Since mid-December 2020, the U.S. government, the security community, big business, and big tech have been reeling in the face of one of the most massive breaches in U.S. history. How the SolarWinds hack happened and how it could have been avoided should be the first question on the lips of any security-minded individual or organization.
One of the main concerns to come out of this entire incident is that it wasn’t the NSA, Microsoft, or any other of the big players or security leaders that initially caught on to the hack. Instead, it was a cybersecurity firm that spotted it, thanks to a red flag raised by its two-factor authentication system.
This highlights the importance of working with top cybersecurity professionals committed to helping businesses harden their security operations.
LIFARS’s Managed Response and Containment (MRC) features ongoing expert incident response, forensics, and remediation, and adds proactive threat hunting services to enhance your existing SOC.
Coordinated, government-sponsored cyber-espionage operations are not exactly new. Major international actors, such as the U.S., Russia, and China have been engaged in these types of activities for years.
However, what sets this incident apart is the sheer scale of victims. Experts think that the attackers infected over 18,000 organizations between March and June of 2020 alone. The main suspect in the hack is Russia’s SVR foreign intelligence agency.
Microsoft, which has been actively assisting the official response, says at least 40 government agencies, think tanks, government contractors, non-governmental organizations, and technology companies have been infiltrated, 75% of which are from the U.S.
How Did Hackers Perpetrate the Attack?
The initial wave of infections largely stemmed from a supply chain attack on software from SolarWinds, via its Orion network management software, and Microsoft, via its cloud services. This provided attackers with a gateway to infiltrate users of these platforms. The hackers were then able to access documents and perform federated authentication by exploiting single sign-on infrastructure.
Most Fortune 500 companies and governmental agencies use SolarWinds solutions as part of their IT infrastructure. It’s easy to see why SolarWinds was the optimal entry point for a large-scale cyber assault.
The hackers were able to directly compromise networks and systems used by top corporate, government, and security-sector agents. This also led to secondary infections, which are now a major concern for those involved in the cleanup operation, not only because the SolarWinds platform is a complex and sophisticated piece of software but also because of its deep integration with multiple other software tools.
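The federated-authentication abuse described above leaves a gap a defender can look for: the application (service provider) accepts a sign-on token that the identity provider never actually issued, or that was signed by a certificate other than the provider's own. The script below is an added example, not code from the original post or from LIFARS; it correlates two constructed, newline-delimited JSON logs (an IdP issuance log and a service-provider acceptance log, with assumed field names such as `signer` and `lifetime_hours`) and flags tokens that have no matching issuance event, an untrusted signing certificate, or a lifetime beyond policy. The thumbprints, users and timestamps are placeholders.

```python
"""Correlate service-provider (SP) token acceptance with identity-provider (IdP)
token issuance. Logs, field names and thumbprints below are constructed
assumptions for illustration, not real SolarWinds or Microsoft log formats."""
import json
from datetime import datetime, timedelta

# Constructed sample IdP log: one line per SSO token the IdP actually issued.
IDP_LOG = """
{"ts": "2020-12-13T10:00:00", "user": "alice", "event": "token_issued"}
{"ts": "2020-12-13T10:05:00", "user": "bob", "event": "token_issued"}
"""

# Constructed sample SP log: one line per token an application accepted.
# 'signer' is the thumbprint of the certificate that signed the token (assumed field).
SP_LOG = """
{"ts": "2020-12-13T10:00:30", "user": "alice", "signer": "AAAA1111", "lifetime_hours": 1}
{"ts": "2020-12-13T10:06:00", "user": "bob", "signer": "AAAA1111", "lifetime_hours": 1}
{"ts": "2020-12-13T14:30:00", "user": "carol", "signer": "AAAA1111", "lifetime_hours": 1}
{"ts": "2020-12-13T15:00:00", "user": "dave", "signer": "FFFF9999", "lifetime_hours": 240}
"""

TRUSTED_SIGNERS = {"AAAA1111"}        # placeholder thumbprint of the IdP's real signing cert
MAX_LIFETIME_HOURS = 8                # assumed policy: no SSO token lives longer than a workday
CORRELATION_WINDOW = timedelta(minutes=5)  # SP acceptance must follow issuance within this window


def parse_log(text):
    """Parse newline-delimited JSON records, converting 'ts' to a datetime."""
    records = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records


def find_suspicious_tokens(idp_text=IDP_LOG, sp_text=SP_LOG,
                           trusted=TRUSTED_SIGNERS,
                           max_lifetime=MAX_LIFETIME_HOURS,
                           window=CORRELATION_WINDOW):
    """Return a list of (user, reasons) for every accepted token that the
    IdP's own records cannot account for or that violates token policy."""
    issued = [r for r in parse_log(idp_text) if r["event"] == "token_issued"]
    findings = []
    for acc in parse_log(sp_text):
        reasons = []
        # 1. Token signed by something other than the IdP's known certificate.
        if acc["signer"] not in trusted:
            reasons.append("unknown signing certificate")
        # 2. Token lifetime longer than policy allows.
        if acc["lifetime_hours"] > max_lifetime:
            reasons.append("token lifetime exceeds policy")
        # 3. No IdP issuance for this user shortly before the SP accepted the token.
        matched = any(
            r["user"] == acc["user"] and timedelta(0) <= acc["ts"] - r["ts"] <= window
            for r in issued
        )
        if not matched:
            reasons.append("no matching IdP issuance event")
        if reasons:
            findings.append((acc["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in find_suspicious_tokens():
        print(f"{user}: {', '.join(reasons)}")
```

In the constructed sample, alice and bob are explained by the IdP log, carol's token was accepted with no issuance on record, and dave's token fails all three checks. In a real deployment the IdP and SP logs would be pulled from the federation service and the applications that trust it, and the correlation window tuned to the clock skew between them.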
Where are We Now? How Long will the Cleanup Take?
Despite knowing of the attack and the potentially devastating consequences of continuing to use compromised systems, many simply have no choice but to continue.
As Bruce Schneier, a prominent security expert and Harvard fellow, put it: “We have a serious problem. We don’t know what networks they are in, how deep they are, what access they have, what tools they have left.”
He added that the situation is like living in a mansion where you’re certain a serial killer has been. “How do you get things done if you don’t know that he’s gone? You kind of just hope for the best,” he said.
This uphill battle is what prompted Schneier to claim the only way to be sure a network is clean is “to burn it down to the ground and rebuild it.”
Government and big-tech partners are now at the start of a major cleanup operation that they say will take months. You can compare the fight-back to the cyber equivalent of hand-to-hand combat. The hackers are actively trying to counter remedial actions by security responders.
Hackers are still trying to work their way deeper into different parts of integrated systems. In the meantime, they are still maintaining whatever foothold they can in the hope of stealing more sensitive information.
What makes the situation worse is the fact that infiltrators were active within the compromised systems, in most cases for months before the scale of the attack became known.
The discovery of this massive hack also comes at a time when a unilateral and coordinated government response is more difficult, thanks to the end of the Trump administration and the ongoing handover to the Biden administration.
While the question of the day is “how the SolarWinds hack happened,” we might be asking the exact same question about a different software provider within a year. Businesses should be taking their security into their own hands, either by directly investing in their own SOC or by partnering with committed SecOps experts who can help fill any gaps when it comes to detecting, responding to, and recovering from cybersecurity incidents.