Everything You Need To Know About SolarWinds Supply-Chain Attack
The SolarWinds attack was a supply-chain attack: instead of breaking into each target directly, the attackers compromised a third-party vendor that supplies software to those targets. The vendor in this case was SolarWinds, which sells IT and network management software, and the product was Orion, a network monitoring and management platform used by a large number of enterprises and government departments to monitor and manage their infrastructure.
In 2020, attackers believed to work for the Russian foreign intelligence service (SVR) gained access to SolarWinds' systems and inserted a backdoor into one of the company's most widely deployed products, Orion.
SolarWinds had more than 30,000 Orion customers at the time, and up to around 18,000 of them installed the trojanized update. The installed base included the cybersecurity firm FireEye, Fortune 500 companies and numerous US federal agencies, among them the Treasury Department, the Department of Homeland Security, the State Department, the Justice Department, the Centers for Disease Control and Prevention, parts of the Pentagon, the Department of Energy and the National Nuclear Security Administration. Having the backdoor installed is not the same as having been actively intruded upon: the attackers followed up with hands-on activity at only a small fraction of those installations, chosen because they were of intelligence interest.
Because the backdoor was inserted during SolarWinds' own build process, the resulting Orion update was digitally signed with SolarWinds' legitimate code-signing certificate and distributed through the normal update channel, so to customers it was indistinguishable from an official release. This update carried the backdoor that FireEye later named SUNBURST, and it was installed by up to around 18,000 SolarWinds customers.
SUNBURST was not some self-directing "AI"; it was a carefully engineered backdoor built to blend into Orion's normal behaviour. It was compiled into a legitimate Orion library (SolarWinds.Orion.Core.BusinessLayer.dll), stayed dormant for up to roughly two weeks after installation, and then beaconed over DNS to subdomains of avsvmcloud[.]com, with its follow-on command-and-control traffic disguised as the Orion Improvement Program protocol that Orion uses legitimately. Before activating, it checked the host for security and analysis tools by comparing hashed process, service and driver names against an embedded blocklist, and went quiet if any were found, which is a large part of why anti-virus products did not flag it. Once active, it gave the operators a full backdoor: they could run commands, read and write files, start and stop services and profile the system, and from that foothold move further into the victim's network and cloud identity infrastructure, largely without being noticed.
Once the backdoor was identified, SolarWinds released a hotfix (Orion Platform 2020.2.1 HF 2) that removed the malicious code and urged all customers to upgrade immediately. Customers who could not upgrade were advised to take their Orion servers offline or at least block internet access to and from them, and to rotate the credentials used by and stored in Orion. Patching alone was not enough for organizations where the backdoor had actually been used: by then the attackers typically held stolen credentials, keys and tokens that survived the update, so those victims also had to hunt for follow-on activity and rebuild trust in their identity systems.
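One concrete check a defender could run at this point is to look back through DNS query logs for the beacon domain. The script below is an added example, not code from the original article or from SolarWinds or FireEye: avsvmcloud.com is the real first-stage beacon domain FireEye published, while the log format, the client addresses and the random-looking labels in the sample lines are constructed for this example. Because SUNBURST slept for up to two weeks before its first lookup, the search has to cover months of history, not just the days around the disclosure.

```python
"""Hunt DNS query logs for SUNBURST's first-stage beacon domain.

Added example; not from the original article or from SolarWinds/FireEye.
avsvmcloud.com is the real beacon domain FireEye published. The log
format and the sample lines (client addresses, random-looking labels)
are constructed for this example.
"""
from collections import OrderedDict

SUNBURST_DNS_SUFFIXES = ("avsvmcloud.com",)

# Constructed sample log, one query per line: "<timestamp> <client> <qname>"
SAMPLE_DNS_LOG = """\
2020-06-01T03:14:02Z 10.20.30.40 www.example.com
2020-06-01T03:14:05Z 10.20.30.40 a1b2c3d4e5f6g7h8i9j0.appsync-api.us-west-2.avsvmcloud.com.
2020-06-01T03:15:11Z 10.20.30.41 notavsvmcloud.com
2020-06-01T03:16:48Z 10.20.30.40 k0l9m8n7o6p5q4r3s2t1.appsync-api.eu-west-1.avsvmcloud.com
2020-06-01T03:20:00Z 10.20.30.42 avsvmcloud.com.corp.example.com
2020-06-02T09:00:00Z 10.20.30.43 AVSVMCLOUD.COM
"""


def normalize_name(qname):
    """Lower-case and drop the trailing dot that DNS loggers often keep."""
    return qname.strip().lower().rstrip(".")


def matches_indicator(qname, suffixes=SUNBURST_DNS_SUFFIXES):
    """True for the apex itself or any label under it.

    A plain substring test would also hit look-alikes such as
    'notavsvmcloud.com' or 'avsvmcloud.com.corp.example.com', which are
    not the indicator, so match on whole labels only.
    """
    name = normalize_name(qname)
    return any(name == s or name.endswith("." + s) for s in suffixes)


def parse_line(line):
    """Split one constructed log line; None for lines that do not fit."""
    parts = line.split()
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def hunt(log_text, suffixes=SUNBURST_DNS_SUFFIXES):
    """Group matching queries by client so each suspect host appears once,
    with first/last seen (logs may be unsorted) and the names it asked for."""
    hits = OrderedDict()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, client, qname = parsed
        if not matches_indicator(qname, suffixes):
            continue
        entry = hits.setdefault(
            client, {"count": 0, "first_seen": ts, "last_seen": ts, "names": []})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["names"].append(normalize_name(qname))
    return hits


if __name__ == "__main__":
    for client, info in hunt(SAMPLE_DNS_LOG).items():
        print(f"{client}: {info['count']} beacon lookup(s), "
              f"{info['first_seen']} .. {info['last_seen']}")
        for name in info["names"]:
            print("    ", name)
```

The random-looking leftmost label of each real beacon encoded the victim's domain name and some host state; decoding that is outside this example, but a hit on any host is reason enough to treat that Orion server as compromised and start the wider hunt.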
About a week later, Microsoft disclosed that the same group had also gained access to its internal network. Microsoft said it had found unusual activity on a small number of internal accounts and, on investigation, determined that one of those accounts had been used to view source code in several repositories. The account had no permission to modify code, and Microsoft reported that no source code had been changed.
As the investigation progressed, further findings and announcements followed. A week after Microsoft's disclosure, the US government formally attributed the recently discovered SolarWinds supply-chain attack to an actor likely working for the Russian government.
A joint statement issued by the FBI (Federal Bureau of Investigation), CISA (Cybersecurity and Infrastructure Security Agency), the ODNI (Office of the Director of National Intelligence) and the NSA (National Security Agency) said: "This work indicates that an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks. At this time, we believe this was, and continues to be, an intelligence-gathering effort."
The same week brought the first real lead on who built the backdoor, when Kaspersky researchers published an analysis identifying several code overlaps between SUNBURST and a previously known malware family, Kazuar, a .NET backdoor first described by Palo Alto Networks in 2017. The overlaps were the algorithm used to generate victim identifiers, the sleep (dormancy) algorithm and the heavy use of the FNV-1a hash. Palo Alto Networks' Unit 42 had tentatively linked Kazuar to the Russian threat group Turla (also known as Uroburos and Snake), noting that the "code lineage in Kazuar can be traced back to at least 2005." Kaspersky was careful to point out that shared code does not prove a shared operator: it could equally indicate a common developer, borrowed code, or a deliberate false flag.
With the investigation in full swing, the cybersecurity firm CrowdStrike identified a further piece of malware, used by the SolarWinds attackers to plant the backdoor in Orion during the build. This component, named SUNSPOT, ran on SolarWinds' build server. It watched for the build tool (MsBuild.exe) compiling the Orion solution and, while the build ran, silently replaced one of the solution's source files with a copy containing the SUNBURST code, then restored the original afterwards, so that the source repository and the developers' working copies never showed the change. The only artefact that differed from what the developers had written was the signed build output.
SUNSPOT was thus an addition to the previously identified SUNBURST malware. Sudhakar Ramakrishna, the newly appointed CEO of SolarWinds, explained in an article: "This highly sophisticated and novel code was designed to inject the SUNBURST malicious code into the SolarWinds Orion Platform without arousing the suspicion of our software development and build teams".
Around two weeks later, the cybersecurity firm FireEye, which first discovered the SolarWinds supply-chain attack, said the investigation was still in its early stages and that tracing the full extent of the intrusion would take time. The attack had hit both the private and the government sector of the US on a massive scale. FireEye also released a free tool and published a white paper to help victims determine whether the attackers had gained access to, and remained active in, their Microsoft 365 environments, which hold users' mailboxes and documents, and to remediate and harden those tenants. The focus on Microsoft 365 reflects how the attackers used their on-premises foothold: by stealing the token-signing key from a victim's federation server, or by adding their own credentials to privileged cloud applications, they could forge authentication tokens and read cloud mailboxes without touching the Orion server again.
Given how large and damaging the attack was, Joe Biden, then President-elect, proposed $9bn (about 6.6bn euros) in funding to expand the capabilities of federal cybersecurity agencies, support the Cybersecurity and Infrastructure Security Agency (CISA) and deliver a much-needed upgrade to federal government security.
That funding was part of the American Rescue Plan unveiled on 14 January 2021, a $1.9tn package aimed primarily at relief from the COVID-19 crisis, the US having been one of the countries hit hardest by the pandemic, with the cybersecurity money set aside to deal with the fallout from the SolarWinds supply-chain attack discovered in December 2020. That attack, one of the largest on record and widely attributed to Moscow, had compromised cybersecurity firms, technology companies and federal agencies in a campaign to steal confidential data, reportedly including information about the COVID-19 vaccine.
President Biden then began assembling a team of national security veterans with deep cyber expertise, drawing praise from former defense officials and operators, as the US government tried to recover from what may be the largest cyberattack on its agencies ever attributed to Russian intelligence. The administration appointed leading cybersecurity specialists to senior roles. Some observers noted, however, that the team's experience lay entirely in the public sector, a distinction that matters because the vast majority of US internet infrastructure is owned and operated by private companies.
This was one of the most sophisticated and consequential supply-chain attacks on record, and the lesson for anyone who wants to avoid becoming a victim of a similar one is that software development and deployment pipelines need far more security attention than they usually get. The conventional controls at the customers (code-signing verification, anti-virus, perimeter firewalls) were in place and were all bypassed, because the malicious code arrived as a legitimately signed update from a trusted vendor.
The points to focus on for software are:
- Harden software build environments, so that an attacker who reaches a build server cannot silently swap source files during a build the way SUNSPOT did (isolated build agents, reproducible builds, and verification that the built artefact matches the reviewed source)
- Change tools and interfaces so that unintentional vulnerabilities are less likely
- Use vulnerability detection tools while developing software
- Use tools to detect known-vulnerable components while developing software
- Improve widely used open source software (OSS)
- Ask suppliers for SBOMs (software bills of materials) in SPDX format; many software producers are not ready to provide one yet, but creating the demand will speed progress
- Determine whether the subcomponents you use have known vulnerabilities
- Work towards providing SBOM information for any software you produce for others
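The two SBOM points above become useful only once something actually consumes the SBOM. As an added example (not code from the original article, from SolarWinds or from the SPDX project), the following Python script reads an SPDX 2.2 JSON document, extracts each package's package-URL (purl) identifier and version, and checks them against an advisory list. The SBOM, the package names (Example.Agent, Acme.HttpClient and so on), the EXAMPLE-ADV identifiers and the version ranges are all constructed for this example and describe no real software or real vulnerabilities. It also surfaces the caveat a practitioner will hit in practice: a package listed without a usable identifier cannot be matched against anything, and an SBOM full of such entries gives false comfort.

```python
"""Audit an SPDX 2.2 JSON SBOM against a list of known-vulnerable components.

Added example; not code from the original article, SolarWinds or the SPDX
project. The SBOM, package names, advisory identifiers and version ranges
below are constructed for this example and are not real vulnerabilities.
"""
import json


def _pkg(spdx_id, name, version, purl=None):
    """Build one constructed SPDX package entry."""
    pkg = {"name": name, "SPDXID": spdx_id, "versionInfo": version,
           "downloadLocation": "NOASSERTION"}
    if purl:
        pkg["externalRefs"] = [{"referenceCategory": "PACKAGE-MANAGER",
                                "referenceType": "purl",
                                "referenceLocator": purl}]
    return pkg


# Constructed SPDX 2.2 document of the kind a vendor would hand over.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT", "name": "example-agent-3.1.0",
    "documentNamespace": "https://example.invalid/spdx/example-agent-3.1.0",
    "packages": [
        _pkg("SPDXRef-agent", "Example.Agent", "3.1.0",
             "pkg:nuget/Example.Agent@3.1.0"),
        _pkg("SPDXRef-http", "Acme.HttpClient", "2.4.1",
             "pkg:nuget/Acme.HttpClient@2.4.1"),
        _pkg("SPDXRef-json", "Acme.JsonParser", "1.0.9",
             "pkg:nuget/Acme.JsonParser@1.0.9"),
        _pkg("SPDXRef-log", "Acme.Logging", "5.2.0",
             "pkg:nuget/Acme.Logging@5.2.0"),
        # Vendored binary with no identifier: nothing to match it against.
        _pkg("SPDXRef-blob", "thirdparty-blob", "NOASSERTION"),
    ],
})

# Constructed advisory feed: hypothetical identifiers, not real CVEs.
EXAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "type": "nuget", "name": "Acme.HttpClient",
     "introduced": "2.0.0", "fixed": "2.4.3"},
    {"id": "EXAMPLE-ADV-0002", "type": "nuget", "name": "Acme.JsonParser",
     "introduced": "0", "fixed": "1.0.9"},   # 1.0.9 is the fixed release
    {"id": "EXAMPLE-ADV-0003", "type": "nuget", "name": "Acme.Logging",
     "introduced": "5.0.0", "fixed": None},  # no fixed release yet
]


def parse_version(text):
    """'2.4.1' -> (2, 4, 1); None for values such as 'NOASSERTION'."""
    try:
        return tuple(int(p) for p in text.strip().split("."))
    except (AttributeError, ValueError):
        return None


def parse_purl(purl):
    """Minimal purl parser: 'pkg:type/[namespace/]name@version[?q]'."""
    if not purl.startswith("pkg:") or "@" not in purl:
        return None
    body, version = purl[4:].rsplit("@", 1)
    version = version.split("?", 1)[0]      # drop qualifiers
    ptype, _, path = body.partition("/")
    name = path.rsplit("/", 1)[-1]          # namespace ignored here
    return ptype.lower(), name, version


def is_affected(version, advisory):
    """Affected if introduced <= version < fixed, or no fix exists."""
    v = parse_version(version)
    lo = parse_version(advisory["introduced"])
    hi = parse_version(advisory["fixed"]) if advisory["fixed"] else None
    if v is None or lo is None:
        return False
    return lo <= v and (hi is None or v < hi)


def audit_sbom(spdx_json_text, advisories):
    """Return vulnerable matches plus packages that could not be identified."""
    doc = json.loads(spdx_json_text)
    findings, unverifiable = [], []
    for pkg in doc.get("packages", []):
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        parsed = parse_purl(purls[0]) if purls else None
        if parsed is None or parse_version(parsed[2]) is None:
            unverifiable.append(pkg["name"])
            continue
        ptype, name, version = parsed
        for adv in advisories:
            if (adv["type"], adv["name"].lower()) == (ptype, name.lower()) \
                    and is_affected(version, adv):
                findings.append((name, version, adv["id"]))
    return {"findings": findings, "unverifiable": unverifiable}


if __name__ == "__main__":
    report = audit_sbom(SAMPLE_SPDX_JSON, EXAMPLE_ADVISORIES)
    for name, version, adv_id in report["findings"]:
        print(f"VULNERABLE  {name}@{version}  {adv_id}")
    for name in report["unverifiable"]:
        print(f"UNVERIFIED  {name}  (no usable package identifier in SBOM)")
```

The version comparison is deliberately the simple numeric-tuple kind; real ecosystems (semver pre-release tags, NuGet's four-part versions, PEP 440) need the comparison rules of that ecosystem, and a production tool would take the advisory data from a feed such as the OSV database rather than a hand-written list.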
SolarWinds has published a security advisory on its website describing the attack, listing the affected Orion versions and explaining the steps customers should take to remediate it.
If there is a common lesson from the past few years, it is the importance of combining ongoing learning with innovation, closer collaboration and sustained resolve. For four centuries, people have relied on governments to protect them from foreign threats. Digital technology has created a world in which governments cannot act effectively alone: defending democratic societies requires governments and technology companies to work together in new and important ways to share information, strengthen defenses and respond to attacks.