Why the SolarWinds Hack Is a Wake-Up Call
The sweeping cyber espionage campaign shows how sophisticated adversaries can bypass even well-defended targets.
March 9, 2021 9:00 am (EST)
The SolarWinds hacking campaign—one of the most extensive to date—exposed fundamental cybersecurity vulnerabilities within U.S. government agencies and the private sector. The campaign, which investigators suspect Russia is behind, is far from over. Here is a rundown of what has happened, what could be coming, and how to improve defenses against this type of cyber threat in the future.
How was the SolarWinds hack discovered?
The U.S. cybersecurity firm FireEye announced last December that an unidentified, highly sophisticated adversary, known as an advanced persistent threat (APT) actor, had compromised its network and stolen the red-team tools it uses to test the security of clients’ networks. In the cybersecurity community, APT is shorthand for the most capable actors, typically government agencies or criminal groups operating under government direction. FireEye said the actor gained access to its systems by hiding malicious software, or malware, in an update to network management software made by SolarWinds, a Texas-based company.
The hacking campaign is believed to have started in February 2020, though some analysis has traced it back to as early as October 2019.
How many organizations have been affected?
The malware was installed in the networks of as many as eighteen thousand companies and government organizations. At least one hundred private companies and nine federal agencies are thought to have had data stolen. The U.S. court system and several state and local government agencies are also victims. Organizations are still working to understand what data was stolen and to determine whether the adversary is still in their networks.
How does the malware work?
Once installed, the malware attempts to “call back” to a command-and-control server, which tells the adversary which organizations are compromised. The adversary can then choose to deploy second-stage malware to explore a victim’s network and exfiltrate data. In this campaign, the adversary also exploited weaknesses in Microsoft Office 365 and in VMware products to reach additional networks.
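The “call back” described above tends to leave a recognizable fingerprint in outbound traffic logs: connections from one host to one destination at near-constant intervals, regardless of what the user is doing. The following Python is an added example written for this page, not code from the article or from any SolarWinds investigation; the log format, hostnames and thresholds are assumptions, and the log lines are constructed.

```python
"""Beacon detection over constructed outbound-connection logs.

Added example, not code from the original article. Flags (host, destination)
pairs whose connections recur at near-regular intervals, which is how a
"call back" to a command-and-control server commonly looks in proxy or DNS
logs. Log format, hostnames and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines: "<ISO timestamp> <source host> <destination>".
# ws-17 contacts update.example-cdn.test roughly every 30 minutes with a few
# seconds of jitter (beacon-like). ws-22 visits news.example.test whenever a
# person happens to click (irregular gaps).
SAMPLE_LOG = """\
2020-06-01T08:00:00 ws-17 update.example-cdn.test
2020-06-01T08:30:12 ws-17 update.example-cdn.test
2020-06-01T08:59:48 ws-17 update.example-cdn.test
2020-06-01T09:30:05 ws-17 update.example-cdn.test
2020-06-01T09:59:57 ws-17 update.example-cdn.test
2020-06-01T10:30:10 ws-17 update.example-cdn.test
2020-06-01T11:00:02 ws-17 update.example-cdn.test
2020-06-01T08:03:11 ws-22 news.example.test
2020-06-01T08:05:40 ws-22 news.example.test
2020-06-01T09:47:19 ws-22 news.example.test
2020-06-01T09:48:02 ws-22 news.example.test
2020-06-01T12:30:55 ws-22 news.example.test
2020-06-01T12:31:01 ws-22 news.example.test
2020-06-01T15:02:44 ws-22 news.example.test
"""


def parse_log(text):
    """Group connection timestamps by (source host, destination)."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dest = line.split()
        events[(host, dest)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps):
    """Return (mean gap in seconds, coefficient of variation of the gaps).

    A coefficient of variation near 0 means the gaps are almost identical,
    i.e. machine-driven timing. Returns None when there are too few
    connections to measure regularity at all.
    """
    times = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    mu = mean(gaps)
    cv = (pstdev(gaps) / mu) if mu else float("inf")
    return mu, cv


def find_beacons(text, min_events=5, max_cv=0.05):
    """Flag pairs with at least min_events connections whose gap CV <= max_cv."""
    flagged = {}
    for key, ts in parse_log(text).items():
        if len(ts) < min_events:
            continue
        score = beacon_score(ts)
        if score is not None and score[1] <= max_cv:
            flagged[key] = score
    return flagged


if __name__ == "__main__":
    for (host, dest), (mu, cv) in find_beacons(SAMPLE_LOG).items():
        print(f"{host} -> {dest}: every {mu:.0f}s, jitter cv={cv:.3f}")
```

On the constructed data only `ws-17` is flagged (mean gap about 1800 seconds, CV under 0.01); the human browsing from `ws-22` has gaps ranging from seconds to hours and falls well outside the threshold. The `min_events` floor matters: with only two or three connections almost anything looks regular, which is exactly the kind of false positive the later section of this article complains about.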
Why is Russia suspected of being behind this hack?
Shortly after news of the incident broke, U.S. government sources attributed it to “Cozy Bear” or “APT-29”—nicknames for a threat group operating on behalf of Russia’s foreign intelligence service. Weeks later, several U.S. intelligence agencies issued a joint statement concluding that the campaign was carried out by an actor “likely Russian in origin.”
Evidence that Russia is behind the attack, including independent findings from cybersecurity firms, continues to mount. However, neither FireEye nor CrowdStrike, another leading cybersecurity company, has attributed the campaign to a particular group, though FireEye CEO Kevin Mandia has stated it is “very consistent” with previous hacks by Russian government actors.
Is the case effectively closed against Russia, then?
Assigning responsibility for a cyberattack to a specific organization or country is more of an art than a science. Investigators collect evidence on how an attack was carried out and compare it to that of previous incidents. If the evidence lines up, and those past incidents have been attributed to an actor, private response firms and government agencies might conclude that the same actor was behind the new incident.
What the U.S. government can do that private companies cannot is draw on the intelligence community, including human sources and signals intelligence, to round out the picture. Suspicion that a specific actor carried out an incident may lead government investigators to comb through intelligence that has already been collected, which might corroborate that suspicion. Or investigators can begin new, targeted collection against the suspected actor to confirm its involvement.
The Biden administration has stood by the attribution to Russia and is planning responses, including sanctions, as punishment for the hack. Those sanctions are expected to come with a stronger statement of attribution than has been released so far.
How are the government and private companies responding?
The federal government as a whole—both the intelligence community and federal agencies such as the Cybersecurity and Infrastructure Security Agency (CISA)—failed to identify the attack, and this has troubled the Biden administration. President Biden has ordered a review of what the intelligence community knew about the campaign and why it was unable to warn the organizations that were victimized. The incident has also prompted federal agencies to seriously examine how they are defending themselves against such sophisticated attacks.
If not for FireEye’s discovery that it had experienced a material breach, federal agencies might still be in the dark. Private companies, however, are not taking a victory lap. Given the number of organizations that were targeted (many with sophisticated cybersecurity operations and the best detection tools that money can buy), the cybersecurity community as a whole is struggling to assure its customers that the problems brought to light by this campaign can be solved.
Is the SolarWinds saga over yet?
Officials describe the threat as “ongoing” and “persistent,” meaning the actor continues to find ways to remain within victim networks or to regain access to them quickly. In February, news reports indicated that Chinese actors might also have accessed federal networks through separate vulnerabilities in SolarWinds software. Meanwhile, other Russian, Chinese, Iranian, and North Korean threat actors continue to target U.S. agencies and the private sector. A possibly more damaging campaign against Microsoft Exchange servers by suspected Chinese actors may have affected more than thirty thousand organizations.
What are the best defenses against sophisticated hackers?
Basic cybersecurity hygiene, such as strong passwords, multifactor authentication, vulnerability patching, and next-generation antivirus software, is necessary but not sufficient against these groups. On top of it, organizations need sustained security and operational vigilance, because these actors will take advantage of any mistake that defenders make. Most organizations, however, cannot afford investments on that scale.
Finding these types of threats requires chasing down alerts from dozens of security tools, most of which turn out to be false positives. FireEye discovered its own compromise only by tracking down the adversary’s attempt to register a new device in its multifactor authentication system. When threats such as these are discovered, information that can help other potential victims determine whether they are compromised must be shared rapidly. In the case of the SolarWinds hack, the security firm Palo Alto Networks detected related activity and built protections against the malware for its customers, but it did not share them more broadly because it was unaware of the scale of the campaign.
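One way to make the kind of MFA signal that tipped off FireEye stand out from routine alert noise is to compare every new device enrollment against the account’s own login history. The Python below is an added example for this page, not FireEye’s detection logic or code from the article; the audit-log format, user names and trusted address ranges are assumptions, and the sample events are constructed.

```python
"""Triage of MFA device-enrollment events over constructed audit logs.

Added example, not code from the original article and not FireEye's own
detection. Each "mfa_device_added" event is compared with the addresses the
same user has previously authenticated from, so that an enrollment from a
place the user has never been seen rises to the top of the queue. Log
format, user names and trusted networks are assumptions.
"""
import ipaddress
from collections import defaultdict

# Address ranges the organization treats as its own (office and VPN egress).
# Assumed values using documentation prefixes.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/26"),
]

# Constructed audit lines: "<ISO timestamp> <user> <event> <source_ip>".
# alice: enrolls a device from an address she has never logged in from.
# bob, carol: enroll from addresses already in their login history.
# eve: works from home; her enrollment comes from that same home address.
# dave: no login history at all, enrollment from inside the office range.
SAMPLE_AUDIT = """\
2020-11-20T09:02:11 alice login_success 203.0.113.14
2020-11-21T09:05:43 alice login_success 203.0.113.14
2020-11-22T18:40:02 alice login_success 198.51.100.7
2020-11-23T21:17:30 alice mfa_device_added 192.0.2.77
2020-11-20T08:55:00 bob login_success 203.0.113.90
2020-11-21T10:12:09 bob login_success 203.0.113.90
2020-11-24T10:14:51 bob mfa_device_added 203.0.113.90
2020-11-19T07:30:00 carol login_success 198.51.100.20
2020-11-25T07:31:12 carol mfa_device_added 198.51.100.20
2020-11-18T20:02:00 eve login_success 192.0.2.5
2020-11-26T20:05:13 eve mfa_device_added 192.0.2.5
2020-11-27T08:00:00 dave mfa_device_added 203.0.113.200
"""


def parse_audit(text):
    """Parse audit lines and return them in chronological order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, ip = line.split()
        events.append((ts, user, event, ipaddress.ip_address(ip)))
    # ISO 8601 timestamps sort correctly as plain strings.
    return sorted(events, key=lambda e: e[0])


def is_trusted(ip):
    """True if the address falls inside one of the organization's networks."""
    return any(ip in net for net in TRUSTED_NETWORKS)


def suspicious_enrollments(text):
    """Return MFA enrollments that deserve a human look, with a severity.

    high   : address the user has never logged in from, outside trusted
             networks (the pattern worth an immediate phone call to the user)
    medium : address never seen for this user, but inside a trusted network
    Enrollments from an address already in the user's login history are
    treated as routine and not reported.
    """
    seen = defaultdict(set)
    hits = []
    for ts, user, event, ip in parse_audit(text):
        if event == "login_success":
            seen[user].add(ip)
        elif event == "mfa_device_added" and ip not in seen[user]:
            hits.append({
                "timestamp": ts,
                "user": user,
                "source_ip": str(ip),
                "severity": "medium" if is_trusted(ip) else "high",
            })
    return hits


if __name__ == "__main__":
    for hit in suspicious_enrollments(SAMPLE_AUDIT):
        print(f"[{hit['severity']}] {hit['timestamp']} {hit['user']} "
              f"enrolled MFA device from {hit['source_ip']}")
```

On the constructed data this surfaces two of five enrollments: alice’s, from an address with no history at all (high), and dave’s, from the office range but with no prior logins to compare against (medium). The three routine enrollments, including eve’s from an untrusted but well-established home address, are suppressed, which is the point: the filter is keyed to each user’s own baseline, not to a global allow-list. It is a triage step, not a verdict; the flagged events still need an analyst to confirm with the user, which is what FireEye did.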
For federal agencies, upgrading from legacy computing infrastructure to more defensible cloud applications and infrastructure should be a top priority. Congress is likely to include $1 billion for the Technology Modernization Fund in the current relief bill, but replacing legacy systems across federal agencies will likely cost billions of dollars more. The SolarWinds hack demonstrated the need to ensure that every component of the digital supply chain is trustworthy, something current technology and processes are simply not capable of doing.
Finally, while there is very little individuals and small companies can do if they are targeted by a sophisticated adversary, they can seek to use service providers that invest heavily in cybersecurity.