The SolarWinds supply chain attack acted as a wake-up call to the Tech industry and continues to shed light on an increasingly prevalent attack technique. We take a deeper dive into the biggest cyber-attack of 2020, the lessons learned and why the effects of the attack are still being felt three years on.
Supply chain attacks (where malicious hackers compromise the suppliers of their real targets) have been a go-to tactic for attackers for years. Amidst a growing litany of abuse, the so-called SUNBURST attack against IT infrastructure monitoring and management vendor SolarWinds stands out as particularly consequential.
Attackers broke into SolarWinds’ production environment and planted malicious code into SolarWinds’ Orion software. The tainted builds were served to enterprise customers of SolarWinds Orion, including multinationals and government agencies, as routine, digitally signed product updates.
The impact was so substantial because the Orion platform is used to monitor and manage networks and servers at a diverse range of organisations, including various arms of the US government, threat response firm FireEye and software giant Microsoft.
The cyber attack – which may have begun as early as September 2019 but was only detected in December 2020 – was subsequently blamed by Western intelligence agencies on Kremlin-linked Russian hacking group APT29 (AKA Cozy Bear).
APT29 is a Russian state intelligence operation. The US and UK governments formally attributed SUNBURST to Russia’s Foreign Intelligence Service (SVR), although the group has also at times been associated with the Federal Security Service (FSB).
How did attackers get into SolarWinds?
Subsequent computer forensics work revealed that attackers first compromised SolarWinds’ environment in September 2019.
According to a timeline of the attack put together by SolarWinds, the attackers proceeded cautiously. For example, by routing the intrusion through numerous US-based servers and mimicking legitimate network traffic, the attackers stayed under the radar for many months.
The miscreants first injected benign test code as part of a trial run that continued until early November 2019. The SUNBURST code was never committed to the Orion source repository. Instead, an implant on the build servers (named SUNSPOT by CrowdStrike) swapped a backdoored source file in while the Orion build was compiling and restored the original afterwards, so a review of the repository alone would not have revealed it, as explained in a detailed technical blog by security firm CrowdStrike.
Microsoft’s account describes what the attackers did once the backdoor gave them a foothold inside victim networks: with administrative access to a victim’s on-premises Active Directory Federation Services (AD FS) server they stole the SAML (Security Assertion Markup Language) token-signing certificate and used it to forge SAML tokens for privileged users, which cloud services accepted as genuine single sign-on. Because the victim’s AD FS never issued those tokens, the resulting cloud sign-ins had no corresponding on-premises issuance event, which is also the main opportunity for detecting them.
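One way to hunt for that gap, as an added example that is not code from the article, SolarWinds or Microsoft: correlate the cloud provider’s federated sign-in records against AD FS token-issuance events (Event IDs 1200 and 1202 in the AD FS Admin log) and flag every sign-in that no issuance event precedes, plus any captured assertion whose validity window is longer than the farm’s configured token lifetime. The log records, field layout, the five-minute correlation window and the 60-minute lifetime are constructed assumptions for illustration.

```python
"""Hunt for forged ("Golden SAML") tokens by correlating cloud sign-ins
with on-premises AD FS token-issuance events.

Added example, not code from the article, SolarWinds or Microsoft.
Premise: a token signed with a stolen AD FS signing certificate is
accepted by the cloud identity provider, so a federated sign-in record
appears in the cloud, but AD FS itself never issued it, so no AD FS
issuance event (Event ID 1200/1202, AD FS Admin log) exists for that
user around that time. All log records below are constructed.
"""
from datetime import datetime, timedelta

# Constructed AD FS issuance events: (UTC timestamp, user principal name).
ADFS_ISSUANCE = [
    ("2020-12-10T09:00:05Z", "alice@corp.example"),
    ("2020-12-10T09:15:40Z", "bob@corp.example"),
]

# Constructed cloud sign-in records for federated users:
# (UTC timestamp, user principal name, token issuer reported by the cloud).
CLOUD_SIGNINS = [
    ("2020-12-10T09:00:07Z", "alice@corp.example", "AD FS"),
    ("2020-12-10T09:15:41Z", "bob@corp.example", "AD FS"),
    ("2020-12-10T10:02:00Z", "carol@corp.example", "Azure AD"),  # cloud-native account, out of scope
    # Nothing in AD FS backs this one: candidate forged token.
    ("2020-12-10T11:42:13Z", "svc-backup@corp.example", "AD FS"),
]

# Constructed SAML assertion validity windows as parsed from captured
# tokens: (user principal name, NotBefore, NotOnOrAfter).
TOKEN_VALIDITY = [
    ("alice@corp.example", "2020-12-10T09:00:05Z", "2020-12-10T10:00:05Z"),
    ("svc-backup@corp.example", "2020-12-10T11:40:00Z", "2020-12-24T11:40:00Z"),
]


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_unbacked_signins(signins, issuances, window=timedelta(minutes=5)):
    """Return (timestamp, upn) for every AD FS-issued cloud sign-in that has
    no AD FS issuance event for the same user within `window` before it."""
    issued_at = {}
    for ts, upn in issuances:
        issued_at.setdefault(upn.lower(), []).append(parse_ts(ts))

    flagged = []
    for ts, upn, issuer in signins:
        if issuer != "AD FS":
            continue  # tokens not claimed to come from AD FS are out of scope
        t = parse_ts(ts)
        backed = any(t - window <= it <= t for it in issued_at.get(upn.lower(), []))
        if not backed:
            flagged.append((ts, upn))
    return flagged


def find_long_lived_tokens(validity, max_lifetime=timedelta(hours=1)):
    """Return (upn, lifetime_hours) for assertions whose validity exceeds the
    farm's configured token lifetime (assumed here to be the 60-minute default);
    an attacker forging tokens offline is free to choose any window."""
    flagged = []
    for upn, not_before, not_on_or_after in validity:
        lifetime = parse_ts(not_on_or_after) - parse_ts(not_before)
        if lifetime > max_lifetime:
            flagged.append((upn, lifetime.total_seconds() / 3600))
    return flagged


if __name__ == "__main__":
    print("Sign-ins with no AD FS issuance:", find_unbacked_signins(CLOUD_SIGNINS, ADFS_ISSUANCE))
    print("Over-long token lifetimes:", find_long_lived_tokens(TOKEN_VALIDITY))
```

Both checks depend on AD FS auditing being switched on before the incident and on the cloud sign-in logs recording the token issuer; clock skew between the AD FS farm and the cloud tenant is why the correlation uses a window rather than an exact match, and the window should be tuned to the environment rather than copied from this example.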
It was only in February 2020 that the hostile SUNBURST payloads were compiled and deployed as a backdoor in SolarWinds.Orion.Core.BusinessLayer.dll, a legitimately code-signed .NET library bundled with the Orion platform.
Malicious payloads were served up in SolarWinds’ Orion Platform updates to customers starting on or around March 26, 2020.
Having achieved their main objectives, the threat actors began covering their tracks in June 2020 by removing their malware from the build virtual machines.
How did attackers compromise SolarWinds’ environment?
The forensic work also discovered an unrelated insecure FTP server with the password ‘SolarWinds123’. The affected system held no Orion code and was not even part of SolarWinds’ domain, allowing the vendor to discount this admitted security lapse as a vector in the attack. SolarWinds has said it was unable to pin down the precise initial entry point, narrowing the candidates to a zero-day vulnerability in a third-party application, a brute-force attack such as password spraying, or social engineering.
The impact of the SolarWinds attack
SolarWinds investigated and remediated various vulnerabilities in its Orion platform in the months that followed without having a clear picture of what had happened. It was only in December 2020 that it was notified about the attack by incident response firm FireEye, initiating a more comprehensive clean-up and investigation of the attack in collaboration with law enforcement, intelligence agencies and governments.
FireEye picked up the attack after spotting suspicious traffic from its network to what was subsequently identified as a command and control server linked to the SUNBURST attack.
An estimated 18,000 of SolarWinds’ 33,000 Orion customers downloaded the tainted software updates. In May 2021, SolarWinds estimated the actual number of customers hacked through SUNBURST to be “fewer than 100”, drawn from those who had applied a tainted update on internet-facing servers.
The SUNBURST attack carried significant consequences for its victims, including unauthorised access to networks, potential data breaches, and the risk of further exploitation. In the immediate aftermath of the attack, the US Cybersecurity and Infrastructure Security Agency (CISA) put out an emergency directive (Emergency Directive 21-01) urging all “federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately”.
Evidence suggests that the threat actors pursued only a select group of targets for hands-on follow-on activity, with confirmed victims including Microsoft, the US Treasury Department and FireEye.
Lessons learned from the SolarWinds supply chain attack
In response to queries from Evalian, SolarWinds stressed the previously unprecedented nature of the attack as well as the need for other organisations to improve their information sharing and partnerships in order to build their resilience against comparable assaults.
“SUNBURST was a highly sophisticated and unforeseeable attack the United States government has said was carried out by a global superpower using novel techniques in a new type of threat cybersecurity experts had never seen before,” SolarWinds told Evalian. “That is why we have continued to prioritize transparent communication about what we have learned with customers, government agencies, and the industry. We strongly believe increased information-sharing about threats and more robust public-private partnerships are the only way to prevent sophisticated and widespread nation-state attacks such as SUNBURST.”
SolarWinds launched a secure-by-design initiative in the wake of the SUNBURST attack back in 2021, introducing measures such as post-build verification and carrying out software development across three environments with separate user credentials, so that no single set of credentials reaches the whole pipeline. Last month the vendor said that its build system aligns with the US government-backed Secure Software Development Framework (SSDF) and Software Supply Chain Security Guidance.
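The build-server implant described earlier and the post-build verification mentioned here are two sides of the same control. As an added example that is not SolarWinds’ own tooling, the script below shows the simplest form of post-build verification: build the same commit in two separately credentialed environments, hash every artifact, and refuse to release on any disagreement. A source file swapped in at compile time yields an artifact only the compromised environment produces, so the gate fails instead of shipping a backdoor. The two “build outputs”, their file names and contents are constructed in temporary directories for illustration.

```python
"""Post-build verification by comparing two independent builds of the
same commit.

Added example, not SolarWinds' own tooling. A build-server implant that
swaps a source file in during compilation (as SUNSPOT did to Orion)
produces an artifact that only the compromised build environment emits.
Building the same commit in a second, separately-credentialed environment
and refusing to release unless every artifact matches byte-for-byte
turns that into a build failure rather than a shipped backdoor. The two
"build outputs" below are constructed in temporary directories.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def compare_builds(build_a, build_b):
    """Return (relative path, reason) for every artifact the two builds disagree on."""
    a, b = hash_tree(build_a), hash_tree(build_b)
    findings = []
    for rel in sorted(set(a) | set(b)):
        if rel not in a:
            findings.append((rel, "only in build B"))
        elif rel not in b:
            findings.append((rel, "only in build A"))
        elif a[rel] != b[rel]:
            findings.append((rel, "hash mismatch"))
    return findings


def release_allowed(build_a, build_b):
    """Release gate: any disagreement between the two builds blocks the release."""
    return not compare_builds(build_a, build_b)


def _write_constructed_build(root, tampered):
    """Write stand-in artifacts. With tampered=True the business-layer library
    carries extra bytes, standing in for a class injected at compile time."""
    root = Path(root)
    (root / "lib").mkdir()
    (root / "lib" / "Core.dll").write_bytes(b"MZ core module (constructed)")
    business = b"MZ business layer (constructed)"
    if tampered:
        business += b" + injected backdoor class"
    (root / "lib" / "BusinessLayer.dll").write_bytes(business)
    (root / "Setup.msi").write_bytes(b"installer (constructed)")


def verify_independent_builds(tamper_second_build):
    """Build twice in fresh temp dirs, optionally tampering the second, and
    return the comparison findings (an empty list means the gate passes)."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        _write_constructed_build(a, tampered=False)
        _write_constructed_build(b, tampered=tamper_second_build)
        return compare_builds(a, b)


if __name__ == "__main__":
    print("clean builds:", verify_independent_builds(False))
    print("tampered second build:", verify_independent_builds(True))
```

For real compilers the comparison only works once the build is reproducible: timestamps, embedded GUIDs and absolute paths must be removed (for .NET, the compiler’s deterministic mode; more generally SOURCE_DATE_EPOCH and pinned toolchains), and the second environment must share no credentials or agents with the first, or an implant that reaches both simply produces two matching tainted builds. The check catches tampering between source and artifact; tampering of the repository itself is what signed commits and code review are for.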
Legacy from the SolarWinds cyber attack
Evalian’s head of cyber resilience, Matt Gerry, said a combination of the scope of the attack and the high profile of victims meant that the “far-reaching consequences” of the attack were still being felt three years on.
“The attack brought into sharp light the threat posed by highly sophisticated threat actors and the major threat ‘foreign backed’ groups posed to national security in a way that other previous attacks had not,” Gerry explained. “It’s also hard to accurately quantify the damage to national security (and corporate IP) being an outside observer but given the scope of systems and data exposed in the attack, both the short and long-term ramifications must be immense.”
Estimated insured losses from the SolarWinds attack came to $90 million, with payouts used to finance incident response and forensic services. SolarWinds reported expenses of $3.5 million including costs related to incident investigation, remediation, and legal fees.
The full extent of the damage caused by the SolarWinds attack remains unclear but the incident rallied investments in security improvements across the tech industry and the US government.
“I expect many organisations are still feeling the effects in both the ongoing cost of incident response and the implementation of higher levels of security as part of their business processes,” Gerry said.
Evalian’s Gerry concluded: “The attack undoubtedly prompted companies to urgently re-assess their supply chain security controls, policies and practices, and drove legislative/policy change in governments, all resulting in increased scrutiny and due diligence requirements as part of doing business in 2023.”
Do you want to strengthen your security posture?
With the increasing interconnection of business, managing third-party suppliers is becoming a complex and sprawling issue, opening further avenues of risk. Limited resources and the availability of adequate expertise around this subject are proving to be a key challenge. We can also provide guidance on what types of security questions to ask your supply chain when onboarding vendors. Call us for a no-obligation chat if you need support and direction.
Download our FREE Guide to Supply Chain Security.