The SolarWinds Breach

Published on 02 Feb 2021

Updated on 02 Feb 2021

CyberSense is a monthly bulletin by CSA that spotlights salient cybersecurity topics, trends and technologies, based on curated articles and commentaries. CSA provides periodic updates to these bulletins when there are new developments.


OVERVIEW

“One of the most high-profile cyberespionage campaigns in recent years.” “Among the most ambitious cyber operations ever disclosed.” “A moment of reckoning.” These are some of the descriptors applied to the SolarWinds breach, which the global cybersecurity community has been intently monitoring since it was first reported in mid-December 2020. This issue of CyberSense takes a closer look at what happened, how global agencies and CSA responded to the incident, and a few observations and learning points we picked up.


WHAT HAPPENED?

In the world of network management software, one name stands head and shoulders above the competition: SolarWinds’ Orion platform. Used by numerous government agencies and Fortune 500 companies worldwide, it is the pre-eminent product in the network management space. However, it was precisely this market dominance that led hackers to target the Texan firm. Sometime in 2019, hackers managed to infiltrate SolarWinds’ production network to insert malicious code into Orion’s software updates. Any organisation that downloaded the tainted updates effectively gave the hackers a backdoor into its network.


[Figure: Production network]

The hackers’ approach and behaviour stood out in this incident. Analysis of their tactics, techniques and procedures showed that the hackers were patient, disciplined, and prioritised stealth to minimise exposure of their operations. Once inside a victim’s network, the hackers blended in, and looked for opportunities to escalate privileges (or gain privileged access) and abuse authentication mechanisms. They were observed to have forged trusted tokens. These tokens, akin to a security pass belonging to someone in the target organisation with high-level clearance, could grant the hackers access to restricted sections of the target organisation’s network as well as its assets in the cloud, such as e-mails. The hackers could also plant more backdoors in other parts of the breached network.

Around 18,000 of SolarWinds’ public and private sector customers around the world downloaded – and were hence exposed to – the malicious software updates. Of these, experts believe that the hackers targeted a much smaller number of organisations with follow-on activity. The vast majority of this smaller group were US-based entities – US government agencies and tech companies, including the likes of Cisco, VMware, and Microsoft.


WHAT MAKES THE SOLARWINDS BREACH SO SERIOUS, AND WHAT CAN WE LEARN FROM IT?

The SolarWinds breach is an example of a supply chain attack, in which the hacker’s intrusion into the victim’s network is facilitated by first compromising one of the victim’s trusted suppliers.


[Figure: Supply Chain Attack]

Supply chain attacks can generate wide “ripple effects”, due to the interdependencies that characterise the global economy. Organisations today often depend on external vendors such as tech firms and managed service providers. The compromise of a single, trusted supplier – or a popular and widely-used product – can result in multiple victims, some of which could be major vendors themselves with even larger customer bases. Such was the case in the SolarWinds breach. Cybersecurity agencies and researchers are still watching for signs of further breaches in the affected tech firms, which could have an even greater impact than the SolarWinds attack.

More insidious and problematic than compromising the SolarWinds supply chain was the hackers’ abuse of authentication mechanisms, which are a trusted part of a victim’s internal network. Their forging of authentication tokens allowed the hackers to roam the targeted network practically at will, as if they were one of the target organisation’s trusted employees. This makes detecting the hackers’ presence and tracing their steps within the network extremely difficult.
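As an added illustration (not from the bulletin or its cited sources), a small Python detector in the spirit of the log review described here and in the CSA guidance later in the bulletin: it correlates tokens presented to a service against the identity provider’s issuance records, so a token with no issuance record, used by a different user than it was issued to, or used outside its validity window is flagged, and a flagged token performing a privileged action is rated high. The log format, field names, token identifiers and events are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (not real SolarWinds data): identity-provider (IdP)
# issuance records, and tokens presented to a downstream service.
IDP_LOG = """\
2020-12-01T08:00:00Z issue token=tkA user=alice lifetime=3600
2020-12-01T08:05:00Z issue token=tkB user=bob lifetime=3600
"""
SERVICE_LOG = """\
2020-12-01T08:01:00Z present token=tkA user=alice action=read_mail
2020-12-01T08:06:00Z present token=tkB user=bob action=read_mail
2020-12-01T09:30:00Z present token=tkC user=admin action=add_role_member
2020-12-01T10:00:00Z present token=tkA user=alice action=read_mail
2020-12-02T09:00:00Z present token=tkD user=alice action=add_role_member
"""

LINE = re.compile(r"(\S+) (issue|present) (.*)")
PRIVILEGED = {"add_role_member", "grant_admin"}  # actions that change privilege

def parse(log):
    """Yield (timestamp, event kind, field dict) for each constructed log line."""
    for line in log.splitlines():
        when, kind, rest = LINE.match(line).groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        yield datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ"), kind, fields

def detect(idp_log, service_log):
    """Flag presented tokens that the IdP never issued, that are used by a
    different user than issued to, or that are used outside their validity
    window. A privileged action on a flagged token is rated high."""
    issued = {}
    for when, _, f in parse(idp_log):
        issued[f["token"]] = (f["user"], when, when + timedelta(seconds=int(f["lifetime"])))
    findings = []
    for when, _, f in parse(service_log):
        tok, reasons = f["token"], []
        if tok not in issued:
            reasons.append("no issuance record")  # token the IdP never minted
        else:
            user, start, end = issued[tok]
            if f["user"] != user:
                reasons.append("user mismatch")
            if not start <= when <= end:
                reasons.append("outside validity window")
        if reasons:
            severity = "high" if f["action"] in PRIVILEGED else "medium"
            findings.append({"time": when.isoformat(), "token": tok,
                             "severity": severity, "reasons": reasons})
    return findings
```

On the constructed logs, `detect(IDP_LOG, SERVICE_LOG)` reports tkC and tkD as high (no issuance record, privileged action) and the late reuse of tkA as medium.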

What are the key takeaways from this incident? First, it is likely that supply-chain attacks will continue to occur. Organisations should therefore make every effort to improve visibility over the activities and transactions happening inside their networks, especially if they rely on the services of vendors or third-party suppliers. The earlier they can detect breaches, the better their chances of mitigating the fallout in a timely manner.

Second, the SolarWinds breach demonstrates the asymmetric nature of the cybersecurity threat. Hackers can compromise a host of networks by exploiting just one vulnerability in a single supplier, while cybersecurity professionals need to constantly defend across all the systems under their charge, all the time. The odds are steep. Cyber-attacks are a matter of when, not if. Organisations must therefore continue to enhance and develop their cybersecurity capabilities and expertise.

Third, the SolarWinds breach also highlights the importance of the international community’s efforts in establishing clear rules and norms to promote responsible behaviour in cyberspace. Without them, cyber threat actors will feel free to act with impunity, endangering the prospects of connected nations and digital economies everywhere.


HOW HAVE AGENCIES RESPONDED GLOBALLY?

The interconnected nature of our global networks and supply chains means that many countries are potentially at risk from the fallout of the SolarWinds breach. Cybersecurity agencies around the world have issued advisories providing organisations with guidance to detect and mitigate any potential compromise. The global cybersecurity community has also shared insights and observations on the incident, including characteristics of the malware used to compromise SolarWinds, and methods of detecting and neutralising it.

So far, no government has definitively attributed the SolarWinds breach to any specific threat actor. The US government’s assessment, as set out in a joint statement by the Federal Bureau of Investigation, Cybersecurity and Infrastructure Security Agency, Office of the Director of National Intelligence, and the National Security Agency, is that an Advanced Persistent Threat actor, “likely Russian in origin”, is responsible for the cyber-attack. Russia denied any involvement in the cyber-attack on SolarWinds, and claimed that the accusations were more evidence of Russophobia.

There is no indication thus far that Singapore’s Critical Information Infrastructure (CII) and Government systems have been adversely affected by the SolarWinds breach. Nonetheless, the risk remains that somewhere along the supply chains of those tech firms that have been targeted, the hackers might have planted additional backdoors in preparation for future attacks. A real fear is that the hackers may have also penetrated the production networks of these tech firms and suppliers to corrupt their products, potentially putting millions of users at risk.

Once the SolarWinds breach was disclosed, CSA immediately raised the alert level and apprised all CII sector leads of the situation. Besides directing agencies to install the necessary patches and carry out thorough scans for indicators of compromise, CSA has also been working with sectors to step up vigilance and daily monitoring, even as the situation continues to evolve and new vulnerabilities are revealed. This involves CII sectors going through their logs over the past months with a fine-toothed comb for any indication of suspicious activity, such as unauthorised escalation of privileges and credential abuse. In addition, CSA advised the public on steps to better protect their systems against such threats. The most important of these are having full visibility of their networks, and implementing a regime of continuous monitoring for any unusual activity in the networks.

Mindful that cybersecurity is a team sport, CSA has tapped on our international partners closer to the frontline to learn more about the SolarWinds breach. This has helped CSA to better advise CII sectors on the preventive measures to take. CSA also organised virtual meetings with all ASEAN Member States to exchange insights and best practices arising from the incident, so that the region is better prepared against the potential threat that it poses. The proposal to establish an ASEAN CERT information exchange mechanism, welcomed by ASEAN Digital Ministers, will further contribute to regional cyber resilience in the face of transboundary cybersecurity threats.


CONCLUSION

The SolarWinds breach will not be the last major cybersecurity incident we face. The capabilities of cyber threat actors will only increase. CSA remains dedicated to the mission of securing cyberspace and protecting our digital way of life. Organisations, big or small, need to steel themselves for the inevitability of future malicious cyber activities and make efforts to strengthen the cybersecurity of their systems.

SOURCES INCLUDE:

FireEye, Microsoft Security Response Centre, New York Times, US Cybersecurity and Infrastructure Security Agency, US National Security Agency, Wall Street Journal