Just when you could not wait to get through 2020, another big headache (perhaps “migraine” is more appropriate) hit the world, only this time in cyberspace. The cyber risk world was rocked recently with the news of a very sophisticated attack on SolarWinds, a widely used provider of software that helps businesses manage their networks, systems, and information technology infrastructure. It’s as if the Grinch himself sledded in and stole any remaining cheer we had.
Per SolarWinds, its Orion product (versions 2019.4 HF 5 through 2020.2.1, released between March 2020 and June 2020) was compromised: a threat actor (believed to be a nation-state) added a malicious payload (a .DLL file) to that suite, which lay dormant for about 2 weeks to avoid sandboxing and to evade anti-virus detection. It is believed this occurred as far back as June 2020.
What makes this so worrisome is that the SolarWinds product Orion is such an integral component of many organizations’ networks, as it can perform numerous tasks in network automation, configuration, operations, and performance management. (Orion performs as an IP address manager, monitors application functions and database performance, and acts as a network traffic and availability analyzer and a monitor for server storage and configuration.) What was compromised was SolarWinds’ software update mechanism. The threat actor hacked into the mechanism, then used it to infect selected companies (about 18,000) who installed the backdoor management tool SUNBURST. The downloaded .DLL file stays dormant for weeks and slowly retrieves and executes command files that allow it to transfer files, execute files, profile the system, and disable system services, and it can be used to access sensitive info sent back to third party servers. The result is that victims now have a backdoor into their system, and attackers can access these systems via this backdoor, bypassing security and audit mechanisms. (More technical details here.)
A common question I have been getting is “how big was this breach?” Around 85 percent of Fortune 500 companies, ten top U.S. telecoms, five top U.S. accounting firms, hundreds of universities and colleges worldwide, all five branches of the U.S. military, the Pentagon, State Department, the NSA, and NASA use this product. That’s nearly 18,000 customers – this is a very big deal! The complexity of the breach shows in the fact that the threat actor went after the supply chain (i.e., SolarWinds) and not directly after a government agency or other company.
At first, the U.S. government’s recommendation was to disconnect the infected system from the network. However, that provides little help, as the recipient’s entire infrastructure has now been compromised. Security patches from SolarWinds have now been released, and other security firms are rapidly trying to find ways to assist in securing these systems.
So, what does this mean to you as an outsourcer?
First off, you should not flood your vendors with a questionnaire containing a ton of generic questions inquiring “How bad is it?” – note that they are still trying to figure this out and it’s going to take some time. Rather, simply ask them “Do you utilize SolarWinds and, in particular, the Orion product?” If they say “No” then there is really no need currently to pepper them with further questions. However, if they reply “Yes” you should then inquire as to when they plan to brief you – along with their other customers – as to what they’ve uncovered, what they’re doing to resolve the crisis, and what they plan to do post-assessment, as they’ll need to perform much monitoring and scanning of their networks, systems, etc., for back doors, side doors, “out of the norm” activity with privileged accounts, outbound activity, and the like. Again – I reiterate – be aware that this is going to take a lot of time and effort for affected organizations, so patience really is a virtue here as they will need to map out their game plan to really trace all backdoors the hacker established in their network.
So, in short, yes – this is a very ugly breach that is going to keep a lot of systems, network engineers, and security professionals very busy over the next few weeks (or even months) to try to clean up. To date, no one can put their finger on the nation state responsible for the hack, nor has anyone taken credit for the breach. So, if you are tasked to follow up with your vendors regarding the SolarWinds-Orion breach and you identify a vendor who was affected, remember to not be a Grinch yourself and be considerate as to all the Whos in Who-ville working fastidiously over the holidays to address this hack. They will get back to you and other organizations when they are comfortable, so patience is certainly a virtue here. And let us all hope for a better year in 2021!
If you have any additional questions or inquiries regarding this breach, SolarWinds is making regular updates to its Security Advisory page, and you can email SWISupport@solarwinds.com. The emergency directive from the Cyber Security Division, Homeland Security, is available here. The article below is another good reference for TPRM professionals: