Summary of the SolarWinds Hack
Russian hackers inserted malicious code into a ubiquitous piece of network-management software (SolarWinds and other companies) used by a majority of governmental agencies, Fortune 500 companies and many cloud providers. The software potentially gives Russia an all-access pass into the data of breached organizations and their customers.
Immediate Steps to Protect Your Network
I would recommend having a conversation with your IT provider or security team about the following items, as much for future attacks as for the SolarWinds hack:
- After reading through this summary, take a deeper dive into this WSJ white-paper: The SolarWinds Hack – What Businesses Need to Know
- For small businesses, it is important that you check with any cloud software providers to make sure they have resolved any problems with affected software.
- Patch all instances of SolarWinds network management software and all network management, security and operational software in your environment.
- Make sure your security team keeps up with the latest fixes for the Sunspot virus.
- Configure your network assets to be as isolated as possible so that your most confidential data caches are separate from less confidential data.
- Review the security settings of every category of user on the system to tighten user-level access.
- Make sure employees know the proper procedures for connecting remotely to your network. Verify that they aren’t using a free personal VPN to connect.
- If you utilize Microsoft products, keep up to date with their Investigation Updates.
- If there is a chance you have been affected, have a full security audit done of your network.
Details of the SolarWinds Hack
During the worst possible time – a contentious presidential transition and a global pandemic – dozens of federal government agencies, among them the Defense, Treasury and Commerce, were breached by a cyber espionage campaign launched by the Russian foreign-intelligence service (SVR). The SVR is also linked to hacks on government agencies during the Obama Administration.
Senator Angus King said Putin “doesn’t have the resources to compete with us using conventional weapons, but he can hire about 8,000 hackers for the price of one jet fighter.”
In addition to internal communications being stolen, the operation exposed hundreds of thousands of government and corporate networks to potential risk. The hackers infiltrated the systems through a malicious software update introduced in a product from SolarWinds Inc., a U.S. network-management company. This allowed unsuspecting customers of their software to download a corrupted version of the software with a hidden back door allowing hackers to access their networks from “inside the house”. SolarWinds has more than 300,000 customers world-wide, including 425 of the U.S. Fortune 500 companies. Some of those customers include: the Secret Service, the Defense Department, the Federal Reserve, Microsoft, Lockheed Martin Corp, PricewaterhouseCoopers LLP, and the National Security Agency. (Note: more recently, it has been discovered that SolarWinds wasn’t the only primary software infected.)
A Solar Winds spokesperson said the company knew of a vulnerability related to updates of its Orion technology management software and that the hack was the result of a highly sophisticated, targeted and manual supply chain attack by a nation state. Like the FireEye breach, this was not a broad attack of many systems at once, but a stealthy, patiently-conducted campaign that required “meticulous planning and manual interaction.”
SolarWinds Hack was a Supply Chain Attack
These supply-chain attacks reflect a trend by hackers in which they search for a vulnerability in a common product or service used widely by multiple companies. Once breached, it spreads widely across the internet and across dozens or even hundreds of companies before the compromises are detected. Many companies have increased their level of cyber-protections, but they do not scrutinize the software that their suppliers provide. This is a concern because corporations typically have dozens of software suppliers. For example, in the banking industry, the average number of direct software suppliers is 83. In IT services, it’s 55.
To understand the severity and national-security concerns of this breach, think of this as a “10 on a scale of one to 10”. The Cybersecurity and Infrastructure Agency ordered the immediate shut down of use of SolarWinds Orion products. Chris Krebs, the top cybersecurity official at the Department of Homeland Security until his recent firing by Trump, stressed any Orion users should assume they have been compromised. Other investigators say that merely uninstalling SolarWinds will not solve the threat and that recovery will be an uphill battle unlike any we have ever seen. While the hackers may not have gained complete control of all companies, all experts agree that it will take years to know for certain which networks the Russians control and which ones they just occupy and to be assured that foreign control has been negated. Because they will be watching whatever moves we make—from the inside.
John Sileo is a cybersecurity expert, privacy advocate, award-winning author and media personality as seen on 60 Minutes, Anderson Cooper and Fox & Friends. He keynotes conferences virtually and in person around the world. John is the CEO of The Sileo Group, a business think tank based in Colorado.