Last week, a massive cyberattack on the United States was announced, triggering U.S. national security meetings and mild panic among citizens. Experts are calling this one of the most sophisticated and large scale attacks seen in years. More details have come to light, but much of the attack is still under investigation.
Who Was Targeted?
FireEye disclosed that the attackers leveraged the SolarWinds supply chain to compromise multiple global victims. As many as 18,000 Solar Winds’ customers received the malicious update, and so far 200 victims are confirmed. Worthy of mention, attackers broke into several U.S. government networks, including the Commerce and Treasury departments, the Department of Homeland Security, the State Department, the National Nuclear Security Administration, and the National Institutes of Health. Victims listed include entities in government, technology, consulting, and telecom.
Microsoft spokesperson Frank Shaw stated “Like other SolarWinds customers, we can confirm that we detected malicious Solar Winds binaries in our environment, which we isolated and removed. We have not found evidence of access to production services or customer data. Our investigations, which are ongoing, have found absolutely no indications that our systems were used to attack others.”
How The Breach Occurred
FireEye is a cybersecurity software provider and a consulting firm that investigates attacks for clients. On December 8th, FireEye revealed that they suffered an attack as well. In their breach, they lost the company’s Red Team penetration testing tools, which experts believe could be utilized to attack more organizations. While investigating their own breach, on December 11th, FireEye discovered the breach that had occurred at SolarWinds months prior.
SolarWinds is a company that produces IT products widely used by both U.S. corporations and the federal government. When the company experienced a breach, attackers had a path to SolarWinds’ customers. They gained access to victims via trojanized updates to SolarWind’s Orion IT monitoring and management software.
Once hackers gained access to the SolarWinds network management software, they were able to insert counterfeit tokens. These provide verification to providers such as Microsoft and Google about the identity of the computer system their email servers connect to. The hackers then gained access and remained undetected. This reportedly occurred in the Spring of 2020.
The Department of Homeland Security ordered all agencies to cease the use of any network management software made by a company called SolarWinds. This reactive measure was too little too late, however, as the intrusions, according to SolarWinds, had already been underway for several months.
See the SEC filing here.
While the investigation is still underway, federal and private experts currently agree the culprit was likely a Russian intelligence agency. Secretary of State Mike Pompeo said it’s “pretty clear” Russia is the culprit. Attorney General William Barr also agreed with Pompeo, stating that it “certainly appears to be the Russians.”
It remains too soon to tell how damaging the attack was and the impact it will cause on future security efforts. This serves as a vital reminder to ensure third-parties are compliant with all required regulations and industry standards to minimize risk to your organization.