The SolarWinds Supply Chain Attack and the Limits of Cyber Hygiene

By now, you’ve probably heard: On December 13, Reuters reported that malicious actors had breached both the U.S. Department of the Treasury and the U.S. Department of Commerce. The National Security Council met at the White House on December 12 to discuss the intrusions. A day later, U.S. officials indicated that they had asked CISA and the FBI to investigate.

Two of Reuters’ sources said that the security incidents were connected to the intrusion at FireEye disclosed earlier that week. According to FireEye’s own investigation, whoever was responsible had accessed some of its Red Team assessment tools. FireEye proactively published countermeasures to minimize the risk posed by the theft of those capabilities.

At the time of reporting, the breaches had not been formally attributed. Some of Reuters’ sources said that Russia was the suspected culprit. Not surprisingly, Russia’s foreign ministry denied responsibility in a Facebook post.

CISA went on to issue an emergency directive on December 13 tying all of these attacks to a compromise of SolarWinds’ Orion infrastructure monitoring platform. Microsoft analyzed the attack chain and wrote that the malicious actors might have compromised SolarWinds’ internal build or distribution systems. The attackers inserted backdoor code, detected by FireEye as “SUNBURST,” into a legitimate Orion library; the resulting library was signed with SolarWinds’ own code-signing certificate, so it passed signature checks and reached customers through the normal update channel.

Once the backdoor gave them a foothold on a victim’s network, they escalated to privileged account credentials and, where they obtained an organization’s SAML token-signing certificate, forged SAML tokens. Either path let them maintain long-term access to the victim organization’s network and/or reach the targeted organization’s data, including cloud-hosted data protected by federated sign-in.
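The SAML-forgery step is the part of this chain that defenders can look for in their own records. The following is an added example, not code from the original post or from any vendor: it correlates the identity provider’s own token-issuance records against the service provider’s sign-in records. A token the service provider accepted that the IdP never recorded issuing, one whose subject differs from what the IdP recorded, or one whose validity window exceeds what the IdP is configured to issue is what a forged token looks like from the outside. The log shapes, user names, assertion IDs and the one-hour lifetime policy are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Issuance is a constructed stand-in for the federation server's own record of a
// token it minted (the IdP side, e.g. an AD FS token-issuance audit event).
type Issuance struct {
	AssertionID string
	User        string
	IssuedAt    time.Time
}

// SignIn is a constructed stand-in for the service provider's record of a SAML
// token being accepted (the cloud tenant's sign-in log).
type SignIn struct {
	AssertionID  string
	User         string
	SeenAt       time.Time
	NotBefore    time.Time // validity window carried inside the assertion
	NotOnOrAfter time.Time
}

// Finding is one suspicious sign-in and every reason it was flagged.
type Finding struct {
	AssertionID string
	User        string
	Reasons     []string
}

// MaxTokenLifetime is a policy assumption for this example: AD FS issues
// one-hour tokens by default, and a forger can set any lifetime it likes.
const MaxTokenLifetime = time.Hour

// DetectForgedTokens flags tokens the service provider accepted that the IdP has
// no record of issuing, that name a different subject than the IdP recorded, or
// whose validity window exceeds policy.
func DetectForgedTokens(issued []Issuance, seen []SignIn) []Finding {
	byID := make(map[string]Issuance, len(issued))
	for _, i := range issued {
		byID[i.AssertionID] = i
	}
	var findings []Finding
	for _, s := range seen {
		var reasons []string
		if iss, ok := byID[s.AssertionID]; !ok {
			reasons = append(reasons, "accepted by the service provider but never issued by the IdP")
		} else if iss.User != s.User {
			reasons = append(reasons, fmt.Sprintf("IdP issued this assertion to %q, service provider saw %q", iss.User, s.User))
		}
		if lifetime := s.NotOnOrAfter.Sub(s.NotBefore); lifetime > MaxTokenLifetime {
			reasons = append(reasons, fmt.Sprintf("validity window %s exceeds policy maximum %s", lifetime, MaxTokenLifetime))
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{s.AssertionID, s.User, reasons})
		}
	}
	return findings
}

// SampleIssuances and SampleSignIns are constructed records, not real logs.
func SampleIssuances() []Issuance {
	base := time.Date(2020, 12, 14, 9, 0, 0, 0, time.UTC)
	return []Issuance{
		{"_id-001", "alice@corp.example", base},
		{"_id-002", "bob@corp.example", base.Add(5 * time.Minute)},
		{"_id-003", "carol@corp.example", base.Add(10 * time.Minute)},
	}
}

func SampleSignIns() []SignIn {
	base := time.Date(2020, 12, 14, 9, 0, 0, 0, time.UTC)
	return []SignIn{
		// Legitimate: issued by the IdP, one-hour window.
		{"_id-001", "alice@corp.example", base.Add(time.Minute), base, base.Add(time.Hour)},
		{"_id-002", "bob@corp.example", base.Add(6 * time.Minute), base.Add(5 * time.Minute), base.Add(65 * time.Minute)},
		// Forged: the IdP never saw this assertion, and it is valid for a year.
		{"_id-777", "svc-globaladmin@corp.example", base.Add(30 * time.Minute), base.Add(30 * time.Minute), base.Add(30*time.Minute + 365*24*time.Hour)},
		// Suspicious: the assertion ID exists on the IdP, but for a different subject.
		{"_id-003", "dave@corp.example", base.Add(11 * time.Minute), base.Add(10 * time.Minute), base.Add(70 * time.Minute)},
	}
}

func main() {
	for _, f := range DetectForgedTokens(SampleIssuances(), SampleSignIns()) {
		fmt.Printf("%s (%s): %s\n", f.AssertionID, f.User, strings.Join(f.Reasons, "; "))
	}
}
```

Two caveats when running this against real data. The correlation is only as good as the IdP logs: an attacker who holds the token-signing key has usually also had administrative access to the federation server, so those audit events need to be shipped off-host to a store the attacker cannot edit. And a missing issuance record can also be ordinary log loss, so a hit is a triage lead, not a verdict; the long-lifetime check and the subject mismatch are the corroborating signals.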

Citing “unacceptable risk to Federal Civilian Executive Branch agencies,” including the Departments of Treasury and Commerce, CISA directed federal agencies to disconnect or power down affected Orion products while SolarWinds worked on a fix.

Around the same time, SolarWinds acknowledged the “highly sophisticated, manual supply chain attack” on its platform and recommended that customers upgrade to Orion Platform version 2020.2.1 HF 1 as soon as possible.

News of a breach on the potential scale of the one carried out against the U.S. Treasury and Commerce Departments is eye-opening and deeply concerning. On top of that, a CISA directive that orders federal agencies to disconnect or power down SolarWinds products, and urges public and private sector organizations alike to assess their exposure, is exceedingly rare: this is only the fifth time it has happened since the agency was formed.

The good news is that the rarity of such directives catches everyone’s eye and reinforces the seriousness of this breach. In other words, this warning should not go unnoticed. Since SolarWinds has tens of thousands of customers, including more than 400 of the Fortune 500, a bold action like this was needed.

Now, we all want to know what the private sector companies that rely in part on SolarWinds will do. We should also be listening carefully to SolarWinds itself. Its first job is protecting its customers, but it also holds information the rest of us need, so its transparency and openness are extremely important. In the short term, any SolarWinds customer should stand up a task force or war room to hunt for the adversary and deal with the specific TTPs, vulnerabilities and exploits in question.

As public and private sector organizations share common tools, practices and managed services, it is important to remember that homogeneity makes us vulnerable: the legitimate tools that everyone shares can themselves be compromised. You cannot pass this off to others; you have to own your space. Two points on this:

  • First, the security incidents at the U.S. Departments of Treasury and Commerce, as well as at FireEye, trace back to their use of the Orion platform. They didn’t fall for a phishing campaign or pick up malware from an unapproved application. SolarWinds was trusted and welcomed through the front door, and that is how they were infected with the SUNBURST backdoor.

  • Second, it shows the limits of cyber hygiene. SolarWinds has a stellar reputation, and its software is signed and legitimate. The backdoored update carried a valid SolarWinds code-signing signature (the certificate was issued by Symantec’s CA) and arrived as a normal Orion update. No patching or allow-listing discipline would have blocked that: a signature proves who signed a file and that it has not changed since, not that the build behind it was clean. Because the attackers tampered with the build or distribution systems rather than with the file after the fact, the malicious code was signed like everything else, and detection was never going to be straightforward.
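The second point deserves a concrete demonstration. Below is an added example, not code from the original post or from SolarWinds: a toy release pipeline in which the attacker tampers with the library either after signing (caught by signature verification) or inside the build before signing (signed with the vendor’s real key, so verification passes). It also shows the one check that does see the second case, comparing the shipped artifact against an independent rebuild from source, which only works when the build is reproducible. Ed25519 stands in for the RSA/Authenticode signature a real Windows DLL carries; the “source”, the “compiler” and the backdoor marker are constructed stand-ins.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a customer downloads: the library bytes and the vendor's
// signature over them.
type Release struct {
	Library   []byte
	Signature []byte
}

// buildLibrary stands in for the vendor's build step. The "source" here is a
// constructed byte string; a real pipeline compiles it.
func buildLibrary(source []byte) []byte {
	return append([]byte("compiled:"), source...)
}

// signRelease is the signing step at the end of the vendor's pipeline. It signs
// whatever bytes the build handed it.
func signRelease(priv ed25519.PrivateKey, lib []byte) Release {
	return Release{Library: lib, Signature: ed25519.Sign(priv, lib)}
}

// Verify is all the customer's signature check does: confirm the bytes were
// signed by the key behind the vendor's certificate and are unchanged since.
func Verify(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Library, r.Signature)
}

// InjectBackdoor is the attacker's tamper. Appending a marker string is a
// constructed stand-in for inserting backdoor code into the library.
func InjectBackdoor(lib []byte) []byte {
	out := append([]byte{}, lib...)
	return append(out, []byte(";backdoor")...)
}

// MatchesRebuild is the check that does see build-system tampering: rebuild the
// library from source on an independent machine and compare digests. It only
// works when the build is reproducible.
func MatchesRebuild(r Release, source []byte) bool {
	shipped := sha256.Sum256(r.Library)
	rebuilt := sha256.Sum256(buildLibrary(source))
	return bytes.Equal(shipped[:], rebuilt[:])
}

// Outcome collects the cases so they can be compared side by side.
type Outcome struct {
	CleanVerifies             bool // untampered release
	TamperedAfterSignVerifies bool // file modified after signing
	TamperedInBuildVerifies   bool // build modified before the signing step
	TamperedInBuildRebuilds   bool // does the in-build tamper match an independent rebuild
}

func Run() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	source := []byte("orion-library-source") // constructed stand-in for the real source tree

	clean := signRelease(priv, buildLibrary(source))

	// Attacker modifies the shipped file: the signature no longer covers the bytes.
	post := clean
	post.Library = InjectBackdoor(clean.Library)

	// Attacker modifies the build before the signing step: the vendor's own key
	// signs the backdoored bytes, and the signature is perfectly valid.
	pre := signRelease(priv, InjectBackdoor(buildLibrary(source)))

	return Outcome{
		CleanVerifies:             Verify(pub, clean),
		TamperedAfterSignVerifies: Verify(pub, post),
		TamperedInBuildVerifies:   Verify(pub, pre),
		TamperedInBuildRebuilds:   MatchesRebuild(pre, source),
	}, nil
}

func main() {
	o, err := Run()
	if err != nil {
		panic(err)
	}
	fmt.Printf("clean release verifies:                 %v\n", o.CleanVerifies)
	fmt.Printf("tampered after signing verifies:        %v\n", o.TamperedAfterSignVerifies)
	fmt.Printf("tampered inside the build verifies:     %v\n", o.TamperedInBuildVerifies)
	fmt.Printf("...and matches an independent rebuild:  %v\n", o.TamperedInBuildRebuilds)
	sum := sha256.Sum256(buildLibrary([]byte("orion-library-source")))
	fmt.Println("digest an honest rebuild should produce:", hex.EncodeToString(sum[:]))
}
```

The third case is the SolarWinds situation: the customer’s signature check is working exactly as designed and still says “yes.” Signing moves trust onto the integrity of the build and signing environment, which is why the remaining defenses are independent rebuilds where the software allows it and, for everything else, behavioral detection of what the signed code does once it runs.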

With the U.S. government in the middle of a transition between administrations, cyber activity that forces lockdowns and freezes has the potential to slow or damage transition work. With the inauguration in January, it is important that we not allow that damage, so that the government can proceed with a normal transfer of administrations.

We’re left with this: now is the time to listen to CISA and the government. The private sector needs to stay open and keep serving the public, and the government needs to keep operating and keep the transition on track, and both have to do so while minimizing complexity and risk to security and privacy.

In the meantime, it’s on us to recognize that the only real answer is a robust, behavioral, post-breach mindset. Everything was working as it should, and Orion still became the point of infection. This underscores that this is not just a technology issue but a people and process issue as well, and that while cyber hygiene always matters, after a certain point effective detection capabilities matter more.

If you’re a Cybereason customer, please consult our Knowledge Base article for more details and actionable mitigation strategies.

Sam Curry
About the Author

Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.
