In December 2020, it was revealed that multiple high-profile targets, including the US government, had been hacked through software offered by SolarWinds. This was one of the largest hacks perpetrated in recent memory, and was particularly nasty because it affected multiple government agencies.
Let's see what happened in this hack, what kind of data was compromised, and how you can reduce your risk of attack from similar issues.
What Is SolarWinds?
If you're not familiar, SolarWinds is a major company that provides software to help businesses manage their IT. The software that was compromised in this case is Orion, an IT management platform.
Orion includes all sorts of tools, such as network performance monitors, IP address management, and user device trackers. These let large companies monitor the health of their systems, keep an eye on potentially malicious traffic, and much more.
The companies that ultimately were affected by this hack were not directly attacked. Instead, the perpetrators used what's called a supply chain attack to steal data from them through SolarWinds' software.
Supply Chain Hacks Explained
A supply chain hack occurs when an organization is hacked through a link in its supply chain. As you probably know, a supply chain refers to all the companies and resources involved in a company getting its product out to consumers. That includes raw materials behind them on the chain, distributors in front of them on the chain, and similar.
In this case, the attackers were able to break into SolarWinds' update servers for Orion. It's thought that they used compromised Microsoft 365 credentials from SolarWinds to do this, but that's not known for sure.
Once they had access to the server that SolarWinds uses to push updates to Orion, they put remote access malware inside of the usual updates. Any clients who used Orion in their business and installed these updates would unknowingly be providing a backdoor to the hackers.
After waiting for a few weeks, the malware would pretend to be real SolarWinds traffic to remain undetected. Once it was able to phone home to the perpetrators, they could monitor the victim's web traffic for all sorts of sensitive data.
This was much worse than the usual hack, due to the nature of Orion being made to monitor network traffic. Hackers could use this deep access to monitor the network in order to steal passwords, attack the most vulnerable machines, and similar.
The hack started in March 2020, but nobody was aware of it until December 2020. This means that the attackers had incognito access to network traffic for thousands of SolarWinds customers for months. There's no telling how drastic the effects of this event are or will be.
Who Perpetrated This Attack?
This kind of attack requires a sophisticated effort to pull off; it's not some group of teenagers pulling a prank. Indeed, the attackers infiltrated SolarWinds' systems in late 2019, and used the interim time to test their attack and get ready to make use of their victims' systems.
US government and top security officials believe that Russian hackers were behind the attack. Specifically, they think that the hacker group Cozy Bear, thought to be affiliated with Russian intelligence agencies, was the group who carried this out.
The Hack's Victims
Multiple US government institutions were affected by this hack, as they all use the Orion software. Below are a few of the agencies that were breached:
- Department of Defense
- Department of Health and Human Services
- Department of Homeland Security
- Department of State
- Department of the Treasury
Some local governments were also affected, such as Austin, Texas and Pima County in Arizona. In addition to government bodies, many private companies were also breached, including:
The Impact of the SolarWinds Hack
Since this hack was active for so long and was only discovered recently, the full extent of the damage isn't known. The hackers also didn't act on every company that they breached using Orion; they seemed to have prioritized the highest-value targets first.
However, it's clear that this was an extremely damaging event. With access to so much government data, the perpetrators could destroy sensitive information or use it to impersonate people. The data they stole could allow them to set up even more damaging hacks on government agencies in the future, or blackmail government employees into giving away more information.
The cleanup is also a major issue. Since there's no way to know how widespread the hack was, affected companies can only really be safe by rebuilding from scratch to avoid any traces of infection.
What This Hack Means for You
If your company doesn't use Solarwinds Orion, chances are that you're safe from this particular issue. We use a tool called N-Central, which was purchased by Solarwinds, but this product was unaffected by this hack. But it brings an important principle to mind: make sure you're careful with who your company includes in its supply chain.
Even if your business infrastructure is set up securely, someone you do business with could introduce a vulnerability into your network, like Orion did for so many firms.
Usually, installing updates is an important way to keep your systems secure, but in this case it was actually the catalyst for a huge infection. This also illustrates the importance of having a disaster recovery plan. If you suddenly had to treat most of your system as infected, would you have a way to reset and get back to normal quickly?
For more like this, see further discussion about Russian hacking.