On December 13, 2020, FireEye announced that threat actors had compromised SolarWinds’s Orion IT monitoring and management software and used it to distribute a software backdoor to dozens of that company’s customers, including several high profile U.S. government agencies.
Game Changing Attack Vector
This campaign is the first major supply chain attack of its kind at scale and represents a shift in tactics where a nation state has employed a new weapon for cyber-espionage. Just as the use of nuclear weapons at the end of WWII changed military strategy for the next 75 years, the use of a supply chain attack will change the way we need to consider defense against cyber-attacks.
This supply chain attack operated at the scale of a worm such as WannaCry in 2017, combined with the precision and lethality of the 2014 Sony Pictures or 2015 U.S. Office of Personnel Management (OPM) attacks.
The impact of this attack shows how a high-volume commercial software product can impact many organizations simultaneously. In the past, cyber-attacks such as WannaCry relied on vulnerabilities, exploiting organizations that failed to install critical patches. In the case of SolarWinds-SUNBURST, any organization that simply updated its software could be vulnerable to attack, which is why we saw the impact across multiple agencies in the federal government and private sector. Furthermore, the backdoor used stealth tactics to monitor if it was being analyzed by looking for the presence of debuggers and network monitors and suppressing communications and alerts of other malicious behavior in those scenarios.
Broad Reach and Impact
From a U.S. national security perspective, this attack enables the nation’s enemies to steal all manner of information, from inter-governmental communications to national secrets. Attackers can, in turn, leverage this information to influence or impact U.S. policy through malicious leaks.
The attack impacted private companies as well. Unlike government networks which isolate classified information both from the internet and non-classified material, private organizations often have critical intellectual property on the same internet-facing network they store non sensitive information. Exactly what corporate intellectual property or private data on employees has been stolen will be difficult to determine, and the full extent of theft may never be fully known.
These cyber supply chain attacks are a concern for consumers as well. In today’s highly interconnected homes, a breach of consumer electronics companies can result in attackers using their access to smart appliances such as TVs, virtual assistants, and smart phones to steal their information or act as a gateway to attack businesses while users are working remotely from home.
Endless Possibilities for Attackers
What makes this campaign so insidious is that the attackers used trusted SolarWinds software to infiltrate victim organizations with the SUNBURST backdoor, which then enabled the attacker to take any number of secondary steps. This could involve stealing data, destroying data, holding critical systems for ransom, orchestrating system malfunctions that could result in kinetic damage, or simply implanting additional malicious content throughout the organization to stay in control and maintain access even after the initial threat appears to have passed.
Encourages the Wrong Behavior
Such an attack is particularly challenging in that it raises concerns around best practices cybersecurity professionals have been trying to communicate for years. For decades, we have been saying that it is critical to patch and keep software updated. In this case, however, it was patching and bringing new software into an environment that opened organizations up to attack.
Organizations must not read into these SolarWinds-SUNBURST revelations that they should not prioritize keeping their environments up to date. Doing so would certainly open them up to a variety of other attacks.
How do we reconcile these two conflicting security viewpoints? Organizations and cybersecurity practitioners must be vigilant in their review and understanding of the software being brought into their environments. Additionally, they must identify their most critical information and data and apply the principles of least privilege to these items, ensuring that sensitive information such as national secrets and intellectual property are protected.
Daisy Chained Victims Amplify Impact
One additional area of concern is when software vendors are impacted. In this scenario, it is possible for there to be a daisy chain effect. The adversary could modify either source code or a development toolchain within a victim’s environment to plant additional backdoors that are then distributed to their customers.
Conclusion and More Information
The SolarWinds-SUNBURST campaign is like a “smart bomb” on a crowded landscape of “dumb bomb” cyber threats. WannaCry was a dumb bomb in that it was fully autonomous and indiscriminate in what it attacked. Whereas this SolarWinds-SUNBURST attack is a “precision guided” smart cyber weapon that is being used to target specific organizations in very specific ways. Every organization that is of interest to the attacker might be targeted slightly differently.
McAfee has incorporated technical indicators gleaned from the FireEye and SolarWinds incidents into our cyber defenses and solutions portfolio to protect our environment and customers. The details of these supplemental protections can be found in McAfee’s knowledge base (KB) articles KB89830 and KB93861.
Please also see the following analysis blogs focused on SolarWinds-SUNBURST: