SolarWinds Cyber Breach Causing Major Disruption to Businesses and Government Agencies
In what may be the most consequential cyber breach of recent years, SolarWinds announced that its Orion software platform had been compromised. The breach was discovered by FireEye, a SolarWinds customer, while it was investigating the theft of its own red-team tools. Unlike earlier incidents that soon faded from the headlines, such as the theft of millions of personal records or ransomware attacks that took entire hospital systems offline for weeks, this one was different: it attacked the software supply chain of the thousands of organizations that run the SolarWinds Orion Platform.
Who is SolarWinds?
SolarWinds provides network management and monitoring software to companies and government agencies around the globe. By its own account, its customers include more than 400 of the U.S. Fortune 500 companies, hundreds of universities and colleges, the U.S. military, and all of the top ten U.S. telecommunications companies (see the SolarWinds Security Advisory for the list of impacted products and versions).
SolarWinds was the vehicle for a “supply chain” attack: the attackers inserted malicious code into the Orion build so that it shipped inside SolarWinds’ own digitally signed software updates. Those updates were then pushed to SolarWinds customers through the routine update process. Because the updates came from a trusted, signed source, the attackers only had to wait for organizations to install them. Once installed, the malicious code gave the attackers a doorway into the victims’ networks, from which they could download additional tooling, extract data and establish a lasting presence. Because the malware ran inside the Orion software itself, its activity blended in with the legitimate behavior of a trusted monitoring application that already had broad network access. It was a 21st-century version of the wooden horse that Odysseus used to get Greek soldiers inside the walls of Troy.
What Impacted Companies Need To Do
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 21-01 regarding the SolarWinds breach, which instructed all federal civilian executive branch agencies to:
- Forensically image system memory and/or the host operating system of every host running SolarWinds Orion versions 2019.4 through 2020.2.1 HF1, and analyze those images for new user or service accounts, privileged or otherwise.
- Analyze stored network traffic for indicators of compromise, including new external DNS domains contacted by a small number of hosts (such as the SolarWinds systems).
- Immediately disconnect or power down any system running a known compromised version of SolarWinds Orion and keep it offline pending further CISA guidance.
While the directive is binding only on federal civilian agencies, every organization running a known compromised version of SolarWinds Orion should follow the same guidance.
But these are only the first steps. Organizations should also determine whether the attackers established persistence, or “backdoors,” in their environment. Follow-on steps include:
- Identifying and removing all threat actor-controlled accounts and any other persistence mechanisms.
- Rebuilding hosts monitored by the SolarWinds Orion software from trusted sources.
- Resetting all credentials used by or stored in SolarWinds software, including the SNMP, WMI, database and other device credentials Orion holds in order to monitor systems. Such credentials should be treated as compromised.
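The two response lists above boil down to two questions an incident responder has to answer for each host: is the installed Orion build inside the version range named in the CISA directive, and were any accounts created on that host after the affected build could have landed? The following script is an added example written for this article, not code from SolarWinds, CISA or FireEye. It parses Orion version strings (including hotfix suffixes such as "HF1"), checks them against the directive's range, and scans a Windows Security log export for event ID 4720 ("A user account was created"). The CSV log lines, the host name and the 1 March 2020 cutoff are constructed sample values for illustration; in practice the cutoff should be the date the first affected update was installed, taken from your own patch records.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Version range named in CISA Emergency Directive 21-01:
# Orion 2019.4 through 2020.2.1 HF1. The authoritative list of affected
# builds is in the SolarWinds Security Advisory; treat this range as the
# "must investigate" set, not as proof a specific build was trojanized.
RANGE_LOW = "2019.4"
RANGE_HIGH = "2020.2.1 HF1"

# Assumed cutoff for the account review (illustrative value; use the
# install date of the first affected update in your environment).
EXAMPLE_CUTOFF = datetime(2020, 3, 1, tzinfo=timezone.utc)

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)\s*(?:HF\s*(\d+))?\s*$", re.IGNORECASE)


def parse_orion_version(text):
    """Turn an Orion version string into a comparable tuple.

    '2020.2.1 HF1' -> (2020, 2, 1, 1); '2019.4 HF5' -> (2019, 4, 0, 5).
    The numeric part is padded to three components so '2019.4' sorts as
    2019.4.0, and the hotfix number is the final element (0 = no hotfix).
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Orion version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 3:
        raise ValueError(f"too many version components: {text!r}")
    parts += [0] * (3 - len(parts))
    hotfix = int(m.group(2)) if m.group(2) else 0
    return (parts[0], parts[1], parts[2], hotfix)


def in_directive_range(text):
    """True if the version falls inside 2019.4 .. 2020.2.1 HF1 inclusive."""
    v = parse_orion_version(text)
    return parse_orion_version(RANGE_LOW) <= v <= parse_orion_version(RANGE_HIGH)


# Constructed sample standing in for an export of the Security event log from
# an Orion server (for example from Get-WinEvent piped to Export-Csv). Event
# 4720 is "A user account was created"; TargetUserName is the new account and
# SubjectUserName is the account that created it. Not real data.
SAMPLE_SECURITY_LOG_CSV = """TimeCreated,Id,TargetUserName,SubjectUserName
2020-01-15T09:02:11Z,4720,helpdesk02,admin.jane
2020-04-03T02:47:19Z,4720,svc_update,ORION-SRV$
2020-04-03T02:48:05Z,4732,Administrators,ORION-SRV$
2020-05-20T14:10:00Z,4720,jdoe,admin.jane
2020-05-21T10:00:00Z,4624,jdoe,-
"""


def accounts_created_since(csv_text, cutoff):
    """Return [(new_account, created_by, time)] for every 4720 event at or
    after `cutoff`, in log order. Anything returned needs a human to confirm
    it was a sanctioned change; a service or machine account creating users
    outside change windows is exactly what the directive tells you to hunt."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["Id"]) != 4720:
            continue
        # Python < 3.11 cannot parse a trailing 'Z', so normalise it first.
        created = datetime.fromisoformat(row["TimeCreated"].replace("Z", "+00:00"))
        if created >= cutoff:
            found.append((row["TargetUserName"], row["SubjectUserName"], created))
    return found


def triage_host(hostname, orion_version, security_log_csv, cutoff):
    """Combine both checks into the decision the directive asks for."""
    affected = in_directive_range(orion_version)
    new_accounts = accounts_created_since(security_log_csv, cutoff) if affected else []
    return {
        "host": hostname,
        "orion_version": orion_version,
        "disconnect_and_image": affected,
        "accounts_to_review": [acct for acct, _, _ in new_accounts],
    }


if __name__ == "__main__":
    # "ORION-SRV" and its version are constructed example values.
    result = triage_host("ORION-SRV", "2020.2 HF1", SAMPLE_SECURITY_LOG_CSV, EXAMPLE_CUTOFF)
    print(result)
```

Run against a real export, the `accounts_to_review` list is a starting point for the account-removal step, not a verdict: each entry still has to be matched against change tickets, and accounts created by the Orion service itself deserve the closest look. The version check deliberately errs on the side of the directive's full range because the cost of imaging a clean host is far lower than the cost of leaving a backdoored one online.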
The SolarWinds breach highlights how much a company’s cybersecurity posture depends on its vendors. Companies will need to keep monitoring and assessing their cybersecurity risk, with a renewed focus on vendor risk management and incident response, in order to be prepared for the next major attack.
You don’t have to face cybersecurity issues alone. If you would like to discuss your cybersecurity concerns, please reach out to Windham Brannon’s cybersecurity practice leader Al Tanju at firstname.lastname@example.org.