At least three government agencies and six “large firms” in El Paso County are among the as many as 18,000 organizations worldwide that may have been affected by the massive breach at IT vendor SolarWinds, according to cybersecurity expert Shawn Murray.
The Texas-based supplier of software for the U.S. government and Fortune 500 firms was hit last year by hackers with alleged Russian ties and another group yet to be identified by authorities. The breach, which went undetected for months, resulted in SolarWinds sending out software updates to its customers that included malicious code allowing the hackers to spy on those organizations. The fallout will likely last for years.
“Here locally, I can’t disclose the government agencies or our local clients that have been impacted, but there are several of our clients here in town that have also been affected by this threat,” said Murray, president and chief academic officer for Murray Security Services. “They had to basically disconnect the number one application and hardware that they use to monitor all of the security events in their organizations.”
Murray and his peers around the globe are currently engaged in what could amount to a multi-billion-dollar effort to analyze, and in some cases rebuild, client networks that were running Orion, the SolarWinds network-monitoring platform whose software updates were trojanized in the hack. Because an Orion server is given visibility into, and credentials for, much of the infrastructure it monitors, a compromised Orion installation is a foothold into far more than the server itself.
A joint task force composed of the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence and the National Security Agency said in a statement last month that the hack was “likely Russian in origin.” Private-sector researchers and press reports have further linked the operation to APT29, also known as Cozy Bear, a sophisticated cyber threat group with suspected ties to the Russian foreign intelligence service known as the SVR.
Government officials are just beginning to understand the long-term consequences of a foreign actor gaining access to large quantities of data from thousands of organizations, including the United States departments of Defense, Labor, Energy, State, Commerce, Treasury, Agriculture and Justice, as well as the National Institutes of Health.
In El Paso County, that could mean information at local defense and aerospace contractors, though Murray could not confirm whether any of those organizations were on the list of firms impacted by the hack.
Mike Crandall, chief executive officer at Digital Beachhead, a cyber risk management company based in Colorado Springs, said the likelihood that some of the military bases in the area were affected seems high.
“Locally, the bases may have been affected as the [Department of Defense] was a major target in the attack,” he said. “Cisco and Microsoft were also targeted, both of whom have a local presence and whose equipment and software are found in government, business and homes everywhere. The actual scale of this attack will never be totally known nor the damage completely recognized.”
ONE SYSTEM, TWO HACKS
The SolarWinds hack, whose backdoor was code-named SUNBURST by the researchers who found it, is one of the most extensive cyber attacks in recent history, but its discovery can’t be credited to any major national cybersecurity agency.
In fact, it was another network security company, California-based FireEye, that first uncovered the breach: while investigating the theft of its own penetration-testing tools, its personnel traced the intruders back to malicious code contained in an Orion software update. SolarWinds distributed the update to its customers between March and June 2020, but no evidence has emerged to indicate the company was aware it had been modified.
It took roughly nine months to discover the malicious code, but that isn’t far from the average.
According to a study conducted by IBM, the average time to identify a breach in 2019 was around six months, while the time it took to contain one was a little over two months. A separate study by Statista notes that the number of attacks per year is continuing to rise rapidly, with a 56.1 percent increase in attacks blocked throughout the world between 2017 and 2018. The health care industry, specifically, saw an 80 percent increase in network breaches between 2017 and 2019.
Murray said the hackers responsible in this case appeared to have had access to SolarWinds development systems for several months before the tampered patch was finally distributed to customers — another mark of the sophistication and novelty of the methods used, he said.
“Between September and November 2019, it is suspected that Russian state actors developed an Advanced Persistent Threat and inserted it, tested it and placed it into the SolarWinds trusted patch repository,” Murray said. “Because this is expected to be a trusted environment, SolarWinds digitally signs the infected patch to ensure integrity and trust and then distributes the infected patch to all of its subscribers of the Orion vulnerability management application.”
Murray calls this a “supply chain attack,” which he defines as “a disruption in a standard process resulting in a compromised result with a goal of being able to attack subsequent users of the software.”
There has also been some suggestion that SolarWinds may have left its platform particularly vulnerable to attack. Ian Thornton-Trump, a former cybersecurity adviser with the company, was quoted in a Jan. 2 New York Times article stating that he had warned management in 2017 that the company was exposed to a potentially “catastrophic” breach due to a lack of proper security protocols.
Murray suggests keeping the development process for software systems offline.
“In my opinion, any company that develops software of any type should do this on isolated networks that have no connectivity to the internet,” Murray said. “This may have prevented the attack to begin with. Sound development processes include separate development and testing environments as a principle.”
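The sequence Murray describes (code altered in the build environment, then signed and shipped as a trusted update) can be modeled in a few lines. The following Go program is an added example written for this article, not code from SolarWinds or from anyone quoted here; the build step, the freshly generated Ed25519 signing key, the sample source and the implant string are all constructed stand-ins. It shows why the customer-side signature check passes on the trojanized build exactly as it does on the honest one (the vendor signs whatever the build environment produces) and why an independent rebuild from reviewed source, a reproducible-build check, is what actually catches the tampering.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Release is what a vendor ships to subscribers: the built artifact plus the
// vendor's signature over it.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// Result records how one honest and one tampered release fare under two checks.
type Result struct {
	HonestSigOK     bool
	HonestReproOK   bool
	TamperedSigOK   bool
	TamperedReproOK bool
}

// build stands in for the vendor's compiler: a deterministic transform of
// source into an artifact, so an independent rebuild yields identical bytes.
// (Constructed stand-in; a real toolchain must be made reproducible on purpose.)
func build(source []byte) []byte {
	return append([]byte("BUILD:"), source...)
}

// implant is the attacker's modification made inside the build environment,
// after the reviewed source is compiled but before the release is signed.
// The payload string is a constructed placeholder, not real malware.
func implant(artifact []byte) []byte {
	out := append([]byte{}, artifact...)
	return append(out, []byte("\n<beacon to attacker infrastructure>")...)
}

// sign is the vendor's release-signing step. It signs whatever bytes the build
// environment hands it; it cannot tell whether those bytes were tampered with.
func sign(priv ed25519.PrivateKey, artifact []byte) Release {
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, artifact)}
}

// VerifySignature is the check every customer performs on install:
// "was this signed by the vendor's key?"
func VerifySignature(pub ed25519.PublicKey, r Release) bool {
	return ed25519.Verify(pub, r.Artifact, r.Signature)
}

// VerifyReproducible rebuilds from the reviewed source and compares bytes:
// "is what was signed the thing the vendor meant to build?"
func VerifyReproducible(source []byte, r Release) bool {
	return bytes.Equal(build(source), r.Artifact)
}

// Digest returns the hex SHA-256 of an artifact, the value a customer would
// compare against a hash list published through a channel independent of the
// update server.
func Digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Scenario runs an honest release and a tampered release through both checks
// using a freshly generated vendor signing key.
func Scenario() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	source := []byte("monitoring-agent v1.0 (constructed sample source)")

	honest := sign(priv, build(source))            // normal release
	tampered := sign(priv, implant(build(source))) // attacker altered the build output

	return Result{
		HonestSigOK:     VerifySignature(pub, honest),
		HonestReproOK:   VerifyReproducible(source, honest),
		TamperedSigOK:   VerifySignature(pub, tampered),
		TamperedReproOK: VerifyReproducible(source, tampered),
	}, nil
}

func main() {
	r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("honest release:   signature ok=%v  rebuild matches=%v\n", r.HonestSigOK, r.HonestReproOK)
	fmt.Printf("tampered release: signature ok=%v  rebuild matches=%v\n", r.TamperedSigOK, r.TamperedReproOK)
	fmt.Println("digest of honest build:  ", Digest(build([]byte("monitoring-agent v1.0 (constructed sample source)"))))
}
```

Customers of closed-source software cannot rebuild it themselves; the consumer-side analog is comparing the installed file's digest against hashes the vendor publishes out of band, and the vendor-side controls are the isolated build network Murray recommends plus a record of exactly what went into each signed release. A valid signature answers “who signed this,” not “was what they signed the thing they meant to build.”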
Concerns over the security of SolarWinds’ own infrastructure were underscored in December, when Microsoft reported a second, separate piece of malicious code in Orion, this one code-named SUPERNOVA, which experts so far believe was planted by a different group altogether.
“We don’t believe it’s Russia,” Murray said, “and the purpose of this one was to exploit vulnerabilities in clients as well. It is suspected, based on publication by Microsoft, that 100 percent of Microsoft’s source codes for its operating systems and its Microsoft Office suite have been compromised. So if that truly has happened, that means everyone who has Microsoft operating systems, like Windows 10, Windows 7 or Microsoft Office 365, could possibly be compromised. And Microsoft Office and Microsoft Windows are the most used operating systems and office productivity suites in the world.”
Murray adds, however, that the hackers in all likelihood have little interest in “you or me. They’re going to be going after the big customers.”
Small businesses also likely have little reason to worry, he added, but those that subscribe to a managed security service provider may still want to ask whether that provider was affected and consider a remediation plan and risk assessment.
Microsoft said in a Dec. 31 blog post that the attackers behind the Orion backdoor (the SUNBURST intrusion, rather than SUPERNOVA) had used a compromised internal account to view source code in some of its repositories, but that the account had no permission to modify any code, and that it had found no evidence of access to production services or customer data.
However, The Wall Street Journal reported Jan. 29 that SolarWinds is now investigating whether the attackers’ initial entry point into its own environment came through its Microsoft cloud services.
“The biggest concern to consumers of Microsoft products would be if the attackers have found vulnerabilities inside of Microsoft to directly affect the product line,” said Crandall. “While this is concerning as a whole, the average user need not spend time worrying about this.”
He said the breach affecting Microsoft will likely be easier to address through future updates that users of its operating systems will be able to download.
Crandall, a U.S. Air Force veteran, said the process of identifying the hacker responsible in each specific case is a bit like pinpointing the maker of an improvised explosive device.
“Each one has a signature that can be distinguished in the making of their devices,” he said. “In hacking it is very similar, and we can determine those signatures in each breach to help determine who is the perpetrator of the attack.”
PLAYING THE LONG GAME
While SolarWinds has said that as many as 18,000 of the roughly 33,000 customers using Orion may have installed the tampered update, other estimates, which count organizations whose networks had secondary ties to Orion, have ranged as high as 300,000.
“Unfortunately, the true number may never be known,” Crandall said. “SolarWinds identified 18,000 customers who ‘potentially’ could have been affected by the incident; however, until every customer does a forensic analysis of every instance of SolarWinds within their organization the actual number cannot be known. Some agencies did not expend the time or expense of the forensic analysis — which can run into the tens of thousands of dollars — but simply mitigated any potential further risk by rebuilding their systems from scratch.”
So far, the hackers in this case appear to be most interested in gathering data rather than in, for example, using their access to shut down vital networks. But Murray fears that may be a possibility down the road.
“If it is a Russian state actor, what we have known about Russia over the years is they are usually very quiet in their methodology,” Murray said. “They’re trying to learn. Information is power. So what they’ll want to do is learn what your network looks like. They may architect it out. They’ll know where your weaknesses are. If we were to, say, go into a cyber war, they would have very exclusive privileged knowledge of how critical networks work. They can disrupt utility grids. They could disrupt supply chains and supply systems. They could create misinformation campaigns that we wouldn’t be able to understand until it was too late.”
Crandall said the SolarWinds hack is a moment of reckoning for the cybersecurity field and for those organizations that still treat network security as an afterthought.
“Cybersecurity, much like information technology as a whole, is ever evolving,” he said. “The cybercriminals are always looking for new inventive ways to break in or collect data and the cybersecurity ecosystem is often following behind finding ways to discover, stop and deter those actions. What this incident highlights is that no one is immune to cyber crime and hopefully brings focus to all businesses — to include small to midsize — that they need to find ways to implement some form of cybersecurity as a focus point rather than a ‘side job’ of their current IT team.”