SolarWinds Cyberattacks: Perception Vs. Reality
“SolarWinds, a leading information security vendor, is at the center of a supply chain attack where over 18,000 government agencies and private organizations worldwide have been hacked.”
From a layman’s perspective, this statement is entirely true. True because, according to most people, these organizations were hacked, literally or otherwise. However, it doesn’t capture the whole story accurately. First, there is no certainty that there were breaches across all these institutions. Second, and most importantly, the hack impacted these organizations differently and to varying degrees. So, while a blanket statement like “they have been hacked” gives us a rough idea, it doesn’t paint a vivid picture of the actual situation. Therefore, it’s essential to understand that the hack’s severity varies from one victim to another.
To help us understand this better, let’s look at how the attackers orchestrated the SolarWinds hack.
How Did The SolarWinds Hack Occur?
In a filing with the SEC on December 14th, SolarWinds divulged that the hackers managed to infiltrate the system it uses to develop updates for its Orion product. They then inserted malicious code into a software update that was due for release. This is called a supply-chain attack, i.e., hackers compromise software during assembly and use it to attack the different targets that install it.
Why Is the SolarWinds Hack a Big Deal?
According to SolarWinds, up to 18,000 out of its 33,000 Orion customers had already installed the tainted software by the time news of the breach broke. This number is too high to hack at once — even for a nation-state hacker group like Cozy Bear. The attackers must have, therefore, prioritized high-end targets like federal agencies and multinational companies like Microsoft. However, even this doesn’t guarantee that they actually hacked these organizations.
How Hacked Was SolarWinds Hacked?
Although several companies have come out to confirm that the hack has impacted them, most of them maintain that the threats are minimal and that there’s no reason for alarm.
Using a Hacking Scale to Better Understand This
If we’re going to dissect the anatomy of the SolarWinds hack to the core, we need to define a “hack scale.”
Let’s use the five stages of cancer as our benchmark:
- Stage 0: The attackers have entered your systems but haven’t taken any action. They could be secretly monitoring your online activities and communication patterns.
- Stage 1: The attackers have seized control of your systems but haven’t spread to the entire network.
- Stage 2: The attackers have spread to the broader network but only have ‘read-only’ access, i.e., they can view and steal company information but not manipulate it.
- Stage 3: The attackers have “write” access to your entire network. They can read and alter your data.
- Stage 4: The attackers have admin control of your entire network. They can do all sorts of things, from reading and altering data to creating accounts and entry points, locking you out, etc.
From the information given by SolarWinds, the affected clients only experienced stage 0. Let’s take Microsoft’s case, for example. A statement by the tech giant reads, “we have detected malicious SolarWinds binaries in our environment, which we isolated and removed … we have not found evidence of access to production services or customer data. Our ongoing investigations have found absolutely no indications that our systems were used to attack others.”
Based on this statement, Microsoft experienced stage 0 or stage 1 at worst. In FireEye’s case, the attackers stole some data but didn’t alter any information. This is consistent with the second stage. The two examples illustrate why a scale is essential; it enables us to deduce the hacks’ comparative severity.
What Lessons Can You Learn from This Hack?
Do Not Take Any Chances
Assume that you are a target and conduct an extensive network assessment to determine the risk levels. Key areas to focus on include traces of the malware, any backdoors, and signs of abnormal activities.
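One concrete way to look for traces of a tampered vendor binary, as described above, is to keep a hash manifest of the installed product's DLLs and EXEs from a known-clean install and diff it against the current state. This is an added example, not code from SolarWinds or the original post; the file names and the "known bad" hash are constructed placeholders, not real SolarWinds indicators.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries don't have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path, suffixes=(".dll", ".exe")) -> dict:
    """Map each binary's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.suffix.lower() in suffixes}

def compare_manifests(baseline: dict, current: dict, known_bad: set) -> dict:
    """Classify drift against the clean baseline: modified, added, removed,
    plus any current file whose digest matches a known-bad indicator."""
    findings = {"modified": [], "added": [], "removed": [], "known_bad": []}
    for rel, digest in current.items():
        if rel not in baseline:
            findings["added"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
        if digest in known_bad:
            findings["known_bad"].append(rel)
    findings["removed"] = [rel for rel in baseline if rel not in current]
    return findings

def demo() -> dict:
    """Constructed scenario: a clean install is baselined, then one DLL is
    replaced by a tampered copy and an unexpected DLL appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Orion.Core.dll").write_bytes(b"vendor build A")  # constructed sample file
        (root / "Orion.Web.dll").write_bytes(b"vendor build B")   # constructed sample file
        baseline = build_manifest(root)
        tampered = b"vendor build A" + b"\x00injected"           # constructed tampered content
        (root / "Orion.Core.dll").write_bytes(tampered)
        (root / "Extra.dll").write_bytes(b"unexpected")
        # Placeholder indicator derived from the constructed file, not a real SolarWinds hash.
        known_bad = {hashlib.sha256(tampered).hexdigest()}
        return compare_manifests(baseline, build_manifest(root), known_bad)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest should be built from vendor-signed media or a verified clean install and stored off-host, since a compromised update can overwrite a manifest kept alongside the binaries.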
Above all, always remember that hacks vary in severity based on the attacker’s access and control levels. Instead of switching to panic mode, focus on assessing the threat level and tailoring the appropriate response protocols.
Not sure where to begin? Call Outsource IT Solutions Group at (855) 651-1418, and let’s discuss your network security.