Hackers of lore are often depicted breaking into prominent targets by typing frantically on keyboards in dark rooms and yelling “I’m in!” when they’ve purportedly breached their victim’s systems. But the sweeping SolarWinds breach, which has reportedly impacted the U.S. Treasury and Commerce departments, shows the reality is much less flashy and can be far more devastating.
Details are still emerging about the SolarWinds breach, in which hackers inserted malicious code into software updates for the SolarWinds network management product Orion in order to conduct cyber-espionage against the U.S. federal government and multiple other targets. But the fallout from the attack, which is suspected to be linked with Russian hackers, is still being investigated, and early indications suggest the ramifications — and victims — could be extensive.
In many respects, SolarWinds is just another, typical IT provider with government contracts. The company’s website has touted business with numerous U.S. military and civilian agencies and sponsors white papers on working remotely for trade publications. It had an exposition booth in February at RSA, one of the world’s biggest cybersecurity conferences.
But its customer base — which it says includes 300,000 customers and the likes of the Pentagon, the Navy, the Army, Cyber Command, the FBI and the departments of Homeland Security, Defense and Health and Human Services — and its level of access make it a ripe target for hackers interested in stealthy supply-chain attacks.
“Supply-chain attacks are some of the most devastating types of attacks because organizations already have a strong trust,” said Dave Kennedy, a former National Security Agency analyst and the founder and CEO of TrustedSec. “We run into SolarWinds all of the time at organizations and it’s often a point we as simulated attackers go after because it has such high permissions on an organization’s network environment. SolarWinds is used in both private and public sector organizations and widely used globally. The company is a prime target because of the level of access the software has to an entire company infrastructure.”
It’s only natural for government-sponsored espionage actors to try making their way into sensitive targets by first infiltrating an IT company with connections to prominent targets around the world. Nonetheless, the sweeping nature of the SolarWinds breach is a stark reminder that the federal government and private sector alike — even if they are in tune with supply chain security issues — are dependent on smaller organizations that can be quietly weaponized against them.
The Commerce Department, one of the breached entities, has been working for years to spread awareness about better security practices for keeping track of supply chain security issues, for instance. Commerce has not confirmed that hackers victimized it via the SolarWinds vulnerability.
It’s not the first time a supply-chain attack has caught the cybersecurity community off guard. In 2017, hackers compromised HandBrake, a video conversion tool, to distribute a remote access toolkit. The same year, hackers with suspected links to China laced malicious software in the file cleaning program CCleaner to ultimately target more than two million users.
In perhaps the most globally infamous supply-chain security nightmare to date, Russian hackers exploited a software vulnerability in Ukrainian tax software to lock up computers around the world. The U.S. has charged hackers linked with the Russian Main Intelligence Directorate, or the GRU, for the the NotPetya attack. The European Union has also sanctioned Russian hackers for the attack.
Although the federal government has been working to prevent supply chain-based attacks for years, the attractiveness of targeting smaller, lesser-known companies to infiltrate more sensitive targets isn’t going away anytime soon.
“Compromising a tool [SolarWinds] means the attackers have significant access to company assets and reminds us that defense-in-depth is a must as attackers pivot and embed in the corporate environments,” said Ben Johnson, a former NSA official who is now chief technology officer of Obsidian Security. From an intelligence service’s perspective, Johnson added, “Why try to bust down the front door if I can have your trusted delivery person bring my payload in for me?”
Even though supply chain-based attacks will be perpetually alluring to nation-state espionage operations, the scale of the SolarWinds breach is raising questions about what a capable counterintelligence operation looks like.
“If a government like the U.S. with the strongest counterintelligence capabilities in the world can get stung like this, how do you reassure a country that does not have the same kind of resources?” a diplomat at the United Nations told CyberScoop, speaking under condition of anonymity.
It’s also raising questions in the halls of Congress about whether the U.S. government has an adequate framework to assess the security of products upon which the government relies.
“I have warned for years that the government was falling down on the basics of securing federal systems, and this breach unfortunately proves me right,” said Sen. Ron Wyden, D-Ore. “To start, it’s high time to scrap the lax practice of allowing agencies to install high-risk software on government systems without subjecting it to a thorough security review. … If reports are true and state-sponsored hackers successfully snuck malware-riddled software into scores of federal government systems, our country has suffered a massive national security failure that could have ramifications for years to come.”
Russian hackers known as APT29 or Cozy Bear with ties to Russia’s foreign intelligence agency, SVR, are behind the SolarWinds attack, according to according to the Washington Post.
The Russian Foreign Ministry denied it conducts offensive cyberattacks through a comment shared on the Russian U.S. Embassy’s Facebook page.
While investigations are ongoing, one thing is clear for Sen. Mark Warner, D-Va.: The U.S. should prepare options to hit back.
“As we gather more information on the impact and goals of these malign efforts, we should make clear that there will be consequences for any broader impact on private networks, critical infrastructure, or other sensitive sectors,” Warner, the vice chair of the Senate Intelligence Committee, said in a statement.
In the meantime, the Department of Homeland Security’s cybersecurity agency is advising private sector and federal civilian agencies to check for indications they’ve been compromised and to stop using SolarWinds Orion “immediately.” Microsoft has also shared technical details on methods used in the SolarWinds hack.
Increased vigilance should not just be directed at SolarWinds, Kennedy said, because the cybersecurity community may begin seeing copycat supply chain hackers, who also may want to fly under the radar to gather intelligence on federal government agencies or the private sector.
“While SolarWinds is now public, adversaries are always looking for these types of supply-chain attacks because of how effective and successful they are,” said Kennedy. “We should expect that other software development companies are also a target as well as potentially already compromised. … We should be anticipating more of these moving forward.”
Sean Lyngaas contributed to this story.