Blog

SolarWinds Breach Orion Hack: One of the Biggest Cyberattacks in U.S. History

SolarWinds

The recent speculation about the future continues to see this year’s threats shaped by the conditions the COVID-10 pandemic has imposed on various business sectors. Cyber experts argue that the rewards the pandemic presents will tend to open new directions for cybercriminals. Meanwhile, organizations are in dire need to hire security testing companies to manage distributed workplaces, stressed organizations, and individuals. This trend is reinforced by the availability of more effective attack tools and services. Although highly critical attacks are rare, there is a drastic shift seen in the past few years from low to medium criticality among the incidents that have been reported. These incidents reflect the availability of sophisticated attack tools to less experienced cybercriminals.

SolarWinds is a software company based in Texas, USA. Officials have disclosed that there was a highly sophisticated attack on Orion Platform software builds for versions released between March 2020 and June 2020. The impacts of this attack are still not clear, but they are expected to be huge, as this attack appears to be the source of the FireEye (a security consulting company) breach as well. The attack involved a backdoor into the Orion Platform which was subsequently initiated in the form of a software update that contained malware. After this attack, FireEye and Microsoft have upgraded their security controls in order to protect their networks against the attack. The US Cybersecurity and Infrastructure Security Agency (CISA) has issued its guidelines to protect the Federal agencies from attacks exploiting the SolarWinds backdoor. 

Let’s see what happened and what is expected to happen next:

The hack began in early March when malicious code was sneaked into updates to the popular security tool Orion, which monitors the computer networks of businesses and governments. The attackers compromise a piece of this software and gained access to an extraordinary range of potential targets in the US. These firms include more than 425 of the Fortune 500 list of top companies, top 10 telecommunications companies, all 5 branches of the military, and top 5 accounting firms. While these are just a few names of SolarWinds’ 300,000 global clients, that include UK government agencies and private companies too. 

So far, investigators have just found that the US Treasury and Commerce departments were attacked. It was a supply chain attack that involved access by compromising the automatic update function built into Orion. The breach provided attackers the access they needed to monitor internal emails at the government departments. The attackers hacked SolarWind and inserted weaknesses into the software Orion. They could only gain access when their targets downloaded and ran a fake software security update. 

Luckily, the full attack was not easy to maneuver in technical terms. The attackers cleverly programmed the attack in such a manner that it would stay below the radar of the US government’s own security teams. It was then to upload stolen data in small quantities so that not malicious traffic could be detected. For now, it is unclear as to how much information has been taken by the attackers and what other departments they have chosen to enter. However, the US CISA has issued an emergency directive to review their networks for indicators of compromise and disconnect Orion products immediately. 

Who has been affected so far, and how bad?

There are no speculations about the long-term impacts of the hack yet. Although experts say that the impacts are global but so far have not revealed any secrets yet. SolarWinds provides network monitoring and other technical services to many organizations around the globe. Orion, the compromised product accounts for major revenues of SolarWinds. Its centralized monitoring system identifies problems in an organization’s computer networks, which means they have a complete view of these networks. Such tools aim at allowing access to the systems and the reason these systems are good targets is due to their deeply embedded systems and networks. According to officials at SolarWinds, they have sent an advisory to almost 33000 of its customers who may have been affected. Although they estimated a small number of customers, only a few of them had installed the product’s update earlier this year. Both US cybersecurity and SolarWinds have failed to identify which organizations were breached. Just because a company uses SolarWinds does not mean they were vulnerable to the attack. 

SolarWinds speculates that it is an outside nation-state that infiltrated its systems with malware. Both the US government or any of the affected companies have not publicly stated which nation-state they think is responsible.  Private customers and government entities affected by the breach may file legal proceeds against Solarwinds. While the company has also filed a report with the Securities and Exchange Commission with a detail about the hack. The company mentioned a total revenue from the affected products $343m or roughly 45% of the firm’s total revenue. The overall stock price has fallen 25% ever since the first news of the breach came in. 

Conclusion

This type of attack can be used to map how organizations work and list down all their structural vulnerabilities, with an aim to potentially exploit them later. Cyber operations like this affect the confidence in existing security measures. If the attackers want to stay hidden and for now it appears that the temptation to eavesdrop on internal communications at the different departments has been compelling. In case other customers of SolarWinds do not find evidence that they were being surveilled, they will consider the factor that the US government was too big a target to pass. Organizations and government agencies need to strengthen their cybersecurity stature by hiring security testing companies to implement security checks and policies to remain protected from such incidents in the future.