SolarWinds and Supply Chain Security

In an astronomical sense, solar winds can be damaging. These powerfully charged space particles released by the sun can damage satellites. Additionally, solar winds might push off our GPS signals by a few feet (gasp)! Fortunately, for us earth dwellers we do not feel or notice any of the negative impacts of these solar winds. That is, unless you go up into space without a space suit. Thank earth’s electromagnetic field for that.

Unfortunately, in this situation, these relatively harmful particles are not the solar winds I want to discuss.  No, what we must discuss is the company, SolarWinds. Furthermore, one of the most significant supply chain attacks in history. Recently, these ‘SolarWinds’ cause all kinds of heartaches. 

What happened?

Prior to the Holidays, shockwaves emanated across the security community. FireEye, an industry leading security company, announced a breach by a highly sophisticated nation-state sponsored attack group.  This led many to ask: How could a company that thousands entrust to protect them from such a thing fall victim themselves? The answer came less than a week later. 

Mapping out the SolarWinds Breach

Mapping out the full scale of the attack takes time.

Leveraging SolarWinds, a company that provides a variety of IT management software, attackers coordinated a highly sophisticated supply chain attack. This breach likely started as early as September 2019 or possibly sooner as the investigation continues unfolding. 

After gaining a foothold into the SolarWinds network the attack group began testing their compiled malicious code. Ultimately, deploying the backdoor known as SUNBURST as part of an update to the SolarWinds Orion package. According to SEC documents, roughly 33,000 customers use Orion. These trojanized updates were digitally signed by SolarWinds and dated March-May 2020 and posted to the online update website.  This means SolarWinds sent out tampered and infected updates to their own customers.

Who is impacted by the SolarWinds breach?

The list of impacted government agencies continues growing. Furthermore, both public and private organizations in numerous industries are impacted.  Allow us just to name a few heavy hitters:

  • U.S. Department of Homeland Security
  • U.S. Department of State
  • U.S. Department of the Treasury
  • U.S. Department of Energy/National Nuclear Security Administration
  • US States (Specifics not yet revealed)
  • Microsoft
  • Cisco
  • Google
  • FireEye

Just look at that list. Does it make you think “how could organizations like these become a victim?”.  Indeed, what we continuously watch unfold is likely the most sophisticated and successful cyber attack ever.  Moreover, these attackers are a very well-funded and resourced state-sponsored group. Indications reveal Russia being behind the SolarWinds attacks. 

The other scary reality to is that no organization is 100% safe from a cyber-attack, regardless of who are you.  These days it’s not really a matter of if, but a matter of when. Highly motivated, highly skilled, and well resourced attackers eventually get what they want.  

This event is still so fresh we do not fully understand the total repercussions.  What we do know is that supply chain attacks leave behind a substantial wake of damage. Furthermore, the wake of damage impacts both the vendor and their software supply chain. While it may still be too early to tell, this one may top all of them. 

Supply Chain Cyber Attacks

An attack on one supply chain means a potential attack on each member involved.

Let’s take a look at some other significant attacks in the supply chain:

Target – Weak security at HVAC supplier with access to Target systems allowed for an entry point to compromise Target. Ultimately, 41 million customer card accounts were affected and millions of dollars in regulatory and legal fees amassed. 

Stuxnet – What some deem the original “cyberweapon.” This computer worm is widely believed to have been developed jointly by the United States and Israel. The target: Iranian nuclear facilities. Gaining access to an operational network like a nuclear facility is no easy task. So, they had to get creative.  Large amounts of USBs with the worm preloaded on them were dropped off for purchase at local internet stores near the facilities. Consequently, Iranian uranium enrichment facilities screeched to a halt as the Stuxnet worm infected their infrastructure.

CCleaner – Popular freeware used by millions of users had update files infected by an attack group. Similar to the SolarWinds compromise.  This malicious update file was also posted to the CCleaner update distribution site.  Notably, over 2 million malicious files were downloaded. 

British Airways – Another highly targeted attack by a group known as Magecart. Exposed data includes over 400,000 personal and financial details due to compromised third-party code on the payment section of the British Airways website.  The attackers injected their own code to route transaction and payment information to a domain owned by them.  Originally threatened with a £183 million fine ($251 million), they ultimately had to pay £20 ($27 million.)

The list goes on and on, but you get the point.

Takeaway: Lasting Repercussions

The repercussions of these attacks for those who have fallen victim to them are significant. Unfortunately, this style of attack will likely only continue to grow.  Think about it from the attacker’s perspective, why try to breach hundreds of individual targets when you can target the one which gives you access to all of them?

Some time has passed since the news broke about the SolarWinds compromise. But, everyday there is a new story, new information.  Whether it is a new crop of companies that were hit by it, or a new malware strain identified as part of the breach.  What we still don’t know is the long term ramifications of a breach of this magnitude.  This story is still in its first act.

We might just be seeing the tip of the iceberg considering the scale of this SolarWinds attack.

Share this post

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.