
What you need to know about SolarWinds and software supply chain attacks

A major software supply chain attack, known as SolarWinds, has brought many elements of our past approaches to distributing and securing software into question. Get all of your questions about software supply chain attacks and the SolarWinds breach answered right here.

What is a software supply chain attack?

Supply chain attack definition in relation to software:

A software supply chain attack begins when a targeted software developer is compromised. The attackers may then alter source code and hide malware in inconspicuous build and update mechanisms.

When software is created by trusted vendors (think Oracle, SAP, Microsoft), its updates are signed and certified. In a software supply chain attack, the vendor does not realize that its apps or updates have been tampered with and now contain malware or worms.

The apps or updates are then sent to clients or released to the public, and every device that installs the infected software is exposed to the attacker.

What are the different kinds of software supply chain attacks?

Software supply chain attacks can take a number of different forms. In some instances, they rely on compromised software in the build tools or in the update infrastructure. In others, their success depends on specialized code added to hardware or firmware components.

Examples of software supply chain attacks?

The following software supply chain attack examples illustrate how devastating a supply chain attack can be.

  • Stuxnet was first observed in 2010 and infected supervisory control and data acquisition (SCADA) systems. All in all, the worm affected 200,000 computers and led to the degradation of industrial control systems.
  • The 2017 Equifax breach is blamed on a flaw in the externally managed software that the company relied on. The Equifax breach compromised data belonging to 145,000,000 Americans.
  • The SolarWinds supply chain attack impacted as many as 18,000 clients. The fact that certain software updates are often exempt from routine security screenings contributed to the widespread nature of this breach.

How can organizations avoid becoming victims in software supply chain attacks?

Organizations should ensure that third-party vendors comply with cyber security standards and regulatory requirements. Gaining visibility into third parties’ security can be tough. Here’s how to do it:

  • Regularly reach out to your third-party vendors with security questionnaires. Such security questionnaires can help organizations assess third-party security posture.
  • Ask your third-party vendors about the data that is or isn’t shared with other suppliers. In a 2018 Ponemon Institute Cyber Risk Report, the misuse or unauthorized sharing of data by third parties was found to contribute to 41% of security incidents.
  • Organizations can also arrange for formal audits of third-party security set-ups.

Regulators are now quick to examine a company’s third-party risks. Cyber insurance policies may take this into account too. So, paying attention to your third parties’ practices pays in more ways than one.

How SolarWinds was breached

The cyber attackers reportedly first gained access to SolarWinds systems on September 4th, 2019, according to a SolarWinds blog post. Shortly thereafter, the hackers stealthily tested code that would be able to create backdoors in the company’s Orion tool. The hackers are believed to have known that the tool would be deployed to thousands of customers, including government agencies and a host of Fortune 500 companies.

Modified Orion code was sent to customers in October of 2019. During the winter of 2020, the attackers used the “Sunspot” malware to insert the “Sunburst” backdoor into the Orion code base. Because vendors sign their software updates, the tampered build went through SolarWinds’ normal code-signing step and was shipped with a valid signature, which then went on to infect customers’ network environments.

The Sunspot malware went undetected on the SolarWinds developer system on which it was installed. It was set up to stay dormant until developers accessed specific source code files. This enabled the hackers to “replace source code files during the build process, before compilation,” stated one group of experts.

The code was crafted so that the backdoor’s lines would not show up in Orion software build logs. Its construction also ensured that it would not cause build errors.
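The two preceding passages describe the gap that a valid code signature cannot close: signing proves who built the artifact, not that the sources were the ones checked out, and a file swapped on the build host between checkout and compilation is signed along with everything else. The following added example (not SolarWinds code, nor any vendor’s) shows the kind of build-time integrity check that targets that specific window: a manifest of source-file hashes is taken at checkout and re-verified immediately before compilation, so a file that was rewritten, removed, or added on the build host in between is reported. The set of source extensions, the directory layout and the file contents are constructed for the demonstration. The check does not cover a tampered compiler or build tool, only the source tree itself.

```python
"""Build-time source integrity check (added example, not SolarWinds code).

Snapshot a manifest of source-file hashes at checkout, then re-verify the
tree immediately before compilation so that any file rewritten, removed or
added on the build host in between is reported before it can be compiled
and signed.
"""
import hashlib
import tempfile
from pathlib import Path

# Assumed set of source extensions to cover; adjust for the project's languages.
SOURCE_SUFFIXES = {".cs", ".c", ".h", ".py"}


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each source file (relative POSIX path) under root to its digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix in SOURCE_SUFFIXES
    }


def verify_manifest(root: Path, manifest: dict) -> list:
    """Compare the tree now against the checkout-time manifest.

    Returns a sorted list of (finding, relative_path) tuples; an empty list
    means the source tree is exactly what was checked out. A CI step would
    fail the build on any non-empty result.
    """
    current = build_manifest(root)
    findings = []
    for rel, digest in manifest.items():
        if rel not in current:
            findings.append(("missing", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    for rel in current:
        if rel not in manifest:
            findings.append(("unexpected", rel))
    return sorted(findings)


def demo() -> tuple:
    """Constructed scenario: checkout, snapshot, then two changes on the
    build host before compilation. Returns (findings_before, findings_after)."""
    root = Path(tempfile.mkdtemp())
    (root / "src").mkdir()
    (root / "src" / "Poller.cs").write_text("class Poller { }\n")
    (root / "src" / "Util.cs").write_text("class Util { }\n")

    manifest = build_manifest(root)          # taken right after checkout
    clean = verify_manifest(root, manifest)  # nothing changed yet -> []

    # Simulated post-checkout changes on the build host: one file rewritten,
    # one file that was never in the checkout appears.
    (root / "src" / "Poller.cs").write_text("class Poller { /* changed */ }\n")
    (root / "src" / "Extra.cs").write_text("class Extra { }\n")

    return clean, verify_manifest(root, manifest)  # re-check before compiling


if __name__ == "__main__":
    before, after = demo()
    print("after checkout:", before)
    print("before compile:", after)
```

In a real pipeline the manifest would be produced from the version-control tree object (or the commit’s own hashes) on a separate, trusted host and handed to the build step out of band, so that a compromised build host cannot simply regenerate it; the demonstration keeps both steps in one process only to stay self-contained.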

How many malware strains have been identified in relation to the SolarWinds attack?

The Sunspot malware was used to create the Sunburst backdoor. The Supernova malware was discovered shortly after the attack was made public. Another malware strain, known as Teardrop, has also been identified; reports indicate that it appeared on the networks of organizations that the hackers wanted to explore more extensively. A fourth strain, Raindrop, has also been reported.

Could a similar attack happen elsewhere?

Yes. SolarWinds CEO, Sudhakar Ramakrishna, is concerned about that possibility. It’s especially worrying due to the fact that some tools, like the Orion product, are exempt from organizational security policies. “…effectively combatting similar attacks in the future will require an industry-wide approach as well as public-private partnerships that leverage the skills, insights, knowledge and resources of all constituents,” said Ramakrishna.

How SolarWinds Orion works

The SolarWinds Orion platform is designed to monitor network performance and health through specific types of communication tools and data collection methods.

Running the Orion Platform requires at least two servers. The first server hosts the Main Polling Engine and the Orion Web Console. The second server hosts the SolarWinds Orion database.

The first server collects real-time information from network-connected devices in a given environment. The second server processes the data and stores it in the SolarWinds Orion SQL database. On request, the data is then displayed in the Orion Web Console.

SolarWinds: who is or was affected?

The malicious software was unknowingly distributed to as many as 18,000 SolarWinds customers. From the public sector to the private sector, both in the US and internationally, a wide variety of organizations were affected. Agencies including the US Energy Department and the US National Institutes of Health experienced attack fallout. Private groups, including Belkin, Ciena, SAP, Intel and Digital Sense, were affected.

The SolarWinds breach gave the hackers broad access to the systems on which Orion was installed. Moreover, SolarWinds had previously asked IT administrators to grant Orion products exemptions from existing antivirus and security restrictions, since the product otherwise might not have operated correctly in clients’ systems. This, in turn, made the malware hard to catch on networks. In general, the level of network access that the hackers gained through the SolarWinds attack exceeds what most cyber criminals achieve in a compromise.

How will SolarWinds proceed with investigations?

Experts expect that investigations will take years. The Wall Street Journal recently released a piece stating that 30% of SolarWinds victims did not operate the software blamed for the attack.

The US government is still investigating the extent to which the attack affected its systems. US acting director of the Cybersecurity and Infrastructure Security Agency, Brandon Wales, states that the SolarWinds attack is of such great complexity that it should no longer be conceptualized as the “SolarWinds” attack campaign.

Which SolarWinds software was hacked?

The SolarWinds Orion software. SolarWinds reports that no other products were compromised. Malicious code has not been identified in any of the company’s other platforms.

How SolarWinds hack was discovered

On Tuesday, December 8th, 2020, a firm discovered that hackers had stolen intellectual property. The firm was determined to uncover how cyber attackers moved past its cyber defenses. In doing so, the organization tore through 50,000 lines of source code.

On Friday, December 11th, 2020, the same firm discovered that SolarWinds’ Orion updates were maliciously modified by cyber criminals.

By the following day, the SolarWinds CEO was alerted about the attack, and an Emergency National Security Council meeting was held.

How SolarWinds attack happened

Precisely how the attack occurred is still under scrutiny at the time of this writing. Cyber forensics experts have concluded that the hack was one component of a larger global campaign targeting federal government, technology, telecom and extractive-industry entities, among other sectors, across the world.

Broadly speaking, the hackers managed to insert malicious code into authentic SolarWinds software updates. In so doing, they managed to avoid detection.

How did SolarWinds attackers avoid detection?

At certain points in the attack, the cyber criminals displayed extremely sophisticated knowledge of software idiosyncrasies and software development. Their level of skill enabled them to avoid raising internal alarms.

Some hackers impersonated employees who were working remotely, and operated from servers based in the same city as the given employee in order to escape detection.

Why SolarWinds Orion?

The SolarWinds Orion platform is used by roughly 33,000 businesses around the world. In some cases, businesses were unable to detect anomalies in Orion’s software updates because they had exempted the Orion product from their standard cyber security controls.

What were the motives behind the Sunburst attack?

They weren’t financial. The motives are believed to be political due to how the attack affected the US Department of Defense, the State Department, the Treasury Department and other governmental groups.

Are there big victims that were compromised but haven’t disclosed it?

In the US, disclosure laws say that businesses must release information about cyber attacks if they fall into certain categories and if personal information was compromised. Publicly traded companies must also disclose breaches. However, due to a patchwork of laws and loopholes, organizations may be able to skirt disclosure laws.

The first SolarWinds breach?

A zero-day vulnerability in SolarWinds software was reported in January of 2020, which could have enabled a bad actor to compromise partner accounts. Researchers report that the flaw was eventually fixed, although it remained open for three months.