SolarWinds Orion: Major Supply Chain Infiltration of 2020

Austin, Texas-based SolarWinds is at the forefront of one of the largest hacking operations in U.S. history. But until recently, few, if any, had heard of the company.  So, what exactly does SolarWinds do?

SolarWinds is a networking software company that helps other companies manage their entire IT portfolios.   “SolarWinds’ Orion product provides centralized monitoring across an organization’s entire IT stack. SolarWinds is one of the most widely used and effective tools for network monitoring, including across federal networks and major corporations,” said Jamie Barnett, a retired Navy rear admiral and senior vice president at the cybersecurity firm RigNet.

What happened?

By piggybacking on otherwise trusted software updates, the attackers cleverly took advantage of the normal and recommended best practice of keeping software up to date. Thousands of companies and government agencies could thus have been exposed simply for doing the right thing.

That’s what’s so scary: It’s not clear what could have been done differently in this case, because the very process meant to reassure users “this software can be trusted” was itself compromised.

Once inside a target, the attackers waited patiently until they collected enough data on authorized users to impersonate them, allowing the hackers to move through a victim’s network undetected for months, according to an analysis by the cybersecurity firm CrowdStrike.

The degree of access the hackers enjoyed, as well as the length of time they were able to collect information, may wind up making this “a much worse cyberattack than the Office of Personnel Management breach” disclosed by the U.S. government in 2015, said Barnett. That breach, attributed to Chinese-linked hackers, resulted in the theft of vast troves of personal data on millions of federal employees and security clearance applicants.

The rising frequency and intensity of state-sponsored hacking has some security cybersecurity leaders reiterating calls for a global treaty on cyberwarfare.

To understand this attack metaphorically, picture a soda company’s product line that has been poisoned.  The poisoning is not by someone within the company, however, who has planted the poison after you have opened it. Instead, the poisoner plants the ingredients that soda company uses at the factory.  In other words, the attacker knew the soda company would use ingredients shipped from a known supplier, and planted poison in the ingredients going to the factory. The attack against the SolarWinds Orion tool happened much the same way. 

This type of supply chain attack is particularly nefarious because it results in loss of sensitive customer information, disruption of the manufacturing process, and could damage a company’s reputation.  Additionally, companies face incredibly expensive loss of revenue when they take operations down to resolve the issue.

So, what should organizations do after an attack of this magnitude?

In the short term, any organization that uses the SolarWinds product must immediately take steps to resolve the core vulnerability by taking the tool offline and implementing the vendor patch. Additionally, organizations must conduct forensic analysis to determine the level of infiltration, data exfiltration, affected devices and systems compromised. 

In the long term, organizations must develop the long-term strategy necessary to prevent future occurrences. Considerations include, but are not limited to,  ensuring the network is segmented in such a manner the restricts movement between systems; vetting their product and service vendors to ensure they meet or exceed cybersecurity controls and operational standards; implementing data loss prevention capabilities; reviewing and updating security policies and procedures; and ensuring incident response, continuity of operations, and disaster recovery plans are developed tested, and implemented.

It is critical organizations utilize threat intelligence tools and processes to help identify supply chain compromises to identify potential threats and vulnerabilities, and plan for appropriate mitigation measures to prevent similar attacks. In layman’s terms, security departments must have personnel, processes, and tools necessary to manage the risk associated with using third party vendors. Supply chain risk assessments are critical to ensure vendors are performing due diligence and implementing industry best practices for security standards and controls.

When developing incident response plans, organizations must engage their suppliers.  Both parties need to have plans to notify the other if their network, systems, or data have been compromised or a compromise is suspected. Organizations must review and monitor vendor access and review system logs on a regular basis.  This includes change management controls that regulate updates and other modifications that go into production.

Organizations should also implement reliable backup measures to ensure data is available for recovery operations and the backup systems themselves are not at risk of compromise.  These measures should include real-time notification and resolution of backup failures and regular testing of backup restoration.

DMI can help

Many organizations do not have the skilled expertise, tools or other resources necessary to accomplish this on their own. DMI can help. DMI has helped dozens of commercial and federal clients gain and maintain real-time understanding of their current security posture, design and implement end-to-end cybersecurity, and quickly recover from major security incidents.