Digital madness: the SolarWinds hack.
If 2020 didn’t look enough like a cyberpunk dystopian novel, the way Covid-19 transformed life around the world carried along a heightening of all digital risks and woes that are part of the “Internet package.”
To be fair, by pushing people to work from home and forcing companies into new business models and ways of working, the global pandemic prepared a fertile terrain for attackers.
Regardless of intentions, cyberspace with its freshly reconfigured networks would be likely to feature a whole new set of weak spots and vulnerabilities.
Today we’ll talk about the SOLAR WIND SUPPLY CHAIN HACK.
On December 8th, cybersecurity and incident response firm Fire Eye disclosed that the company had suffered a breach.
Hackers reportedly were after the firm’s own threat intelligence data and hacking tool used to run tests on paying customers’ systems as a way to identify weaknesses before hackers do.
As the The New York Times reported:
These are essentially digital tools that replicate the most sophisticated hacking tools in the world. FireEye uses the tools — with the permission of a client company or government agency — to look for vulnerabilities in their systems. Most of the tools are based in a digital vault that FireEye closely guards.
FireEye revealed on Tuesday that its own systems were pierced by what it called “a nation with top-tier offensive capabilities.” The company said that the attackers used “novel techniques” to make off with its own tool kit, which could be useful in mounting new attacks around the world.
Initially the breach was attributed to Russian State backed hackers and was relatively dismissed as “significant but not a catastrophe” (Washington Post).
Beginning on Sunday 13th however, news began to broke revealing that in a domino effect, U.S. government agencies such the Commerce, Treasury, Homeland Security, Energy State Department, plus corporations and other international targets had been victims of a massive state espionage hack.
The list of victims is quite long but what they all had in common was the Orion network management software from SolarWinds. The hackers used a technique called “supply chain attack” where all of the attacks were made possibile by one initial compromise, in this case at the IT infrastructure firm SolarWinds.
Long story short: SolarWind’s Orion vulnerability was used to install malware on a larger scale on corporate and government networks.
Hackers had breached the company as early as October 2019 and planted malicious code in software updates for its network monitoring tool Orion. Without knowing it, any customer that installed an Orion patch, released between March and June, was also planting a backdoor on their own network.
According to the company, through that one first intrusion, the attackers created a gateway in for about 18000 Solar Winds customer networks.
The impact of the attack varied among victims: in some cases hackers managed to create a backdoor but didn’t go any further, in other cases hackers used the backdoor access just long enough to figure out they didn’t care about the target and in a third case, the attackers moved deeper into the victim’s network for data mining.
This infiltration using SolarWinds as a conduit highlights the threat posed by supply chain attacks as it can undermine all of a cybersecurity company’s customers at the blink of an eye.
Russian hackers have used this technique before with expressly destroying goals however, even though it seems that the Solar Winds attack’s purpose was largely espionage, which is an overall globally accepted activity, some experts warn that we can’t know yet the destructive component the attacks entailed.
On the other hand, some politicians and researchers say that the intrusions crossed a line with espionage norms because of their scale and scope.
Source: Wired, Washington Post, SecurityBoulevard.com
