Cybersecurity is often compared to a castle's defenses. The difference is that a digital fortress, like the ones maintained by corporate IT teams, can be attacked from every angle, not just the front gate. The most dangerous cyber attacks are the ones you aren't prepared for. Enterprises often lack the tools and mechanisms to detect or contain a supply chain attack because they have little visibility into third-party systems and into the software those vendors ship. This is precisely what makes the supply chain such an attractive entry point for attackers.
The biggest supply chain attack of the 21st century came to light in December 2020, when IT management company SolarWinds disclosed that the build process for its Orion platform had been compromised by nation-state actors. The scope and impact of the breach are still being uncovered as up to 18,000 SolarWinds customers that installed the tainted update work to patch and recover. As security teams repair the damage from months of undetected access, companies must learn from the fallout as they prepare for similar supply chain attacks down the road.
Why the SolarWinds Breach Is So Impactful
The first detail the public heard about was a password. In 2019, an independent security researcher found a SolarWinds credential, 'solarwinds123', exposed on the public internet. According to a CNN report, this password protected a SolarWinds file server. CNN also reported that current and former top executives blamed a company intern for the exposure. Regardless of who is to blame, a password of that strength should not be guarding any system at a company entrusted with protecting Defense Department emails. That was the sentiment Representative Katie Porter expressed during the congressional hearing on the breach. It is worth stating plainly, though, that SolarWinds has not confirmed this credential as the path into its build environment, and the initial intrusion vector has not been established publicly.
Whatever the initial foothold, the attackers reached the build environment for SolarWinds' Orion software, an "infrastructure monitoring and management" tool. Orion runs with broad access to the systems it monitors, which made it the perfect launching point for attacks on SolarWinds customers. The attackers inserted a backdoor into the Orion code during the build process, so the resulting update carried a valid SolarWinds digital signature and was downloaded by every customer who installed one of the affected releases shipped between March and June 2020. On the victims the operators chose to pursue, the backdoor lay dormant for roughly two weeks, then called home to attacker-controlled infrastructure and gave the operators the access and credentials Orion itself held. Because the malicious code lived inside a legitimate, signed Orion component, the activity was much harder to detect, and the attackers were able to monitor and extract information for months before discovery.
Putting the Fallout into Perspective
The most devastating part of supply chain attacks like the SolarWinds breach is that IT leaders have no visibility into the systems, applications, and build pipelines of their third-party vendors, yet they inherit whatever those pipelines produce.
The Guardian reported that tainted updates began reaching customers as early as March 2020, and the breach was not discovered until December. This means that Russian actors had unauthorized access to the systems of enterprises and U.S. government agencies, such as the Department of Homeland Security, for more than half a year. Even once SolarWinds customers update their Orion software and remove the existing malware, IT leaders may never fully know the degree to which their assets were compromised. Even for the far smaller set of customers the attackers chose to pursue, the contacts, files, and credentials taken could have dramatic consequences if they are used in a future attack.
What makes the SolarWinds hack particularly concerning is not the number of affected customers, but the types of customers that were affected. Facebook recently had the personal information of over 530 million users leaked onto the Internet following a 2019 data exposure. While 18,000 is significantly smaller, the size and scale of the organizations that were hit may affect an equally large number of individuals. Most of the clients affected by the SolarWinds breach were not disclosed, but Orion customers include Fortune 500 companies across North America, Europe, Asia, and the Middle East. NPR cited SolarWinds' own findings, which estimated that about 100 companies and a dozen government agencies were actually compromised. Among notable SolarWinds clients, Microsoft, Intel, Cisco, the U.S. Treasury, Justice, and Energy departments, and the Pentagon were reported to have received the tainted update.
What Have Security Experts Learned From the Attack?
Who protects the cybersecurity team? This is the question many IT leaders were forced to ask when one of their own network monitoring tools was compromised and used against them. Due to the size and complexity of modern corporations, IT executives must rely on systems that provide broad monitoring and threat detection, and those systems by design hold privileged credentials for everything they watch. What the SolarWinds hack revealed is that even these security tools are susceptible to attack. Security teams must not only monitor their company networks, servers, and IoT devices, they must also regularly verify the integrity of the monitoring systems themselves.
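One concrete way to "inspect the monitoring systems", and to notice when a privileged tool's files change outside a sanctioned update like the one described above, is a file-integrity baseline. The following is an added example written for this article, not SolarWinds' or any vendor's code. It hashes every file under an install directory, stores the result off-host as a baseline, and reports files added, removed, or modified on the next scan. The `Orion` directory, its file names, and their contents are constructed here purely for illustration.

```python
"""File-integrity baseline for a monitoring tool's install tree (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the tree cannot be used
    to make the scan hash (and later 'approve') an attacker-chosen file.
    """
    tree = {}
    for entry in sorted(root.rglob("*")):
        if entry.is_file() and not entry.is_symlink():
            tree[entry.relative_to(root).as_posix()] = hash_file(entry)
    return tree


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Compare a stored baseline against a fresh scan; all three lists are sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        name for name in baseline.keys() & current.keys()
        if baseline[name] != current[name]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(tree: dict, path: Path) -> None:
    """Persist the baseline; in practice this belongs on a host the tool cannot write to."""
    path.write_text(json.dumps(tree, indent=2, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a hypothetical install tree, then tamper with it.

    Directory layout and file contents are invented for this example.
    """
    with tempfile.TemporaryDirectory() as tmp:
        install = Path(tmp) / "Orion"            # hypothetical install tree
        (install / "plugins").mkdir(parents=True)
        (install / "Orion.exe").write_bytes(b"MZ original launcher")
        (install / "plugins" / "Monitoring.dll").write_bytes(b"MZ original plugin")

        baseline_path = Path(tmp) / "baseline.json"
        save_baseline(hash_tree(install), baseline_path)

        # Later, with no update scheduled: one plugin is replaced and a new file appears.
        (install / "plugins" / "Monitoring.dll").write_bytes(b"MZ original plugin + backdoor")
        (install / "plugins" / "Extra.dll").write_bytes(b"MZ unexpected")

        return diff_baseline(load_baseline(baseline_path), hash_tree(install))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats a practitioner should keep in mind. First, this check would not have flagged the tainted Orion update on arrival: that update was digitally signed by SolarWinds and, like any legitimate update, replaced files wholesale. Its value is in catching drift between sanctioned updates and in forcing a deliberate re-baseline at each update, which is exactly the moment to look at what changed. Second, the baseline must live somewhere the monitored tool (and anyone holding its credentials) cannot write, or a compromised tool can simply approve its own modifications.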
What supply chain attacks like this highlight is the need for 360-degree cybersecurity: a digital and physical security program that mitigates attack risk at every possible entry point, including the software your vendors ship into your network.