why is the SolarWinds breach such a big deal?

Hijazi: This is an incredibly scary breach because of the ubiquity of SolarWinds’ products and the “God mode” level access that it gave to the attackers. People really need to understand that this is not just another breach. This is almost unprecedented. It’s vastly more significant than the OPM breach by the Chinese government from a few years ago.

In this case, the attackers, which many believe to be the Russian government, were able to gain access into top federal agencies and major corporations for several months without being detected. That alone would be bad enough, but because they came in through an IT monitoring platform, they had a dangerous amount of access to all of those compromised systems. The cumulative damage from this hack is almost unfathomable. It will take many months, if not years, before we understand the full scope of this attack and the damage it caused - and it’s very likely we will never know the full story.

How did this breach happen?

Hijazi: This was a classic “supply chain attack,” in which the attacker finds a key vendor in the supply chain, compromises it and then stages an attack across all of its customers at the same time. In this case, the vendor was SolarWinds, whose products are ubiquitous among the US government and major corporations. 

Once the hackers compromised SolarWinds, they were able to install malicious code into the update process it uses for its Orion Platform. This update was then pushed to approximately 18,000 users, where the malware successfully installed a backdoor. This backdoor could then be leveraged by the attackers to import new malware and secondary backdoors to exploit those victim environments. 
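The mechanism Hijazi describes, malicious code inserted at the vendor's own build or update step and then shipped to every customer, is the reason a vendor signature on its own is not a sufficient integrity check. The following Python example is added here for illustration and is not code from the article, from Prevailion, or from SolarWinds. It models a defender-side update check with two layers: the vendor's signature (an HMAC-SHA256 stand-in, since a real code-signing certificate chain is out of scope) and agreement between the shipped package's SHA-256 and digests from independent rebuilds of the same release from source (reproducible builds). The release bytes, the injected payload, the signing key and the assumption that a compromised pipeline still produces a validly signed artifact are all constructed for the example.

```python
"""
Update-integrity check that does not trust the vendor's build pipeline alone.

Layer 1: vendor signature over the update package (HMAC-SHA256 stand-in).
Layer 2: the shipped package's SHA-256 must agree with digests produced by
         independent rebuilds of the same release from source.

A package that passes layer 1 but fails layer 2 is the tell-tale of a
compromise inside the vendor's own build or update process: the vendor's
key has signed something the published source code does not produce.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import List

# Constructed sample release: the bytes a clean build of the source produces.
SOURCE_RELEASE_1 = b"orion-platform-build: clean release artifact v1\n"
# Constructed backdoor payload appended by a compromised build step.
INJECTED_PAYLOAD = b"-- injected: beacon to attacker-controlled server --\n"
# Constructed vendor signing key (stand-in for the vendor's code-signing key).
VENDOR_KEY = b"vendor-code-signing-key-demo"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def vendor_sign(package: bytes, key: bytes = VENDOR_KEY) -> str:
    """Vendor-side signature stand-in. A compromised pipeline still holds this key,
    so the signature is valid even when the package carries injected code."""
    return hmac.new(key, package, hashlib.sha256).hexdigest()


def verify_vendor_signature(package: bytes, signature: str,
                            key: bytes = VENDOR_KEY) -> bool:
    return hmac.compare_digest(vendor_sign(package, key), signature)


def independent_rebuild(source_artifact: bytes) -> str:
    """Digest an outside party (or the customer) obtains by rebuilding from source.
    Constructed simplification: a deterministic build yields the source artifact itself."""
    return sha256_hex(source_artifact)


def compromised_pipeline_build(source_artifact: bytes) -> bytes:
    """Models the attack described in the interview: malicious code is added
    during the vendor's build/update step, after the source was written."""
    return source_artifact + INJECTED_PAYLOAD


@dataclass
class Verdict:
    signature_valid: bool
    reproducible: bool
    accept: bool
    reason: str


def check_update(package: bytes, signature: str, independent_digests: List[str],
                 min_agreeing: int = 2) -> Verdict:
    """Accept the update only if the vendor signature verifies AND at least
    `min_agreeing` independent rebuild digests match the shipped package."""
    if not verify_vendor_signature(package, signature):
        return Verdict(False, False, False, "vendor signature invalid")
    digest = sha256_hex(package)
    agreeing = sum(1 for d in independent_digests if hmac.compare_digest(d, digest))
    if agreeing < min_agreeing:
        return Verdict(True, False, False,
                       f"signed by vendor but only {agreeing}/{len(independent_digests)} "
                       "independent rebuilds match: possible compromise of the vendor's "
                       "build or update process")
    return Verdict(True, True, True, "vendor signature valid and independent rebuilds agree")


if __name__ == "__main__":
    rebuilds = [independent_rebuild(SOURCE_RELEASE_1) for _ in range(2)]
    clean = SOURCE_RELEASE_1
    print(check_update(clean, vendor_sign(clean), rebuilds))
    tampered = compromised_pipeline_build(SOURCE_RELEASE_1)
    # Validly signed, yet rejected because no independent rebuild produces it.
    print(check_update(tampered, vendor_sign(tampered), rebuilds))
```

The design point is that the second layer moves trust away from the single party whose pipeline was compromised: the signature proves the vendor released the package, while the rebuild digests prove the package is what the source code actually builds. In practice the independent digests would come from reproducible-build infrastructure or from multiple rebuilders, not from the vendor's own download page.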

Who was actually hacked?

Hijazi: The malicious update was sent to 18,000 customers, according to SolarWinds’ SEC filing. The company, and some security experts, are arguing, however, that only a fraction of those who received the malware were actually “hacked” because it required “manual, intelligent” control to take advantage of the compromised systems. This implies the hackers could not have automated the attack, beyond the initial deployment of the backdoor.

However, I disagree with this assessment. Any organization that received that update was effectively compromised. It would have been very easy for the attackers to push other malicious code through that backdoor - such as other backdoors and implants - that could gain access and then go dormant, waiting to be activated in the future. I have seen this done by other hacking groups in the past, so it is not at all a stretch to say that every Orion user who received that update is potentially at risk.

Based on the information SolarWinds shared prior to the hack, we know that their customers include most of the Fortune 500, all five branches of the US military and numerous other federal agencies including DHS, Treasury, Commerce and State.

What is the damage potential of this hack?

Hijazi: The short answer is, we have no idea. Consider this: a foreign adversary had almost unmitigated access to the IT systems of the entire US military, most of the federal government and most of the Fortune 500. At a minimum, they could have stolen vast amounts of data from all of these organizations, ranging from military and defense secrets, to corporate IP. Because it took so long before the breach was detected, the hackers also had plenty of time to map out these networks for future attacks, install secondary malware and backdoors that they could call upon later and steal credentials for additional exploitation. This was like leaving the backdoor wide open for five or six months. There is simply no telling how bad the damage from this will be.

How common are “supply chain” attacks?

Hijazi: The SolarWinds breach is certainly not the first supply chain attack we have seen, but it is definitely the most significant. There is no question that in the next few years, more big supply chain attacks like this will take place. It’s simply inevitable. Most large corporations rely on the same companies for their IT infrastructure and security needs. This creates a tempting target for hackers, particularly the nation-state groups which have advanced tools and tactics to carry out sophisticated attacks. This type of attack poses a threat to every major industry.

Supply chain attacks are far more dangerous than traditional breaches because they come in through trusted third parties (which often have high levels of access and may skirt traditional security and monitoring programs) and because they are so difficult to detect. It is very difficult for a company to fully audit its supply chain partners, or to ensure they are taking the proper security measures to protect their assets and those of their partners. This creates a very complicated security situation, which is what sophisticated hackers will exploit. Supply chain attacks were already a major area of concern for the security industry, but in the aftermath of the SolarWinds breach, we will see many more copycat attacks that follow this strategy.
