A nine-month SolarWinds breach and multiple network occupations by nation-state hackers is the seed pod for a broad, deep string of global security breaches yet to appear or reach disclosure. The details are disheartening to the cybersecurity community and customers everywhere.
On December 8, 2020, FireEye reported that nation-state hackers stole its Red Team assessment tools. FireEye uses the tools to assess its customers' network vulnerabilities. The cybersecurity firm discovered the theft resulted from a breach of SolarWinds' Orion Platform of infrastructure monitoring products. FireEye was a customer of fellow cybersecurity company SolarWinds. FireEye reported the hack to SolarWinds, which published details of the breach on December 13. Microsoft and FireEye traced the attack to the Russian S.V.R.-affiliated hacker group Cozy Bear, also known as APT29.
According to Jeff Horne, CSO of Ordr, an Internet of Things (IoT) security firm, APT29 added the Sunburst Trojan backdoor to the SolarWinds.Orion.Core.BusinessLayer.dll file in the Orion Platform products source code repository as part of a supply-chain attack. From there, says Horne, SolarWinds built, tested, and digitally signed its software update before deploying it from its update server.
When SolarWinds released the update in March 2020, the Sunburst Trojan gave cybercriminals access to any network in which customers had installed the infected update on their SolarWinds server. "The Sunburst Trojan allowed the threat actors to execute code and run commands on that server," Horne says. There is still speculation as to how APT29 gained access to the code repository in the first place.
The SolarWinds hack is an ominous sign as supply-chain attacks ramp up unabated. There was a "massive 430% surge in next-generation cyberattacks aimed at actively infiltrating opensource software supply chains," says Sonatype's 2020 State of the Software Supply Chain Report. The SolarWinds supply chain hack created backdoors inside thousands of organizations. "Given the massive scale and global media coverage of the SolarWinds incident, we may soon see copycat supply chain attacks throughout the government and commercial sectors," says Safi Raza, director of cybersecurity at Fusion Risk Management.
The attack went undetected in part because customers tend to whitelist trusted products, such as the SolarWinds Orion Platform, so the infected servers could reach out across customer networks unhindered. "Because SolarWinds complied with industry and regulatory requirements, customers gave them free rein to run around their environments," says Raza.
According to Krebs On Security, the SolarWinds breach let criminal hackers inject malicious software into nearly 18,000 SolarWinds' customer networks. However, "the threat actors probably didn't access or run code on the networks of all 18,000 customers. They probably picked prime targets," says Horne. APT29 used a command and control server to orchestrate other malware infections on those target networks, establish further remote access, move laterally across the network, and exfiltrate data.
According to The New York Times, there were some 250 confirmed victims of the SolarWinds breach at the beginning of this year. Affected customers included global technology giants Cisco, VMware, Microsoft, and U.S. government agencies such as the federal Departments of Homeland Security, Justice, State, Commerce, and the Treasury, and the National Institutes of Health.
It's unlikely that the 250 confirmed victims account for everyone. IT World Canada confirms that attackers had months of dwell-time inside victim networks, between March and December 2020. Given the depth and scope of the intrusions, it could take months to years to unravel the damage to companies that have not yet come forward.
This reality is discouraging, given that SolarWinds was doing virtually everything the industry expects to protect itself. "People believe that as long as you're compliant, you have your SOC reports and your ICE certification, you must be secure. But, given what we have seen so far, there has to be more to it. Compliance does not mean security," says Raza.
According to Horne, a hack like SolarWinds breaks trust between customers and the security industry. The cybersecurity market will be valued at $300 billion by 2024, according to a 2019 Global Market Insights, Inc. report. "We spend so much on cybersecurity. Yet, an attack on some of the most secure companies in the world went unnoticed for months. This gap points to a huge problem with the cybersecurity industry," says Horne.
Since the SolarWinds hack, an unknown party has published an alleged offer on http://solarleaks.net/ to sell data recently stolen from Microsoft, VMware, Cisco, and FireEye. The offer could be referring to data exfiltrated by APT29 during the SolarWinds hack. The offer could also be entirely fraudulent, seeking payment in return for nothing. Yet the selling party lists data, source code, and artifacts for sale that appear to be far beyond what the tech giants have said were viewed or taken.
The scope of what criminal hackers can do now that they have acquired the Red Teaming tools and source code concerns the industry. Hackers could use FireEye's Red Teaming assessment tools to find and exploit flaws in company networks. Viewed or stolen source code presents its own set of malicious scenarios.
For example, the Sunburst Trojan let APT29 usurp authority over an internal Microsoft account and view Microsoft source code, according to the Australian publication Technology Decisions. Though Microsoft says viewing the source code alone could not lead to an increased risk, one source begs to differ.
According to Andrew Fife, vice president of Israeli security firm Cycode, attackers who saw Microsoft's source code might have stolen hard-coded secrets such as usernames, passwords, tokens, or API keys. These credentials could give them access to microservices, libraries, APIs, and SDKs. Attackers could use these credentials to log in to these resources directly, says Fife. "The outcomes run the full gamut of possibilities from virtually nothing up to a massive exposure of customer data. For example, Uber announced such a breach in 2017; they exposed credentials in the source code, which leaked out," says Fife.
Viewing Microsoft's source code may have made it easier for attackers to reverse-engineer its software. Reverse-engineering enables criminals to craft zero-day exploits. Then they can compromise the software vendor or its customers, according to Fife; it depends on what Microsoft software product's codebase APT29 viewed.
Finally, attackers could use part of Microsoft's source code to make supply chain attack code look like what developers would expect. Such attack code could make it easier for attacks to go undetected. According to Fife, the attackers could understand the structure, naming conventions, and deployment details in the source code. Then, they could make their code look like Microsoft developers wrote it.
Experts agree the SolarWinds hack exposed many enterprises. "We'll probably be hearing about organizations that have been compromised and just haven't announced it yet for the next couple of years," says Horne.
The longer it takes for any remaining organizations to report on the damage, the greater the probability of theft of intellectual property or customer data. The U.S. Department of Justice quickly confirmed that the hackers had accessed their emails, but did not retrieve any confidential information. Other organizations have not been as forthcoming. "The longer they wait, the more that people like me get worried that it's the size of the impact that is stalling their reports," says Raza.
"Mimecast and Qualys have since joined the list of organizations impacted by the SolarWinds hack. Given that these organizations provide crucial and sensitive security and email services, the impact is devastating," says Raza.
David Geer is a journalist who focuses on issues related to cybersecurity. He writes from Cleveland, OH, USA.