5 Things To Learn From The SolarWinds Nation-State Attack



On December 13, 2020, network software developer SolarWinds disclosed that it had suffered its biggest security breach to date.

So cataclysmic was the attack that by the end of that month, the company had shelled out upwards of $3.5 million to rectify the situation.

Addressing the incident, company CFO Barton Kalsu said the worst wasn’t over and that the company should prepare to spend up to $25 million in 2021 before it is in the clear.

The attack compromised nine federal agencies, including the U.S. Treasury and Commerce Departments, as well as hundreds of private and public companies.

The targeting of government departments escalated the matter to one of national security concern, and the U.S. National Security Council convened an emergency meeting in response.

With its reputation on the line and customer trust – including that of 425 of America’s Fortune 500 companies – hanging in the balance, SolarWinds is working around the clock to get things cleaned up.

Here is what we know of the attack so far.



Who is behind the attack?

In a statement issued on Thursday, April 15, 2021, the White House pinned the blame for the SolarWinds nation-state attack on Russian state-sponsored threat actors, naming Russia’s foreign intelligence service (SVR) as the perpetrator.

The breach was the work of the SVR’s hacking arm Cozy Bear.

Cozy Bear, the notorious hacker group, has been known by a series of names in the past, including APT29, The Dukes, The CozyDukes, Office Monkeys, and CozyCar.

Believed to have been formed around 2008, the group specializes in advanced persistent threats, with cyberespionage and cyberwarfare as the purpose of its work.

The most common methods employed by Cozy Bear are spear phishing and malware, the latter being the method used in this SolarWinds nation-state attack.

The most notable attacks from Cozy Bear are

It’s clear that cyber threat actors are becoming more aggressive. Don’t allow yourself to be a sitting duck. Hacks can cripple your operations and even lead to bankruptcy. Here are the top 5 lessons you can learn from the SolarWinds nation-state attack.

Lesson 1: Software supply-chain attacks are becoming more sophisticated

The SolarWinds nation-state attack began in March 2020, when the hackers are alleged to have gained entry into the Orion system and remained undetected.

From that foothold, Cozy Bear was able to systematically modify a critical component of an Orion plug-in that is distributed to customers as part of standard Orion platform updates.

FireEye analysts described the sophisticated nature of the SolarWinds nation-state attack, highlighting the discovery of a malware dropper never seen before this attack, which was subsequently nicknamed TEARDROP. TEARDROP loads directly into memory on the target system without leaving traces on disk.

FireEye researchers stated that the operational security they observed while analysing the SolarWinds nation-state attack was among the best they had ever encountered.

Lesson 2: Lack of federal breach notification law makes breach visibility difficult

The SolarWinds nation-state attack has been the talk of the industry because of the range of victims involved: over 18,000 government entities, including branches of the U.S. military, the Pentagon and state departments, whose networks were compromised.

What’s obvious here is that no corporation, company or government agency is safe.

However, one of the biggest issues compounding attacks of this size is the lack of federal laws that give hacked companies or government departments leeway to disclose cyberattacks.

The absence of this federal breach notification law makes it increasingly difficult to gain visibility into the magnitude of cyber espionage and cybercrime at play.

Lesson 3: Organizations are woefully unprepared to detect and address threats

Despite being one of the foremost software companies in the U.S., serving a roster of high-profile clients including Fortune 500 companies, SolarWinds is proof that organizations are still underprepared to detect and prevent cyber threats from nation-states.

Equally worrisome is the fact that an actual cybersecurity company – FireEye – was also hacked in the same SolarWinds nation-state attack.

If a cybersecurity company cannot protect itself against malicious trojanized updates, what of the end-users of its own products – the regular person who knows little about network security?

Companies must now ask, “What measures do we have in place to detect, prevent, and address threats?” This is a question every enterprise, whether small, medium or large, needs to answer for itself.

Lesson 4: The necessity for software developers to protect code integrity

End-users can only do so much to protect themselves.

Companies are turning to software developers, as the authors of the code used in these products, to find ways to protect code integrity.

Former NSA hacker David Kennedy is convinced that software developers should actively look into ways to mitigate risks when architecting products.

Speaking about the SolarWinds nation-state attack and what can be done, Kennedy said, “When building software, you don’t always think from inside out.”

He reiterated that developers needed to start asking, “How do we design our architecture infrastructure to be more resilient to these types of attacks?”
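The code-integrity point in Lesson 4 is easiest to see in a concrete check. The following is an added example, not code from the original article or from SolarWinds: a customer-side verifier that compares every file in an update bundle against a manifest of SHA-256 digests recorded from a known-good build. The bundle, its file names and the manifest are all constructed for illustration (they are not Orion's real component names), and the manifest is assumed to arrive over a channel separate from the update itself.

```python
import copy
import hashlib
import hmac

# Constructed example: an "update bundle" represented as filename -> bytes.
# A real bundle would be the files extracted from a downloaded update package;
# the file names are illustrative, not SolarWinds' actual component names.
KNOWN_GOOD_BUILD = {
    "Orion.Core.dll": b"MZ\x90\x00 good core component",
    "Orion.BusinessLayer.dll": b"MZ\x90\x00 good business-layer plug-in",
    "install.ps1": b"Write-Host 'installing update'",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Record the expected SHA-256 of every file in a known-good build.
    The manifest must reach the verifier over a channel the attacker does not
    control (pinned in the deployment tool, or carried in a signed release
    document); a manifest shipped inside the same bundle proves nothing."""
    return {name: sha256_hex(data) for name, data in files.items()}

def verify_bundle(files: dict, manifest: dict):
    """Compare a bundle against the manifest. Returns (ok, findings).
    Every manifest entry must be present with a matching digest, and files not
    listed in the manifest are rejected too, so an injected component cannot
    ride along unnoticed."""
    findings = []
    for name, expected in manifest.items():
        if name not in files:
            findings.append(f"missing: {name}")
            continue
        # constant-time comparison of the hex digests
        if not hmac.compare_digest(sha256_hex(files[name]), expected):
            findings.append(f"digest mismatch: {name}")
    for name in files:
        if name not in manifest:
            findings.append(f"unexpected file: {name}")
    return not findings, findings

MANIFEST = build_manifest(KNOWN_GOOD_BUILD)

def tampered_bundle() -> dict:
    """Constructed 'trojanized update': one plug-in component is modified and an
    extra file is added, mirroring the pattern of a modified component shipped
    through the normal update channel."""
    bundle = copy.deepcopy(KNOWN_GOOD_BUILD)
    bundle["Orion.BusinessLayer.dll"] = b"MZ\x90\x00 modified business-layer plug-in"
    bundle["Orion.Extra.dll"] = b"MZ\x90\x00 component not in the manifest"
    return bundle

def run_checks():
    """Verify the known-good bundle and the tampered one; returns both results."""
    clean = verify_bundle(KNOWN_GOOD_BUILD, MANIFEST)
    bad = verify_bundle(tampered_bundle(), MANIFEST)
    return clean, bad

if __name__ == "__main__":
    for label, (ok, findings) in zip(("known-good", "tampered"), run_checks()):
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} {findings}")
```

The caveat a practitioner should keep in mind: this check catches a component altered in transit, on a mirror, or on disk after download. In the SolarWinds case the modified component came out of the vendor's own build pipeline and carried the vendor's legitimate signature, so the digests a customer could verify against were the digests of the already-trojanized build. That is exactly why the lesson is addressed to developers: integrity has to be protected at the point where the code is built and signed, not only at the point where it is installed.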

Lesson 5: Companies need to adopt zero-trust networking principles

However, the onus doesn’t lie with developers alone. Companies have a part to play as well and this begins with adopting zero-trust networking principles.

Created in 2010 by John Kindervag, former principal analyst at Forrester Research Inc., Zero Trust Architecture, or Zero Trust Network, has been succinctly defined by CSOOnline.com as

“...a security concept centred on the belief that organizations should not automatically trust anything inside or outside its perimeters and instead must verify anything and everything trying to connect to its systems before granting access.”

In other words, companies need to be stricter about who is connecting to their networks, regardless of where the connection is coming from.
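To make the "verify everything, regardless of where it comes from" principle concrete, here is an added example that is not part of the original article and not code from any zero-trust product: a small access-decision function that denies by default and grants only when identity, second factor, device posture and entitlement all check out. The corporate address range, the entitlement table, the user and device names and the sample requests are all constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed "corporate" address space. Under zero trust, being inside it earns
# nothing; it is recorded only so the audit reason shows where a request came from.
CORPORATE_RANGES = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed entitlements: which verified identities may reach which resource.
ENTITLEMENTS = {
    "finance-db": {"alice"},
    "wiki": {"alice", "bob"},
}

@dataclass
class AccessRequest:
    source_ip: str
    resource: str
    user: Optional[str] = None        # identity proven by a valid credential, else None
    mfa_verified: bool = False        # second factor completed for this session
    device_id: Optional[str] = None   # enrolled device, or None if unknown
    device_compliant: bool = False    # posture check (patched, disk encrypted, ...) passed

def network_location(ip: str) -> str:
    """Label the source address for auditing only."""
    addr = ipaddress.ip_address(ip)
    return "inside" if any(addr in net for net in CORPORATE_RANGES) else "outside"

def decide(req: AccessRequest) -> Tuple[bool, str]:
    """Deny by default; grant only when identity, second factor, device posture and
    entitlement all check out. Network location appears in the reason string for
    auditing but is deliberately not an input to the decision."""
    where = network_location(req.source_ip)
    if req.user is None:
        return False, f"deny: unauthenticated request for {req.resource} from {where} network"
    if not req.mfa_verified:
        return False, f"deny: {req.user} has not completed MFA"
    if req.device_id is None or not req.device_compliant:
        return False, f"deny: {req.user} on unknown or non-compliant device"
    if req.user not in ENTITLEMENTS.get(req.resource, set()):
        return False, f"deny: {req.user} not entitled to {req.resource}"
    return True, f"allow: {req.user} -> {req.resource} from {where} network on {req.device_id}"

# Constructed requests: the first is the perimeter model's blind spot (inside
# address, no identity), the second shows location alone buys no access, the
# third that a remote worker with a verified identity and healthy device is let
# in, and the fourth that a verified user still needs an entitlement.
SAMPLE_REQUESTS = [
    AccessRequest("10.20.30.40", "finance-db"),
    AccessRequest("10.20.30.41", "finance-db", user="alice", mfa_verified=False,
                  device_id="laptop-01", device_compliant=True),
    AccessRequest("203.0.113.7", "finance-db", user="alice", mfa_verified=True,
                  device_id="laptop-01", device_compliant=True),
    AccessRequest("203.0.113.8", "finance-db", user="bob", mfa_verified=True,
                  device_id="laptop-02", device_compliant=True),
]

def evaluate_all(requests=SAMPLE_REQUESTS):
    """Run the policy over a list of requests; returns (granted, reason) per request."""
    return [decide(r) for r in requests]

if __name__ == "__main__":
    for granted, reason in evaluate_all():
        print(reason)
```

The design choice worth noticing is that `network_location()` is computed but never consulted by `decide()`. A perimeter-based policy would have allowed the first request simply because it originated from an internal address; under this policy it is refused for lacking a verified identity, while the request from a public address is granted once every check passes.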


In terms of security, companies cannot let their guard down. From having strong passwords to patching vulnerabilities, every precaution that can be taken should be.

Granted, the SolarWinds nation-state attack has made many companies uneasy about software updates, but having predictive, pre-emptive cyber solutions such as those provided by security experts Cybeta will go a long way towards ensuring that you stay on top of your security concerns at all times.

Contact us for a consultation or more information.